soundness improvements around hypervisor-shared memory #451
Commits on Sep 18, 2024
-
greq: derive AsBytes for SnpGuestRequestMsgHdr
This makes it possible to implement get_aad_slice without any unsafe code. Signed-off-by: Tom Dohrmann <[email protected]>
-
hv_doorbell: wrap reserved_63_4 in UnsafeCell
Given that the hypervisor has write access to that memory, we need to treat the memory as interiorly mutable. Signed-off-by: Tom Dohrmann <[email protected]>
Commits on Sep 20, 2024
-
ghcb: make all accesses atomic
Cell doesn't allow concurrent accesses. This is a problem because we share the memory with the host and the host could write to the memory while we're reading it. Use atomic accesses instead. Atomic accesses can tolerate concurrent writes. Signed-off-by: Tom Dohrmann <[email protected]>
Commits on Sep 26, 2024
-
greq: copy data before checking if it's empty
This resolves a TOC-TOU issue. Furthermore we don't need to check the entire content: If the certificate data is not empty, there will be non-zero bytes in the first 24 bytes. Signed-off-by: Tom Dohrmann <[email protected]>
-
SharedBox is a safe wrapper around memory pages shared with the host. Signed-off-by: Tom Dohrmann <[email protected]>
-
mm: replace HVDoorbellPage with single function
HVDoorbellPage was only used in one place and leak was immediately called on it. Given that we don't ever need to free up a doorbell page let's just implement this in a single function returning a static reference. Signed-off-by: Tom Dohrmann <[email protected]>
-
stage2: use drop_in_place instead of shutdown
This is better for a couple of reasons: 1. drop_in_place destroys the object rather than mutating it to release resources. The downside with simply mutating but not destroying is that the object still has to be in a valid state and this limits the shutdown code (for example it can't release the memory associated with a PageBox) 2. After the object has been dropped, it can't be accessed anymore. This means that the shutdown code doesn't have to worry about later accesses like the previous code had to. 3. All resources are freed, not just the GHCB. This also fixes a soundness issue where if the shutdown were to be called twice on the same GHCB that would result in a double-pvalidate bug. Signed-off-by: Tom Dohrmann <[email protected]>
-
This impl is unused. It is also unsound because we can never have unique ownership over the GHCB as long as it is shared with the host. Signed-off-by: Tom Dohrmann <[email protected]>
-
ghcb: move shutdown code into Drop impl
Now that the shutdown code is only called from the Drop impl we might as well move it in there. This also makes it impossible to call shutdown more than once (or to call shutdown and the Drop the GhcbPage). Signed-off-by: Tom Dohrmann <[email protected]>
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.