From: Claudio Imbrenda <imbrenda@linux.ibm.com>
To: Thomas Huth <thuth@redhat.com>
Cc: kvm@vger.kernel.org, borntraeger@de.ibm.com,
frankja@linux.ibm.com, pasic@linux.ibm.com, david@redhat.com,
linux-s390@vger.kernel.org, linux-kernel@vger.kernel.org,
scgl@linux.ibm.com, mimu@linux.ibm.com, nrb@linux.ibm.com
Subject: Re: [PATCH v10 02/19] KVM: s390: pv: handle secure storage violations for protected guests
Date: Fri, 6 May 2022 13:33:26 +0200 [thread overview]
Message-ID: <20220506133326.09e9a887@p-imbrenda> (raw)
In-Reply-To: <9d79d8c9-9d3f-de6e-e910-62549fc2ac5d@redhat.com>
On Thu, 5 May 2022 19:10:39 +0200
Thomas Huth <thuth@redhat.com> wrote:
> On 14/04/2022 10.02, Claudio Imbrenda wrote:
> > With upcoming patches, protected guests will be able to trigger secure
> > storage violations in normal operation.
> >
> > A secure storage violation is triggered when a protected guest tries to
> > access secure memory that has been mapped erroneously, or that belongs
> > to a different protected guest or to the ultravisor.
> >
> > With upcoming patches, protected guests will be able to trigger secure
> > storage violations in normal operation.
>
> You've already used this sentence as 1st sentence of the patch description.
> Looks weird to read it again. Maybe scratch the 1st sentence?
oops!
>
> > This happens for example if a
> > protected guest is rebooted with lazy destroy enabled and the new guest
> > is also protected.
> >
> > When the new protected guest touches pages that have not yet been
> > destroyed, and thus are accounted to the previous protected guest, a
> > secure storage violation is raised.
> >
> > This patch adds handling of secure storage violations for protected
> > guests.
> >
> > This exception is handled by first trying to destroy the page, because
> > it is expected to belong to a defunct protected guest where a destroy
> > should be possible. If that fails, a normal export of the page is
> > attempted.
> >
> > Therefore, pages that trigger the exception will be made non-secure
> > before attempting to use them again for a different secure guest.
>
> I'm an complete ignorant here, but isn't this somewhat dangerous? Could it
> happen that a VM could destroy/export the pages of another secure guest that
> way?
this is a good question, perhaps I should add a comment explaining that
the destroy page UVC will only work on protected VMs with no CPUs.
Exporting instead is not an issue, if/when the page is needed, it will
get imported again. Unless some things went really wrong, but that can
only happen in case of a bug in the hypervisor.
>
> Thomas
>
next prev parent reply other threads:[~2022-05-06 11:34 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-14 8:02 [PATCH v10 00/19] KVM: s390: pv: implement lazy destroy for reboot Claudio Imbrenda
2022-04-14 8:02 ` [PATCH v10 01/19] KVM: s390: pv: leak the topmost page table when destroy fails Claudio Imbrenda
2022-04-14 11:30 ` Janosch Frank
2022-04-14 12:19 ` Claudio Imbrenda
2022-05-05 14:45 ` Thomas Huth
2022-05-06 11:30 ` Claudio Imbrenda
2022-05-16 7:22 ` Nico Boehr
2022-05-16 15:55 ` Claudio Imbrenda
2022-04-14 8:02 ` [PATCH v10 02/19] KVM: s390: pv: handle secure storage violations for protected guests Claudio Imbrenda
2022-05-05 17:10 ` Thomas Huth
2022-05-06 11:33 ` Claudio Imbrenda [this message]
2022-04-14 8:02 ` [PATCH v10 03/19] KVM: s390: pv: handle secure storage exceptions for normal guests Claudio Imbrenda
2022-04-14 8:02 ` [PATCH v10 04/19] KVM: s390: pv: refactor s390_reset_acc Claudio Imbrenda
2022-05-16 8:04 ` Nico Boehr
2022-05-16 16:11 ` Claudio Imbrenda
2022-05-30 7:40 ` Nico Boehr
2022-05-30 10:50 ` Claudio Imbrenda
2022-04-14 8:02 ` [PATCH v10 05/19] KVM: s390: pv: usage counter instead of flag Claudio Imbrenda
2022-04-14 8:02 ` [PATCH v10 06/19] KVM: s390: pv: add export before import Claudio Imbrenda
2022-04-14 8:02 ` [PATCH v10 07/19] KVM: s390: pv: module parameter to fence lazy destroy Claudio Imbrenda
2022-04-14 8:02 ` [PATCH v10 08/19] KVM: s390: pv: clear the state without memset Claudio Imbrenda
2022-04-14 8:03 ` [PATCH v10 09/19] KVM: s390: pv: Add kvm_s390_cpus_from_pv to kvm-s390.h and add documentation Claudio Imbrenda
2022-04-14 8:03 ` [PATCH v10 10/19] KVM: s390: pv: add mmu_notifier Claudio Imbrenda
2022-04-14 8:03 ` [PATCH v10 11/19] s390/mm: KVM: pv: when tearing down, try to destroy protected pages Claudio Imbrenda
2022-04-14 8:03 ` [PATCH v10 12/19] KVM: s390: pv: refactoring of kvm_s390_pv_deinit_vm Claudio Imbrenda
2022-04-14 8:03 ` [PATCH v10 13/19] KVM: s390: pv: destroy the configuration before its memory Claudio Imbrenda
2022-05-30 7:37 ` Nico Boehr
2022-05-30 12:05 ` Claudio Imbrenda
2022-04-14 8:03 ` [PATCH v10 14/19] KVM: s390: pv: cleanup leftover protected VMs if needed Claudio Imbrenda
2022-05-30 8:11 ` Nico Boehr
2022-05-30 10:43 ` Claudio Imbrenda
2022-04-14 8:03 ` [PATCH v10 15/19] KVM: s390: pv: asynchronous destroy for reboot Claudio Imbrenda
2022-05-30 9:46 ` Nico Boehr
2022-05-30 11:06 ` Claudio Imbrenda
2022-04-14 8:03 ` [PATCH v10 16/19] KVM: s390: pv: api documentation for asynchronous destroy Claudio Imbrenda
2022-05-30 9:47 ` Nico Boehr
2022-04-14 8:03 ` [PATCH v10 17/19] KVM: s390: pv: add KVM_CAP_S390_PROTECTED_ASYNC_DISABLE Claudio Imbrenda
2022-05-30 10:24 ` Nico Boehr
2022-04-14 8:03 ` [PATCH v10 18/19] KVM: s390: pv: avoid export before import if possible Claudio Imbrenda
2022-05-30 10:07 ` Nico Boehr
2022-05-30 11:16 ` Claudio Imbrenda
2022-04-14 8:03 ` [PATCH v10 19/19] KVM: s390: pv: support for Destroy fast UVC Claudio Imbrenda
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220506133326.09e9a887@p-imbrenda \
--to=imbrenda@linux.ibm.com \
--cc=borntraeger@de.ibm.com \
--cc=david@redhat.com \
--cc=frankja@linux.ibm.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=mimu@linux.ibm.com \
--cc=nrb@linux.ibm.com \
--cc=pasic@linux.ibm.com \
--cc=scgl@linux.ibm.com \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.