From: "Andy Lutomirski" <luto@kernel.org>
To: "Dave Hansen" <dave.hansen@intel.com>,
"Borislav Petkov" <bp@alien8.de>,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: "Sean Christopherson" <seanjc@google.com>,
"Andrew Morton" <akpm@linux-foundation.org>,
"Joerg Roedel" <jroedel@suse.de>,
"Ard Biesheuvel" <ardb@kernel.org>,
"Andi Kleen" <ak@linux.intel.com>,
"Sathyanarayanan Kuppuswamy"
<sathyanarayanan.kuppuswamy@linux.intel.com>,
"David Rientjes" <rientjes@google.com>,
"Vlastimil Babka" <vbabka@suse.cz>,
"Tom Lendacky" <thomas.lendacky@amd.com>,
"Thomas Gleixner" <tglx@linutronix.de>,
"Peter Zijlstra (Intel)" <peterz@infradead.org>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Ingo Molnar" <mingo@redhat.com>,
"Varad Gautam" <varad.gautam@suse.com>,
"Dario Faggioli" <dfaggioli@suse.com>,
"Mike Rapoport" <rppt@kernel.org>,
"David Hildenbrand" <david@redhat.com>,
"Marcelo Henrique Cerri" <marcelo.cerri@canonical.com>,
tim.gardner@canonical.com, khalid.elmously@canonical.com,
philip.cox@canonical.com,
"the arch/x86 maintainers" <x86@kernel.org>,
linux-mm@kvack.org, linux-coco@lists.linux.dev,
linux-efi@vger.kernel.org,
"Linux Kernel Mailing List" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCHv7 10/14] x86/mm: Avoid load_unaligned_zeropad() stepping into unaccepted memory
Date: Sat, 13 Aug 2022 09:04:58 -0700 [thread overview]
Message-ID: <f2cf11d3-c2f8-4add-ab58-19a4844be361@www.fastmail.com> (raw)
In-Reply-To: <073c5a97-272c-c5a0-19f2-c3f14f916c72@intel.com>
On Wed, Aug 3, 2022, at 7:02 AM, Dave Hansen wrote:
> On 8/2/22 16:46, Dave Hansen wrote:
>> To sum it all up, I'm not happy with the complexity of the page
>> acceptance code either but I'm not sure that it's bad tradeoff compared
>> to greater #VE complexity or fragility.
>>
>> Does anyone think we should go back and really reconsider this?
>
> One other thing I remembered as I re-read my write up on this.
>
> In the "new" mode, guests never get #VE's for unaccepted memory. They
> just exit to the host and can never be reentered. They must be killed.
>
> In the "old" mode, I _believe_ that the guest always gets a #VE for
> non-EPT-present memory. The #VE is basically the same no matter if the
> page is unaccepted or if the host goes out and makes a
> previously-accepted page non-present.
>
> One really nasty implication of this "old" mode is that the host can
> remove *accepted* pages that are used in the syscall gap. That means
> that the #VE handler would need to be of the paranoid variety which
> opens up all kinds of other fun.
>
> * "Old" - #VE's can happen in the syscall gap
> * "New" - #VE's happen at better-defined times. Unexpected ones are
> fatal.
>
> There's a third option which I proposed but doesn't yet exist. The TDX
> module _could_ separate the behavior of unaccepted memory #VE's and
> host-induced #VEs. This way, we could use load_unaligned_zeropad() with
> impunity and handle it in the #VE handler. At the same time, the host
> would not be allowed to remove accepted memory and cause problems in the
> syscall gap. Kinda the best of both worlds.
>
> But, I'm not sure how valuable that would be now that we have the
> (admittedly squirrelly) code to avoid load_unaligned_zeropad() #VE's.
How would that be implemented? It would need to track which GPAs *were* accepted across a host-induced unmap/remap cycle. This would involve preventing the host from ever completely removing a secure EPT table without the guest’s help, right?
Admittedly this would IMO be better behavior. Is it practical to implement?
next prev parent reply other threads:[~2022-08-13 16:05 UTC|newest]
Thread overview: 139+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-14 12:02 [PATCHv7 00/14] mm, x86/cc: Implement support for unaccepted memory Kirill A. Shutemov
2022-06-14 12:02 ` [PATCHv7 01/14] x86/boot: Centralize __pa()/__va() definitions Kirill A. Shutemov
2022-06-23 17:37 ` Dave Hansen
2022-06-14 12:02 ` [PATCHv7 02/14] mm: Add support for unaccepted memory Kirill A. Shutemov
2022-06-14 12:57 ` Gupta, Pankaj
2022-06-17 19:28 ` Tom Lendacky
2022-06-17 20:53 ` Tom Lendacky
2022-07-21 15:14 ` Borislav Petkov
2022-07-21 15:49 ` Dave Hansen
2022-07-22 19:18 ` Borislav Petkov
2022-07-22 19:30 ` Dave Hansen
2022-07-25 12:23 ` Borislav Petkov
2022-07-25 12:38 ` David Hildenbrand
2022-07-25 12:53 ` Borislav Petkov
2022-07-26 14:30 ` David Hildenbrand
2022-07-25 13:00 ` Mike Rapoport
2022-07-25 13:05 ` Borislav Petkov
2022-08-05 11:49 ` Vlastimil Babka
2022-08-05 12:09 ` David Hildenbrand
2022-08-05 13:38 ` Vlastimil Babka
2022-08-05 14:22 ` David Hildenbrand
2022-08-05 14:53 ` Dave Hansen
2022-08-05 14:41 ` Dave Hansen
2022-08-05 18:17 ` Vlastimil Babka
2022-08-08 15:55 ` Dave Hansen
2022-08-10 14:19 ` Mel Gorman
2022-08-15 21:08 ` Dionna Amalie Glaze
2022-08-15 22:02 ` Tom Lendacky
2022-08-29 16:02 ` Dionna Amalie Glaze
2022-08-29 16:19 ` Dave Hansen
2022-09-06 17:50 ` Dionna Amalie Glaze
2022-09-08 12:11 ` Mike Rapoport
2022-09-08 16:23 ` Dionna Amalie Glaze
2022-09-08 19:28 ` Mike Rapoport
2022-09-22 14:31 ` Tom Lendacky
2022-09-24 1:03 ` Kirill A. Shutemov
2022-09-24 9:36 ` Mike Rapoport
2022-09-26 12:10 ` Kirill A. Shutemov
2022-09-26 13:38 ` Tom Lendacky
2022-09-26 15:42 ` Kirill A. Shutemov
2022-09-26 15:42 ` Tom Lendacky
2022-06-14 12:02 ` [PATCHv7 03/14] mm: Report unaccepted memory in meminfo Kirill A. Shutemov
2022-07-26 14:33 ` David Hildenbrand
2022-06-14 12:02 ` [PATCHv7 04/14] efi/x86: Get full memory map in allocate_e820() Kirill A. Shutemov
2022-07-25 13:02 ` Borislav Petkov
2022-06-14 12:02 ` [PATCHv7 05/14] x86/boot: Add infrastructure required for unaccepted memory support Kirill A. Shutemov
2022-06-15 10:19 ` Peter Zijlstra
2022-06-15 15:05 ` Kirill A. Shutemov
2022-07-17 17:16 ` Borislav Petkov
2022-07-25 21:33 ` Borislav Petkov
2022-06-14 12:02 ` [PATCHv7 06/14] efi/x86: Implement support for unaccepted memory Kirill A. Shutemov
2022-06-22 19:58 ` Dave Hansen
2022-07-26 8:35 ` Borislav Petkov
2022-06-14 12:02 ` [PATCHv7 07/14] x86/boot/compressed: Handle " Kirill A. Shutemov
2022-06-14 12:02 ` [PATCHv7 08/14] x86/mm: Reserve unaccepted memory bitmap Kirill A. Shutemov
2022-07-26 9:07 ` Borislav Petkov
2022-11-30 1:28 ` Kirill A. Shutemov
2022-12-01 9:37 ` Mike Rapoport
2022-12-01 13:47 ` Kirill A. Shutemov
2022-06-14 12:02 ` [PATCHv7 09/14] x86/mm: Provide helpers for unaccepted memory Kirill A. Shutemov
2022-06-14 12:02 ` [PATCHv7 10/14] x86/mm: Avoid load_unaligned_zeropad() stepping into " Kirill A. Shutemov
2022-06-23 17:19 ` Dave Hansen
2022-07-26 10:21 ` Borislav Petkov
2022-08-02 23:46 ` Dave Hansen
2022-08-03 14:02 ` Dave Hansen
2022-08-11 11:26 ` Borislav Petkov
2022-08-13 16:11 ` Andy Lutomirski
2022-08-13 21:13 ` Kirill A. Shutemov
2022-08-13 16:04 ` Andy Lutomirski [this message]
2022-08-13 20:58 ` Kirill A. Shutemov
2022-07-26 17:25 ` Borislav Petkov
2022-07-26 17:46 ` Dave Hansen
2022-07-26 20:17 ` Andy Lutomirski
2022-08-09 11:38 ` Kirill A. Shutemov
2022-08-13 16:03 ` Andy Lutomirski
2022-08-13 21:02 ` Kirill A. Shutemov
2022-06-14 12:02 ` [PATCHv7 11/14] x86: Disable kexec if system has " Kirill A. Shutemov
2022-06-23 17:23 ` Dave Hansen
2022-06-23 21:48 ` Eric W. Biederman
2022-06-24 2:00 ` Kirill A. Shutemov
2022-06-28 23:51 ` Kirill A. Shutemov
2022-06-29 0:10 ` Dave Hansen
2022-06-29 0:59 ` Kirill A. Shutemov
2022-07-04 7:18 ` Dave Young
2022-06-14 12:02 ` [PATCHv7 12/14] x86/tdx: Make _tdx_hypercall() and __tdx_module_call() available in boot stub Kirill A. Shutemov
2022-06-23 17:25 ` Dave Hansen
2022-06-14 12:02 ` [PATCHv7 13/14] x86/tdx: Refactor try_accept_one() Kirill A. Shutemov
2022-06-23 17:31 ` Dave Hansen
2022-07-26 10:58 ` Borislav Petkov
2022-06-14 12:02 ` [PATCHv7 14/14] x86/tdx: Add unaccepted memory support Kirill A. Shutemov
2022-06-24 16:22 ` Dave Hansen
2022-06-27 10:42 ` Kirill A. Shutemov
2022-07-26 14:51 ` Borislav Petkov
2022-08-09 11:45 ` Kirill A. Shutemov
2022-08-10 10:27 ` Borislav Petkov
2022-06-24 16:37 ` [PATCHv7 00/14] mm, x86/cc: Implement support for unaccepted memory Peter Gonda
2022-06-24 16:57 ` Dave Hansen
2022-06-24 17:06 ` Marc Orr
2022-06-24 17:09 ` Dave Hansen
2022-06-24 17:15 ` Peter Gonda
2022-06-24 17:19 ` Marc Orr
2022-06-24 17:21 ` Peter Gonda
2022-06-24 17:47 ` Dave Hansen
2022-06-24 18:10 ` Peter Gonda
2022-06-24 18:13 ` Dave Hansen
2022-06-24 17:40 ` Michael Roth
2022-06-24 17:58 ` Michael Roth
2022-06-24 18:05 ` Peter Gonda
2022-06-27 11:30 ` Kirill A. Shutemov
2022-06-27 11:54 ` Ard Biesheuvel
2022-06-27 12:22 ` Kirill A. Shutemov
2022-06-27 16:17 ` Peter Gonda
2022-06-27 16:33 ` Ard Biesheuvel
2022-06-27 22:38 ` Kirill A. Shutemov
2022-06-28 17:17 ` Ard Biesheuvel
2022-07-18 17:21 ` Kirill A. Shutemov
2022-07-18 23:32 ` Dionna Amalie Glaze
2022-07-19 0:31 ` Dionna Amalie Glaze
2022-07-19 18:29 ` Dionna Amalie Glaze
2022-07-19 19:13 ` Borislav Petkov
2022-07-19 20:45 ` Ard Biesheuvel
2022-07-19 21:23 ` Borislav Petkov
2022-07-19 21:35 ` Dave Hansen
2022-07-19 21:50 ` Borislav Petkov
2022-07-19 22:01 ` Kirill A. Shutemov
2022-07-19 22:02 ` Dave Hansen
2022-07-19 22:08 ` Tom Lendacky
2022-07-20 0:26 ` Marc Orr
2022-07-20 5:44 ` Borislav Petkov
2022-07-20 17:03 ` Marc Orr
2022-07-22 15:07 ` Borislav Petkov
2022-07-21 17:12 ` Dave Hansen
2022-07-23 11:14 ` Ard Biesheuvel
2022-07-28 22:01 ` Dionna Amalie Glaze
2022-08-09 11:14 ` Kirill A. Shutemov
2022-08-09 11:36 ` Ard Biesheuvel
2022-08-09 11:54 ` Kirill A. Shutemov
2022-08-09 21:09 ` Dionna Amalie Glaze
2022-07-19 2:48 ` Yao, Jiewen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f2cf11d3-c2f8-4add-ab58-19a4844be361@www.fastmail.com \
--to=luto@kernel.org \
--cc=ak@linux.intel.com \
--cc=akpm@linux-foundation.org \
--cc=ardb@kernel.org \
--cc=bp@alien8.de \
--cc=dave.hansen@intel.com \
--cc=david@redhat.com \
--cc=dfaggioli@suse.com \
--cc=jroedel@suse.de \
--cc=khalid.elmously@canonical.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=linux-coco@lists.linux.dev \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=marcelo.cerri@canonical.com \
--cc=mingo@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peterz@infradead.org \
--cc=philip.cox@canonical.com \
--cc=rientjes@google.com \
--cc=rppt@kernel.org \
--cc=sathyanarayanan.kuppuswamy@linux.intel.com \
--cc=seanjc@google.com \
--cc=tglx@linutronix.de \
--cc=thomas.lendacky@amd.com \
--cc=tim.gardner@canonical.com \
--cc=varad.gautam@suse.com \
--cc=vbabka@suse.cz \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).