marcan changed the topic of #asahi to: Asahi Linux: porting Linux to Apple Silicon macs | General project discussion | GitHub: https://alx.sh/g | Wiki: https://alx.sh/w | Topics: #asahi-dev #asahi-re #asahi-gpu #asahi-offtopic | Keep things on topic | Logs: https://alx.sh/l/asahi
<marcan>
maz: I was just thinking, what does KVM do with impdef traps? I know it does set TIDCP
<marcan>
if it just kills the VM, then this thing turns into a DoS vuln in KVM, so it'd have to handle it and ignore reads/writes instead
<marcan>
(which is what Hypervisor.framework does)
<marcan>
or perhaps just re-inject the exception as an unknown into the guest (which would then handle it as a userspace fault)
<marcan>
looks like Freenode just purged all channels with the word "libera" in the topic
<marcan>
seems we were spared by choosing OFTC instead, but I'm still going to just purge the asahi channels
klange has joined #asahi
tertu has joined #asahi
VinDuv has joined #asahi
<rkjnsn[m]>
While not usable from VMs, would M1RACLES allow two containers that are supposed to be isolated / sandboxed to communicate?
<marcan>
OS-based containers (e.g. docker on linux) yes, unfortunately
<thunfisch>
ouch, that's brutal. thanks for disclosing that.
<marcan>
but there are probably many ways of doing that anyway, with other CPU side channels and such (just this one is a particularly trivial one)
<marcan>
e.g. I bet someone can come up with something funky with cache timing attacks on vDSO pages, or stuff like that
mulderje[m] has joined #asahi
mulderje[m] is now known as mulderje
mulderje has quit []
mulderje has joined #asahi
<rkjnsn[m]>
Sure, but compared to timing attacks, this appears to be relatively easy, fast, and reliable. (No statistical analysis necessary.)
<rkjnsn[m]>
Almost certainly still not a concern for anything I plan on doing, but good to be aware of.
<thunfisch>
yeah, to me this rules out any possibility of trying to isolate stuff on m1 with containers. :[ way too easy to explit apparently.
<thunfisch>
not that containers are a good choice for security, sure, but in some cases it was "enough"
<emilazy>
you can still isolate them in many ways
<emilazy>
you just can't stop two malicious, collaborating ones from communicating
<phire>
is two containers voulterally communicating really a threat model?
<emilazy>
it certainly breaks a sufficiently strict sandboxing discipline, including the one the OS is meant to provide
<emilazy>
but yeah it's unlikely to be the dealbreaker for most
<emilazy>
if you were expecting a standard linux system with containers to provide this kind of isolation you probably already lost
<thunfisch>
yeah :)
<emilazy>
like, it's basically granting certain kinds of IPC privilege to every running process, but it has to be one both ends deliberately use, so the potential for exploits beyond two exploited components negotiating data exfiltration is probably low
<marcan>
exactly, the use cases for "I want to run two containers but talking to each other breaks my security model" are very few
<marcan>
this is veering on the malware analysis side of things, and you are quite frankly insane if you are doing that with containers; that needs a VM
<phire>
it's only going to matter if you have some containers which have network privlages and others which have other diffrent privaliages and there are collaberating malicious containers in each domain
<marcan>
I consider containers to be a security technology for, a priori, non-malicious software
<marcan>
I would not deliberately run fully untrusted, presumed-malicious code in containers as policy
<marcan>
and certainly not in scenarios sensitive enough where this kind of covert channel is an issue
cptcobalt has joined #asahi
<rkjnsn[m]>
I was thinking along the lines of, if I knew some target of value spun up containers for specific activities,
<rkjnsn[m]>
one with network access and one of particular interest was explicitly run without network access,
<rkjnsn[m]>
perhaps I find a way to compromise the base image they use for both and use M1RACLES to pass the data.
<rkjnsn[m]>
Not an attack I personally have to worry about, but folks have gone to greater lengths than that for some high-value targets.
<marcan>
yeah, but APTs like that have better exploits anyway, as I said in the faq... :)
VinDuv has quit [Quit: Leaving.]
<dottedmag>
Spinning untrusted containers on high-value targets...
pugguu has joined #asahi
<dottedmag>
BTW, it means that no amount of userspace trickery can be applied to work around it, so e.g. gVisor doesn't help, right?
<pugguu>
Are those suppose to be like that marcan all i see is 2 question marks in sideways squuares
<pugguu>
They are more like diamonds
<emilazy>
it sounds like your software or font is missing support for some Unicode characters
<emilazy>
and showing � instead
<emilazy>
though I'm not seeing where the non-ASCII characters in marcan's recent messages are
sirn has joined #asahi
<pugguu>
Hmm interesting im on a ascii supported client and is running in android so shouldnt have any issues
skali has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
<marcan>
maz: it isn't if you inject UNDEF
<marcan>
it would if you terminated the VM instead or something
<marcan>
so no problem then :)
<maz>
marcan: no. the guest has done something that was never advertised as supported.
<maz>
marcan: you execute an UNDEF, you take an exception. that's what the architecture says.
<marcan>
Misthios: I guess your webclient is missing the Hypervisor Progress Glyphs unicode page
<marcan>
maz: sure, though normally those UNDEFs are sent straight to EL1, which is different from these which trap to EL2 and have to be reinjected, so I wasn't sure what the behavior was :)
<marcan>
but of course this all makes sense, I just wanted to double check
<maz>
marcan: thankfully, from the guest PoV, it cannot make the difference. we just emulate that part of the architecture (and the NV support requires that at all times anyway).
<matt_b>
I take it there won't be a march-april status update blog post?
nafod has joined #asahi
<Chainsaw>
matt_b: There were m1racles instead.
VinDuv has joined #asahi
hir0pro has joined #asahi
<matt_b>
yeah, saw that this morning :p
<matt_b>
but I assumed that was the progress report for may XD
hir0pro has quit [Quit: leaving]
<yrlf>
matt_b: IIRC marcan said he wants to wait a bit for the progress report to be able to add the hypervisor / mmiotrace stuff to it; that was a few weeks ago I think
<matt_b>
mmm
choozy has joined #asahi
Andalu30 has joined #asahi
hir0pro has joined #asahi
<marcan>
matt_b: the march one is very overdue and is supposed to be about kernel upstreaming
<marcan>
then april-may, about the hypervisor
elwisp has joined #asahi
<marcan>
was going to do another stream today but too much m1racles stuff, so tomorrow instead :)
<marcan>
off to sleep
<facez[m]>
<Chainsaw "matt_b: There were m1racles inst"> m1racles brought me here! Well done
bps has joined #asahi
bps is now known as bps2
pugguu has quit [Read error: Connection reset by peer]
pugguu has joined #asahi
bps2 has left #asahi [Leaving]
Andalu30 has quit [Ping timeout: 480 seconds]
pugguu has quit [Read error: Connection reset by peer]
pugguu has joined #asahi
izmar has joined #asahi
Izumoo has joined #asahi
pugguu has quit [Read error: Connection reset by peer]
pugguu has joined #asahi
fridtjof[m] is now known as fridtjof[m2]
fridtjof[m2] is now known as fridtjof[m]
fridtjof[m] has quit [Quit: authenticating]
fridtjof[m] has joined #asahi
Tom has joined #asahi
Tom has left #asahi [#asahi]
StupidYui has joined #asahi
SunWuKung has quit [Remote host closed the connection]
pugguu has quit [Read error: Connection reset by peer]
pugguu has joined #asahi
pugguu has quit [Read error: Connection reset by peer]
pugguu has joined #asahi
SunWuKung has joined #asahi
maor26 has joined #asahi
maor26 has quit []
ah-[m] has joined #asahi
PieroDel[m] has joined #asahi
pugguu has quit [Ping timeout: 480 seconds]
<Misthios>
I liked the jokes
izmar has quit [Remote host closed the connection]