RE: [PATCH] x86/tdx: Mark TSC reliable

From: Reshetova, Elena
Date: Wed Aug 09 2023 - 01:44:49 EST

Next message: Sunil V L: "Re: [RFC PATCH v1 11/21] swnode: Add support to create early during boot"
Previous message: Thomas McKahan: "[PATCH v2 0/2] Add Support for the FriendlyElec NanoPC T6"
In reply to: Kirill A. Shutemov: "Re: [PATCH] x86/tdx: Mark TSC reliable"
Next in thread: Kirill A. Shutemov: "Re: [PATCH] x86/tdx: Mark TSC reliable"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> On Tue, Aug 08, 2023 at 10:13:05AM -0700, Dave Hansen wrote:
> > On 8/8/23 09:23, Kirill A. Shutemov wrote:
> > ...
> > > On the other hand, other clock sources (such as HPET, ACPI timer,
> > > APIC, etc.) necessitate VM exits to implement, resulting in more
> > > fluctuating measurements compared to TSC. Thus, those clock sources
> > > are not effective for calibrating TSC.
> >
> > Do we need to do anything to _those_ to mark them as slightly stinky?

IMO from pure security pov yes. It would be good secure default that
TDX guests (and other CoCo guests also) are using only trusted source time.
There are issues with this though and would need to understand where
to draw the line. Things like hpet and such we hoped to disable via
device filtering. For some other time sources we
have used patches below. But then there are things like RTC that would
be great to disable also, but without a proper remote time server
that breaks any date/timing for the guest, so we have not done it
and probably should not by default, but we recommend not using it
in docs we have:
https://intel.github.io/ccc-linux-guest-hardening-docs/security-spec.html#tsc-and-other-timers

>
> I don't know what the rules here. As far as I can see, all other clock
> sources relevant for TDX guest have lower rating. I guess we are fine?

What about acpi_pm?
See this:
https://github.com/intel/tdx/commit/045692772ab4ef75062a83cc6e4ffa22cab40226

>
> There's notable exception to the rating order is kvmclock which is higher
> than tsc. It has to be disabled, but it is not clear to me how. This topic
> is related to how we are going to filter allowed devices/drivers, so I
> would postpone the decision until we settle on wider filtering schema.

One option is to include "no-kvmclock" into kernel command line, which
is attested. Another option is to try to disable it explicitly, like we had
in past:
https://github.com/intel/tdx/commit/6b0357f2115c1bdd158c0c8836f4f541517bf375

The obvious issues with command line is that it is going to 1) grow
considerably if we try to disable everything we can via command line
and 2) there is a high chance that in practice people will not use secure default
and/or forget to verify the correct status of cmd line. But this is to be
expected I guess for any security method that involves attestation unfortunately.

Best Regards,
Elena.

Next message: Sunil V L: "Re: [RFC PATCH v1 11/21] swnode: Add support to create early during boot"
Previous message: Thomas McKahan: "[PATCH v2 0/2] Add Support for the FriendlyElec NanoPC T6"
In reply to: Kirill A. Shutemov: "Re: [PATCH] x86/tdx: Mark TSC reliable"
Next in thread: Kirill A. Shutemov: "Re: [PATCH] x86/tdx: Mark TSC reliable"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]