Mailing List Archive

From:: "Theo de Raadt" <deraadt@openbsd.org>
Subject:: Re: [EXT] AMD SEV 1/5: ccp(4): pledge for ioctl(2
To:: =?iso-8859-1?Q?Hans-J=F6rg_H=F6xer?= <Hans-Joerg_Hoexer@genua.de>
Cc:: tech@openbsd.org, mlarkin@nested.page, dv@sisu.io, alexander.bluhm@gmx.net
Date:: Wed, 28 Aug 2024 09:03:05 -0600

Download raw body.

Thread

2024-08-28 14:19 Theo de Raadt:
AMD SEV 1/5: ccp(4): pledge for ioctl(2
- 2024-08-28 14:59 Hans-Jörg Höxer:
  [EXT] AMD SEV 1/5: ccp(4): pledge for ioctl(2
- - 2024-08-28 15:03 Theo de Raadt:
    [EXT] AMD SEV 1/5: ccp(4): pledge for ioctl(2
  - - 2024-08-28 15:35 Hans-Jörg Höxer:
      [EXT] AMD SEV 1/5: ccp(4): pledge for ioctl(2
    - - 2024-08-28 15:48 Theo de Raadt:
        [EXT] AMD SEV 1/5: ccp(4): pledge for ioctl(2

Hans-Jörg Höxer <Hans-Joerg_Hoexer@genua.de> wrote:

> Hi,
> 
> On Wed, Aug 28, 2024 at 08:19:49AM -0600, Theo de Raadt wrote:
> > You need all the ioctl values to work with this pledge?
> 
> good point.  Updated diff below limits to those values that will actually
> be used by vmd.

I think those ioctl's should pledge_fail, rather than returning EPERM.
Meaning, crash the program that requested an unpermitted operation.

2024-08-28 14:19 Theo de Raadt:
AMD SEV 1/5: ccp(4): pledge for ioctl(2
- 2024-08-28 14:59 Hans-Jörg Höxer:
  [EXT] AMD SEV 1/5: ccp(4): pledge for ioctl(2
- - 2024-08-28 15:03 Theo de Raadt:
    [EXT] AMD SEV 1/5: ccp(4): pledge for ioctl(2
  - - 2024-08-28 15:35 Hans-Jörg Höxer:
      [EXT] AMD SEV 1/5: ccp(4): pledge for ioctl(2
    - - 2024-08-28 15:48 Theo de Raadt:
        [EXT] AMD SEV 1/5: ccp(4): pledge for ioctl(2