From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.4 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 19209C43331 for ; Wed, 13 Nov 2019 00:14:39 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id B85FE21A49 for ; Wed, 13 Nov 2019 00:14:38 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=ozlabs.org header.i=@ozlabs.org header.b="tHOIFJ1a" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org B85FE21A49 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=ozlabs.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id 571B56B0005; Tue, 12 Nov 2019 19:14:38 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 4FB746B0006; Tue, 12 Nov 2019 19:14:38 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 3E9D16B0007; Tue, 12 Nov 2019 19:14:38 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0028.hostedemail.com [216.40.44.28]) by kanga.kvack.org (Postfix) with ESMTP id 246BA6B0005 for ; Tue, 12 Nov 2019 19:14:38 -0500 (EST) Received: from smtpin12.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay05.hostedemail.com (Postfix) with SMTP id 9B69C181AEF1E for ; Wed, 13 Nov 2019 00:14:37 +0000 (UTC) X-FDA: 76149332994.12.side72_b2f2ceff8763 X-HE-Tag: side72_b2f2ceff8763 X-Filterd-Recvd-Size: 5168 Received: from ozlabs.org (bilbo.ozlabs.org [203.11.71.1]) by imf45.hostedemail.com (Postfix) with ESMTP for ; Wed, 13 Nov 2019 00:14:36 +0000 (UTC) Received: by ozlabs.org (Postfix, from userid 1003) id 47CQ8n24p7z9sQp; Wed, 13 Nov 2019 11:14:33 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ozlabs.org; s=201707; t=1573604073; bh=eaKlwgdIJsn3cYx0pG4CKYUAolYzy7bggI3IJ4S28AA=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=tHOIFJ1aAXXPXE/f6Js+XN05su1cvwOOR8xTEilo5y6hTG2AXO/heOo4+hDJXY5Ad Eir1KR4sScjbJRiF0dXzzck5iNHTv7hkB9TQwygDVpsYd7IsvyOOx0J/7S9iFrc02T 6iurluDgA9EI2/Whftfdvn8mlCBb8YfF2eezroDsREjyct5/Obv4SCDKWmODQlwp57 U5cIHsJyt5czMWTLjsEH8ulgxo6zAtyxWedJYvBjs8DhIQ2YURxk8uCbZvkq4Mg+ds kKuuWN3HECgYTsAdNx4vbRijYZYf986wgAUJwJ686x8nf69Xc+rdrIH0PjZFUlaGOV Ts5qUlizrz5mQ== Date: Wed, 13 Nov 2019 11:14:27 +1100 From: Paul Mackerras To: Ram Pai Cc: Bharata B Rao , linuxppc-dev@lists.ozlabs.org, kvm-ppc@vger.kernel.org, linux-mm@kvack.org, paulus@au1.ibm.com, aneesh.kumar@linux.vnet.ibm.com, jglisse@redhat.com, cclaudio@linux.ibm.com, sukadev@linux.vnet.ibm.com, hch@lst.de, Sukadev Bhattiprolu , Ram Pai Subject: Re: [PATCH v10 7/8] KVM: PPC: Implement H_SVM_INIT_ABORT hcall Message-ID: <20191113001427.GA17829@oak.ozlabs.ibm.com> References: <20191104041800.24527-1-bharata@linux.ibm.com> <20191104041800.24527-8-bharata@linux.ibm.com> <20191111041924.GA4017@oak.ozlabs.ibm.com> <20191112010158.GB5159@oc0525413822.ibm.com> <20191112053836.GB10885@oak.ozlabs.ibm.com> <20191112075215.GD5159@oc0525413822.ibm.com> <20191112113204.GA10178@blackberry> <20191112144555.GE5159@oc0525413822.ibm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20191112144555.GE5159@oc0525413822.ibm.com> User-Agent: Mutt/1.10.1 (2018-07-13) X-Bogosity: Ham, tests=bogofilter, spamicity=0.000028, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Tue, Nov 12, 2019 at 06:45:55AM -0800, Ram Pai wrote: > On Tue, Nov 12, 2019 at 10:32:04PM +1100, Paul Mackerras wrote: > > On Mon, Nov 11, 2019 at 11:52:15PM -0800, Ram Pai wrote: > > > There is subtle problem removing that code from the assembly. > > > > > > If the H_SVM_INIT_ABORT hcall returns to the ultravisor without clearing > > > kvm->arch.secure_guest, the hypervisor will continue to think that the > > > VM is a secure VM. However the primary reason the H_SVM_INIT_ABORT > > > hcall was invoked, was to inform the Hypervisor that it should no longer > > > consider the VM as a Secure VM. So there is a inconsistency there. > > > > Most of the checks that look at whether a VM is a secure VM use code > > like "if (kvm->arch.secure_guest & KVMPPC_SECURE_INIT_DONE)". Now > > since KVMPPC_SECURE_INIT_ABORT is 4, an if statement such as that will > > take the false branch once we have set kvm->arch.secure_guest to > > KVMPPC_SECURE_INIT_ABORT in kvmppc_h_svm_init_abort. So in fact in > > most places we will treat the VM as a normal VM from then on. If > > there are any places where we still need to treat the VM as a secure > > VM while we are processing the abort we can easily do that too. > > Is the suggestion -- KVMPPC_SECURE_INIT_ABORT should never return back > to the Ultravisor? Because removing that assembly code will NOT lead the No. The suggestion is that vcpu->arch.secure_guest stays set to KVMPPC_SECURE_INIT_ABORT until userspace calls KVM_PPC_SVM_OFF. > Hypervisor back into the Ultravisor. This is fine with the > ultravisor. But then the hypervisor will not know where to return to. > If it wants to return directly to the VM, it wont know to > which address. It will be in a limbo. > > > > > > This is fine, as long as the VM does not invoke any hcall or does not > > > receive any hypervisor-exceptions. The moment either of those happen, > > > the control goes into the hypervisor, the hypervisor services > > > the exception/hcall and while returning, it will see that the > > > kvm->arch.secure_guest flag is set and **incorrectly** return > > > to the ultravisor through a UV_RETURN ucall. Ultravisor will > > > not know what to do with it, because it does not consider that > > > VM as a Secure VM. Bad things happen. > > > > If bad things happen in the ultravisor because the hypervisor did > > something it shouldn't, then it's game over, you just lost, thanks for > > playing. The ultravisor MUST be able to cope with bogus UV_RETURN > > calls for a VM that it doesn't consider to be a secure VM. You need > > to work out how to handle such calls safely and implement that in the > > ultravisor. > > Actually we do handle this gracefully in the ultravisor :). > We just retun back to the hypervisor saying "sorry dont know what > to do with it, please handle it yourself". > > However hypervisor would not know what to do with that return, and bad > things happen in the hypervisor. Right. We need something after the "sc 2" to handle the case where the ultravisor returns with an error from the UV_RETURN. Paul. From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.1 required=3.0 tests=DKIM_INVALID,DKIM_SIGNED, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id CAB3AC43331 for ; Wed, 13 Nov 2019 00:16:53 +0000 (UTC) Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 30AFD206BB for ; Wed, 13 Nov 2019 00:16:53 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=ozlabs.org header.i=@ozlabs.org header.b="tHOIFJ1a" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 30AFD206BB Authentication-Results: mail.kernel.org; dmarc=pass (p=none dis=none) header.from=ozlabs.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=linuxppc-dev-bounces+linuxppc-dev=archiver.kernel.org@lists.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47CQCR093vzF5wW for ; Wed, 13 Nov 2019 11:16:51 +1100 (AEDT) Received: from ozlabs.org (bilbo.ozlabs.org [203.11.71.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47CQ8n4VL5zF4Hd for ; Wed, 13 Nov 2019 11:14:33 +1100 (AEDT) Authentication-Results: lists.ozlabs.org; dmarc=pass (p=none dis=none) header.from=ozlabs.org Authentication-Results: lists.ozlabs.org; dkim=pass (2048-bit key; secure) header.d=ozlabs.org header.i=@ozlabs.org header.b="tHOIFJ1a"; dkim-atps=neutral Received: by ozlabs.org (Postfix, from userid 1003) id 47CQ8n24p7z9sQp; Wed, 13 Nov 2019 11:14:33 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ozlabs.org; s=201707; t=1573604073; bh=eaKlwgdIJsn3cYx0pG4CKYUAolYzy7bggI3IJ4S28AA=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=tHOIFJ1aAXXPXE/f6Js+XN05su1cvwOOR8xTEilo5y6hTG2AXO/heOo4+hDJXY5Ad Eir1KR4sScjbJRiF0dXzzck5iNHTv7hkB9TQwygDVpsYd7IsvyOOx0J/7S9iFrc02T 6iurluDgA9EI2/Whftfdvn8mlCBb8YfF2eezroDsREjyct5/Obv4SCDKWmODQlwp57 U5cIHsJyt5czMWTLjsEH8ulgxo6zAtyxWedJYvBjs8DhIQ2YURxk8uCbZvkq4Mg+ds kKuuWN3HECgYTsAdNx4vbRijYZYf986wgAUJwJ686x8nf69Xc+rdrIH0PjZFUlaGOV Ts5qUlizrz5mQ== Date: Wed, 13 Nov 2019 11:14:27 +1100 From: Paul Mackerras To: Ram Pai Subject: Re: [PATCH v10 7/8] KVM: PPC: Implement H_SVM_INIT_ABORT hcall Message-ID: <20191113001427.GA17829@oak.ozlabs.ibm.com> References: <20191104041800.24527-1-bharata@linux.ibm.com> <20191104041800.24527-8-bharata@linux.ibm.com> <20191111041924.GA4017@oak.ozlabs.ibm.com> <20191112010158.GB5159@oc0525413822.ibm.com> <20191112053836.GB10885@oak.ozlabs.ibm.com> <20191112075215.GD5159@oc0525413822.ibm.com> <20191112113204.GA10178@blackberry> <20191112144555.GE5159@oc0525413822.ibm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20191112144555.GE5159@oc0525413822.ibm.com> User-Agent: Mutt/1.10.1 (2018-07-13) X-BeenThere: linuxppc-dev@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux on PowerPC Developers Mail List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Sukadev Bhattiprolu , cclaudio@linux.ibm.com, kvm-ppc@vger.kernel.org, Bharata B Rao , linux-mm@kvack.org, jglisse@redhat.com, Ram Pai , aneesh.kumar@linux.vnet.ibm.com, paulus@au1.ibm.com, sukadev@linux.vnet.ibm.com, linuxppc-dev@lists.ozlabs.org, hch@lst.de Errors-To: linuxppc-dev-bounces+linuxppc-dev=archiver.kernel.org@lists.ozlabs.org Sender: "Linuxppc-dev" On Tue, Nov 12, 2019 at 06:45:55AM -0800, Ram Pai wrote: > On Tue, Nov 12, 2019 at 10:32:04PM +1100, Paul Mackerras wrote: > > On Mon, Nov 11, 2019 at 11:52:15PM -0800, Ram Pai wrote: > > > There is subtle problem removing that code from the assembly. > > > > > > If the H_SVM_INIT_ABORT hcall returns to the ultravisor without clearing > > > kvm->arch.secure_guest, the hypervisor will continue to think that the > > > VM is a secure VM. However the primary reason the H_SVM_INIT_ABORT > > > hcall was invoked, was to inform the Hypervisor that it should no longer > > > consider the VM as a Secure VM. So there is a inconsistency there. > > > > Most of the checks that look at whether a VM is a secure VM use code > > like "if (kvm->arch.secure_guest & KVMPPC_SECURE_INIT_DONE)". Now > > since KVMPPC_SECURE_INIT_ABORT is 4, an if statement such as that will > > take the false branch once we have set kvm->arch.secure_guest to > > KVMPPC_SECURE_INIT_ABORT in kvmppc_h_svm_init_abort. So in fact in > > most places we will treat the VM as a normal VM from then on. If > > there are any places where we still need to treat the VM as a secure > > VM while we are processing the abort we can easily do that too. > > Is the suggestion -- KVMPPC_SECURE_INIT_ABORT should never return back > to the Ultravisor? Because removing that assembly code will NOT lead the No. The suggestion is that vcpu->arch.secure_guest stays set to KVMPPC_SECURE_INIT_ABORT until userspace calls KVM_PPC_SVM_OFF. > Hypervisor back into the Ultravisor. This is fine with the > ultravisor. But then the hypervisor will not know where to return to. > If it wants to return directly to the VM, it wont know to > which address. It will be in a limbo. > > > > > > This is fine, as long as the VM does not invoke any hcall or does not > > > receive any hypervisor-exceptions. The moment either of those happen, > > > the control goes into the hypervisor, the hypervisor services > > > the exception/hcall and while returning, it will see that the > > > kvm->arch.secure_guest flag is set and **incorrectly** return > > > to the ultravisor through a UV_RETURN ucall. Ultravisor will > > > not know what to do with it, because it does not consider that > > > VM as a Secure VM. Bad things happen. > > > > If bad things happen in the ultravisor because the hypervisor did > > something it shouldn't, then it's game over, you just lost, thanks for > > playing. The ultravisor MUST be able to cope with bogus UV_RETURN > > calls for a VM that it doesn't consider to be a secure VM. You need > > to work out how to handle such calls safely and implement that in the > > ultravisor. > > Actually we do handle this gracefully in the ultravisor :). > We just retun back to the hypervisor saying "sorry dont know what > to do with it, please handle it yourself". > > However hypervisor would not know what to do with that return, and bad > things happen in the hypervisor. Right. We need something after the "sc 2" to handle the case where the ultravisor returns with an error from the UV_RETURN. Paul. From mboxrd@z Thu Jan 1 00:00:00 1970 From: Paul Mackerras Date: Wed, 13 Nov 2019 00:14:27 +0000 Subject: Re: [PATCH v10 7/8] KVM: PPC: Implement H_SVM_INIT_ABORT hcall Message-Id: <20191113001427.GA17829@oak.ozlabs.ibm.com> List-Id: References: <20191104041800.24527-1-bharata@linux.ibm.com> <20191104041800.24527-8-bharata@linux.ibm.com> <20191111041924.GA4017@oak.ozlabs.ibm.com> <20191112010158.GB5159@oc0525413822.ibm.com> <20191112053836.GB10885@oak.ozlabs.ibm.com> <20191112075215.GD5159@oc0525413822.ibm.com> <20191112113204.GA10178@blackberry> <20191112144555.GE5159@oc0525413822.ibm.com> In-Reply-To: <20191112144555.GE5159@oc0525413822.ibm.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: Ram Pai Cc: Bharata B Rao , linuxppc-dev@lists.ozlabs.org, kvm-ppc@vger.kernel.org, linux-mm@kvack.org, paulus@au1.ibm.com, aneesh.kumar@linux.vnet.ibm.com, jglisse@redhat.com, cclaudio@linux.ibm.com, sukadev@linux.vnet.ibm.com, hch@lst.de, Sukadev Bhattiprolu , Ram Pai On Tue, Nov 12, 2019 at 06:45:55AM -0800, Ram Pai wrote: > On Tue, Nov 12, 2019 at 10:32:04PM +1100, Paul Mackerras wrote: > > On Mon, Nov 11, 2019 at 11:52:15PM -0800, Ram Pai wrote: > > > There is subtle problem removing that code from the assembly. > > > > > > If the H_SVM_INIT_ABORT hcall returns to the ultravisor without clearing > > > kvm->arch.secure_guest, the hypervisor will continue to think that the > > > VM is a secure VM. However the primary reason the H_SVM_INIT_ABORT > > > hcall was invoked, was to inform the Hypervisor that it should no longer > > > consider the VM as a Secure VM. So there is a inconsistency there. > > > > Most of the checks that look at whether a VM is a secure VM use code > > like "if (kvm->arch.secure_guest & KVMPPC_SECURE_INIT_DONE)". Now > > since KVMPPC_SECURE_INIT_ABORT is 4, an if statement such as that will > > take the false branch once we have set kvm->arch.secure_guest to > > KVMPPC_SECURE_INIT_ABORT in kvmppc_h_svm_init_abort. So in fact in > > most places we will treat the VM as a normal VM from then on. If > > there are any places where we still need to treat the VM as a secure > > VM while we are processing the abort we can easily do that too. > > Is the suggestion -- KVMPPC_SECURE_INIT_ABORT should never return back > to the Ultravisor? Because removing that assembly code will NOT lead the No. The suggestion is that vcpu->arch.secure_guest stays set to KVMPPC_SECURE_INIT_ABORT until userspace calls KVM_PPC_SVM_OFF. > Hypervisor back into the Ultravisor. This is fine with the > ultravisor. But then the hypervisor will not know where to return to. > If it wants to return directly to the VM, it wont know to > which address. It will be in a limbo. > > > > > > This is fine, as long as the VM does not invoke any hcall or does not > > > receive any hypervisor-exceptions. The moment either of those happen, > > > the control goes into the hypervisor, the hypervisor services > > > the exception/hcall and while returning, it will see that the > > > kvm->arch.secure_guest flag is set and **incorrectly** return > > > to the ultravisor through a UV_RETURN ucall. Ultravisor will > > > not know what to do with it, because it does not consider that > > > VM as a Secure VM. Bad things happen. > > > > If bad things happen in the ultravisor because the hypervisor did > > something it shouldn't, then it's game over, you just lost, thanks for > > playing. The ultravisor MUST be able to cope with bogus UV_RETURN > > calls for a VM that it doesn't consider to be a secure VM. You need > > to work out how to handle such calls safely and implement that in the > > ultravisor. > > Actually we do handle this gracefully in the ultravisor :). > We just retun back to the hypervisor saying "sorry dont know what > to do with it, please handle it yourself". > > However hypervisor would not know what to do with that return, and bad > things happen in the hypervisor. Right. We need something after the "sc 2" to handle the case where the ultravisor returns with an error from the UV_RETURN. Paul.