From: Peter Gonda <pgonda@google.com>
To: Sean Christopherson <seanjc@google.com>
Cc: Thomas.Lendacky@amd.com, Marc Orr <marcorr@google.com>,
David Rientjes <rientjes@google.com>,
Brijesh Singh <brijesh.singh@amd.com>,
Joerg Roedel <jroedel@suse.de>,
Herbert Xu <herbert@gondor.apana.org.au>,
John Allen <john.allen@amd.com>,
"David S. Miller" <davem@davemloft.net>,
Paolo Bonzini <pbonzini@redhat.com>,
linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH V3 2/4] crypto: ccp - Move SEV_INIT retry for corrupted data
Date: Tue, 9 Nov 2021 11:42:08 -0700 [thread overview]
Message-ID: <CAMkAt6pF9cLQa5i4rqGVsrkwZSKsXbWBjY4sgGHVs+HT+4NtXA@mail.gmail.com> (raw)
In-Reply-To: <YYqwT1fGxBQQmFvY@google.com>
On Tue, Nov 9, 2021 at 10:31 AM Sean Christopherson <seanjc@google.com> wrote:
>
> On Tue, Nov 09, 2021, Peter Gonda wrote:
> > On Tue, Nov 9, 2021 at 9:31 AM Sean Christopherson <seanjc@google.com> wrote:
> > >
> > > On Tue, Nov 02, 2021, Peter Gonda wrote:
> > > > This change moves the data corrupted retry of SEV_INIT into the
> > >
> > > Use imperative mood.
> >
> > Will do for next revision
> >
> > >
> > > > __sev_platform_init_locked() function. This is for upcoming INIT_EX
> > > > support as well as helping direct callers of
> > > > __sev_platform_init_locked() which currently do not support the
> > > > retry.
> > > >
> > > > Signed-off-by: Peter Gonda <pgonda@google.com>
> > > > Reviewed-by: Marc Orr <marcorr@google.com>
> > > > Acked-by: David Rientjes <rientjes@google.com>
> > > > Acked-by: Tom Lendacky <thomas.lendacky@amd.com>
> > > > Cc: Tom Lendacky <thomas.lendacky@amd.com>
> > > > Cc: Brijesh Singh <brijesh.singh@amd.com>
> > > > Cc: Marc Orr <marcorr@google.com>
> > > > Cc: Joerg Roedel <jroedel@suse.de>
> > > > Cc: Herbert Xu <herbert@gondor.apana.org.au>
> > > > Cc: David Rientjes <rientjes@google.com>
> > > > Cc: John Allen <john.allen@amd.com>
> > > > Cc: "David S. Miller" <davem@davemloft.net>
> > > > Cc: Paolo Bonzini <pbonzini@redhat.com>
> > > > Cc: linux-crypto@vger.kernel.org
> > > > Cc: linux-kernel@vger.kernel.org
> > > > ---
> > > > drivers/crypto/ccp/sev-dev.c | 24 ++++++++++++------------
> > > > 1 file changed, 12 insertions(+), 12 deletions(-)
> > > >
> > > > diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
> > > > index ec89a82ba267..e4bc833949a0 100644
> > > > --- a/drivers/crypto/ccp/sev-dev.c
> > > > +++ b/drivers/crypto/ccp/sev-dev.c
> > > > @@ -267,6 +267,18 @@ static int __sev_platform_init_locked(int *error)
> > > > }
> > > >
> > > > rc = __sev_do_cmd_locked(SEV_CMD_INIT, &data, error);
> > > > + if (rc && *error == SEV_RET_SECURE_DATA_INVALID) {
> > >
> > > There are no guarantees that @error is non-NULL as this is reachable via an
> > > exported function, sev_platform_init(). Which ties in with my complaints in the
> > > previous patch that the API is a bit of a mess.
> >
> > That seems like a bug from the caller right? Is it typical that we
> > sanity-check the caller in these instances?
>
> sev-dev.c needs to make up its mind. __sev_do_cmd_locked() very clearly allows
> a NULL @error, ergo all of the wrappers for sev_do_cmd() support a NULL @error.
>
> > For example the same comment could be made here:
> > https://elixir.bootlin.com/linux/latest/source/drivers/crypto/ccp/sev-dev.c#L336
> >
> > ```
> > static int sev_get_platform_state(int *state, int *error)
> > {
> > struct sev_user_data_status data;
> > int rc;
> >
> > rc = __sev_do_cmd_locked(SEV_CMD_PLATFORM_STATUS, &data, error);
> > if (rc)
> > return rc;
> >
> > *state = data.state; <--- State could be null.
>
> No, because this is an internal helper and all call sites can be easily audited.
>
> > return rc;
> > }
> > ```
> >
> > Example outside of this driver:
> > https://elixir.bootlin.com/linux/v5.15.1/source/arch/x86/kvm/x86.c#L468
> >
> > ```
> > int kvm_set_apic_base(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
> > {
> > enum lapic_mode old_mode = kvm_get_apic_mode(vcpu);
> > enum lapic_mode new_mode = kvm_apic_mode(msr_info->data); <---
> > msr_info could be null here
> > u64 reserved_bits = kvm_vcpu_reserved_gpa_bits_raw(vcpu) | 0x2ff |
> > (guest_cpuid_has(vcpu, X86_FEATURE_X2APIC) ? 0 : X2APIC_ENABLE);
> >
> > if ((msr_info->data & reserved_bits) != 0 || new_mode == LAPIC_MODE_INVALID)
> > return 1;
> > if (!msr_info->host_initiated) {
> > if (old_mode == LAPIC_MODE_X2APIC && new_mode == LAPIC_MODE_XAPIC)
> > return 1;
> > if (old_mode == LAPIC_MODE_DISABLED && new_mode == LAPIC_MODE_X2APIC)
> > return 1;
> > }
> >
> > kvm_lapic_set_base(vcpu, msr_info->data);
> > kvm_recalculate_apic_map(vcpu->kvm);
> > return 0;
> > }
> > EXPORT_SYMBOL_GPL(kvm_set_apic_base);
> > ```
>
> The difference is that KVM has consistent expecations for a set of functions,
> whereas sev-dev.c does not. Yes, KVM will explode if @msr_info is NULL, and
> there are undoubtedly a bajillion flows in the kernel that would do the same,
> but unlike the functions declared in include/linux/psp-sev.h() the requirements
> on the caller are fairly obvious. E.g. why should this be illegal from a caller's
> perspective?
>
> sev_platform_init(NULL);
> sev_platform_status(&status, NULL);
Ack. I'll store a intermediate error in __sev_platform_init_locked and
export to @error if its not null.
next prev parent reply other threads:[~2021-11-09 18:42 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-02 14:23 [PATCH V3 0/4] Add SEV_INIT_EX support Peter Gonda
2021-11-02 14:23 ` [PATCH V3 1/4] crypto: ccp - Fix SEV_INIT error logging on init Peter Gonda
2021-11-09 16:26 ` Sean Christopherson
2021-11-09 16:46 ` Peter Gonda
2021-11-09 19:25 ` Tom Lendacky
2021-11-10 17:29 ` Peter Gonda
2021-11-11 14:10 ` Tom Lendacky
2021-11-02 14:23 ` [PATCH V3 2/4] crypto: ccp - Move SEV_INIT retry for corrupted data Peter Gonda
2021-11-09 16:31 ` Sean Christopherson
2021-11-09 16:56 ` Peter Gonda
2021-11-09 17:30 ` Sean Christopherson
2021-11-09 18:42 ` Peter Gonda [this message]
2021-11-02 14:23 ` [PATCH V3 3/4] crypto: ccp - Refactor out sev_fw_alloc() Peter Gonda
2021-11-02 14:23 ` [PATCH V3 4/4] crypto: ccp - Add SEV_INIT_EX support Peter Gonda
2021-11-02 15:38 ` Tom Lendacky
2021-11-02 16:28 ` Peter Gonda
2021-11-09 17:21 ` Sean Christopherson
2021-11-09 20:09 ` Peter Gonda
2021-11-09 20:26 ` Sean Christopherson
2021-11-09 20:46 ` Peter Gonda
2021-11-09 22:19 ` Brijesh Singh
2021-11-10 15:32 ` Peter Gonda
2021-11-12 16:55 ` Peter Gonda
2021-11-12 17:46 ` Marc Orr
2021-11-12 17:49 ` Peter Gonda
2021-11-12 18:28 ` Marc Orr
2021-11-12 23:39 ` Brijesh Singh
2021-11-12 23:44 ` Peter Gonda
2021-11-12 23:50 ` Brijesh Singh
2021-11-15 17:42 ` Peter Gonda
2021-11-02 16:05 ` [PATCH V3 0/4] " Sean Christopherson
2021-11-02 16:25 ` Peter Gonda
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAMkAt6pF9cLQa5i4rqGVsrkwZSKsXbWBjY4sgGHVs+HT+4NtXA@mail.gmail.com \
--to=pgonda@google.com \
--cc=Thomas.Lendacky@amd.com \
--cc=brijesh.singh@amd.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=john.allen@amd.com \
--cc=jroedel@suse.de \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=marcorr@google.com \
--cc=pbonzini@redhat.com \
--cc=rientjes@google.com \
--cc=seanjc@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.