Re: [virtio-dev] [PATCH RFC 3/3] rng: leak detection support

[Babis Chalios]

On 27/9/23 23:47, Michael S. Tsirkin wrote:

On Wed, Sep 27, 2023 at 12:43:20PM +0200, Babis Chalios wrote:

On 22/9/23 18:01, Michael S. Tsirkin wrote:

On Fri, Sep 22, 2023 at 05:40:50PM +0200, Babis Chalios wrote:

On 22/9/23 17:06, Michael S. Tsirkin wrote:

On Tue, Sep 19, 2023 at 12:11:37PM +0200, Babis Chalios wrote:

On 19/9/23 12:01, Michael S. Tsirkin wrote:

On Tue, Sep 19, 2023 at 09:32:08AM +0200, Babis Chalios wrote:

Resending to fix e-mail formatting issues (sorry for the spam)

On 18/9/23 18:30, Babis Chalios wrote:

Yes, that's what the driver does now in the RFC patch.
However, this just
decreases
the race window, it doesn't eliminate it. If a third
leak event happens it
might not
find any buffers to use:

1. available buffers to queue 1-X
2. available buffers to queue X


3. poll queue X
4. used buffers in queue X   <- leak event 1 will
use buffers in X
5. avail buffers in queue X
6. poll queue 1-X<- leak event 2 will
use buffers in 1-X
7. used buffers in queue 1-X
8. avail buffers in queue 1-X
   <- leak event 3 (it
needs buffers in X, race with step 5)
9. goto 3

I don't get it. we added buffers in step 5.

What if the leak event 3 arrives before step 5 had time to
actually add the
buffers in X and make
them visible to the device?

Then it will see a single event in 1-X instead of two events.  A leak is
a leak though, I don't see does it matter how many triggered.


So the scenario I have in mind is the following:

(Epoch here is terminology that I used in the Linux RFC. It is a value
maintained by random.c
that changes every time a leak event happens).

1. add buffers to 1-X
2. add buffers to X
3. poll queue X
4. vcpu 0: get getrandom() entropy and cache epoch value
5. Device: First snapshot, uses buffers in X
6. vcpu 1: sees used buffers
7. Device: Second snapshot, uses buffers in 1-X
8. vcpu 0: getrandom() observes new  epoch value & caches it
9. Device: Third snapshot, no buffers in either queue, (vcpu 1 from step 6
has not yet finished adding new buffers).
10. vcpu 1 adds new buffer in X
11. vcpu 0: getrandom() will not see new epoch and gets stale entropy.


In this succession of events, when the third snapshot will happen, the
device won't find
any buffers in either queue, so it won't increase the RNG epoch value. So,
any entropy
gathered after step 8 will be the same across all snapshots. Am I missing
something?

Cheers,
Babis


Yes but notice how this is followed by:

12. vcpu 1: sees used buffers in 1-X

Driver can notify getrandom I guess?

It could, but then we have the exact race condition that VMGENID had,
userspace has already consumed stale entropy and there's nothing we
can do about that.

Although this is indeed a corner case, it feels like it beats the purpose
of having the hardware update directly userspace (via copy on leak).

How do you feel about the proposal a couple of emails back? It looks to
me that it avoids completely the race condition.

Cheers,
Babis

It does. The problem of course is that this means that e.g.
taking a snapshot of a guest that is stuck won't work well.

That is true, but does it matter? The intention of the proposal
is that if it is not safe to take snapshots (i.e. no buffers in the
queue) don't take snapshots.


I have been thinking of adding MAP/UNMAP descriptors for
a while now. Thus it will be possible to modify
userspace memory without consuming buffers.
Would something like this solve the problem?

I am not familiar with MAP/UNMAP descriptors. Is there
a link where I can read about them?

Cheers,
Babis

Heh no I just came up with the name. Will write up in a couple
of days, but the idea is that driver does get_user_pages,
adds buffer to queue, and device will remember the address
and change that memory on a snapshot. If there are buffers
in the queue it will also use these to tell driver,
but if there are no buffers then it won't.

That sounds like a nice mechanism. However in our case the page
holding the counter that gets increased by the hardware is a kernel
page.

The reason for that is that things other than us (virtio-rng) might
want to notify for leak events. For example, I think that Jason
intended to use this mechanism to periodically notify user-space
PRNGs that they need to reseed.

Cheers,
Babis


Now I'm lost.
when you write, e.g.:
4. vcpu 0: get getrandom() entropy and cache epoch value
how does vcpu access the epoch?


The kernel provides a user space API to map a pointer to the epoch
value. User space then caches its value and checks it every time it
needs to make sure that no entropy leak has happened before using
cached kernel entropy.

virtio-rng driver adds a copy on leak command to the queue for
increasing this value (that's what we are speaking about in this thread).
But other systems might want to report "leaks", such as random.c
itself.

Cheers,
Babis

-
To unsubscribe, e-mail: 

Re: [virtio-dev] [PATCH v2] virtio-tee: Reserve device ID 46 for TEE device

[Sumit Garg]

On Wed, 27 Sept 2023 at 21:39, Arnd Bergmann  wrote:
>
> On Wed, 27 Sept 2023 at 16:09, Sumit Garg  wrote:
> >
>
> It looks like I accidentally dropped the entire Cc list in my earlier reply,
> adding them all back.

No worries.

>
> > On Wed, 27 Sept 2023 at 01:44, Arnd Bergmann  wrote:
> > >
> > > On Tue, 26 Sept 2023 at 08:44, Sumit Garg  wrote:
> > > > On Tue, 26 Sept 2023 at 08:16, Jens Wiklander 
> > > >  wrote:
> > > > > On Tue, Sep 26, 2023 at 8:00 AM Sumit Garg  
> > > > > wrote:
> > > > > >
> > > > > > How about shared memory support? We would like to register guest 
> > > > > > pages with the trusted OS.
> > > > >
> > > > > Coincidently Arnd and I (among others) discussed this in person last
> > > > > week and the conclusion was that only temporary shared memory is
> > > > > possible with virtio. So the shared memory has to be set up and torn
> > > > > down by the host during each operation, typically open-session or
> > > > > invoke-func.
> > > >
> > > > Agree as I was part of those discussions. But I would like to
> > > > understand the reasoning behind it. Is there any restriction by VIRTIO
> > > > specification that we can't register guest page PAs to a device (TEE
> > > > in our case) to allow for zero copy transfers?
> > > >
> > > > Alex mentioned some references to virtio GPU device. I suppose I need
> > > > to dive into its implementation to see if there are any similarities
> > > > to our use-case.
> > > >
> > > > > That might not be optimal if trying to maximize
> > > > > performance, but it is portable.
> > > >
> > > > IMO, the ABI should be flexible enough to support a TEE with optimum
> > > > performance.
> > >
> > > As we discussed last week, I can see two possible ways to implement
> > > a TEE device within the constraints of the virtio specification:
> > >
> > > a) Allocate a shared memory area in the device (host) and export it
> > >to the driver (guest) via a virtio shared memory area. This shared
> > >memory can be shared with userspace using mmap() if necessary.
> > >A tee command in this case would be sent using a normal virtqueue
> > >to the device with a pair of one transmit and one receive buffer.
> > >Any arguments that refer to memory blocks in this case are
> > >offsets into the shared memory area. Using this preallocated buffer
> > >is similar to earlier TEE implementations but has some restrictions.
> > >The command in this case has to be copied in and out by the
> > >hypervisor implementation.
> >
> > Yeah that was the initial approach that we used for OP-TEE but it was
> > limited by the fixed size of the shared memory area. A guest client
> > application may want to share a larger data buffer with TA which can't
> > be supported via this approach.
>
> I don't know if there is a limit on the size of the virtio shared
> memory area other than the PCI MMIO space size, could
> this just be made (much) larger?

Actually it's a double edged sword. You wouldn't like to block too
much host memory which remains unused and on the other hand not too
less that can't serve guest application needs. That's the reason we
should provide an option to dynamically share guest memory with a TEE.

>
> > > b) Send all data through the virtqueue itself, pointing into normal
> > >guest memory. The first buffer sent to the device is the request,
> > >while the receive buffer is the result. Instead of pointers to
> > >shared memory, this means that all data transfers would be
> > >done in additional buffers on the same virtio transaction, and
> > >the host would have to register the guest memory dynamically
> > >as part of the command before forwarding them to a TEE that
> > >relies on registering shared memory, and unmap it afterwards
> > >since the guest might reuse the buffers for other data later
> > >that it does not want to share with the TEE
> > >
> >
> > The TEE communication protocol has to support INOUT shared memory
> > buffers. So it will be quite tricky to support it via TX only and RX
> > only buffers (many more buffer copies).
>
> I don't remember if you can just list the same address in
> virtio for both directions, but that could solve this problem.
>

Okay in that case I think following approach can work:

- Issue VIRTIO_TEE_CMD_REGISTER_MEM to register an additional buffer
passed through virtqueue.
- Instruct TEE to perform operations on it via VIRTIO_TEE_CMD_INVOKE_FUNC.
- Issue VIRTIO_TEE_CMD_UNREGISTER_MEM to unregister that additional
buffer passed through virtqueue.

I suppose we can pass either guest user-space or kernel reference in
that virtqueue. Does this approach make sense to you?

-Sumit

> > > Registering guest memory to the TEE permanently would be
> > > a layering violation since that makes invalid assumptions about
> > > the type of virtio transport that do not make sense to a virtio
> > > driver.
> >
> > AFAICS, the VIRTIO is just a transport to relay information among
> > guest 

Re: [virtio-dev] [PATCH] html: add missing enumitem package

[Cornelia Huck]

On Wed, Sep 27 2023, "Michael S. Tsirkin"  wrote:

> makediffhtml.sh currently fails with:
>
> ! Missing number, treated as zero.
> 
>\c@*
> l.25850 \begin{enumerate}[label=\alph*
>   .]
> ?
> ! Emergency stop.
> 
>\c@*
> l.25850 \begin{enumerate}[label=\alph*
>   .]
>
> Some web searches turned up suggestions to use enumitem and in fact,
> virtio.tex already does this - but virtio-html.tex doesn't.
>
> Adding \usepackage{enumitem} in virtio-html.tex too fixes the issue.
>
> Signed-off-by: Michael S. Tsirkin 
> ---
>  virtio-html.tex | 1 +
>  1 file changed, 1 insertion(+)
>

Oops, should read my mail before pushing. I'll use this one instead.


-
To unsubscribe, e-mail: virtio-dev-unsubscr...@lists.oasis-open.org
For additional commands, e-mail: virtio-dev-h...@lists.oasis-open.org

[virtio-dev] [PATCH v3] virtio-tee: Reserve device ID 46 for TEE device

[jeshwank]

In a virtual environment, an application running in guest VM may want
to delegate security sensitive tasks to a Trusted Application (TA)
running within a Trusted Execution Environment (TEE). A TEE is a trusted
OS running in some secure environment, for example, TrustZone on ARM
CPUs, or a separate secure co-processor etc.

A virtual TEE device emulates a TEE within a guest VM. Such a virtual
TEE device supports multiple operations such as:

VIRTIO_TEE_CMD_OPEN_DEVICE – Open a communication channel with virtio
 TEE device.
VIRTIO_TEE_CMD_CLOSE_DEVICE – Close communication channel with virtio
  TEE device.
VIRTIO_TEE_CMD_GET_VERSION – Get version of virtio TEE.
VIRTIO_TEE_CMD_OPEN_SESSION – Open a session to communicate with
  trusted application running in TEE.
VIRTIO_TEE_CMD_CLOSE_SESSION – Close a session to end communication
   with trusted application running in TEE.
VIRTIO_TEE_CMD_INVOKE_FUNC – Invoke a command or function in trusted
 application running in TEE.
VIRTIO_TEE_CMD_CANCEL_REQ – Cancel an ongoing command within TEE.
VIRTIO_TEE_CMD_REGISTER_MEM - Register shared memory with TEE.
VIRTIO_TEE_CMD_UNREGISTER_MEM - Unregister shared memory from TEE.

We would like to reserve device ID 46 for Virtio-TEE device.

Signed-off-by: Jeshwanth Kumar 
Reviewed-by: Rijo Thomas 
Reviewed-by: Parav Pandit 
Acked-by: Sumit Garg 
---
 content.tex | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/content.tex b/content.tex
index 0a62dce..644aa4a 100644
--- a/content.tex
+++ b/content.tex
@@ -739,6 +739,8 @@ \chapter{Device Types}\label{sec:Device Types}
 \hline
 45 &   SPI master \\
 \hline
+46 &   TEE device \\
+\hline
 \end{tabular}
 
 Some of the devices above are unspecified by this document,
-- 
2.25.1


-
To unsubscribe, e-mail: virtio-dev-unsubscr...@lists.oasis-open.org
For additional commands, e-mail: virtio-dev-h...@lists.oasis-open.org