From: Sean Christopherson <seanjc@google.com>
To: Paolo Bonzini <pbonzini@redhat.com>,
Brijesh Singh <brijesh.singh@amd.com>,
Tom Lendacky <thomas.lendacky@amd.com>,
John Allen <john.allen@amd.com>
Cc: Sean Christopherson <seanjc@google.com>,
Vitaly Kuznetsov <vkuznets@redhat.com>,
Wanpeng Li <wanpengli@tencent.com>,
Jim Mattson <jmattson@google.com>, Joerg Roedel <joro@8bytes.org>,
kvm@vger.kernel.org, linux-crypto@vger.kernel.org,
linux-kernel@vger.kernel.org, Borislav Petkov <bp@suse.de>
Subject: [PATCH 3/5] crypto: ccp: Play nice with vmalloc'd memory for SEV command structs
Date: Fri, 2 Apr 2021 16:37:00 -0700 [thread overview]
Message-ID: <20210402233702.3291792-4-seanjc@google.com> (raw)
In-Reply-To: <20210402233702.3291792-1-seanjc@google.com>
Copy vmalloc'd data to an internal buffer instead of rejecting outright
so that callers can put SEV command buffers on the stack without running
afoul of CONFIG_VMAP_STACK=y. Currently, the largest supported command
takes a 68 byte buffer, i.e. pretty much every command can be put on the
stack. Because sev_cmd_mutex is held for the entirety of a transaction,
only a single bounce buffer is required.
Use a flexible array for the buffer, sized to hold the largest known
command. Alternatively, the buffer could be a union of all known
command structs, but that would incur a higher maintenance cost due to
the need to update the union for every command in addition to updating
the existing sev_cmd_buffer_len().
Align the buffer to an 8-byte boundary, mimicking the alignment that
would be provided by the compiler if any of the structs were embedded
directly. Note, sizeof() correctly incorporates this alignment.
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Borislav Petkov <bp@suse.de>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
---
drivers/crypto/ccp/sev-dev.c | 33 +++++++++++++++++++++++++++------
drivers/crypto/ccp/sev-dev.h | 7 +++++++
2 files changed, 34 insertions(+), 6 deletions(-)
diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
index 4c513318f16a..6d5882290cfc 100644
--- a/drivers/crypto/ccp/sev-dev.c
+++ b/drivers/crypto/ccp/sev-dev.c
@@ -135,13 +135,14 @@ static int sev_cmd_buffer_len(int cmd)
return 0;
}
-static int __sev_do_cmd_locked(int cmd, void *data, int *psp_ret)
+static int __sev_do_cmd_locked(int cmd, void *__data, int *psp_ret)
{
struct psp_device *psp = psp_master;
struct sev_device *sev;
unsigned int phys_lsb, phys_msb;
unsigned int reg, ret = 0;
int buf_len;
+ void *data;
if (!psp || !psp->sev_data)
return -ENODEV;
@@ -152,11 +153,21 @@ static int __sev_do_cmd_locked(int cmd, void *data, int *psp_ret)
sev = psp->sev_data;
buf_len = sev_cmd_buffer_len(cmd);
- if (WARN_ON_ONCE(!!data != !!buf_len))
+ if (WARN_ON_ONCE(!!__data != !!buf_len))
return -EINVAL;
- if (WARN_ON_ONCE(data && is_vmalloc_addr(data)))
- return -EINVAL;
+ if (__data && is_vmalloc_addr(__data)) {
+ /*
+ * If the incoming buffer is virtually allocated, copy it to
+ * the driver's scratch buffer as __pa() will not work for such
+ * addresses, vmalloc_to_page() is not guaranteed to succeed,
+ * and vmalloc'd data may not be physically contiguous.
+ */
+ data = sev->cmd_buf;
+ memcpy(data, __data, buf_len);
+ } else {
+ data = __data;
+ }
/* Get the physical address of the command buffer */
phys_lsb = data ? lower_32_bits(__psp_pa(data)) : 0;
@@ -204,6 +215,13 @@ static int __sev_do_cmd_locked(int cmd, void *data, int *psp_ret)
print_hex_dump_debug("(out): ", DUMP_PREFIX_OFFSET, 16, 2, data,
buf_len, false);
+ /*
+ * Copy potential output from the PSP back to __data. Do this even on
+ * failure in case the caller wants to glean something from the error.
+ */
+ if (__data && data != __data)
+ memcpy(__data, data, buf_len);
+
return ret;
}
@@ -978,9 +996,12 @@ int sev_dev_init(struct psp_device *psp)
{
struct device *dev = psp->dev;
struct sev_device *sev;
- int ret = -ENOMEM;
+ int ret = -ENOMEM, cmd_buf_size = 0, i;
- sev = devm_kzalloc(dev, sizeof(*sev), GFP_KERNEL);
+ for (i = 0; i < SEV_CMD_MAX; i++)
+ cmd_buf_size = max(cmd_buf_size, sev_cmd_buffer_len(i));
+
+ sev = devm_kzalloc(dev, sizeof(*sev) + cmd_buf_size, GFP_KERNEL);
if (!sev)
goto e_err;
diff --git a/drivers/crypto/ccp/sev-dev.h b/drivers/crypto/ccp/sev-dev.h
index dd5c4fe82914..b43283ce2d73 100644
--- a/drivers/crypto/ccp/sev-dev.h
+++ b/drivers/crypto/ccp/sev-dev.h
@@ -52,6 +52,13 @@ struct sev_device {
u8 api_major;
u8 api_minor;
u8 build;
+
+ /*
+ * Buffer used for incoming commands whose physical address cannot be
+ * resolved via __pa(), e.g. stack pointers when CONFIG_VMAP_STACK=y.
+ * Note, alignment isn't strictly required.
+ */
+ u8 cmd_buf[] __aligned(8);
};
int sev_dev_init(struct psp_device *psp);
--
2.31.0.208.g409f899ff0-goog
next prev parent reply other threads:[~2021-04-02 23:37 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-02 23:36 [PATCH 0/5] ccp: KVM: SVM: Use stack for SEV command buffers Sean Christopherson
2021-04-02 23:36 ` [PATCH 1/5] crypto: ccp: Detect and reject vmalloc addresses destined for PSP Sean Christopherson
2021-04-04 6:31 ` Christophe Leroy
2021-04-02 23:36 ` [PATCH 2/5] crypto: ccp: Reject SEV commands with mismatching command buffer Sean Christopherson
2021-04-03 17:02 ` Christophe Leroy
2021-04-05 16:26 ` Tom Lendacky
2021-04-05 16:33 ` Sean Christopherson
2021-04-05 16:37 ` Tom Lendacky
2021-04-02 23:37 ` Sean Christopherson [this message]
2021-04-03 17:05 ` [PATCH 3/5] crypto: ccp: Play nice with vmalloc'd memory for SEV command structs Christophe Leroy
2021-04-03 17:13 ` Christophe Leroy
2021-04-04 6:48 ` Christophe Leroy
2021-04-05 15:06 ` Sean Christopherson
2021-04-05 16:01 ` Brijesh Singh
2021-04-02 23:37 ` [PATCH 4/5] crypto: ccp: Use the stack for small SEV command buffers Sean Christopherson
2021-04-02 23:37 ` [PATCH 5/5] KVM: SVM: Allocate SEV command structures on local stack Sean Christopherson
2021-04-04 19:54 ` [PATCH 0/5] ccp: KVM: SVM: Use stack for SEV command buffers Brijesh Singh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210402233702.3291792-4-seanjc@google.com \
--to=seanjc@google.com \
--cc=bp@suse.de \
--cc=brijesh.singh@amd.com \
--cc=jmattson@google.com \
--cc=john.allen@amd.com \
--cc=joro@8bytes.org \
--cc=kvm@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=thomas.lendacky@amd.com \
--cc=vkuznets@redhat.com \
--cc=wanpengli@tencent.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.