linux-coco.lists.linux.dev archive mirror
 help / color / mirror / Atom feed
From: Brijesh Singh <brijesh.singh@amd.com>
To: Sean Christopherson <seanjc@google.com>
Cc: brijesh.singh@amd.com, x86@kernel.org,
	linux-kernel@vger.kernel.org, kvm@vger.kernel.org,
	linux-efi@vger.kernel.org, platform-driver-x86@vger.kernel.org,
	linux-coco@lists.linux.dev, linux-mm@kvack.org,
	linux-crypto@vger.kernel.org,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>, Joerg Roedel <jroedel@suse.de>,
	Tom Lendacky <thomas.lendacky@amd.com>,
	"H. Peter Anvin" <hpa@zytor.com>,
	Ard Biesheuvel <ardb@kernel.org>,
	Paolo Bonzini <pbonzini@redhat.com>,
	Vitaly Kuznetsov <vkuznets@redhat.com>,
	Wanpeng Li <wanpengli@tencent.com>,
	Jim Mattson <jmattson@google.com>,
	Andy Lutomirski <luto@kernel.org>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Sergio Lopez <slp@redhat.com>, Peter Gonda <pgonda@google.com>,
	Peter Zijlstra <peterz@infradead.org>,
	Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>,
	David Rientjes <rientjes@google.com>,
	Dov Murik <dovmurik@linux.ibm.com>,
	Tobin Feldman-Fitzthum <tobin@ibm.com>,
	Borislav Petkov <bp@alien8.de>,
	Michael Roth <michael.roth@amd.com>,
	Vlastimil Babka <vbabka@suse.cz>,
	tony.luck@intel.com, npmccallum@redhat.com,
	brijesh.ksingh@gmail.com
Subject: Re: [PATCH Part2 RFC v4 37/40] KVM: SVM: Add support to handle the RMP nested page fault
Date: Tue, 20 Jul 2021 12:55:36 -0500	[thread overview]
Message-ID: <bff43050-aed7-011c-89e5-9899bd1df414@amd.com> (raw)
In-Reply-To: <YPYUe8hAz5/c7IW9@google.com>



On 7/19/21 7:10 PM, Sean Christopherson wrote:
> On Wed, Jul 07, 2021, Brijesh Singh wrote:
>> Follow the recommendation from APM2 section 15.36.10 and 15.36.11 to
>> resolve the RMP violation encountered during the NPT table walk.
> 
> Heh, please elaborate on exactly what that recommendation is.  A recommendation
> isn't exactly architectural, i.e. is subject to change :-)

I will try to expand it :)

> 
> And, do we have to follow the APM's recommendation?  

Yes, unless we want to be very strict on what a guest can do.


Specifically, can KVM treat
> #NPF RMP violations as guest errors, or is that not allowed by the GHCB spec?

The GHCB spec does not say anything about the #NPF RMP violation error. 
And not all #NPF RMP is a guest error (mainly those size mismatch etc).

> I.e. can we mandate accesses be preceded by page state change requests?  

This is a good question, the GHCB spec does not enforce that a guest 
*must* use page state. If the page state changes is not done by the 
guest then it will cause #NPF and its up to the hypervisor to decide on 
what it wants to do.


It would
> simplify KVM (albeit not much of a simplificiation) and would also make debugging
> easier since transitions would require an explicit guest request and guest bugs
> would result in errors instead of random corruption/weirdness.
> 

I am good with enforcing this from the KVM. But the question is, what 
fault we should inject in the guest when KVM detects that guest has 
issued the page state change.


>> index 46323af09995..117e2e08d7ed 100644
>> --- a/arch/x86/include/asm/kvm_host.h
>> +++ b/arch/x86/include/asm/kvm_host.h
>> @@ -1399,6 +1399,9 @@ struct kvm_x86_ops {
>>   
>>   	void (*write_page_begin)(struct kvm *kvm, struct kvm_memory_slot *slot, gfn_t gfn);
>>   	void (*write_page_end)(struct kvm *kvm, struct kvm_memory_slot *slot, gfn_t gfn);
>> +
>> +	int (*handle_rmp_page_fault)(struct kvm_vcpu *vcpu, gpa_t gpa, kvm_pfn_t pfn,
>> +			int level, u64 error_code);
>>   };
>>   
>>   struct kvm_x86_nested_ops {
>> diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
>> index e60f54455cdc..b6a676ba1862 100644
>> --- a/arch/x86/kvm/mmu/mmu.c
>> +++ b/arch/x86/kvm/mmu/mmu.c
>> @@ -5096,6 +5096,18 @@ static void kvm_mmu_pte_write(struct kvm_vcpu *vcpu, gpa_t gpa,
>>   	write_unlock(&vcpu->kvm->mmu_lock);
>>   }
>>   
>> +static int handle_rmp_page_fault(struct kvm_vcpu *vcpu, gpa_t gpa, u64 error_code)
>> +{
>> +	kvm_pfn_t pfn;
>> +	int level;
>> +
>> +	if (unlikely(!kvm_mmu_get_tdp_walk(vcpu, gpa, &pfn, &level)))
>> +		return RET_PF_RETRY;
>> +
>> +	kvm_x86_ops.handle_rmp_page_fault(vcpu, gpa, pfn, level, error_code);
>> +	return RET_PF_RETRY;
>> +}
>> +
>>   int kvm_mmu_page_fault(struct kvm_vcpu *vcpu, gpa_t cr2_or_gpa, u64 error_code,
>>   		       void *insn, int insn_len)
>>   {
>> @@ -5112,6 +5124,14 @@ int kvm_mmu_page_fault(struct kvm_vcpu *vcpu, gpa_t cr2_or_gpa, u64 error_code,
>>   			goto emulate;
>>   	}
>>   
>> +	if (unlikely(error_code & PFERR_GUEST_RMP_MASK)) {
>> +		r = handle_rmp_page_fault(vcpu, cr2_or_gpa, error_code);
> 
> Adding a kvm_x86_ops hook is silly, there's literally one path, npf_interception()
> that can encounter RMP violations.  Just invoke snp_handle_rmp_page_fault() from
> there.  That works even if kvm_mmu_get_tdp_walk() stays around since it was
> exported earlier.
> 

Noted.



>> +
>> +	/*
>> +	 * If it's a shared access, then make the page shared in the RMP table.
>> +	 */
>> +	if (rmpentry_assigned(e) && !private)
>> +		rc = snp_make_page_shared(vcpu, gpa, pfn, PG_LEVEL_4K);
> 
> Hrm, this really feels like it needs to be protected by mmu_lock.  Functionally,
> it might all work out in the end after enough RMP violations, but it's extremely
> difficult to reason about and probably even more difficult if multiple vCPUs end
> up fighting over a gfn.
> 

Lets see what's your thought on enforcing the page state change for the 
KVM. If we want the guest to issue the page state change before the 
access then this case will simply need to inject an error in the guest 
and we can remove all of it.

> My gut reaction is that this is also backwards, i.e. KVM should update the RMP
> to match its TDP SPTEs, not the other way around.
> 
> The one big complication is that the TDP MMU only takes mmu_lock for read.  A few
> options come to mind but none of them are all that pretty.  I'll wait to hear back
> on whether or not we can make PSC request mandatory before thinking too hard on
> this one.
> 


  reply	other threads:[~2021-07-20 17:55 UTC|newest]

Thread overview: 178+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-07-07 18:35 [PATCH Part2 RFC v4 00/40] Add AMD Secure Nested Paging (SEV-SNP) Hypervisor Support Brijesh Singh
2021-07-07 18:35 ` [PATCH Part2 RFC v4 01/40] KVM: SVM: Add support to handle AP reset MSR protocol Brijesh Singh
2021-07-14 20:17   ` Sean Christopherson
2021-07-15  7:39     ` Joerg Roedel
2021-07-15 13:42     ` Tom Lendacky
2021-07-15 15:45       ` Sean Christopherson
2021-07-15 17:05         ` Tom Lendacky
2021-07-07 18:35 ` [PATCH Part2 RFC v4 02/40] KVM: SVM: Provide the Hypervisor Feature support VMGEXIT Brijesh Singh
2021-07-14 20:37   ` Sean Christopherson
2021-07-14 21:00     ` Brijesh Singh
2021-07-07 18:35 ` [PATCH Part2 RFC v4 03/40] x86/cpufeatures: Add SEV-SNP CPU feature Brijesh Singh
2021-07-07 18:35 ` [PATCH Part2 RFC v4 04/40] x86/sev: Add the host SEV-SNP initialization support Brijesh Singh
2021-07-14 21:07   ` Sean Christopherson
2021-07-14 22:02     ` Brijesh Singh
2021-07-14 22:06       ` Sean Christopherson
2021-07-14 22:11         ` Brijesh Singh
2022-06-02 11:47   ` Jarkko Sakkinen
2022-06-06 11:42     ` Dr. David Alan Gilbert
2021-07-07 18:35 ` [PATCH Part2 RFC v4 05/40] x86/sev: Add RMP entry lookup helpers Brijesh Singh
2021-07-15 18:37   ` Sean Christopherson
2021-07-15 19:28     ` Brijesh Singh
2021-07-16 17:22       ` Brijesh Singh
2021-07-20 22:06         ` Sean Christopherson
2021-07-20 23:10           ` Brijesh Singh
2021-07-07 18:35 ` [PATCH Part2 RFC v4 06/40] x86/sev: Add helper functions for RMPUPDATE and PSMASH instruction Brijesh Singh
2021-07-12 18:44   ` Peter Gonda
2021-07-12 19:00     ` Dave Hansen
2021-07-15 18:56       ` Sean Christopherson
2021-07-15 19:08         ` Dave Hansen
2021-07-15 19:18           ` Sean Christopherson
2021-07-07 18:35 ` [PATCH Part2 RFC v4 07/40] x86/sev: Split the physmap when adding the page in RMP table Brijesh Singh
2021-07-14 22:25   ` Sean Christopherson
2021-07-15 17:05     ` Brijesh Singh
2021-07-15 17:51       ` Sean Christopherson
2021-07-15 18:14         ` Brijesh Singh
2021-07-15 18:39           ` Sean Christopherson
2021-07-15 19:38             ` Brijesh Singh
2021-07-15 22:01               ` Sean Christopherson
2021-07-15 22:11                 ` Brijesh Singh
2021-07-30 11:31               ` Vlastimil Babka
2021-07-30 16:10                 ` Brijesh Singh
2021-07-07 18:35 ` [PATCH Part2 RFC v4 08/40] x86/traps: Define RMP violation #PF error code Brijesh Singh
2021-07-15 19:02   ` Sean Christopherson
2021-07-15 19:16     ` Dave Hansen
2021-07-07 18:35 ` [PATCH Part2 RFC v4 09/40] x86/fault: Add support to dump RMP entry on fault Brijesh Singh
2021-07-07 19:21   ` Dave Hansen
2021-07-08 15:02     ` Brijesh Singh
2021-07-08 15:30       ` Dave Hansen
2021-07-08 16:48         ` Brijesh Singh
2021-07-08 16:58           ` Dave Hansen
2021-07-08 17:11             ` Brijesh Singh
2021-07-08 17:15               ` Dave Hansen
2021-07-07 18:35 ` [PATCH Part2 RFC v4 10/40] x86/fault: Add support to handle the RMP fault for user address Brijesh Singh
2021-07-08 16:16   ` Dave Hansen
2021-07-12 15:43     ` Brijesh Singh
2021-07-12 16:00       ` Dave Hansen
2021-07-12 16:11         ` Brijesh Singh
2021-07-12 16:15           ` Dave Hansen
2021-07-12 16:24             ` Brijesh Singh
2021-07-12 16:29               ` Dave Hansen
2021-07-12 16:49                 ` Brijesh Singh
2021-07-15 21:53                   ` Sean Christopherson
2021-07-30 16:00   ` Vlastimil Babka
2021-07-30 16:31     ` Dave Hansen
2021-07-07 18:35 ` [PATCH Part2 RFC v4 11/40] crypto:ccp: Define the SEV-SNP commands Brijesh Singh
2021-07-07 18:35 ` [PATCH Part2 RFC v4 12/40] crypto: ccp: Add support to initialize the AMD-SP for SEV-SNP Brijesh Singh
2021-07-07 18:35 ` [PATCH Part2 RFC v4 13/40] crypto: ccp: Shutdown SNP firmware on kexec Brijesh Singh
2021-07-07 18:35 ` [PATCH Part2 RFC v4 14/40] crypto:ccp: Provide APIs to issue SEV-SNP commands Brijesh Singh
2021-07-08 18:56   ` Dr. David Alan Gilbert
2021-07-07 18:35 ` [PATCH Part2 RFC v4 15/40] crypto: ccp: Handle the legacy TMR allocation when SNP is enabled Brijesh Singh
2021-07-14 13:22   ` Marc Orr
2021-07-14 16:45     ` Brijesh Singh
2021-07-14 18:14       ` Marc Orr
2021-07-15 23:48   ` Sean Christopherson
2021-07-16 12:55     ` Brijesh Singh
2021-07-16 15:35       ` Sean Christopherson
2021-07-16 15:47         ` Brijesh Singh
2021-07-07 18:35 ` [PATCH Part2 RFC v4 16/40] crypto: ccp: Handle the legacy SEV command " Brijesh Singh
2021-07-07 18:35 ` [PATCH Part2 RFC v4 17/40] crypto: ccp: Add the SNP_PLATFORM_STATUS command Brijesh Singh
2021-07-07 18:35 ` [PATCH Part2 RFC v4 18/40] crypto: ccp: Add the SNP_{SET,GET}_EXT_CONFIG command Brijesh Singh
2021-07-07 18:35 ` [PATCH Part2 RFC v4 19/40] crypto: ccp: provide APIs to query extended attestation report Brijesh Singh
2021-07-07 18:35 ` [PATCH Part2 RFC v4 20/40] KVM: SVM: Make AVIC backing, VMSA and VMCB memory allocation SNP safe Brijesh Singh
2021-07-14 13:35   ` Marc Orr
2021-07-14 16:47     ` Brijesh Singh
2021-07-20 18:02   ` Sean Christopherson
2021-08-03 14:38     ` Brijesh Singh
2021-07-07 18:35 ` [PATCH Part2 RFC v4 21/40] KVM: SVM: Add initial SEV-SNP support Brijesh Singh
2021-07-16 18:00   ` Sean Christopherson
2021-07-16 18:46     ` Brijesh Singh
2021-07-16 19:31       ` Sean Christopherson
2021-07-16 21:03         ` Brijesh Singh
2021-07-07 18:35 ` [PATCH Part2 RFC v4 22/40] KVM: SVM: Add KVM_SNP_INIT command Brijesh Singh
2021-07-16 19:33   ` Sean Christopherson
2021-07-16 21:25     ` Brijesh Singh
2021-07-19 20:24       ` Sean Christopherson
2021-07-07 18:35 ` [PATCH Part2 RFC v4 23/40] KVM: SVM: Add KVM_SEV_SNP_LAUNCH_START command Brijesh Singh
2021-07-12 18:45   ` Peter Gonda
2021-07-16 19:43   ` Sean Christopherson
2021-07-16 21:42     ` Brijesh Singh
2021-07-07 18:36 ` [PATCH Part2 RFC v4 24/40] KVM: SVM: Add KVM_SEV_SNP_LAUNCH_UPDATE command Brijesh Singh
2021-07-16 20:01   ` Sean Christopherson
2021-07-16 22:00     ` Brijesh Singh
2021-07-19 20:51       ` Sean Christopherson
2021-07-19 21:34         ` Brijesh Singh
2021-07-19 21:36           ` Brijesh Singh
2021-07-07 18:36 ` [PATCH Part2 RFC v4 25/40] KVM: SVM: Reclaim the guest pages when SEV-SNP VM terminates Brijesh Singh
2021-07-16 20:09   ` Sean Christopherson
2021-07-16 22:16     ` Brijesh Singh
2021-07-17  0:46       ` Sean Christopherson
2021-07-19 12:55         ` Brijesh Singh
2021-07-19 17:18           ` Sean Christopherson
2021-07-19 18:34             ` Brijesh Singh
2021-07-19 19:03               ` Sean Christopherson
2021-07-19 19:14                 ` Sean Christopherson
2021-07-19 19:37                 ` Brijesh Singh
2021-07-20 16:40                   ` Sean Christopherson
2021-07-20 18:23                     ` Brijesh Singh
2021-07-07 18:36 ` [PATCH Part2 RFC v4 26/40] KVM: SVM: Add KVM_SEV_SNP_LAUNCH_FINISH command Brijesh Singh
2021-07-16 20:18   ` Sean Christopherson
2021-07-16 22:48     ` Brijesh Singh
2021-07-19 16:54       ` Sean Christopherson
2021-07-19 18:29         ` Brijesh Singh
2021-07-19 19:14           ` Sean Christopherson
2021-07-19 19:49             ` Brijesh Singh
2021-07-19 20:13               ` Sean Christopherson
2021-07-21 17:53         ` Marc Orr
2021-07-07 18:36 ` [PATCH Part2 RFC v4 27/40] KVM: X86: Add kvm_x86_ops to get the max page level for the TDP Brijesh Singh
2021-07-16 19:19   ` Sean Christopherson
2021-07-16 20:41     ` Brijesh Singh
2021-07-20 19:38       ` Sean Christopherson
2021-07-20 20:06         ` Brijesh Singh
2021-07-07 18:36 ` [PATCH Part2 RFC v4 28/40] KVM: X86: Introduce kvm_mmu_map_tdp_page() for use by SEV Brijesh Singh
2021-07-16 18:15   ` Sean Christopherson
2021-07-07 18:36 ` [PATCH Part2 RFC v4 29/40] KVM: X86: Introduce kvm_mmu_get_tdp_walk() for SEV-SNP use Brijesh Singh
2021-07-07 18:36 ` [PATCH Part2 RFC v4 30/40] KVM: X86: Define new RMP check related #NPF error bits Brijesh Singh
2021-07-16 20:22   ` Sean Christopherson
2021-07-17  0:34     ` Brijesh Singh
2021-07-07 18:36 ` [PATCH Part2 RFC v4 31/40] KVM: X86: update page-fault trace to log the 64-bit error code Brijesh Singh
2021-07-16 20:25   ` Sean Christopherson
2021-07-17  0:35     ` Brijesh Singh
2021-07-07 18:36 ` [PATCH Part2 RFC v4 32/40] KVM: SVM: Add support to handle GHCB GPA register VMGEXIT Brijesh Singh
2021-07-16 20:45   ` Sean Christopherson
2021-07-17  0:44     ` Brijesh Singh
2021-07-19 20:04       ` Sean Christopherson
2021-07-07 18:36 ` [PATCH Part2 RFC v4 33/40] KVM: SVM: Add support to handle MSR based Page State Change VMGEXIT Brijesh Singh
2021-07-16 21:00   ` Sean Christopherson
2021-07-19 14:19     ` Brijesh Singh
2021-07-19 18:55       ` Sean Christopherson
2021-07-19 19:15         ` Brijesh Singh
2021-08-13 16:32         ` Borislav Petkov
2021-07-07 18:36 ` [PATCH Part2 RFC v4 34/40] KVM: SVM: Add support to handle " Brijesh Singh
2021-07-16 21:14   ` Sean Christopherson
2021-07-19 14:24     ` Brijesh Singh
2021-07-07 18:36 ` [PATCH Part2 RFC v4 35/40] KVM: Add arch hooks to track the host write to guest memory Brijesh Singh
2021-07-19 23:30   ` Sean Christopherson
2021-07-20 15:15     ` Brijesh Singh
2021-07-07 18:36 ` [PATCH Part2 RFC v4 36/40] KVM: X86: Export the kvm_zap_gfn_range() for the SNP use Brijesh Singh
2021-07-07 18:36 ` [PATCH Part2 RFC v4 37/40] KVM: SVM: Add support to handle the RMP nested page fault Brijesh Singh
2021-07-20  0:10   ` Sean Christopherson
2021-07-20 17:55     ` Brijesh Singh [this message]
2021-07-20 22:31       ` Sean Christopherson
2021-07-20 23:53         ` Brijesh Singh
2021-07-21 20:15           ` Sean Christopherson
2021-07-07 18:36 ` [PATCH Part2 RFC v4 38/40] KVM: SVM: Provide support for SNP_GUEST_REQUEST NAE event Brijesh Singh
2021-07-19 22:50   ` Sean Christopherson
2021-07-20 14:37     ` Brijesh Singh
2021-07-20 16:28       ` Sean Christopherson
2021-07-20 18:21         ` Brijesh Singh
2021-07-20 22:09           ` Sean Christopherson
2021-07-07 18:36 ` [PATCH Part2 RFC v4 39/40] KVM: SVM: Use a VMSA physical address variable for populating VMCB Brijesh Singh
2021-07-21  0:20   ` Sean Christopherson
2021-07-21 16:26     ` Tom Lendacky
2021-07-07 18:36 ` [PATCH Part2 RFC v4 40/40] KVM: SVM: Support SEV-SNP AP Creation NAE event Brijesh Singh
2021-07-21  0:01   ` Sean Christopherson
2021-07-21 17:47     ` Tom Lendacky
2021-07-21 19:52       ` Sean Christopherson
2021-08-20 14:44         ` Tom Lendacky
2021-07-08 15:40 ` [PATCH Part2 RFC v4 00/40] Add AMD Secure Nested Paging (SEV-SNP) Hypervisor Support Dave Hansen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=bff43050-aed7-011c-89e5-9899bd1df414@amd.com \
    --to=brijesh.singh@amd.com \
    --cc=ardb@kernel.org \
    --cc=bp@alien8.de \
    --cc=brijesh.ksingh@gmail.com \
    --cc=dave.hansen@linux.intel.com \
    --cc=dovmurik@linux.ibm.com \
    --cc=hpa@zytor.com \
    --cc=jmattson@google.com \
    --cc=jroedel@suse.de \
    --cc=kvm@vger.kernel.org \
    --cc=linux-coco@lists.linux.dev \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-efi@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=luto@kernel.org \
    --cc=michael.roth@amd.com \
    --cc=mingo@redhat.com \
    --cc=npmccallum@redhat.com \
    --cc=pbonzini@redhat.com \
    --cc=peterz@infradead.org \
    --cc=pgonda@google.com \
    --cc=platform-driver-x86@vger.kernel.org \
    --cc=rientjes@google.com \
    --cc=seanjc@google.com \
    --cc=slp@redhat.com \
    --cc=srinivas.pandruvada@linux.intel.com \
    --cc=tglx@linutronix.de \
    --cc=thomas.lendacky@amd.com \
    --cc=tobin@ibm.com \
    --cc=tony.luck@intel.com \
    --cc=vbabka@suse.cz \
    --cc=vkuznets@redhat.com \
    --cc=wanpengli@tencent.com \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).