From: Ram Pai <linuxram@us.ibm.com>
To: Paul Mackerras <paulus@ozlabs.org>
Cc: Sukadev Bhattiprolu <sukadev@linux.ibm.com>,
cclaudio@linux.ibm.com, kvm-ppc@vger.kernel.org,
Bharata B Rao <bharata@linux.ibm.com>,
linux-mm@kvack.org, jglisse@redhat.com,
Ram Pai <linuxram@linux.ibm.com>,
aneesh.kumar@linux.vnet.ibm.com, paulus@au1.ibm.com,
sukadev@linux.vnet.ibm.com, linuxppc-dev@lists.ozlabs.org,
hch@lst.de
Subject: Re: [PATCH v10 7/8] KVM: PPC: Implement H_SVM_INIT_ABORT hcall
Date: Mon, 11 Nov 2019 23:52:15 -0800 [thread overview]
Message-ID: <20191112075215.GD5159@oc0525413822.ibm.com> (raw)
In-Reply-To: <20191112053836.GB10885@oak.ozlabs.ibm.com>
On Tue, Nov 12, 2019 at 04:38:36PM +1100, Paul Mackerras wrote:
> On Mon, Nov 11, 2019 at 05:01:58PM -0800, Ram Pai wrote:
> > On Mon, Nov 11, 2019 at 03:19:24PM +1100, Paul Mackerras wrote:
> > > On Mon, Nov 04, 2019 at 09:47:59AM +0530, Bharata B Rao wrote:
> > > > From: Sukadev Bhattiprolu <sukadev@linux.ibm.com>
> > > >
> > > > Implement the H_SVM_INIT_ABORT hcall which the Ultravisor can use to
> > > > abort an SVM after it has issued the H_SVM_INIT_START and before the
> > > > H_SVM_INIT_DONE hcalls. This hcall could be used when Ultravisor
> > > > encounters security violations or other errors when starting an SVM.
> > > >
> > > > Note that this hcall is different from UV_SVM_TERMINATE ucall which
> > > > is used by HV to terminate/cleanup an SVM.
> > > >
> > > > In case of H_SVM_INIT_ABORT, we should page-out all the pages back to
> > > > HV (i.e., we should not skip the page-out). Otherwise the VM's pages,
> > > > possibly including its text/data would be stuck in secure memory.
> > > > Since the SVM did not go secure, its MSR_S bit will be clear and the
> > > > VM wont be able to access its pages even to do a clean exit.
> > >
...skip...
> >
> > If the ultravisor cleans up the SVM's state on its side and then informs
> > the Hypervisor to abort the SVM, the hypervisor will not be able to
> > cleanly terminate the VM. Because to terminate the SVM, the hypervisor
> > still needs the services of the Ultravisor. For example: to get the
> > pages back into the hypervisor if needed. Another example is, the
> > hypervisor can call UV_SVM_TERMINATE. Regardless of which ucall
> > gets called, the ultravisor has to hold on to enough state of the
> > SVM to service that request.
>
> OK, that's a good reason. That should be explained in the commit
> message.
>
> > The current design assumes that the hypervisor explicitly informs the
> > ultravisor, that it is done with the SVM, through the UV_SVM_TERMINATE
> > ucall. Till that point the Ultravisor must to be ready to service any
> > ucalls made by the hypervisor on the SVM's behalf.
>
> I see that UV_SVM_TERMINATE is done when the VM is being destroyed (at
> which point kvm->arch.secure_guest doesn't matter any more), and in
> kvmhv_svm_off(), where kvm->arch.secure_guest gets cleared
> explicitly. Hence I don't see any need for clearing it in the
> assembly code on the next secure guest entry. I think the change to
> book3s_hv_rmhandlers.S can just be dropped.
There is subtle problem removing that code from the assembly.
If the H_SVM_INIT_ABORT hcall returns to the ultravisor without clearing
kvm->arch.secure_guest, the hypervisor will continue to think that the
VM is a secure VM. However the primary reason the H_SVM_INIT_ABORT
hcall was invoked, was to inform the Hypervisor that it should no longer
consider the VM as a Secure VM. So there is a inconsistency there.
This is fine, as long as the VM does not invoke any hcall or does not
receive any hypervisor-exceptions. The moment either of those happen,
the control goes into the hypervisor, the hypervisor services
the exception/hcall and while returning, it will see that the
kvm->arch.secure_guest flag is set and **incorrectly** return
to the ultravisor through a UV_RETURN ucall. Ultravisor will
not know what to do with it, because it does not consider that
VM as a Secure VM. Bad things happen.
( Sidenote: when H_SVM_INIT_ABORT hcalls returns from the hypervisor,
the ultravisor cleans up its internal state corresponding of that
aborted-SVM and returns back to the caller with MSR[S]=0 )
RP
next prev parent reply other threads:[~2019-11-12 7:55 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-04 4:17 [PATCH v10 0/8] KVM: PPC: Driver to manage pages of secure guest Bharata B Rao
2019-11-04 4:17 ` [PATCH v10 1/8] mm: ksm: Export ksm_madvise() Bharata B Rao
2019-11-06 4:33 ` Paul Mackerras
2019-11-06 6:45 ` Bharata B Rao
2019-11-07 5:45 ` Paul Mackerras
2019-11-15 14:10 ` Bharata B Rao
2019-11-04 4:17 ` [PATCH v10 2/8] KVM: PPC: Support for running secure guests Bharata B Rao
2019-11-06 4:34 ` Paul Mackerras
2019-11-04 4:17 ` [PATCH v10 3/8] KVM: PPC: Shared pages support for " Bharata B Rao
2019-11-06 4:52 ` Paul Mackerras
2019-11-06 8:22 ` Bharata B Rao
2019-11-06 8:29 ` Bharata B Rao
2019-11-04 4:17 ` [PATCH v10 4/8] KVM: PPC: Radix changes for secure guest Bharata B Rao
2019-11-06 5:58 ` Paul Mackerras
2019-11-06 8:36 ` Bharata B Rao
2019-11-04 4:17 ` [PATCH v10 5/8] KVM: PPC: Handle memory plug/unplug to secure VM Bharata B Rao
2019-11-11 4:25 ` Paul Mackerras
2019-11-04 4:17 ` [PATCH v10 6/8] KVM: PPC: Support reset of secure guest Bharata B Rao
2019-11-11 5:28 ` Paul Mackerras
2019-11-11 6:55 ` Bharata B Rao
2019-11-12 5:34 ` Paul Mackerras
2019-11-13 15:29 ` Bharata B Rao
2019-11-14 5:07 ` Paul Mackerras
2019-11-04 4:17 ` [PATCH v10 7/8] KVM: PPC: Implement H_SVM_INIT_ABORT hcall Bharata B Rao
2019-11-11 4:19 ` Paul Mackerras
2019-11-12 1:01 ` Ram Pai
2019-11-12 5:38 ` Paul Mackerras
2019-11-12 7:52 ` Ram Pai [this message]
2019-11-12 11:32 ` Paul Mackerras
2019-11-12 14:45 ` Ram Pai
2019-11-13 0:14 ` Paul Mackerras
2019-11-13 6:32 ` Ram Pai
2019-11-13 21:18 ` Paul Mackerras
2019-11-13 21:50 ` Ram Pai
2019-11-14 5:08 ` Paul Mackerras
2019-11-14 7:02 ` Ram Pai
2019-11-04 4:18 ` [PATCH v10 8/8] KVM: PPC: Ultravisor: Add PPC_UV config option Bharata B Rao
2019-11-06 4:30 ` [PATCH v10 0/8] KVM: PPC: Driver to manage pages of secure guest Paul Mackerras
2019-11-06 6:20 ` Bharata B Rao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191112075215.GD5159@oc0525413822.ibm.com \
--to=linuxram@us.ibm.com \
--cc=aneesh.kumar@linux.vnet.ibm.com \
--cc=bharata@linux.ibm.com \
--cc=cclaudio@linux.ibm.com \
--cc=hch@lst.de \
--cc=jglisse@redhat.com \
--cc=kvm-ppc@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=linuxram@linux.ibm.com \
--cc=paulus@au1.ibm.com \
--cc=paulus@ozlabs.org \
--cc=sukadev@linux.ibm.com \
--cc=sukadev@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).