From: "Michael Kelley (LINUX)" <mikelley@microsoft.com>
To: Tianyu Lan <ltykernel@gmail.com>, Borislav Petkov <bp@alien8.de>
Cc: "luto@kernel.org" <luto@kernel.org>,
"tglx@linutronix.de" <tglx@linutronix.de>,
"mingo@redhat.com" <mingo@redhat.com>,
"dave.hansen@linux.intel.com" <dave.hansen@linux.intel.com>,
"x86@kernel.org" <x86@kernel.org>,
"hpa@zytor.com" <hpa@zytor.com>,
"seanjc@google.com" <seanjc@google.com>,
"pbonzini@redhat.com" <pbonzini@redhat.com>,
"jgross@suse.com" <jgross@suse.com>,
Tianyu Lan <Tianyu.Lan@microsoft.com>,
"kirill@shutemov.name" <kirill@shutemov.name>,
"jiangshan.ljs@antgroup.com" <jiangshan.ljs@antgroup.com>,
"peterz@infradead.org" <peterz@infradead.org>,
"ashish.kalra@amd.com" <ashish.kalra@amd.com>,
"srutherford@google.com" <srutherford@google.com>,
"akpm@linux-foundation.org" <akpm@linux-foundation.org>,
"anshuman.khandual@arm.com" <anshuman.khandual@arm.com>,
"pawan.kumar.gupta@linux.intel.com"
<pawan.kumar.gupta@linux.intel.com>,
"adrian.hunter@intel.com" <adrian.hunter@intel.com>,
"daniel.sneddon@linux.intel.com" <daniel.sneddon@linux.intel.com>,
"alexander.shishkin@linux.intel.com"
<alexander.shishkin@linux.intel.com>,
"sandipan.das@amd.com" <sandipan.das@amd.com>,
"ray.huang@amd.com" <ray.huang@amd.com>,
"brijesh.singh@amd.com" <brijesh.singh@amd.com>,
"michael.roth@amd.com" <michael.roth@amd.com>,
"thomas.lendacky@amd.com" <thomas.lendacky@amd.com>,
"venu.busireddy@oracle.com" <venu.busireddy@oracle.com>,
"sterritt@google.com" <sterritt@google.com>,
"tony.luck@intel.com" <tony.luck@intel.com>,
"samitolvanen@google.com" <samitolvanen@google.com>,
"fenghua.yu@intel.com" <fenghua.yu@intel.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"kvm@vger.kernel.org" <kvm@vger.kernel.org>,
"linux-hyperv@vger.kernel.org" <linux-hyperv@vger.kernel.org>,
"linux-arch@vger.kernel.org" <linux-arch@vger.kernel.org>
Subject: RE: [RFC PATCH V2 01/18] x86/sev: Pvalidate memory gab for decompressing kernel
Date: Wed, 28 Dec 2022 19:15:31 +0000 [thread overview]
Message-ID: <BYAPR21MB16886D446C3AC972AFF8DAB9D7F29@BYAPR21MB1688.namprd21.prod.outlook.com> (raw)
In-Reply-To: <6b3bdbbd-d381-3e52-57ec-729c8ab2d042@gmail.com>
From: Tianyu Lan <ltykernel@gmail.com> Sent: Tuesday, November 29, 2022 6:43 AM
>
> On 11/29/2022 8:56 PM, Borislav Petkov wrote:
> >> +/* Check SEV-SNP via MSR */
> >> +static bool sev_snp_runtime_check(void)
> > Functions need to have a verb in the name.
> >
> >> +{
> >> + unsigned long low, high;
> >> + u64 val;
> >> +
> >> + asm volatile("rdmsr\n" : "=a" (low), "=d" (high) :
> >> + "c" (MSR_AMD64_SEV));
> >> +
> >> + val = (high << 32) | low;
> >> + if (val & MSR_AMD64_SEV_SNP_ENABLED)
> >> + return true;
> > There already is a sev_snp_enabled() in that very same file. Did you not
> > see it?
> >
> > Why are you even adding such a function?!
>
> Hi Boris:
> Thanks for your review. sev_snp_enabled() is used after
> sev_status was initialized in sev_enable() while pvalidate_for_startup_
> 64() is called before sev_enable(). So add sev_snp_runtime_check() to
> check sev snp capability before calling sev_enable().
I understand needing to find out if SEV-SNP is enabled before sev_enable()
has set the value of sev_status. Unfortunately, just checking the
SEV_SNP_ENABLED bit in MSR_AMD64_SEV isn't sufficient. sev_enable()
correctly does a more complex check. The CPUID bit is checked first, and
the MSR is read only if the CPUID bit indicating SEV is set. The reason for
this behavior is described in the commit message for 009767dbf42a.
Furthermore, even if the MSR is safe to read, just checking the
SEV_SNP_ENABLED bit isn't sufficient because that bit is "1" in a vTOM VM.
The MSR check would need to be that SEV_SNP_ENABLED is set, and
VTOM_ENABLED is not set.
Michael
>
> >
> >> + return false;
> >> +}
> >> +
> >> static inline bool sev_snp_enabled(void)
> >> {
> >> return sev_status & MSR_AMD64_SEV_SNP_ENABLED;
> >> @@ -456,3 +475,68 @@ void sev_prep_identity_maps(unsigned long top_level_pgt)
> >>
> >> sev_verify_cbit(top_level_pgt);
> >> }
> >> +
> >> +static void extend_e820_on_demand(struct boot_e820_entry *e820_entry,
> >> + u64 needed_ram_end)
> >> +{
> >> + u64 end, paddr;
> >> + unsigned long eflags;
> >> + int rc;
> >> +
> >> + if (!e820_entry)
> >> + return;
> >> +
> >> + /* Validated memory must be aligned by PAGE_SIZE. */
> >> + end = ALIGN(e820_entry->addr + e820_entry->size, PAGE_SIZE);
> >> + if (needed_ram_end > end && e820_entry->type == E820_TYPE_RAM) {
> >> + for (paddr = end; paddr < needed_ram_end; paddr += PAGE_SIZE) {
> >> + rc = pvalidate(paddr, RMP_PG_SIZE_4K, true);
> >> + if (rc) {
> >> + error("Failed to validate address.n");
> >> + return;
> >> + }
> >> + }
> >> + e820_entry->size = needed_ram_end - e820_entry->addr;
> >> + }
> >> +}
> >> +
> >> +/*
> >> + * Explicitly pvalidate needed pages for decompressing the kernel.
> >> + * The E820_TYPE_RAM entry includes only validated memory. The kernel
> >> + * expects that the RAM entry's addr is fixed while the entry size is to be
> >> + * extended to cover addresses to the start of next entry.
> >> + * The function increases the RAM entry size to cover all possible memory
> > Similar issue as above: you don't need to say "this function" above this
> > function. IOW, it should say:
> >
> > "Increase the RAM entry size..."
> >
> > I.e., imperative mood above.
> >
> >> + * addresses until init_size.
> >> + * For example, init_end = 0x4000000,
> >> + * [RAM: 0x0 - 0x0], M[RAM: 0x0 - 0xa0000]
> >> + * [RSVD: 0xa0000 - 0x10000] [RSVD: 0xa0000 - 0x10000]
> >> + * [ACPI: 0x10000 - 0x20000] ==> [ACPI: 0x10000 - 0x20000]
> >> + * [RSVD: 0x800000 - 0x900000] [RSVD: 0x800000 - 0x900000]
> >> + * [RAM: 0x1000000 - 0x2000000] M[RAM: 0x1000000 - 0x2001000]
> >> + * [RAM: 0x2001000 - 0x2007000] M[RAM: 0x2001000 - 0x4000000]
> > What is this trying to tell me?
> >
> > That the end range 0x2007000 gets raised to 0x4000000?
> >
> > Why?
> >
> > This all sounds like there is some requirement somewhere but nothing
> > says what that requirement is and why.
> >
> >> + * Other RAM memory after init_end is pvalidated by ms_hyperv_init_platform
> >> + */
> >> +__visible void pvalidate_for_startup_64(struct boot_params *boot_params)
> > This doesn't do any validation. And yet it has "pvalidate" in the name.
> >
> >> +{
> >> + struct boot_e820_entry *e820_entry;
> >> + u64 init_end =
> >> + boot_params->hdr.pref_address + boot_params->hdr.init_size;
> > Nope, we never break lines like that.
> >
> >> + u8 i, nr_entries = boot_params->e820_entries;
> >> + u64 needed_end;
> > The tip-tree preferred ordering of variable declarations at the
> > beginning of a function is reverse fir tree order::
> >
> > struct long_struct_name *descriptive_name;
> > unsigned long foo, bar;
> > unsigned int tmp;
> > int ret;
> >
> > The above is faster to parse than the reverse ordering::
> >
> > int ret;
> > unsigned int tmp;
> > unsigned long foo, bar;
> > struct long_struct_name *descriptive_name;
> >
> > And even more so than random ordering::
> >
> > unsigned long foo, bar;
> > int ret;
> > struct long_struct_name *descriptive_name;
> > unsigned int tmp;
> >
> >> + if (!sev_snp_runtime_check())
> >> + return;
> >> +
> >> + for (i = 0; i < nr_entries; ++i) {
> >> + /* Pvalidate memory holes in e820 RAM entries. */
> >> + e820_entry = &boot_params->e820_table[i];
> >> + if (i < nr_entries - 1) {
> >> + needed_end = boot_params->e820_table[i + 1].addr;
> >> + if (needed_end < e820_entry->addr)
> >> + error("e820 table is not sorted.\n");
> >> + } else {
> >> + needed_end = init_end;
> >> + }
> >> + extend_e820_on_demand(e820_entry, needed_end);
> > Now*this* function does call pvalidate() and yet it doesn't have
> > "pvalidate" in the name. This all looks real confused.
> >
> > So first of all, you need to explain*why* you're doing this.
> >
> > It looks like it is because the guest needs to do the memory validation
> > by itself because nobody else does that.
> >
> > If so, this needs to be explained in detail in the commit message.
>
> Yes, I will update in the next version. Thanks for suggestion.
>
> >
> > Also, why is that ok for SNP guests on other hypervisors which get the
> > memory validated by the boot loader or firmware?
>
> This is for Linux direct boot mode and so it needs to do such check
> here. Will fix this in the next version.
next prev parent reply other threads:[~2022-12-28 19:16 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-19 3:46 [RFC PATCH V2 00/18] x86/hyperv/sev: Add AMD sev-snp enlightened guest support on hyperv Tianyu Lan
2022-11-19 3:46 ` [RFC PATCH V2 01/18] x86/sev: Pvalidate memory gab for decompressing kernel Tianyu Lan
2022-11-29 12:56 ` Borislav Petkov
2022-11-29 14:42 ` Tianyu Lan
2022-11-29 15:22 ` Borislav Petkov
2022-12-28 19:15 ` Michael Kelley (LINUX) [this message]
2022-12-06 9:16 ` Gupta, Pankaj
2022-12-08 13:04 ` Tianyu Lan
2022-11-19 3:46 ` [RFC PATCH V2 02/18] x86/hyperv: Add sev-snp enlightened guest specific config Tianyu Lan
2022-12-12 17:56 ` Michael Kelley (LINUX)
2022-12-13 9:58 ` Tianyu Lan
2022-11-19 3:46 ` [RFC PATCH V2 03/18] x86/hyperv: apic change for sev-snp enlightened guest Tianyu Lan
2022-12-12 19:00 ` Michael Kelley (LINUX)
2022-11-19 3:46 ` [RFC PATCH V2 04/18] x86/hyperv: Decrypt hv vp assist page in " Tianyu Lan
2022-12-12 19:41 ` Michael Kelley (LINUX)
2022-12-13 15:21 ` Tianyu Lan
2022-11-19 3:46 ` [RFC PATCH V2 05/18] x86/hyperv: Get Virtual Trust Level via hvcall Tianyu Lan
2022-12-12 23:41 ` Michael Kelley (LINUX)
2022-11-19 3:46 ` [RFC PATCH V2 06/18] x86/hyperv: Use vmmcall to implement hvcall in sev-snp enlightened guest Tianyu Lan
2022-12-13 17:19 ` Michael Kelley (LINUX)
2022-12-14 16:02 ` Tianyu Lan
2023-01-09 7:24 ` Dexuan Cui
2022-11-19 3:46 ` [RFC PATCH V2 07/18] clocksource: hyper-v: decrypt hyperv tsc page " Tianyu Lan
2022-12-13 17:30 ` Michael Kelley (LINUX)
2022-12-14 16:05 ` Tianyu Lan
2022-11-19 3:46 ` [RFC PATCH V2 08/18] x86/hyperv: decrypt vmbus pages for " Tianyu Lan
2022-12-13 18:08 ` Michael Kelley (LINUX)
2022-12-26 4:19 ` Tianyu Lan
2022-11-19 3:46 ` [RFC PATCH V2 09/18] x86/hyperv: set target vtl in the vmbus init message Tianyu Lan
2022-12-14 18:12 ` Michael Kelley (LINUX)
2022-11-19 3:46 ` [RFC PATCH V2 10/18] drivers: hv: Decrypt percpu hvcall input arg page in sev-snp enlightened guest Tianyu Lan
2022-12-08 21:52 ` Dexuan Cui
2022-12-09 2:26 ` Tianyu Lan
2022-12-14 18:16 ` Michael Kelley (LINUX)
2022-12-26 7:26 ` Tianyu Lan
2022-11-19 3:46 ` [RFC PATCH V2 11/18] Drivers: hv: vmbus: Decrypt vmbus ring buffer Tianyu Lan
2022-12-14 18:25 ` Michael Kelley (LINUX)
2022-12-26 7:59 ` Tianyu Lan
2022-11-19 3:46 ` [RFC PATCH V2 12/18] x86/hyperv: Initialize cpu and memory for sev-snp enlightened guest Tianyu Lan
2022-12-28 17:07 ` Michael Kelley (LINUX)
2022-11-19 3:46 ` [RFC PATCH V2 13/18] x86/hyperv: Add smp support for sev-snp guest Tianyu Lan
2022-12-28 18:14 ` Michael Kelley (LINUX)
2022-11-19 3:46 ` [RFC PATCH V2 14/18] x86/hyperv: Add hyperv-specific hadling for VMMCALL under SEV-ES Tianyu Lan
2022-11-19 3:46 ` [RFC PATCH V2 15/18] x86/sev: Add a #HV exception handler Tianyu Lan
2023-01-10 12:47 ` Gupta, Pankaj
2023-01-10 13:43 ` Tianyu Lan
2023-01-12 7:43 ` Gupta, Pankaj
2022-11-19 3:46 ` [RFC PATCH V2 16/18] x86/sev: Initialize #HV doorbell and handle interrupt requests Tianyu Lan
2022-11-21 15:05 ` Kalra, Ashish
2022-11-22 13:46 ` Tianyu Lan
2022-11-22 19:17 ` Kalra, Ashish
2022-11-23 18:36 ` Tom Lendacky
2022-11-25 3:36 ` Tianyu Lan
2022-11-25 11:49 ` Christophe de Dinechin
2022-11-28 5:47 ` Tianyu Lan
2022-12-07 14:13 ` Gupta, Pankaj
2022-12-08 14:21 ` Tianyu Lan
2022-12-08 14:36 ` Gupta, Pankaj
2022-12-08 11:47 ` Gupta, Pankaj
2022-12-08 14:25 ` Tianyu Lan
2022-11-19 3:46 ` [RFC PATCH V2 17/18] x86/sev: optimize system vector processing invoked from #HV exception Tianyu Lan
2022-11-19 3:46 ` [RFC PATCH V2 18/18] x86/sev: Fix interrupt exit code paths " Tianyu Lan
2022-12-13 7:37 ` Gupta, Pankaj
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=BYAPR21MB16886D446C3AC972AFF8DAB9D7F29@BYAPR21MB1688.namprd21.prod.outlook.com \
--to=mikelley@microsoft.com \
--cc=Tianyu.Lan@microsoft.com \
--cc=adrian.hunter@intel.com \
--cc=akpm@linux-foundation.org \
--cc=alexander.shishkin@linux.intel.com \
--cc=anshuman.khandual@arm.com \
--cc=ashish.kalra@amd.com \
--cc=bp@alien8.de \
--cc=brijesh.singh@amd.com \
--cc=daniel.sneddon@linux.intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=fenghua.yu@intel.com \
--cc=hpa@zytor.com \
--cc=jgross@suse.com \
--cc=jiangshan.ljs@antgroup.com \
--cc=kirill@shutemov.name \
--cc=kvm@vger.kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-hyperv@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=ltykernel@gmail.com \
--cc=luto@kernel.org \
--cc=michael.roth@amd.com \
--cc=mingo@redhat.com \
--cc=pawan.kumar.gupta@linux.intel.com \
--cc=pbonzini@redhat.com \
--cc=peterz@infradead.org \
--cc=ray.huang@amd.com \
--cc=samitolvanen@google.com \
--cc=sandipan.das@amd.com \
--cc=seanjc@google.com \
--cc=srutherford@google.com \
--cc=sterritt@google.com \
--cc=tglx@linutronix.de \
--cc=thomas.lendacky@amd.com \
--cc=tony.luck@intel.com \
--cc=venu.busireddy@oracle.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.