From patchwork Wed Feb 24 08:47:30 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: "Catangiu, Adrian Costin" X-Patchwork-Id: 12101525 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.8 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 02A04C433E0 for ; Wed, 24 Feb 2021 08:51:35 +0000 (UTC) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 50ECD64EBB for ; Wed, 24 Feb 2021 08:51:34 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 50ECD64EBB Authentication-Results: mail.kernel.org; dmarc=fail (p=quarantine dis=none) header.from=amazon.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Received: from localhost ([::1]:60354 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lEptN-0000f1-2B for qemu-devel@archiver.kernel.org; Wed, 24 Feb 2021 03:51:33 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:40882) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lEpqG-0007AS-B8 for qemu-devel@nongnu.org; Wed, 24 Feb 2021 03:48:21 -0500 Received: from smtp-fw-6001.amazon.com ([52.95.48.154]:61489) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lEpqE-0007oi-2M for qemu-devel@nongnu.org; Wed, 24 Feb 2021 03:48:19 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1614156498; x=1645692498; h=from:to:cc:subject:date:message-id:mime-version: content-transfer-encoding; bh=/R8Bcf3qXRH0sz3GRvHFXvpgzilNaYT4N1/kR6A7D8E=; b=lv1dvwgMXavfBqvi/ChtFDpibw2UCkORnuEwXKQb6icUMPNnanQhnBG/ laYqOsq2YiO5q4Pqb8FyU23W8+jjrs8yXFOjvrEBIV2zKVs/VlENSBw3k YMjXYyDRTJFIZL8OD6zJhI6T2V89BXk22mZn3V1iSZlPq6mY/i62p4lwL I=; X-IronPort-AV: E=Sophos;i="5.81,202,1610409600"; d="scan'208";a="91601605" Received: from iad12-co-svc-p1-lb1-vlan2.amazon.com (HELO email-inbound-relay-1a-715bee71.us-east-1.amazon.com) ([10.43.8.2]) by smtp-border-fw-out-6001.iad6.amazon.com with ESMTP; 24 Feb 2021 08:48:09 +0000 Received: from EX13D08EUB004.ant.amazon.com (iad12-ws-svc-p26-lb9-vlan2.iad.amazon.com [10.40.163.34]) by email-inbound-relay-1a-715bee71.us-east-1.amazon.com (Postfix) with ESMTPS id B296FA20A1; Wed, 24 Feb 2021 08:47:57 +0000 (UTC) Received: from uf6ed9c851f4556.ant.amazon.com (10.43.160.157) by EX13D08EUB004.ant.amazon.com (10.43.166.158) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 24 Feb 2021 08:47:42 +0000 From: Adrian Catangiu To: , , , , CC: , , , , , , <0x7f454c46@gmail.com>, , , , , , , , , , , , , , , , , , , , , , , , , , , , , Adrian Catangiu Subject: [PATCH v7 0/2] System Generation ID driver and VMGENID backend Date: Wed, 24 Feb 2021 10:47:30 +0200 Message-ID: <1614156452-17311-1-git-send-email-acatan@amazon.com> X-Mailer: git-send-email 2.7.4 MIME-Version: 1.0 X-Originating-IP: [10.43.160.157] X-ClientProxiedBy: EX13D38UWC002.ant.amazon.com (10.43.162.46) To EX13D08EUB004.ant.amazon.com (10.43.166.158) Precedence: Bulk Received-SPF: pass client-ip=52.95.48.154; envelope-from=prvs=6821e0933=acatan@amazon.com; helo=smtp-fw-6001.amazon.com X-Spam_score_int: -118 X-Spam_score: -11.9 X-Spam_bar: ----------- X-Spam_report: (-11.9 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_SPF_WL=-7.5 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" This feature is aimed at virtualized or containerized environments where VM or container snapshotting duplicates memory state, which is a challenge for applications that want to generate unique data such as request IDs, UUIDs, and cryptographic nonces. The patch set introduces a mechanism that provides a userspace interface for applications and libraries to be made aware of uniqueness breaking events such as VM or container snapshotting, and allow them to react and adapt to such events. Solving the uniqueness problem strongly enough for cryptographic purposes requires a mechanism which can deterministically reseed userspace PRNGs with new entropy at restore time. This mechanism must also support the high-throughput and low-latency use-cases that led programmers to pick a userspace PRNG in the first place; be usable by both application code and libraries; allow transparent retrofitting behind existing popular PRNG interfaces without changing application code; it must be efficient, especially on snapshot restore; and be simple enough for wide adoption. The first patch in the set implements a device driver which exposes a the /dev/sysgenid char device to userspace. Its associated filesystem operations operations can be used to build a system level safe workflow that guest software can follow to protect itself from negative system snapshot effects. The second patch in the set adds a VmGenId driver which makes use of the ACPI vmgenid device to drive SysGenId and to reseed kernel entropy following VM snapshots. **Please note**, SysGenID alone does not guarantee complete snapshot safety to applications using it. A certain workflow needs to be followed at the system level, in order to make the system snapshot-resilient. Please see the "Snapshot Safety Prerequisites" section in the included SysGenID documentation. --- v6 -> v7: - remove sysgenid uevent v5 -> v6: - sysgenid: watcher tracking disabled by default - sysgenid: add SYSGENID_SET_WATCHER_TRACKING ioctl to allow each file descriptor to set whether they should be tracked as watchers - rename SYSGENID_FORCE_GEN_UPDATE -> SYSGENID_TRIGGER_GEN_UPDATE - rework all documentation to clearly capture all prerequisites for achieving snapshot safety when using the provided mechanism - sysgenid documentation: replace individual filesystem operations examples with a higher level example showcasing system-level snapshot-safe workflow v4 -> v5: - sysgenid: generation changes are also exported through uevents - remove SYSGENID_GET_OUTDATED_WATCHERS ioctl - document sysgenid ioctl major/minor numbers v3 -> v4: - split functionality in two separate kernel modules: 1. drivers/misc/sysgenid.c which provides the generic userspace interface and mechanisms 2. drivers/virt/vmgenid.c as VMGENID acpi device driver that seeds kernel entropy and acts as a driving backend for the generic sysgenid - rename /dev/vmgenid -> /dev/sysgenid - rename uapi header file vmgenid.h -> sysgenid.h - rename ioctls VMGENID_* -> SYSGENID_* - add ‘min_gen’ parameter to SYSGENID_FORCE_GEN_UPDATE ioctl - fix races in documentation examples v2 -> v3: - separate the core driver logic and interface, from the ACPI device. The ACPI vmgenid device is now one possible backend - fix issue when timeout=0 in VMGENID_WAIT_WATCHERS - add locking to avoid races between fs ops handlers and hw irq driven generation updates - change VMGENID_WAIT_WATCHERS ioctl so if the current caller is outdated or a generation change happens while waiting (thus making current caller outdated), the ioctl returns -EINTR to signal the user to handle event and retry. Fixes blocking on oneself - add VMGENID_FORCE_GEN_UPDATE ioctl conditioned by CAP_CHECKPOINT_RESTORE capability, through which software can force generation bump v1 -> v2: - expose to userspace a monotonically increasing u32 Vm Gen Counter instead of the hw VmGen UUID - since the hw/hypervisor-provided 128-bit UUID is not public anymore, add it to the kernel RNG as device randomness - insert driver page containing Vm Gen Counter in the user vma in the driver's mmap handler instead of using a fault handler - turn driver into a misc device driver to auto-create /dev/vmgenid - change ioctl arg to avoid leaking kernel structs to userspace - update documentation Adrian Catangiu (2): drivers/misc: sysgenid: add system generation id driver drivers/virt: vmgenid: add vm generation id driver Documentation/misc-devices/sysgenid.rst | 229 +++++++++++++++ Documentation/userspace-api/ioctl/ioctl-number.rst | 1 + Documentation/virt/vmgenid.rst | 36 +++ MAINTAINERS | 15 + drivers/misc/Kconfig | 15 + drivers/misc/Makefile | 1 + drivers/misc/sysgenid.c | 322 +++++++++++++++++++++ drivers/virt/Kconfig | 13 + drivers/virt/Makefile | 1 + drivers/virt/vmgenid.c | 153 ++++++++++ include/uapi/linux/sysgenid.h | 18 ++ 11 files changed, 804 insertions(+) create mode 100644 Documentation/misc-devices/sysgenid.rst create mode 100644 Documentation/virt/vmgenid.rst create mode 100644 drivers/misc/sysgenid.c create mode 100644 drivers/virt/vmgenid.c create mode 100644 include/uapi/linux/sysgenid.h