fix(migtd): harden virtqueue, vsock, SPDM and policy against untruste…#935
Open
MichalTarnacki wants to merge 1 commit into
Open
fix(migtd): harden virtqueue, vsock, SPDM and policy against untruste…#935MichalTarnacki wants to merge 1 commit into
MichalTarnacki wants to merge 1 commit into
Conversation
1db0bce to
a3d8359
Compare
…d input Address the remaining security-audit findings across the virtio, vsock, migtd, policy, json-signer and td-payload-emu crates. - virtqueue: drive free-list traversal and chain recycling from private shadow state (desc_next, desc_write, chain_len) instead of the host-writable desc.next/desc.flags, and validate the host-reported used id against a chain we actually submitted, so the VMM cannot redirect recycling to never-submitted slots or leak in-flight descriptors. - vsock vmcall transport: reject responses whose VMM-controlled data section is shorter than the parsed fields, preventing an out-of-bounds panic when indexing reply.data(). - spdm MigtdTransport::receive: cap both read loops to the frame boundary and return payload_size + header, so a coalesced stream read no longer over-reads into the next frame and desyncs the transport. - spdm responder: gate handle_exchange_mig_info_req on the MigrationInformation variant to close a rebind-mode confusion, and persist peer-supplied SERVTD_EXT only after attestation verification succeeds. - policy: floor-match get_tcb_level_by_svn per Intel TCB-Info semantics, and fail closed in enforce_mandatory_deny when the MigTD-engine TCB status cannot be established (None treated like Revoked). - session/vsock: collapse check-then-act across separate lock scopes into a single BTreeSet::insert return-value check. - json-signer: enforce canonical-form input in json_sign_detached so a detached signature cannot be produced for bytes that will never verify. - td-payload-emu: copy into a separate shadow buffer in copy_to_private_shadow to match real td-payload snapshot semantics. Signed-off-by: Michal Tarnacki <[email protected]> Co-authored-by: GitHub Copilot <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
let mut g=USED_PORT.lock(); if g.contains(..){Err} else {g.insert(..);Ok}.