From: Joerg Roedel <email@example.com> To: "Eric W. Biederman" <firstname.lastname@example.org> Cc: Joerg Roedel <email@example.com>, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, Andy Lutomirski <firstname.lastname@example.org>, Dave Hansen <email@example.com>, Peter Zijlstra <firstname.lastname@example.org>, Jiri Slaby <email@example.com>, Dan Williams <firstname.lastname@example.org>, Tom Lendacky <email@example.com>, Juergen Gross <firstname.lastname@example.org>, Kees Cook <email@example.com>, David Rientjes <firstname.lastname@example.org>, Cfir Cohen <email@example.com>, Erdem Aktas <firstname.lastname@example.org>, Masami Hiramatsu <email@example.com>, Mike Stunes <firstname.lastname@example.org>, Sean Christopherson <email@example.com>, Martin Radev <firstname.lastname@example.org>, Arvind Sankar <email@example.com>, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com Subject: Re: [PATCH 2/2] x86/kexec/64: Forbid kexec when running as an SEV-ES guest Date: Thu, 6 May 2021 22:41:05 +0200 [thread overview] Message-ID: <YJRUYWRItEziB2eP@8bytes.org> (raw) In-Reply-To: <firstname.lastname@example.org> On Thu, May 06, 2021 at 01:59:42PM -0500, Eric W. Biederman wrote: > Joerg Roedel <email@example.com> writes: > Why does it need that? > > Would it not make sense to instead teach kexec how to pass a cpu from > one kernel to another. We could use that everywhere. > > Even the kexec-on-panic case should work as even in that case we have > to touch the cpus as they go down. > > The hardware simply worked well enough that it hasn't mattered enough > for us to do something like that, but given that we need to do something > anyway. It seems like it would make most sense do something that > will work everywhere, and does not introduce unnecessary dependencies > on hypervisors. Well, I guess we could implement something that even works for non SEV-ES guests and bare-metal. The question is what benefit we get from that. Is the SIPI sequence currently used not reliable enough? The benefit of being able to rely on the SIPI sequence is that the kexec'ed kernel can use the same method to bring up APs as the first kernel did. Btw, the same is true for SEV-ES guests, The goal is bring the APs of an SEV-ES guest into a state where they will use the SEV-ES method of AP-bringup when they wake up again. This method involves a firmware-owned page called the AP-jump-table, which contains the reset vector for the AP in its first 4 bytes. > > As I said above, for protocol version 1 it will stay disabled, so it is > > not only a temporary hack. > > Why does bringing up a cpu need hypervisor support? When a CPU is taken offline under SEV-ES it will do a special hypercall named AP-reset-hold. The hypervisor will put the CPU into a halt state until the next SIPI arrives. In protocol version 1 this hypercall requires a GHCB shared page to be set up for the CPU doing the hypercall and upon CPU wakeup the HV will write to that shared page. Problem with that is that the page which contains the GHCB is already owned by the new kernel then and is probably not shared anymore, which can cause data corruption in the new kernel. Version 2 of the protocol adds a purely MSR based version of the AP-reset-hold hypercall. This one does not need a GHCB page and has to be used to bring the APs offline before doing the kexec. That is the reason I plan to only support kexec when the hypervisor provides version 2 of the protocol. Regards, Joerg
prev parent reply other threads:[~2021-05-06 20:41 UTC|newest] Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top 2021-05-06 9:31 [PATCH 0/2] x86: Disable kexec for SEV-ES guests Joerg Roedel 2021-05-06 9:31 ` [PATCH 1/2] kexec: Allow architecture code to opt-out at runtime Joerg Roedel 2021-05-06 15:43 ` Sean Christopherson 2021-05-06 18:24 ` Joerg Roedel 2021-05-06 9:31 ` [PATCH 2/2] x86/kexec/64: Forbid kexec when running as an SEV-ES guest Joerg Roedel 2021-05-06 17:42 ` Eric W. Biederman 2021-05-06 18:41 ` Joerg Roedel 2021-05-06 18:59 ` Eric W. Biederman 2021-05-06 20:41 ` Joerg Roedel [this message]
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=YJRUYWRItEziB2eP@8bytes.org \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --subject='Re: [PATCH 2/2] x86/kexec/64: Forbid kexec when running as an SEV-ES guest' \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).