intel / ccc-linux-guest-hardening

Linux Security Hardening for Confidential Compute
https://intel.github.io/ccc-linux-guest-hardening-docs
MIT License
63 stars 13 forks

[Hardening aspect] CoCo guest interrupt handling #153

Open ereshetova opened 3 months ago

ereshetova commented 3 months ago

Problem

The below is TDX specific: an untrusted VMM can inject both non-NMI interrupts (via the posted-interrupt mechanism) and NMI interrupts. However, the TDX module does not allow the VMM to inject interrupt vectors in the range 0-30 via the posted-interrupt mechanism, which drastically reduces the attack surface exposed to the untrusted VMM. The rest of the interrupts are considered controlled by the host, and therefore the guest kernel code that handles them must be audited and fuzzed like any other code that receives malicious host input.

Solution

So far we have only addressed the int80 case, i.e. we are making sure that a host/VMM cannot inject an int80 interrupt into the guest (such a case will be detected and the guest will panic). Please see https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=55617fb991df535f953589586468612351575704 for details. The rest of the interrupt handlers (above vector 30) have been audited and no security implications have been found, except for the issue discussed in https://github.com/intel/ccc-linux-guest-hardening/issues/142
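Added example, not code from the issue, the kernel commit or the project: a user-space C model of the two points in the comment above, the 0-30 vector range that the TDX module refuses to post for the VMM, and the guest-side detection of an externally delivered vector 0x80. The detection is modelled on the assumption that a vector delivered through the APIC (posted by the VMM) is marked in the local APIC In-Service Register while a software `int 0x80` is not; the `apic_state_t` snapshot, `vector_host_injectable`, `handle_int80` and the sample states are constructed for this example and are not kernel interfaces.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Local APIC In-Service Register (ISR): 8 x 32-bit words covering vectors
 * 0..255. Word i, bit j is set while vector 32*i + j is being serviced
 * after delivery through the APIC (an external or posted interrupt).
 * A software "int 0x80" instruction never sets an ISR bit (assumption
 * this model relies on). */
#define APIC_ISR_WORDS 8
#define INT80_VECTOR   0x80

/* Per the issue: the TDX module blocks VMM posted injection of vectors 0-30. */
#define TDX_LAST_VMM_BLOCKED_VECTOR 30

typedef struct {
    uint32_t isr[APIC_ISR_WORDS];   /* constructed snapshot, not a register read */
} apic_state_t;

/* True if the untrusted VMM can deliver this vector via posted interrupts,
 * i.e. the handler for it must be treated as consuming hostile input. */
bool vector_host_injectable(unsigned vector)
{
    return vector > TDX_LAST_VMM_BLOCKED_VECTOR && vector <= 255;
}

/* True if `vector` is currently in service, meaning it arrived through the
 * APIC rather than from a software INT instruction. */
bool vector_in_service(const apic_state_t *apic, unsigned vector)
{
    unsigned word = vector / 32;
    uint32_t bit = 1u << (vector % 32);
    return (apic->isr[word] & bit) != 0;
}

enum int80_action { INT80_EMULATE_SYSCALL, INT80_PANIC_EXTERNAL };

/* Decision taken on entry to the vector-0x80 handler: a legitimate legacy
 * syscall is emulated, an externally injected 0x80 is treated as an attack
 * and the guest panics (modelled here as a return value). */
enum int80_action handle_int80(const apic_state_t *apic)
{
    if (vector_in_service(apic, INT80_VECTOR))
        return INT80_PANIC_EXTERNAL;
    return INT80_EMULATE_SYSCALL;
}

/* Build a snapshot in which exactly one vector is marked in service. */
apic_state_t apic_with_vector_in_service(unsigned vector)
{
    apic_state_t s = {{0}};
    s.isr[vector / 32] |= 1u << (vector % 32);
    return s;
}

int main(void)
{
    apic_state_t clean = {{0}};                               /* software int 0x80 */
    apic_state_t injected = apic_with_vector_in_service(0x80); /* VMM-posted 0x80 */

    printf("vector 14 (#PF) host-injectable: %s\n",
           vector_host_injectable(14) ? "yes" : "no");
    printf("vector 0x80 host-injectable: %s\n",
           vector_host_injectable(0x80) ? "yes" : "no");
    printf("int 0x80 from user space: %s\n",
           handle_int80(&clean) == INT80_PANIC_EXTERNAL ? "panic" : "emulate syscall");
    printf("vector 0x80 posted by VMM: %s\n",
           handle_int80(&injected) == INT80_PANIC_EXTERNAL ? "panic" : "emulate syscall");
    return 0;
}
```

The point of the model is the ordering: the ISR test happens before any syscall argument is consumed, so a VMM that posts vector 0x80 never reaches the syscall dispatch path with attacker-chosen register state.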

ereshetova commented 3 months ago

Note: we have not done any fuzzing on the interrupt handlers.