From: Peter Gonda <pgonda@google.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org,
Sean Christopherson <seanjc@google.com>
Subject: Re: [PATCH 08/12] selftests: sev_migrate_tests: add tests for KVM_CAP_VM_COPY_ENC_CONTEXT_FROM
Date: Tue, 7 Dec 2021 13:11:40 -0700 [thread overview]
Message-ID: <CAMkAt6pLD-r9Zi+31nZYZKh=EpeYPc-nyc8pA_5DtspB3Xv03w@mail.gmail.com> (raw)
In-Reply-To: <CAMkAt6ouPVpRAAEhT1SgYEr3egiVCziKxV0viRiQxg7MD0dHHQ@mail.gmail.com>
On Wed, Dec 1, 2021 at 11:09 AM Peter Gonda <pgonda@google.com> wrote:
>
> On Mon, Nov 22, 2021 at 5:50 PM Paolo Bonzini <pbonzini@redhat.com> wrote:
> >
> > I am putting the tests in sev_migrate_tests because the failure conditions are
> > very similar and some of the setup code can be reused, too.
> >
> > The tests cover both successful creation of a mirror VM, and error
> > conditions.
> >
> > Cc: Peter Gonda <pgonda@google.com>
> > Cc: Sean Christopherson <seanjc@google.com>
> > Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> > ---
> > .../selftests/kvm/x86_64/sev_migrate_tests.c | 112 ++++++++++++++++--
> > 1 file changed, 105 insertions(+), 7 deletions(-)
> >
> > diff --git a/tools/testing/selftests/kvm/x86_64/sev_migrate_tests.c b/tools/testing/selftests/kvm/x86_64/sev_migrate_tests.c
> > index 0cd7e2eaa895..d265cea5de85 100644
> > --- a/tools/testing/selftests/kvm/x86_64/sev_migrate_tests.c
> > +++ b/tools/testing/selftests/kvm/x86_64/sev_migrate_tests.c
> > @@ -54,12 +54,15 @@ static struct kvm_vm *sev_vm_create(bool es)
> > return vm;
> > }
> >
> > -static struct kvm_vm *__vm_create(void)
> > +static struct kvm_vm *aux_vm_create(bool with_vcpus)
> > {
> > struct kvm_vm *vm;
> > int i;
> >
> > vm = vm_create(VM_MODE_DEFAULT, 0, O_RDWR);
> > + if (!with_vcpus)
> > + return vm;
> > +
> > for (i = 0; i < NR_MIGRATE_TEST_VCPUS; ++i)
> > vm_vcpu_add(vm, i);
> >
> > @@ -93,7 +96,7 @@ static void test_sev_migrate_from(bool es)
> >
> > src_vm = sev_vm_create(es);
> > for (i = 0; i < NR_MIGRATE_TEST_VMS; ++i)
> > - dst_vms[i] = __vm_create();
> > + dst_vms[i] = aux_vm_create(true);
> >
> > /* Initial migration from the src to the first dst. */
> > sev_migrate_from(dst_vms[0]->fd, src_vm->fd);
> > @@ -162,7 +165,7 @@ static void test_sev_migrate_parameters(void)
> > sev_vm = sev_vm_create(/* es= */ false);
> > sev_es_vm = sev_vm_create(/* es= */ true);
> > vm_no_vcpu = vm_create(VM_MODE_DEFAULT, 0, O_RDWR);
> > - vm_no_sev = __vm_create();
> > + vm_no_sev = aux_vm_create(true);
> > sev_es_vm_no_vmsa = vm_create(VM_MODE_DEFAULT, 0, O_RDWR);
> > sev_ioctl(sev_es_vm_no_vmsa->fd, KVM_SEV_ES_INIT, NULL);
> > vm_vcpu_add(sev_es_vm_no_vmsa, 1);
> > @@ -203,11 +206,106 @@ static void test_sev_migrate_parameters(void)
> > kvm_vm_free(vm_no_sev);
> > }
> >
> > +static int __sev_mirror_create(int dst_fd, int src_fd)
> > +{
> > + struct kvm_enable_cap cap = {
> > + .cap = KVM_CAP_VM_COPY_ENC_CONTEXT_FROM,
> > + .args = { src_fd }
> > + };
> > +
> > + return ioctl(dst_fd, KVM_ENABLE_CAP, &cap);
> > +}
> > +
> > +
> > +static void sev_mirror_create(int dst_fd, int src_fd)
> > +{
> > + int ret;
> > +
> > + ret = __sev_mirror_create(dst_fd, src_fd);
> > + TEST_ASSERT(!ret, "Copying context failed, ret: %d, errno: %d\n", ret, errno);
> > +}
> > +
> > +static void test_sev_mirror(bool es)
> > +{
> > + struct kvm_vm *src_vm, *dst_vm;
> > + struct kvm_sev_launch_start start = {
> > + .policy = es ? SEV_POLICY_ES : 0
> > + };
> > + int i;
> > +
> > + src_vm = sev_vm_create(es);
> > + dst_vm = aux_vm_create(false);
> > +
> > + sev_mirror_create(dst_vm->fd, src_vm->fd);
> > +
> > + /* Check that we can complete creation of the mirror VM. */
> > + for (i = 0; i < NR_MIGRATE_TEST_VCPUS; ++i)
> > + vm_vcpu_add(dst_vm, i);
> > + sev_ioctl(dst_vm->fd, KVM_SEV_LAUNCH_START, &start);
>
> I don't think this should be called on the mirror and I think it
> should be an error.
>
> In is_cmd_allowed_from_mirror() KVM_SEV_LAUNCH_START should not be allowed:
>
> if (cmd_id == KVM_SEV_LAUNCH_UPDATE_VMSA ||
> cmd_id == KVM_SEV_GUEST_STATUS || cmd_id == KVM_SEV_DBG_DECRYPT ||
> cmd_id == KVM_SEV_DBG_ENCRYPT)
> return true;
>
> This overrides the mirrored values and sets up the VM as a new SEV
> context. I would have thought the sev_bind_asid() in
> sev_launch_start() would fail because the asid is already used by the
> source.
Since you already queue'd this I sent another patch to fix the issue
with sev_ioctl() and remove this call.
>
> > + if (es)
> > + sev_ioctl(dst_vm->fd, KVM_SEV_LAUNCH_UPDATE_VMSA, NULL);
> > +
> > + kvm_vm_free(src_vm);
> > + kvm_vm_free(dst_vm);
> > +}
> > +
> > +static void test_sev_mirror_parameters(void)
> > +{
> > + struct kvm_vm *sev_vm, *sev_es_vm, *vm_no_vcpu, *vm_with_vcpu;
> > + int ret;
> > +
> > + sev_vm = sev_vm_create(/* es= */ false);
> > + sev_es_vm = sev_vm_create(/* es= */ true);
> > + vm_with_vcpu = aux_vm_create(true);
> > + vm_no_vcpu = aux_vm_create(false);
> > +
> > + ret = __sev_mirror_create(sev_vm->fd, sev_vm->fd);
> > + TEST_ASSERT(
> > + ret == -1 && errno == EINVAL,
> > + "Should not be able copy context to self. ret: %d, errno: %d\n",
> > + ret, errno);
> > +
> > + ret = __sev_mirror_create(sev_vm->fd, sev_es_vm->fd);
> > + TEST_ASSERT(
> > + ret == -1 && errno == EINVAL,
> > + "Should not be able copy context to SEV enabled VM. ret: %d, errno: %d\n",
> > + ret, errno);
> > +
> > + ret = __sev_mirror_create(sev_es_vm->fd, sev_vm->fd);
> > + TEST_ASSERT(
> > + ret == -1 && errno == EINVAL,
> > + "Should not be able copy context to SEV-ES enabled VM. ret: %d, errno: %d\n",
> > + ret, errno);
> > +
> > + ret = __sev_mirror_create(vm_no_vcpu->fd, vm_with_vcpu->fd);
> > + TEST_ASSERT(ret == -1 && errno == EINVAL,
> > + "Copy context requires SEV enabled. ret %d, errno: %d\n", ret,
> > + errno);
> > +
> > + ret = __sev_mirror_create(vm_with_vcpu->fd, sev_vm->fd);
> > + TEST_ASSERT(
> > + ret == -1 && errno == EINVAL,
> > + "SEV copy context requires no vCPUS on the destination. ret: %d, errno: %d\n",
> > + ret, errno);
> > +
> > + kvm_vm_free(sev_vm);
> > + kvm_vm_free(sev_es_vm);
> > + kvm_vm_free(vm_with_vcpu);
> > + kvm_vm_free(vm_no_vcpu);
> > +}
> > +
> > int main(int argc, char *argv[])
> > {
> > - test_sev_migrate_from(/* es= */ false);
> > - test_sev_migrate_from(/* es= */ true);
> > - test_sev_migrate_locking();
> > - test_sev_migrate_parameters();
> > + if (kvm_check_cap(KVM_CAP_VM_MOVE_ENC_CONTEXT_FROM)) {
> > + test_sev_migrate_from(/* es= */ false);
> > + test_sev_migrate_from(/* es= */ true);
> > + test_sev_migrate_locking();
> > + test_sev_migrate_parameters();
> > + }
> > + if (kvm_check_cap(KVM_CAP_VM_COPY_ENC_CONTEXT_FROM)) {
> > + test_sev_mirror(/* es= */ false);
> > + test_sev_mirror(/* es= */ true);
> > + test_sev_mirror_parameters();
> > + }
> > return 0;
> > }
> > --
> > 2.27.0
> >
> >
next prev parent reply other threads:[~2021-12-07 20:11 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-23 0:50 [PATCH 00/12] Fixes for KVM_CAP_VM_MOVE/COPY_ENC_CONTEXT_FROM Paolo Bonzini
2021-11-23 0:50 ` [PATCH 01/12] selftests: fix check for circular KVM_CAP_VM_MOVE_ENC_CONTEXT_FROM Paolo Bonzini
2021-12-01 15:52 ` Peter Gonda
2021-11-23 0:50 ` [PATCH 02/12] selftests: sev_migrate_tests: free all VMs Paolo Bonzini
2021-12-01 15:54 ` Peter Gonda
2021-11-23 0:50 ` [PATCH 03/12] KVM: SEV: expose KVM_CAP_VM_MOVE_ENC_CONTEXT_FROM capability Paolo Bonzini
2021-11-29 22:28 ` Sean Christopherson
2021-12-01 15:55 ` Peter Gonda
2021-11-23 0:50 ` [PATCH 04/12] KVM: SEV: do not use list_replace_init on an empty list Paolo Bonzini
2021-11-29 22:27 ` Sean Christopherson
2021-11-23 0:50 ` [PATCH 05/12] KVM: SEV: cleanup locking for KVM_CAP_VM_MOVE_ENC_CONTEXT_FROM Paolo Bonzini
2021-12-01 16:11 ` Peter Gonda
2021-11-23 0:50 ` [PATCH 06/12] KVM: SEV: initialize regions_list of a mirror VM Paolo Bonzini
2021-11-29 23:00 ` Sean Christopherson
2021-11-23 0:50 ` [PATCH 07/12] KVM: SEV: move mirror status to destination of KVM_CAP_VM_MOVE_ENC_CONTEXT_FROM Paolo Bonzini
2021-11-29 23:02 ` Sean Christopherson
2021-11-23 0:50 ` [PATCH 08/12] selftests: sev_migrate_tests: add tests for KVM_CAP_VM_COPY_ENC_CONTEXT_FROM Paolo Bonzini
2021-12-01 18:09 ` Peter Gonda
2021-12-07 20:11 ` Peter Gonda [this message]
2021-11-23 0:50 ` [PATCH 09/12] KVM: SEV: Do COPY_ENC_CONTEXT_FROM with both VMs locked Paolo Bonzini
2021-11-29 23:08 ` Sean Christopherson
2021-11-23 0:50 ` [PATCH 10/12] KVM: SEV: Prohibit migration of a VM that has mirrors Paolo Bonzini
2021-11-29 22:54 ` Sean Christopherson
2021-12-01 18:17 ` Peter Gonda
2021-12-01 18:21 ` Paolo Bonzini
2021-11-23 0:50 ` [PATCH 11/12] KVM: SEV: do not take kvm->lock when destroying Paolo Bonzini
2021-11-29 22:31 ` Sean Christopherson
2021-11-23 0:50 ` [PATCH 12/12] KVM: SEV: accept signals in sev_lock_two_vms Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAMkAt6pLD-r9Zi+31nZYZKh=EpeYPc-nyc8pA_5DtspB3Xv03w@mail.gmail.com' \
--to=pgonda@google.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=seanjc@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.