x86/tdx: Make RDRAND/RDSEED loop forever
The hardware random generator behind RDRAND/RDSEED has limited bandwidth and can in theory be starved for some time by other cores. That's a potential attack against a TDX guest's random number generation.

The RDRAND/RDSEED users generally fall back to some other method if the default retry loop (10 retries) fails, but these other methods are usually guessable by a malicious host (like RDTSC or interrupt timing or some other methods), which might help the host with guessing.

Just make them loop forever inside TDX until a valid random number is retrieved. While that's a potential DOS, a malicious host has already other ways to DOS. It cannot be used for a DOS from other guests, because those will be eventually interrupted, which allows this guest to make progress.

Note this only affects the kernel users.

Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
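The retry policy the commit message contrasts, as an added illustration that is not code from this commit or from the Linux kernel: a bounded retry loop (10 attempts, the default the message refers to) that reports failure so the caller would fall back to a guessable source, beside the loop-forever variant chosen for TDX guests. The entropy source is abstracted behind a function pointer so the two policies can be exercised offline against a constructed "starved" source that fails a configurable number of times; the hardware probe at the end is only run when CPUID reports RDRAND support. Function and type names (`arch_get_random_long`, `rand_source_fn`, `starved_rdrand`) are assumptions for this example, not kernel symbols.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__)
#include <cpuid.h>
#endif

/* Default retry count the commit message refers to (10 retries). */
#define RDRAND_RETRY_LOOPS 10

/* Abstract entropy source: returns true and fills *out on success, or false
 * when no random value was available (CF=0 on the real RDRAND instruction). */
typedef bool (*rand_source_fn)(uint64_t *out, void *ctx);

/* Generic behaviour: bounded retry; reports failure so the caller falls back. */
bool rdrand_bounded(rand_source_fn src, void *ctx, uint64_t *out, unsigned *attempts)
{
	unsigned i;
	for (i = 0; i < RDRAND_RETRY_LOOPS; i++) {
		if (attempts)
			*attempts = i + 1;
		if (src(out, ctx))
			return true;
	}
	return false;	/* caller would now use a guessable fallback */
}

/* TDX behaviour described by the commit: keep retrying until a value arrives,
 * so the guessable fallback path is never taken. */
bool rdrand_loop_forever(rand_source_fn src, void *ctx, uint64_t *out, unsigned *attempts)
{
	unsigned i = 0;
	do {
		i++;
		if (attempts)
			*attempts = i;
	} while (!src(out, ctx));
	return true;
}

/* Policy switch (assumed name): inside a TDX guest, never give up. */
bool arch_get_random_long(bool tdx_guest, rand_source_fn src, void *ctx,
			  uint64_t *out, unsigned *attempts)
{
	if (tdx_guest)
		return rdrand_loop_forever(src, ctx, out, attempts);
	return rdrand_bounded(src, ctx, out, attempts);
}

/* Constructed starved source for offline testing: fails fail_count times,
 * then succeeds with a fixed sample value (not real entropy). */
struct starved_source {
	unsigned fail_count;
	unsigned calls;
};

bool starved_rdrand(uint64_t *out, void *ctx)
{
	struct starved_source *s = ctx;
	if (s->calls++ < s->fail_count)
		return false;
	*out = 0x5eedULL;	/* constructed sample value */
	return true;
}

#if defined(__x86_64__)
/* Real RDRAND via inline asm; CF reports whether a value was delivered. */
static bool hw_rdrand(uint64_t *out, void *ctx)
{
	unsigned char ok;
	(void)ctx;
	__asm__ volatile("rdrand %0; setc %1" : "=r"(*out), "=qm"(ok));
	return ok;
}

static bool cpu_has_rdrand(void)
{
	unsigned int eax, ebx, ecx, edx;
	if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
		return false;
	return (ecx & bit_RDRND) != 0;
}
#endif

int main(void)
{
	struct starved_source s = { .fail_count = 15, .calls = 0 };
	uint64_t v = 0;
	unsigned n = 0;
	bool ok;

	/* Generic policy gives up after 10 tries against a 15-failure starvation. */
	ok = arch_get_random_long(false, starved_rdrand, &s, &v, &n);
	printf("generic: ok=%d after %u attempt(s)\n", ok, n);

	/* TDX policy outlasts the starvation and returns a value on attempt 16. */
	s.calls = 0;
	ok = arch_get_random_long(true, starved_rdrand, &s, &v, &n);
	printf("tdx: ok=%d after %u attempt(s), value=0x%llx\n", ok, n, (unsigned long long)v);

#if defined(__x86_64__)
	if (cpu_has_rdrand() && arch_get_random_long(true, hw_rdrand, NULL, &v, &n))
		printf("hardware rdrand: 0x%llx after %u attempt(s)\n", (unsigned long long)v, n);
#endif
	return 0;
}
```

The starved source models the scenario the commit describes (other cores draining the shared DRNG); the bounded policy returns false after exactly `RDRAND_RETRY_LOOPS` calls, which is the point at which a generic kernel would switch to a fallback the host can predict, while the loop-forever policy simply keeps going until the hardware delivers.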
Andi Kleen authored and Kuppuswamy Sathyanarayanan committed on Sep 2, 2021. 1 parent: 09144dd. Commit: 1fe89e7.
Showing 3 changed files with 31 additions and 10 deletions.