Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

soundness/correctness issues in tdx-tdcall #744

Open
Freax13 opened this issue Oct 31, 2024 · 1 comment
Open

soundness/correctness issues in tdx-tdcall #744

Freax13 opened this issue Oct 31, 2024 · 1 comment
Assignees
Labels
enhancement New feature or request

Comments

@Freax13
Copy link
Contributor

Freax13 commented Oct 31, 2024

  1. tdcall_report/TdxReport assumes that all memory is identity mapped. TDG.MR.REPORT takes a guest physical address, but tdcall_report simply converts a pointer to an u64 without translating the virtual address to a physical address.
  2. td_call should be marked as unsafe as it can be used to violate Rust's aliasing rules.
  3. tdvmcall_mmio_read does nothing to enforce that the value read contains a valid bit-pattern for T. It should either be marked as unsafe with a SAFETY comment stating that it may only be used for types for which all bit-patterns are safe or it should check the bit-pattern e.g. using zerocopy or bytemuck. It also doesn't check that the size of the T doesn't exceed 8 bytes.
  4. tdvmcall_get_quote also assumes a identity mapping. Furthermore having buffer be a &mut [u8] doesn't work because mutable references may never be created to hypervisor-shared memory as the hypervisor is free to alias and modify that memory in violation of Rust's rules.
  5. tdcall_accept_page, td_accept_pages, and td_accept_memory should be marked as unsafe as they could be used to violate Rust's memory aliasing rules.
  6. tdcall_vp_write should be marked as unsafe as it could be used to violate Rust's memory aliasing rules e.g. by writing the address of a shared reference into VMX_VIRTUAL_APIC_PAGE_ADDRESS_FULL_ENCODE.
  7. tdcall_vp_enter should be marked as unsafe as it could be used to violate Rust's memory aliasing rules e.g. by using the address of a shared reference as the gpa parameter.
  8. tdcall_mem_page_attr_wr should be marked as unsafe as it could be used to violate Rust's memory aliasing rules e.g. by providing write access to the address of a shared reference to an untrusted L2 guest.

Other functions that may or may not need to be marked as unsafe: tdcall_servtd_wr, tdcall_vm_write.

@jyao1
Copy link
Member

jyao1 commented Dec 12, 2024

Good feedback! Thanks @Freax13

@jyao1 jyao1 added the enhancement New feature or request label Dec 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

3 participants