`tdcall_report`/`TdxReport` assumes that all memory is identity mapped. `TDG.MR.REPORT` takes a guest physical address, but `tdcall_report` simply converts a pointer to a `u64` without translating the virtual address to a physical address.
`td_call` should be marked as unsafe as it can be used to violate Rust's aliasing rules.
`tdvmcall_mmio_read` does nothing to enforce that the value read contains a valid bit-pattern for `T`. It should either be marked as unsafe with a `SAFETY` comment stating that it may only be used for types for which all bit-patterns are safe, or it should check the bit-pattern, e.g. using `zerocopy` or `bytemuck`. It also doesn't check that the size of `T` doesn't exceed 8 bytes.
`tdvmcall_get_quote` also assumes an identity mapping. Furthermore, having `buffer` be a `&mut [u8]` doesn't work because mutable references may never be created to hypervisor-shared memory, as the hypervisor is free to alias and modify that memory in violation of Rust's rules.
`tdcall_accept_page`, `td_accept_pages`, and `td_accept_memory` should be marked as unsafe as they could be used to violate Rust's memory aliasing rules.
`tdcall_vp_write` should be marked as unsafe as it could be used to violate Rust's memory aliasing rules, e.g. by writing the address of a shared reference into `VMX_VIRTUAL_APIC_PAGE_ADDRESS_FULL_ENCODE`.
`tdcall_vp_enter` should be marked as unsafe as it could be used to violate Rust's memory aliasing rules, e.g. by using the address of a shared reference as the `gpa` parameter.
`tdcall_mem_page_attr_wr` should be marked as unsafe as it could be used to violate Rust's memory aliasing rules, e.g. by providing write access to the address of a shared reference to an untrusted L2 guest.
Other functions that may or may not need to be marked as unsafe: `tdcall_servtd_wr`, `tdcall_vm_write`.
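The following is an added example, not code from the issue or from the crate it reports against. It sketches the three safe-wrapper shapes the report asks for: an MMIO read constrained by an `AnyBitPattern` marker trait (standing in for `zerocopy`/`bytemuck`) with an explicit 8-byte size check, a copy out of hypervisor-shared memory that goes through a raw pointer and volatile reads so no `&`/`&mut` to the shared region is ever created, and a direct-map translation that makes the "pointer as `u64` is not a GPA" problem visible. `raw_mmio_read_stub`, `DirectMap` and the sample values are constructed for the example; a real guest would issue the TDVMCALL and consult its own page tables.

```rust
use std::mem::{size_of, MaybeUninit};
use std::ptr;

/// Marker for types in which every bit-pattern is a valid value (integers, not
/// `bool`, `char` or most enums). Implementing it is an `unsafe` promise; the
/// `zerocopy` and `bytemuck` crates provide equivalent traits. Constructed here.
pub unsafe trait AnyBitPattern: Copy {}
unsafe impl AnyBitPattern for u8 {}
unsafe impl AnyBitPattern for u16 {}
unsafe impl AnyBitPattern for u32 {}
unsafe impl AnyBitPattern for u64 {}
unsafe impl AnyBitPattern for u128 {} // valid bit-patterns, but too wide for one MMIO read

#[derive(Debug, PartialEq)]
pub enum MmioError {
    /// `T` is wider than the 8 bytes a single MMIO TDVMCALL can return.
    TooWide { size: usize },
}

/// Hypothetical stand-in for the raw MMIO-read TDVMCALL, backed by a constructed
/// table so the example runs without a TDX guest. Returns `size` bytes in a u64.
fn raw_mmio_read_stub(gpa: u64, size: usize) -> u64 {
    let word: u64 = match gpa {
        0xFEE0_0000 => 0x1122_3344_5566_7788, // constructed device register value
        _ => 0,
    };
    if size >= 8 { word } else { word & ((1u64 << (size * 8)) - 1) }
}

/// Safe MMIO read: the trait bound guarantees any bit-pattern is a valid `T`,
/// and the size check guarantees all of `T` is initialised from the reply.
pub fn mmio_read<T: AnyBitPattern>(gpa: u64) -> Result<T, MmioError> {
    let size = size_of::<T>();
    if size > 8 {
        return Err(MmioError::TooWide { size });
    }
    let raw = raw_mmio_read_stub(gpa, size);
    let bytes = raw.to_le_bytes();
    let mut out = MaybeUninit::<T>::uninit();
    // SAFETY: `size == size_of::<T>() <= 8`, so exactly `size` bytes of `bytes`
    // are copied into the properly aligned `out`; `T: AnyBitPattern` makes the
    // resulting value valid whatever the device returned.
    unsafe {
        ptr::copy_nonoverlapping(bytes.as_ptr(), out.as_mut_ptr() as *mut u8, size);
        Ok(out.assume_init())
    }
}

/// Copy `len` bytes out of hypervisor-shared memory. Takes a raw pointer and uses
/// volatile byte reads, because a `&[u8]`/`&mut [u8]` over memory the hypervisor
/// may change at any time would break Rust's aliasing guarantees.
///
/// SAFETY: `src..src+len` must be mapped and readable for the whole call.
pub unsafe fn copy_from_shared(src: *const u8, len: usize) -> Vec<u8> {
    let mut out = Vec::with_capacity(len);
    for i in 0..len {
        out.push(unsafe { src.add(i).read_volatile() });
    }
    out
}

/// Assumed direct-map layout (virtual = physical + constant offset). With a
/// non-zero `virt_base`, casting a pointer to u64 yields a virtual address, not
/// the GPA that TDCALLs such as TDG.MR.REPORT expect.
pub struct DirectMap {
    pub virt_base: u64,
    pub phys_base: u64,
    pub len: u64,
}

impl DirectMap {
    pub fn virt_to_phys(&self, va: u64) -> Option<u64> {
        let off = va.checked_sub(self.virt_base)?;
        if off < self.len { Some(self.phys_base + off) } else { None }
    }
}

fn main() {
    println!("u32 @ 0xFEE00000 = {:#x}", mmio_read::<u32>(0xFEE0_0000).unwrap());
    println!("u128 read: {:?}", mmio_read::<u128>(0xFEE0_0000));
    let map = DirectMap { virt_base: 0xffff_8880_0000_0000, phys_base: 0, len: 1 << 30 };
    println!("gpa = {:?}", map.virt_to_phys(0xffff_8880_0000_1000));
}
```

The point of the trait bound is that `mmio_read::<bool>` or `mmio_read::<SomeEnum>` does not compile at all, which is the property the report asks the real wrapper to provide; with a runtime check only, an invalid `T` would already be a soundness hole by the time the check fires.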