From: Michael Roth <michael.roth@amd.com>
To: Borislav Petkov <bp@alien8.de>
Cc: <x86@kernel.org>, <kvm@vger.kernel.org>,
<linux-coco@lists.linux.dev>, <linux-mm@kvack.org>,
<linux-crypto@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
<tglx@linutronix.de>, <mingo@redhat.com>, <jroedel@suse.de>,
<thomas.lendacky@amd.com>, <hpa@zytor.com>, <ardb@kernel.org>,
<pbonzini@redhat.com>, <seanjc@google.com>, <vkuznets@redhat.com>,
<jmattson@google.com>, <luto@kernel.org>,
<dave.hansen@linux.intel.com>, <slp@redhat.com>,
<pgonda@google.com>, <peterz@infradead.org>,
<srinivas.pandruvada@linux.intel.com>, <rientjes@google.com>,
<tobin@ibm.com>, <vbabka@suse.cz>, <kirill@shutemov.name>,
<ak@linux.intel.com>, <tony.luck@intel.com>,
<sathyanarayanan.kuppuswamy@linux.intel.com>,
<alpergun@google.com>, <jarkko@kernel.org>,
<ashish.kalra@amd.com>, <nikunj.dadhania@amd.com>,
<pankaj.gupta@amd.com>, <liam.merwick@oracle.com>
Subject: Re: [PATCH v2 11/25] x86/sev: Adjust directmap to avoid inadvertant RMP faults
Date: Sat, 27 Jan 2024 09:45:06 -0600 [thread overview]
Message-ID: <20240127154506.v3wdio25zs6i2lc3@amd.com> (raw)
In-Reply-To: <20240127114207.GBZbTsDyC3hFq8pQ3D@fat_crate.local>
On Sat, Jan 27, 2024 at 12:42:07PM +0100, Borislav Petkov wrote:
> On Fri, Jan 26, 2024 at 05:54:20PM -0600, Michael Roth wrote:
> > Is something like this close to what you're thinking? I've re-tested with
> > SNP guests and it seems to work as expected.
> >
> > diff --git a/arch/x86/virt/svm/sev.c b/arch/x86/virt/svm/sev.c
> > index 846e9e53dff0..c09497487c08 100644
> > --- a/arch/x86/virt/svm/sev.c
> > +++ b/arch/x86/virt/svm/sev.c
> > @@ -421,7 +421,12 @@ static int adjust_direct_map(u64 pfn, int rmp_level)
> > if (WARN_ON_ONCE(rmp_level > PG_LEVEL_2M))
> > return -EINVAL;
> >
> > - if (WARN_ON_ONCE(rmp_level == PG_LEVEL_2M && !IS_ALIGNED(pfn, PTRS_PER_PMD)))
> > + if (!pfn_valid(pfn))
>
> _text at VA 0xffffffff81000000 is also a valid pfn so no, this is not
> enough.
directmap maps all physical memory accessible by kernel, including text
pages, so those are valid PFNs as far as this function is concerned. We
can't generally guard against the caller passing in any random PFN that
might also be mapped into additional address ranges, similarly to how
we can't guard against something doing a write to some random PFN
__va(0x1234) and scribbling over memory that it doesn't own, or just
unmapping the entire directmap range and blowing up the kernel.
The expectation is that the caller is aware of what PFNs it is passing in,
whether those PFNs have additional mappings, and if those mappings are of
concern, implement the necessary handlers if new use-cases are ever
introducted, like the adjust_kernel_text_mapping() example I mentioned
earlier.
>
> Either this function should not have "direct map" in the name as it
> converts *any* valid pfn not just the direct map ones or it should check
> whether the pfn belongs to the direct map range.
This function only splits mappings in the 0xffff888000000000 directmap
range. It would be inaccurate to name it in such a way that suggests
that it does anything else. If a use-case ever arises for splitting
_text mappings at 0xffffffff81000000, or any other ranges, those too
would best served by dedicated helpers adjust_kernel_text_mapping()
that *actually* modify mappings for those virtual ranges, and implement
bounds-checking appropriate for those physical/virtual ranges. The
directmap range maps all kernel-accessible physical memory, so it's
appropriate that our bounds-checking for the purpose of
adjust_direct_map() is all kernel-accessible physical memory. If that
includes PFNs mapped to other virtual ranges as well, the caller needs
to consider that and implement additional helpers as necessary, but
they'd likely *still* need to call adjust_direct_map() to adjust the
directmap range in addition to those other ranges, so even if were
possible to do so reliably, we shouldn't try to selectively reject any
PFN ranges beyond what mm.rst suggests is valid for 0xffff888000000000.
-Mike
>
> Thx.
>
> --
> Regards/Gruss,
> Boris.
>
> https://people.kernel.org/tglx/notes-about-netiquette
>
next prev parent reply other threads:[~2024-01-27 15:45 UTC|newest]
Thread overview: 73+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-26 4:11 [PATCH v2 00/25] Add AMD Secure Nested Paging (SEV-SNP) Initialization Support Michael Roth
2024-01-26 4:11 ` [PATCH v2 01/25] x86/cpufeatures: Add SEV-SNP CPU feature Michael Roth
2024-01-30 16:26 ` [tip: x86/sev] " tip-bot2 for Brijesh Singh
2024-01-26 4:11 ` [PATCH v2 02/25] x86/speculation: Do not enable Automatic IBRS if SEV SNP is enabled Michael Roth
2024-01-30 16:26 ` [tip: x86/sev] x86/speculation: Do not enable Automatic IBRS if SEV-SNP " tip-bot2 for Kim Phillips
2024-01-26 4:11 ` [PATCH v2 03/25] iommu/amd: Don't rely on external callers to enable IOMMU SNP support Michael Roth
2024-01-30 16:26 ` [tip: x86/sev] " tip-bot2 for Ashish Kalra
2024-01-26 4:11 ` [PATCH v2 04/25] x86/sev: Add the host SEV-SNP initialization support Michael Roth
2024-01-30 16:26 ` [tip: x86/sev] x86/sev: Add SEV-SNP host " tip-bot2 for Brijesh Singh
2024-01-26 4:11 ` [PATCH v2 05/25] x86/mtrr: Don't print errors if MtrrFixDramModEn is set when SNP enabled Michael Roth
2024-01-30 16:26 ` [tip: x86/sev] " tip-bot2 for Ashish Kalra
2024-01-26 4:11 ` [PATCH v2 06/25] x86/sev: Add RMP entry lookup helpers Michael Roth
2024-01-30 16:26 ` [tip: x86/sev] " tip-bot2 for Brijesh Singh
2024-01-26 4:11 ` [PATCH v2 07/25] x86/fault: Add helper for dumping RMP entries Michael Roth
2024-01-30 16:26 ` [tip: x86/sev] " tip-bot2 for Brijesh Singh
2024-01-26 4:11 ` [PATCH v2 08/25] x86/traps: Define RMP violation #PF error code Michael Roth
2024-01-30 16:26 ` [tip: x86/sev] " tip-bot2 for Brijesh Singh
2024-01-26 4:11 ` [PATCH v2 09/25] x86/fault: Dump RMP table information when RMP page faults occur Michael Roth
2024-01-30 16:26 ` [tip: x86/sev] " tip-bot2 for Michael Roth
2024-01-26 4:11 ` [PATCH v2 10/25] x86/sev: Add helper functions for RMPUPDATE and PSMASH instruction Michael Roth
2024-01-29 18:00 ` Liam Merwick
2024-01-29 19:28 ` Borislav Petkov
2024-01-29 19:33 ` Borislav Petkov
2024-01-30 16:26 ` [tip: x86/sev] " tip-bot2 for Brijesh Singh
2024-01-26 4:11 ` [PATCH v2 11/25] x86/sev: Adjust directmap to avoid inadvertant RMP faults Michael Roth
2024-01-26 15:34 ` Borislav Petkov
2024-01-26 17:04 ` Michael Roth
2024-01-26 18:43 ` Borislav Petkov
2024-01-26 23:54 ` Michael Roth
2024-01-27 11:42 ` Borislav Petkov
2024-01-27 15:45 ` Michael Roth [this message]
2024-01-27 16:02 ` Borislav Petkov
2024-01-29 11:59 ` Borislav Petkov
2024-01-29 15:26 ` Vlastimil Babka
2024-01-30 16:26 ` [tip: x86/sev] x86/sev: Adjust the directmap to avoid inadvertent " tip-bot2 for Michael Roth
2024-01-26 4:11 ` [PATCH v2 12/25] crypto: ccp: Define the SEV-SNP commands Michael Roth
2024-01-30 16:26 ` [tip: x86/sev] " tip-bot2 for Brijesh Singh
2024-01-26 4:11 ` [PATCH v2 13/25] crypto: ccp: Add support to initialize the AMD-SP for SEV-SNP Michael Roth
2024-01-29 17:58 ` Borislav Petkov
2024-01-30 16:26 ` [tip: x86/sev] " tip-bot2 for Brijesh Singh
2024-01-26 4:11 ` [PATCH v2 14/25] crypto: ccp: Provide API to issue SEV and SNP commands Michael Roth
2024-01-30 16:26 ` [tip: x86/sev] crypto: ccp: Provide an " tip-bot2 for Brijesh Singh
2024-01-26 4:11 ` [PATCH v2 15/25] x86/sev: Introduce snp leaked pages list Michael Roth
2024-01-29 14:26 ` Vlastimil Babka
2024-01-29 14:29 ` Borislav Petkov
2024-01-30 16:26 ` [tip: x86/sev] x86/sev: Introduce an SNP " tip-bot2 for Ashish Kalra
2024-01-26 4:11 ` [PATCH v2 16/25] crypto: ccp: Handle the legacy TMR allocation when SNP is enabled Michael Roth
2024-01-29 15:04 ` Borislav Petkov
2024-01-30 16:26 ` [tip: x86/sev] " tip-bot2 for Brijesh Singh
2024-01-26 4:11 ` [PATCH v2 17/25] crypto: ccp: Handle non-volatile INIT_EX data " Michael Roth
2024-01-29 15:12 ` Borislav Petkov
2024-01-30 16:26 ` [tip: x86/sev] " tip-bot2 for Tom Lendacky
2024-01-26 4:11 ` [PATCH v2 18/25] crypto: ccp: Handle legacy SEV commands " Michael Roth
2024-01-30 16:26 ` [tip: x86/sev] " tip-bot2 for Brijesh Singh
2024-01-26 4:11 ` [PATCH v2 19/25] iommu/amd: Clean up RMP entries for IOMMU pages during SNP shutdown Michael Roth
2024-01-30 16:26 ` [tip: x86/sev] " tip-bot2 for Ashish Kalra
2024-02-07 17:13 ` [tip: x86/sev] iommu/amd: Fix failure return from snp_lookup_rmpentry() tip-bot2 for Ashish Kalra
2024-01-26 4:11 ` [PATCH v2 20/25] crypto: ccp: Add panic notifier for SEV/SNP firmware shutdown on kdump Michael Roth
2024-01-30 16:25 ` [tip: x86/sev] " tip-bot2 for Ashish Kalra
2024-01-26 4:11 ` [PATCH v2 21/25] KVM: SEV: Make AVIC backing, VMSA and VMCB memory allocation SNP safe Michael Roth
2024-01-26 11:00 ` Paolo Bonzini
2024-01-30 16:25 ` [tip: x86/sev] " tip-bot2 for Brijesh Singh
2024-01-26 4:11 ` [PATCH v2 22/25] x86/cpufeatures: Enable/unmask SEV-SNP CPU feature Michael Roth
2024-01-30 16:25 ` [tip: x86/sev] " tip-bot2 for Michael Roth
2024-01-26 4:11 ` [PATCH v2 23/25] crypto: ccp: Add the SNP_PLATFORM_STATUS command Michael Roth
2024-01-30 16:25 ` [tip: x86/sev] " tip-bot2 for Brijesh Singh
2024-01-26 4:11 ` [PATCH v2 24/25] crypto: ccp: Add the SNP_COMMIT command Michael Roth
2024-01-30 16:25 ` [tip: x86/sev] " tip-bot2 for Tom Lendacky
2024-01-26 4:11 ` [PATCH v2 25/25] crypto: ccp: Add the SNP_SET_CONFIG command Michael Roth
2024-01-29 19:18 ` Liam Merwick
2024-01-29 20:10 ` Michael Roth
2024-01-30 16:25 ` [tip: x86/sev] " tip-bot2 for Brijesh Singh
2024-01-30 16:19 ` [PATCH v2 00/25] Add AMD Secure Nested Paging (SEV-SNP) Initialization Support Borislav Petkov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240127154506.v3wdio25zs6i2lc3@amd.com \
--to=michael.roth@amd.com \
--cc=ak@linux.intel.com \
--cc=alpergun@google.com \
--cc=ardb@kernel.org \
--cc=ashish.kalra@amd.com \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=hpa@zytor.com \
--cc=jarkko@kernel.org \
--cc=jmattson@google.com \
--cc=jroedel@suse.de \
--cc=kirill@shutemov.name \
--cc=kvm@vger.kernel.org \
--cc=liam.merwick@oracle.com \
--cc=linux-coco@lists.linux.dev \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@kernel.org \
--cc=mingo@redhat.com \
--cc=nikunj.dadhania@amd.com \
--cc=pankaj.gupta@amd.com \
--cc=pbonzini@redhat.com \
--cc=peterz@infradead.org \
--cc=pgonda@google.com \
--cc=rientjes@google.com \
--cc=sathyanarayanan.kuppuswamy@linux.intel.com \
--cc=seanjc@google.com \
--cc=slp@redhat.com \
--cc=srinivas.pandruvada@linux.intel.com \
--cc=tglx@linutronix.de \
--cc=thomas.lendacky@amd.com \
--cc=tobin@ibm.com \
--cc=tony.luck@intel.com \
--cc=vbabka@suse.cz \
--cc=vkuznets@redhat.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.