-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Canary validation in tdh_sys_lp_init() #8
Comments
Hello! Thank you for being interested in TDX.
|
Hi @sergey687, Thanks for the clarification. Cheers !!! |
@sergey687 I would like to ask a follow up question. |
@pansilup |
Hi @sergey687 Thanks. |
Summary:
I have an issue related to the use of stack canaries in the TDX module's execution of the seamcall, TDH.SYS.LP.INIT. My analysis points to a scenario where canary validation at the end of tdh_sys_lp_init() fails when the FS base is changed in the middle of the function. I appreciate your help in clarifying this.
Background Information Considered:
tdx-module/compiler_defs.mk
Line 43 in 2c25cb3
Execution Sequence
Suppose there are 2 LPs, LP0 and LP1. SEAMCALLs are issued sequentially.
on LP0: TDH.SYS.INIT
Updates the last global data page with a canary value.
This data page consists of a copy of the original sys-info table.
Changes fs base of LP0 to the last global data page address.
On LP0: TDH.SYS.LP.INIT
no issue here
On LP1: TDH.SYS.LP.INIT
Discussion:
Consider the following binary code from libtdx.so applicable for tdh_sys_lp_init() function.
-My scenario pertains to the third SEAMCALL in the sequence above.
Questions:
I have three questions:
Regarding Platform Initialization and Canary Validation:
My real TDX platform does not have any issues with platform initialization, and I assume none of the other users are facing such issues either. However, based on the analysis above, it appears that the canary validation at the end of tdh_sys_lp_init() should fail on any LP where the very first SEAMCALL on the LP happens to be TDH.SYS.LP.INIT. Logically, this makes sense, as I’m under the impression that the FS base must not be changed in the middle of a function if the function includes stack canary operations at both the beginning and the end. Do you have any thoughts on this? Is there any part of my analysis where I might have gone astray?
About the libtdx.so Compilation:
Is the production libtdx.so built without the fstack-protector-strong option?
About the Canary Location in sys-info Table:
It seems that the canary value is initialized by TDH.SYS.INIT in a copy of the sys-info table, which is copied onto the last global data page. In the struct sysinfo_table_s, the offset of the canary is 0x28. This offset is consistent with the offset to the FS base we observer when the canary is referenced in libtdx.so. How does the compilation process know where (i.e., at an offset of 0x28 from the FS base) the TDX module stores the canary value?
Thank you.
The text was updated successfully, but these errors were encountered: