[UBUNTU 20.04] KVM: Enable storage key checking for intercepted instruction
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu on IBM z Systems | Fix Released | High | Skipper Bug Screeners |
linux (Ubuntu) | Fix Released | High | Canonical Kernel Team |
Focal | Fix Released | Medium | Unassigned |
Bug Description
SRU Justification:
==================
[Impact]
* KVM uses lazy storage key enablement, since Linux itself no longer makes use of
the storage keys. When the guest enters keyed mode, KVM saves/restores the keys
during paging, provides change/reference tracking for guest and host, and
performs key protection checks for all interpreted instructions.
* If an instruction is intercepted and passed along to userspace (like QEMU),
however, no storage key protection is checked.
* This violates the architecture and can result in misbehaving guests that
rely on key protection for all instructions.
* This item improves the MEMOP ioctl to also perform key checking.
If key protection denies an access, the correct fault is injected into the guest.
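To make the key-protection rule that the intercepted-instruction and MEMOP paths have to enforce concrete, here is an added example (not the kernel's code, and not from this bug report) that models z/Architecture key-controlled protection over a small constructed guest memory. It checks every page an absolute-address range touches before performing the access, rejects the whole operation with a protection exception if any page fails, and maintains the reference/change bits on success. The page layout, storage key values, the function names `key_access_allowed` and `guest_memop`, and the `GACC_*` modes are assumptions for illustration; storage-protection override and fetch-protection override are deliberately not modelled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Storage key per 4K page: ACC (4 bits), F (fetch protection),
 * R (reference), C (change). An access with access key K is permitted if
 *   - K is 0 (key 0 is exempt from key-controlled protection), or
 *   - K equals the page's ACC, or
 *   - the access is a fetch and the page's F bit is 0.
 * Anything else must raise a protection exception in the guest.
 */
#define PAGE_SHIFT     12
#define PAGE_SIZE      (1u << PAGE_SHIFT)
#define NR_PAGES       4
#define PGM_PROTECTION 0x04   /* s390 program interruption code: protection exception */

#define SKEY_ACC(k)    ((k) >> 4)
#define SKEY_FP        0x08
#define SKEY_REF       0x04
#define SKEY_CHG       0x02

enum gacc_mode { GACC_FETCH, GACC_STORE };

/* Constructed guest: a few pages of memory plus one storage key per page. */
static uint8_t guest_mem[NR_PAGES * PAGE_SIZE];
static uint8_t guest_skey[NR_PAGES] = {
    0x10,   /* page 0: ACC=1, not fetch protected */
    0x28,   /* page 1: ACC=2, fetch protected */
    0x00,   /* page 2: ACC=0 */
    0x38,   /* page 3: ACC=3, fetch protected */
};

/* Key-controlled protection check for one page (illustrative name). */
bool key_access_allowed(uint8_t access_key, uint8_t storage_key, enum gacc_mode mode)
{
    if (access_key == 0)
        return true;
    if (access_key == SKEY_ACC(storage_key))
        return true;
    if (mode == GACC_FETCH && !(storage_key & SKEY_FP))
        return true;
    return false;
}

/*
 * Model of a key-checked absolute guest memory access in the shape of the
 * MEM_OP ioctl: size check, all-or-nothing key check over the whole range,
 * then the copy plus R/C tracking. Returns 0 on success, PGM_PROTECTION if
 * any touched page fails the key check, -1 for a zero-length or out-of-range
 * request.
 */
int guest_memop(uint64_t gpa, size_t len, uint8_t access_key,
                enum gacc_mode mode, uint8_t *buf)
{
    if (len == 0 || gpa + len < gpa || gpa + len > sizeof(guest_mem))
        return -1;

    uint64_t first = gpa >> PAGE_SHIFT;
    uint64_t last = (gpa + len - 1) >> PAGE_SHIFT;

    /* Pass 1: protection check for every page, so a denied access leaves
     * guest memory untouched (no partial stores). */
    for (uint64_t p = first; p <= last; p++)
        if (!key_access_allowed(access_key, guest_skey[p], mode))
            return PGM_PROTECTION;

    /* Pass 2: the access itself and reference/change bit maintenance. */
    if (mode == GACC_FETCH)
        memcpy(buf, guest_mem + gpa, len);
    else
        memcpy(guest_mem + gpa, buf, len);
    for (uint64_t p = first; p <= last; p++)
        guest_skey[p] |= (mode == GACC_STORE) ? (SKEY_REF | SKEY_CHG) : SKEY_REF;
    return 0;
}

int main(void)
{
    uint8_t buf[8] = {0};
    /* Store with key 2 into page 0 (ACC=1): key mismatch, must be denied. */
    int rc = guest_memop(0, sizeof(buf), 2, GACC_STORE, buf);
    printf("store key 2 -> page 0: %s\n", rc == PGM_PROTECTION ? "PGM_PROTECTION" : "ok");
    /* Fetch spanning page 0 and the fetch-protected page 1 with key 1. */
    rc = guest_memop(PAGE_SIZE - 4, sizeof(buf), 1, GACC_FETCH, buf);
    printf("fetch key 1 across pages 0/1: %s\n", rc == PGM_PROTECTION ? "PGM_PROTECTION" : "ok");
    return 0;
}
```

The two-pass structure is the point worth noticing: a cross-page access whose first page passes and whose second page fails must not leave a half-written store behind, which is why the check runs over the whole range before any byte is copied.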
[Fix]
* The following changes since commit dbdbd581976f9df
UBUNTU: Ubuntu-
are available in the Git repository at:
https:/
for you to fetch changes up to 16c0809cf1012e6
KVM: s390: Add missing vm MEM_OP size check (2022-03-03 22:45:50 +0100)
* The patches are accepted upstream (but some are, as of today, still in linux-next).
* Notes on why the backports are needed are included in the provenance of the corresponding commit.
[Test Case]
* An IBM z13 or LinuxONE system running Ubuntu Server 20.04 with a QEMU/KVM
setup is needed.
* The modifications here are covered by the following three tests:
* [kvm-unit-tests,v2] s390x: Test effect of storage keys on some instructions
https:/
* [PATCH v2 0/5] memop selftest for storage key checking
https://<email address hidden>/
* c7ef9ebbed20 "KVM: s390: selftests: Test TEST PROTECTION emulation"
* The tests and the verification will be done by the IBM Z team.
* In addition, a test build is available (see below).
[Where problems could occur]
* Issues with the vm ioctl may occur due to the introduction of _vm_ioctl.
* Tests may fail or report wrong states due to the new TEST_FAIL macro in
tests/utilities or due to the new variants of GUEST_ASSERT in the selftests.
* Problems in gaccess might be caused by the refactoring of the gpa and length
calculation, the access address range check and the new access_guest_page helper
function.
* In uaccess, issues may occur due to the introduction of the bit field for the OAC
specifier, which causes many but relatively straightforward changes, or due
to the new storage key checking functions copy_from/
* Compile issues may happen if the changes in uaccess.h about z10 features
are erroneous.
* Instructions that are emulated by KVM might be impacted by the expanded
storage key checking, which now covers intercepted instructions, too.
This is the most significant modification in terms of size and complexity
and therefore carries the highest risk.
* The MEM_OP IOCTL could be harmed by the additional, but optional, storage
key extension and checking, or by the new size check; I/O emulation can be
impacted by the new vm IOCTL for key checked guest memory access.
* Some tests were added to mitigate this, like the TEST PROTECTION selftest.
* The renaming of the existing vcpu memop functions shouldn't be very harmful,
since any issues would already show up in the test build.
* The rest are API documentation updates and clarifications.
* Except for two include/header changes and changes in tools/testing,
all other modifications are s390x specific.
[Other]
* It was ensured that these changes are in jammy based on LP#1933179.
__________
Description:
KVM uses lazy storage key enablement, since Linux itself no longer makes use of the storage keys. When the guest enters keyed mode, KVM saves/restores the keys during paging, provides change/reference tracking for guest and host, and performs key protection checks for all interpreted instructions.
If an instruction is intercepted and passed along to userspace (like QEMU), however, no storage key protection is checked. This violates the architecture and can result in misbehaving guests that rely on key protection for all instructions.
This item adds the missing key checking to the MEMOP ioctl.
tags: | added: architecture-s39064 bugnameltc-196455 severity-high targetmilestone-inin--- |
Changed in ubuntu: | |
assignee: | nobody → Skipper Bug Screeners (skipper-screen-team) |
affects: | ubuntu → linux (Ubuntu) |
Changed in linux (Ubuntu): | |
importance: | Undecided → High |
Changed in ubuntu-z-systems: | |
importance: | Undecided → High |
assignee: | nobody → Skipper Bug Screeners (skipper-screen-team) |
summary: |
[UBUNTU 20.04] KVM: Enable storage key checking for intercepted instruction (Backport to focal) → [UBUNTU 20.04] KVM: Enable storage key checking for intercepted instruction |
description: | updated |
Changed in linux (Ubuntu Focal): | |
importance: | Undecided → Medium |
status: | New → Fix Committed |
Changed in linux (Ubuntu): | |
status: | In Progress → Fix Committed |
Changed in ubuntu-z-systems: | |
status: | In Progress → Fix Committed |
tags: |
added: targetmilestone-inin2004 removed: targetmilestone-inin--- |
tags: |
added: verification-done-focal removed: verification-needed-focal |
Changed in ubuntu-z-systems: | |
status: | Fix Committed → Fix Released |
------- Comment From <email address hidden> 2022-03-03 05:34 EDT-------
Here are the actions performed to arrive at the specific patches, respectively:
01. backport e2c12909ae5f (selftests: kvm: add _vm_ioctl)
02. backport a46f8a63cde8 (selftests: kvm: Introduce the TEST_FAIL macro)
03. cherry-pick 3e6b94126784 (KVM: selftests: Add GUEST_ASSERT variants to pass values to host)
04. cherry-pick 416e7f0c9d61 (KVM: s390: gaccess: Refactor gpa and length calculation)
05. cherry-pick 7faa543df19b (KVM: s390: gaccess: Refactor access address range check)
06. cherry-pick bad13799e030 (KVM: s390: gaccess: Cleanup access to guest pages)
07. backport 012a224e1fa3 (s390/uaccess: introduce bit field for OAC specifier)
08. backport 3d787b392d16 (s390/uaccess: fix compile error)
09. backport 1a82f6ab2365 (s390/uaccess: Add copy_from/to_user_key functions)
10. backport e613d83454d7 (KVM: s390: Honor storage keys when accessing guest memory)
11. cherry-pick 61380a7adfce (KVM: s390: handle_tprot: Honor storage keys)
12. backport c7ef9ebbed20 (KVM: s390: selftests: Test TEST PROTECTION emulation)
13. cherry-pick e9e9feebcbc1 (KVM: s390: Add optional storage key checking to MEMOP IOCTL)
14. backport ef11c9463ae0 (KVM: s390: Add vm IOCTL for key checked guest absolute memory access)
15. cherry-pick 0e1234c02b77 (KVM: s390: Rename existing vcpu memop functions)
16. backport d004079edc16 (KVM: s390: Add capability for storage key extension of MEM_OP IOCTL)
17. backport 5e35d0eb472b (KVM: s390: Update api documentation for memop ioctl)
18. backport cbf9b8109d32 (KVM: s390: Clarify key argument for MEM_OP in api docs)
19. cherry-pick 3d9042f8b923 (KVM: s390: Add missing vm MEM_OP size check)
Notes on backport
01. resolve minor conflict due to additional includes
02. resolve minor conflict due to additional functionality
07. backport needs to use primary address space
08. resolve minor conflict, only move #define
09. resolve minor conflict caused by older base, e.g. use of primary address space;
implement __copy_to/from_user_key by copying the include/linux/uaccess.h (i.e. old code) implementation and adding key support
10. replace locking of current->mm;
mark_page_dirty instead of mark_page_dirty_in_slot
12. replace aligned attribute;
GUEST_ASSERT instead of GUEST_ASSERT_EQ,
fprintf instead of print_skip
14. replace locking of current->mm
16. resolve minor conflict caused by additional capabilities;
ADJUST CAPABILITY NUMBER TO 211 TO ACCOUNT FOR MERGE COMMIT IN kvm-next THAT CHANGED IT
17. move documentation to api.txt
18. move documentation to api.txt
As 16. mentions, the capability number was adjusted to 211.