From patchwork Wed Mar 15 15:34:13 2023
From: Michael Kelley
To: kys@microsoft.com, wei.liu@kernel.org, decui@microsoft.com, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com, x86@kernel.org, linux-kernel@vger.kernel.org, linux-hyperv@vger.kernel.org
Cc: mikelley@microsoft.com
Subject: [PATCH 1/1] x86/hyperv: Block root partition functionality in a Confidential VM
Date: Wed, 15 Mar 2023 08:34:13 -0700
Message-Id: <1678894453-95392-1-git-send-email-mikelley@microsoft.com>
Hyper-V should never specify a VM that is a Confidential VM and also running in the root partition. Nonetheless, explicitly block such a combination to guard against a compromised Hyper-V maliciously trying to exploit root partition functionality in a Confidential VM to expose Confidential VM secrets.

No known bug is being fixed, but the attack surface for Confidential VMs on Hyper-V is reduced.

Signed-off-by: Michael Kelley
---
 arch/x86/kernel/cpu/mshyperv.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/arch/x86/kernel/cpu/mshyperv.c b/arch/x86/kernel/cpu/mshyperv.c
index ff348eb..ac630ec 100644
--- a/arch/x86/kernel/cpu/mshyperv.c
+++ b/arch/x86/kernel/cpu/mshyperv.c
@@ -356,12 +356,16 @@ static void __init ms_hyperv_init_platform(void) * To mirror what Windows does we should extract CPU management * features and use the ReservedIdentityBit to detect if Linux is the * root partition. But that requires negotiating CPU management - * interface (a process to be finalized). + * interface (a process to be finalized). For now, use the privilege + * flag as the indicator for running as root. * - * For now, use the privilege flag as the indicator for running as - * root. + * Hyper-V should never specify running as root and as a Confidential + * VM. But to protect against a compromised/malicious Hyper-V trying + * to exploit root behavior to expose Confidential VM memory, ignore + * the root partition setting if also a Confidential VM. */ - if (cpuid_ebx(HYPERV_CPUID_FEATURES) & HV_CPU_MANAGEMENT) { + if ((ms_hyperv.priv_high & HV_CPU_MANAGEMENT) && + !(ms_hyperv.priv_high & HV_ISOLATION)) { hv_root_partition = true; pr_info("Hyper-V: running as root partition\n"); }
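Review bot: the new condition `if ((ms_hyperv.priv_high & HV_CPU_MANAGEMENT) && !(ms_hyperv.priv_high & HV_ISOLATION))` silently drops the root-partition designation when both bits are set, yet the comment added in the same hunk says Hyper-V should never advertise that combination; a state the hypervisor is not supposed to produce deserves at least a pr_warn() in an else branch, so that a buggy or hostile hypervisor setting HV_CPU_MANAGEMENT on a Confidential VM leaves a trace in the guest log instead of being indistinguishable from an ordinary guest. Second, the test now reads `ms_hyperv.priv_high` where the removed line called `cpuid_ebx(HYPERV_CPUID_FEATURES)` directly, so it is only equivalent if priv_high has already been populated from that CPUID leaf earlier in ms_hyperv_init_platform(); that ordering is outside the hunk and is worth one sentence in the commit message. Finally, the comment speaks of protecting "Confidential VM memory" while the code tests only the HV_ISOLATION privilege bit; if that bit is the intended definition of a Confidential VM for this check, say so in the comment, otherwise use the same predicate the rest of the platform code uses for isolation so the two cannot drift apart.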