stage2: Use IGVM memory map to resize SVSM kernel #590
Conversation
|
Thanks for taking a look. It seems like the fundamental question here is if a maliciously-chosen kernel region could cause anything worse than DoS. If it can, then we should add checks for the specific conditions necessary (e.g. check alignment, check it doesn't overlap anything important, check a size minimum, or in the worst case check against a few known-good values). I was under the impression that an incorrect region wouldn't cause anything worse than a DoS, however, which is why I didn't add any checks (besides 4k alignment which is implicit in the multiplication). I'd certainly be open to adding generic checks for things that are weird even if not currently exploitable. |
AdamCDunlap
force-pushed
the
paravisor_reserved_mem
branch
3 times, most recently
from
6244f89 to
5842fd9
Compare
|
@AdamCDunlap Version 0.3.4 of the |
If the IGVM memory map has a HIDDEN entry that matches where the SVSM kernel should go according to the IgvmParamBlock, then use the size of that block for the size of the kernel (checked against a minimum and maximum size in the ParamBlock) This allows the hypervisor to dynamically resize the SVSM based on the machine shape without changing the IgvmParamBlock and thus the launch measurement. This is necessary because the SVSM uses more memory when there are more vCPUs (and, in the future, guest memory). The location and minium and maximum size can still be measured in the IgvmParamBlock to ensure that the kernel region will not overlap anything important or cause undersize problems. Signed-off-by: Adam Dunlap <[email protected]>
AdamCDunlap
force-pushed
the
paravisor_reserved_mem
branch
from
5842fd9 to
7ce600f
Compare
AdamCDunlap
changed the title
msft-jlange
added
ready-to-merge
|
Thanks for your help! |
If the IGVM memory map contains a PARAVISOR_RESERVED entry, then place the SVSM kernel at that region instead of the region specified in the IgvmParamBlock. If no such entry exists in the memory map, then continue using the IgvmParamBlock.
This allows the hypervisor to dynamically resize the SVSM based on the machine shape without changing the IgvmParamBlock and thus the launch measurement. This is necessary because the SVSM uses more memory when there are more vCPUs (and, in the future, guest memory).
Note this relies on an unpublished IGVM spec change to add the PARAVISOR_RESERVED MemoryMapEntryType.