search

intel / ccc-linux-guest-hardening

Linux Security Hardening for Confidential Compute
https://intel.github.io/ccc-linux-guest-hardening-docs
MIT License
66 stars 14 forks source link

tsc: Unable to calibrate against PIT #104

Closed williamcroberts closed 1 year ago

williamcroberts commented 1 year ago

I can't see any good logging in any of the campaigns that include VIRTIO:

$ pwd
/home/bill/data/test1/BPH_VIRTIO_PCI_PROBE
(.venv) $ fuzz.sh run build -p1 --debug

When I run fuzz.sh, the output to the console is:

Worker-00 RedQ-Dict: Have performed 0 itersvs pending, findings: <0, 0, 0>
Worker-00 Input validation failed! Target funky?..

See the full logs: kafl.log

(.venv) $ pwd
/var/run/shm/kafl_bill
(.venv) $ tail -f hprintf_00.log
tail: hprintf_00.log: file truncated
tsc: Unable to calibrate against PIT
tail: hprintf_00.log: file truncated
tsc: Unable to calibrate against PIT
tail: hprintf_00.log: file truncated
tsc: Unable to calibrate against PIT
tail: hprintf_00.log: file truncated
tsc: Unable to calibrate against PIT
tail: hprintf_00.log: file truncated
tsc: Unable to calibrate against PIT
tail: hprintf_00.log: file truncated
tsc: Unable to calibrate against PIT
tail: hprintf_00.log: file truncated

I have some local changes with a bunch of printk's to see what's going on, and I don't even see my printk from the kernel's entry point at the KAFL ifdef.

diff --git a/init/main.c b/init/main.c
index c652266dc548..4c2c86e9d623 100644
--- a/init/main.c
+++ b/init/main.c
@@ -1677,7 +1677,7 @@ static int __ref kernel_init(void *unused)
        rcu_end_inkernel_boot();

        do_sysctl_args();
-
+       printk("BILL KERNEL INIT\n");
 #if defined CONFIG_TDX_FUZZ_HARNESS_FULL_BOOT || defined CONFIG_TDX_FUZZ_HARNESS_REST_INIT
        // End fuzzing before dropping to userspace
        kafl_fuzz_event(KAFL_DONE);

But their in the vmlinux is both build and shm location:

(.venv) bill@fang:/var/run/shm/kafl_bill$ strings target/vmlinux | grep BILL
BILL KERNEL INIT
BILL getting cached u64.
BILL updating cache.
BILL is NOT VIRTIO DEVICE REFRESH SKIPPING...
BILL is VIRTIO DEVICE, REFRESHING!
BILL __virtio16_to_cpu
BILL __virtio32_to_cpu
BILL __virtio64_to_cpu
BILL __virtio16_to_cpu
BILL __virtio32_to_cpu
BILL __virtio64_to_cpu
BILL __virtio16_to_cpu
BILL __virtio32_to_cpu
BILL __virtio32_to_cpu
BILL __virtio16_to_cpu
BILL __virtio16_to_cpu
BILL __virtio16_to_cpu
BILL __virtio16_to_cpu
BILL __virtio16_to_cpu
williamcroberts commented 1 year ago

Also I am using my last known good KConfig from here:

ereshetova commented 1 year ago

In order to see detailed logs from the guest you need the ensure following (will file an issue to update the docs, it is not mentioned there):

1) change qemu_append line to select the one with more debug (it is commented out by default) in bkc/kafl/kafl_config.yaml

2) modify kafl.yaml in your local "data/test1/harness_name" to comment out "#log_crashes: True" and add "log_hprintf: True" .

3) run with "fuzz.sh run build -p 2 --log-hprintf"

The you will better boot log from the guest.

ereshetova commented 1 year ago

Filed issue to update the docs on verbose input: https://github.com/intel/ccc-linux-guest-hardening/issues/105

williamcroberts commented 1 year ago

Yep, that got me better logs, why wouldn't we just make that the default?

I tried applying the patch below, but still getting tsc: Unable to calibrate against PIT

diff --git a/arch/x86/kernel/kafl-agent.c b/arch/x86/kernel/kafl-agent.c
index 79a97655a2e1..0639f1acf1ac 100644
--- a/arch/x86/kernel/kafl-agent.c
+++ b/arch/x86/kernel/kafl-agent.c
@@ -403,6 +403,8 @@ static bool kafl_fuzz_filter(uintptr_t addr, enum tdx_fuzz_loc type)
                                case 0xc000 ... 0xcfff:
                                        return 0;
 #endif
+                               case 0x70 ... 0x71:
+                                       return 0;
                                default:
                                        return 1;
                        }
ereshetova commented 1 year ago

"tsc: Unable to calibrate against PIT", yes, this message seems to be ok actually (I forgot that our emulation VM is not a real TD and in such TD this can happen) actually I saw that output in a good campaign also, so smth else is wrong. How do I reproduce your setup?

why wouldn't we just make that the default? I guess because it is not good default if you actually want to fuzz (which ideally what people would like to do), not to debug why it is not fuzzing...

williamcroberts commented 1 year ago

"tsc: Unable to calibrate against PIT", yes, this message seems to be ok actually (I forgot that our emulation VM is not a real TD and in such TD this can happen) actually I saw that output in a good campaign also, so smth else is wrong. How do I reproduce your setup?

why wouldn't we just make that the default? I guess because it is not good default if you actually want to fuzz (which ideally what people would like to do), not to debug why it is not fuzzing...

All I am doing is following the setup:

  1. Make changes to linux-guest under the ccc-linux-guest-hardening
  2. make env from cc-linux-guest-hardening repo
  3. iniit_harness.py ~/data/test1 BPH_P9_VIRTIO_PROBE
  4. cd ~/data/test1/BPH_P9_VIRTIO_PROBE
  5. fuzz.sh build ./build
  6. cd build
  7. cp the KConfig from my last known good one over (https://github.com/intel/ccc-linux-guest-hardening/files/10946069/config.bak.txt): cp ~/config.bak .config
  8. make -j4 to rebuild the kernel
  9. cd .. back to parent directory BPH_P9_VIRTIO_PROBE.
  10. run the campaign fuzz.sh run build -p 2 --debug --log-hprintf
ereshetova commented 1 year ago

@williamcroberts when you overwrite the config in the above step 7, you are enabling only CONFIG_TDX_FUZZ_HARNESS_POST_TRAP harness from the guest point of view, so virtio inputs are not being injected.

Could you please try the following default sequence instead:

  1. Make changes to linux-guest under the ccc-linux-guest-hardening
  2. make env from cc-linux-guest-hardening repo
  3. iniit_harness.py ~/data/test1 BPH_P9_VIRTIO_PROBE
  4. cd ~/data/test1/BPH_P9_VIRTIO_PROBE
  5. fuzz.sh build ./build
  6. run the campaign fuzz.sh run build -p 2 --debug --log-hprintf
williamcroberts commented 1 year ago

@williamcroberts when you overwrite the config in the above step 7, you are enabling only CONFIG_TDX_FUZZ_HARNESS_POST_TRAP harness from the guest point of view, so virtio inputs are not being injected.

Oh duh :-p

Could you please try the following default sequence instead:

  1. Make changes to linux-guest under the ccc-linux-guest-hardening
  2. make env from cc-linux-guest-hardening repo
  3. iniit_harness.py ~/data/test1 BPH_P9_VIRTIO_PROBE
  4. cd ~/data/test1/BPH_P9_VIRTIO_PROBE
  5. fuzz.sh build ./build
  6. run the campaign fuzz.sh run build -p 2 --debug --log-hprintf
williamcroberts commented 1 year ago

Thanks @ereshetova that was obvious and a duh moment, I appreciate you pointing that out. That patches seem to work. I'll do some cleanups and submit another PR.

ereshetova commented 1 year ago

@williamcroberts Great! Thank you! Is it ok to close this issue?