linux-crypto.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Borislav Petkov <bp@alien8.de>
To: Brijesh Singh <brijesh.singh@amd.com>
Cc: x86@kernel.org, linux-kernel@vger.kernel.org,
	kvm@vger.kernel.org, linux-efi@vger.kernel.org,
	platform-driver-x86@vger.kernel.org, linux-coco@lists.linux.dev,
	linux-mm@kvack.org, linux-crypto@vger.kernel.org,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>, Joerg Roedel <jroedel@suse.de>,
	Tom Lendacky <thomas.lendacky@amd.com>,
	"H. Peter Anvin" <hpa@zytor.com>,
	Ard Biesheuvel <ardb@kernel.org>,
	Paolo Bonzini <pbonzini@redhat.com>,
	Sean Christopherson <seanjc@google.com>,
	Vitaly Kuznetsov <vkuznets@redhat.com>,
	Wanpeng Li <wanpengli@tencent.com>,
	Jim Mattson <jmattson@google.com>,
	Andy Lutomirski <luto@kernel.org>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Sergio Lopez <slp@redhat.com>, Peter Gonda <pgonda@google.com>,
	Peter Zijlstra <peterz@infradead.org>,
	Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>,
	David Rientjes <rientjes@google.com>,
	Dov Murik <dovmurik@linux.ibm.com>,
	Tobin Feldman-Fitzthum <tobin@ibm.com>,
	Michael Roth <michael.roth@amd.com>,
	Vlastimil Babka <vbabka@suse.cz>,
	tony.luck@intel.com, npmccallum@redhat.com,
	brijesh.ksingh@gmail.com
Subject: Re: [PATCH Part1 RFC v4 15/36] x86/mm: Add support to validate memory when changing C-bit
Date: Tue, 17 Aug 2021 19:27:02 +0200	[thread overview]
Message-ID: <YRvxZtLkVNda9xwX@zn.tnic> (raw)
In-Reply-To: <20210707181506.30489-16-brijesh.singh@amd.com>

On Wed, Jul 07, 2021 at 01:14:45PM -0500, Brijesh Singh wrote:
> +struct __packed psc_hdr {
> +	u16 cur_entry;
> +	u16 end_entry;
> +	u32 reserved;
> +};
> +
> +struct __packed psc_entry {
> +	u64	cur_page	: 12,
> +		gfn		: 40,
> +		operation	: 4,
> +		pagesize	: 1,
> +		reserved	: 7;
> +};
> +
> +struct __packed snp_psc_desc {
> +	struct psc_hdr hdr;
> +	struct psc_entry entries[VMGEXIT_PSC_MAX_ENTRY];
> +};

The majority of kernel code puts __packed after the struct definition,
let's put it there too pls, out of the way.

...

> +static int vmgexit_psc(struct snp_psc_desc *desc)
> +{
> +	int cur_entry, end_entry, ret;
> +	struct snp_psc_desc *data;
> +	struct ghcb_state state;
> +	struct ghcb *ghcb;
> +	struct psc_hdr *hdr;
> +	unsigned long flags;
> +
> +	local_irq_save(flags);
> +
> +	ghcb = __sev_get_ghcb(&state);
> +	if (unlikely(!ghcb))
> +		panic("SEV-SNP: Failed to get GHCB\n");
> +
> +	/* Copy the input desc into GHCB shared buffer */
> +	data = (struct snp_psc_desc *)ghcb->shared_buffer;
> +	memcpy(ghcb->shared_buffer, desc, sizeof(*desc));
> +
> +	hdr = &data->hdr;
> +	cur_entry = hdr->cur_entry;
> +	end_entry = hdr->end_entry;
> +
> +	/*
> +	 * As per the GHCB specification, the hypervisor can resume the guest
> +	 * before processing all the entries. Checks whether all the entries
> +	 * are processed. If not, then keep retrying.
> +	 *
> +	 * The stragtegy here is to wait for the hypervisor to change the page
> +	 * state in the RMP table before guest access the memory pages. If the
> +	 * page state was not successful, then later memory access will result
> +	 * in the crash.
> +	 */
> +	while (hdr->cur_entry <= hdr->end_entry) {
> +		ghcb_set_sw_scratch(ghcb, (u64)__pa(data));
> +
> +		ret = sev_es_ghcb_hv_call(ghcb, NULL, SVM_VMGEXIT_PSC, 0, 0);
> +
> +		/*
> +		 * Page State Change VMGEXIT can pass error code through
> +		 * exit_info_2.
> +		 */
> +		if (WARN(ret || ghcb->save.sw_exit_info_2,
> +			 "SEV-SNP: page state change failed ret=%d exit_info_2=%llx\n",
> +			 ret, ghcb->save.sw_exit_info_2))
> +			return 1;

Yikes, you return here and below with interrupts disabled.

All your returns need to be "goto out;" instead where you do

out:
        __sev_put_ghcb(&state);
        local_irq_restore(flags);

Yap, you very likely need to put the GHCB too.

> +		/*
> +		 * Lets do some sanity check that entry processing is not going
> +		 * backward. This will happen only if hypervisor is tricking us.
> +		 */
> +		if (WARN((hdr->end_entry > end_entry) || (cur_entry > hdr->cur_entry),
> +			"SEV-SNP: page state change processing going backward, end_entry "
> +			"(expected %d got %d) cur_entry (expected %d got %d)\n",
> +			end_entry, hdr->end_entry, cur_entry, hdr->cur_entry))
> +			return 1;

WARNING: quoted string split across lines
#293: FILE: arch/x86/kernel/sev.c:750:
+			"SEV-SNP: page state change processing going backward, end_entry "
+			"(expected %d got %d) cur_entry (expected %d got %d)\n",

If you're wondering what to do, yes, you can really stretch that string
and shorten it too:

                if (WARN((hdr->end_entry > end_entry) || (cur_entry > hdr->cur_entry),
"SEV-SNP: PSC processing going backwards, end_entry %d (got %d) cur_entry: %d (got %d)\n",
                         end_entry, hdr->end_entry, cur_entry, hdr->cur_entry))
                        return 1;

so that it fits on a single line and grepping can find it.

> +		/* Lets verify that reserved bit is not set in the header*/
> +		if (WARN(hdr->reserved, "Reserved bit is set in the PSC header\n"))

psc_entry has a ->reserved field too and since we're iterating over the
entries...

> +			return 1;
> +	}
> +
> +	__sev_put_ghcb(&state);
> +	local_irq_restore(flags);
> +
> +	return 0;
> +}
> +
> +static void __set_page_state(struct snp_psc_desc *data, unsigned long vaddr,
> +			     unsigned long vaddr_end, int op)
> +{
> +	struct psc_hdr *hdr;
> +	struct psc_entry *e;
> +	unsigned long pfn;
> +	int i;
> +
> +	hdr = &data->hdr;
> +	e = data->entries;
> +
> +	memset(data, 0, sizeof(*data));
> +	i = 0;
> +
> +	while (vaddr < vaddr_end) {
> +		if (is_vmalloc_addr((void *)vaddr))
> +			pfn = vmalloc_to_pfn((void *)vaddr);
> +		else
> +			pfn = __pa(vaddr) >> PAGE_SHIFT;
> +
> +		e->gfn = pfn;
> +		e->operation = op;
> +		hdr->end_entry = i;
> +
> +		/*
> +		 * The GHCB specification provides the flexibility to
> +		 * use either 4K or 2MB page size in the RMP table.
> +		 * The current SNP support does not keep track of the
> +		 * page size used in the RMP table. To avoid the
> +		 * overlap request, use the 4K page size in the RMP
> +		 * table.
> +		 */
> +		e->pagesize = RMP_PG_SIZE_4K;
> +
> +		vaddr = vaddr + PAGE_SIZE;
> +		e++;
> +		i++;
> +	}
> +
> +	/* Terminate the guest on page state change failure. */

That comment is kinda obvious :)

> +	if (vmgexit_psc(data))
> +		sev_es_terminate(1, GHCB_TERM_PSC);
> +}
> +
> +static void set_page_state(unsigned long vaddr, unsigned int npages, int op)
> +{
> +	unsigned long vaddr_end, next_vaddr;
> +	struct snp_psc_desc *desc;
> +
> +	vaddr = vaddr & PAGE_MASK;
> +	vaddr_end = vaddr + (npages << PAGE_SHIFT);
> +
> +	desc = kmalloc(sizeof(*desc), GFP_KERNEL_ACCOUNT);

kzalloc() so that you don't have to memset() later in
__set_page_state().

> +	if (!desc)
> +		panic("failed to allocate memory");

Make that error message more distinctive so that *if* it happens, one
can pinpoint the place in the code where the panic comes from.

> +	while (vaddr < vaddr_end) {
> +		/*
> +		 * Calculate the last vaddr that can be fit in one
> +		 * struct snp_psc_desc.
> +		 */
> +		next_vaddr = min_t(unsigned long, vaddr_end,
> +				(VMGEXIT_PSC_MAX_ENTRY * PAGE_SIZE) + vaddr);
> +
> +		__set_page_state(desc, vaddr, next_vaddr, op);
> +
> +		vaddr = next_vaddr;
> +	}
> +
> +	kfree(desc);
> +}
> +

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

  reply	other threads:[~2021-08-17 17:26 UTC|newest]

Thread overview: 86+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-07-07 18:14 [PATCH Part1 RFC v4 00/36] Add AMD Secure Nested Paging (SEV-SNP) Guest Support Brijesh Singh
2021-07-07 18:14 ` [PATCH Part1 RFC v4 01/36] x86/sev: shorten GHCB terminate macro names Brijesh Singh
2021-07-07 18:14 ` [PATCH Part1 RFC v4 02/36] x86/sev: Save the negotiated GHCB version Brijesh Singh
2021-08-10  9:17   ` Borislav Petkov
2021-08-10 13:15     ` Brijesh Singh
2021-08-10 10:01   ` Borislav Petkov
2021-08-10 13:17     ` Brijesh Singh
2021-07-07 18:14 ` [PATCH Part1 RFC v4 03/36] x86/sev: Add support for hypervisor feature VMGEXIT Brijesh Singh
2021-08-10 11:22   ` Borislav Petkov
2021-08-10 13:39     ` Brijesh Singh
2021-08-10 14:03       ` Borislav Petkov
2021-07-07 18:14 ` [PATCH Part1 RFC v4 04/36] x86/mm: Add sev_feature_enabled() helper Brijesh Singh
2021-07-08  8:50   ` Dr. David Alan Gilbert
2021-07-08  8:53     ` Paolo Bonzini
2021-08-10 11:25   ` Borislav Petkov
2021-08-10 14:57     ` Brijesh Singh
2021-07-07 18:14 ` [PATCH Part1 RFC v4 05/36] x86/sev: Define the Linux specific guest termination reasons Brijesh Singh
2021-08-10 11:33   ` Borislav Petkov
2021-08-10 14:59     ` Brijesh Singh
2021-08-10 19:30       ` Tom Lendacky
2021-08-10 21:52         ` Borislav Petkov
2021-07-07 18:14 ` [PATCH Part1 RFC v4 06/36] x86/sev: check SEV-SNP features support Brijesh Singh
2021-07-07 18:14 ` [PATCH Part1 RFC v4 07/36] x86/sev: Add a helper for the PVALIDATE instruction Brijesh Singh
2021-07-07 18:14 ` [PATCH Part1 RFC v4 08/36] x86/sev: check the vmpl level Brijesh Singh
2021-08-13  7:25   ` Borislav Petkov
2021-08-13 13:13     ` Brijesh Singh
2021-08-13 15:16       ` Borislav Petkov
2021-07-07 18:14 ` [PATCH Part1 RFC v4 09/36] x86/compressed: Add helper for validating pages in the decompression stage Brijesh Singh
2021-08-13 10:22   ` Borislav Petkov
2021-08-13 14:21     ` Brijesh Singh
2021-08-13 15:19       ` Borislav Petkov
2021-07-07 18:14 ` [PATCH Part1 RFC v4 10/36] x86/compressed: Register GHCB memory when SEV-SNP is active Brijesh Singh
2021-08-13 10:47   ` Borislav Petkov
2021-07-07 18:14 ` [PATCH Part1 RFC v4 11/36] x86/sev: " Brijesh Singh
2021-07-07 18:14 ` [PATCH Part1 RFC v4 12/36] x86/sev: Add helper for validating pages in early enc attribute changes Brijesh Singh
2021-08-13 11:13   ` Borislav Petkov
2021-07-07 18:14 ` [PATCH Part1 RFC v4 13/36] x86/kernel: Make the bss.decrypted section shared in RMP table Brijesh Singh
2021-08-13 17:09   ` Borislav Petkov
2021-07-07 18:14 ` [PATCH Part1 RFC v4 14/36] x86/kernel: Validate rom memory before accessing when SEV-SNP is active Brijesh Singh
2021-07-07 18:14 ` [PATCH Part1 RFC v4 15/36] x86/mm: Add support to validate memory when changing C-bit Brijesh Singh
2021-08-17 17:27   ` Borislav Petkov [this message]
2021-08-17 18:07     ` Brijesh Singh
2021-08-17 18:17       ` Borislav Petkov
2021-08-17 18:18         ` Brijesh Singh
2021-08-17 20:34     ` Brijesh Singh
2021-08-17 20:44       ` Borislav Petkov
2021-07-07 18:14 ` [PATCH Part1 RFC v4 16/36] KVM: SVM: define new SEV_FEATURES field in the VMCB Save State Area Brijesh Singh
2021-08-17 17:54   ` Borislav Petkov
2021-08-17 17:59     ` Borislav Petkov
2021-08-17 18:11     ` Brijesh Singh
2021-07-07 18:14 ` [PATCH Part1 RFC v4 17/36] KVM: SVM: Create a separate mapping for the SEV-ES save area Brijesh Singh
2021-07-07 18:14 ` [PATCH Part1 RFC v4 18/36] KVM: SVM: Create a separate mapping for the GHCB " Brijesh Singh
2021-07-07 18:14 ` [PATCH Part1 RFC v4 19/36] KVM: SVM: Update the SEV-ES save area mapping Brijesh Singh
2021-07-07 18:14 ` [PATCH Part1 RFC v4 20/36] x86/sev: Use SEV-SNP AP creation to start secondary CPUs Brijesh Singh
2021-08-17 20:04   ` Borislav Petkov
2021-08-17 22:13     ` Tom Lendacky
2021-08-18  8:38       ` Borislav Petkov
2021-07-07 18:14 ` [PATCH Part1 RFC v4 21/36] x86/head/64: set up a startup %gs for stack protector Brijesh Singh
2021-08-19  9:34   ` Borislav Petkov
2021-07-07 18:14 ` [PATCH Part1 RFC v4 22/36] x86/sev: move MSR-based VMGEXITs for CPUID to helper Brijesh Singh
2021-08-19  9:45   ` Borislav Petkov
2021-08-19 15:37     ` Michael Roth
2021-08-19 16:46       ` Borislav Petkov
2021-08-20  3:29         ` Michael Roth
2021-08-23  4:50           ` Borislav Petkov
2021-07-07 18:14 ` [PATCH Part1 RFC v4 23/36] KVM: x86: move lookup of indexed CPUID leafs " Brijesh Singh
2021-08-19 10:07   ` Borislav Petkov
2021-07-07 18:14 ` [PATCH Part1 RFC v4 24/36] x86/compressed/acpi: move EFI config table access to common code Brijesh Singh
2021-08-19 10:47   ` Borislav Petkov
2021-08-19 14:58     ` Michael Roth
2021-08-19 17:09       ` Borislav Petkov
2021-08-19 23:42         ` Michael Roth
2021-08-23  4:52           ` Borislav Petkov
2021-07-07 18:14 ` [PATCH Part1 RFC v4 25/36] x86/boot: Add Confidential Computing type to setup_data Brijesh Singh
2021-08-19 11:06   ` Borislav Petkov
2021-07-07 18:14 ` [PATCH Part1 RFC v4 26/36] x86/compressed/64: enable SEV-SNP-validated CPUID in #VC handler Brijesh Singh
2021-07-07 18:14 ` [PATCH Part1 RFC v4 27/36] x86/boot: add a pointer to Confidential Computing blob in bootparams Brijesh Singh
2021-07-07 18:14 ` [PATCH Part1 RFC v4 28/36] x86/compressed/64: store Confidential Computing blob address " Brijesh Singh
2021-07-07 18:14 ` [PATCH Part1 RFC v4 29/36] x86/compressed/64: add identity mapping for Confidential Computing blob Brijesh Singh
2021-07-07 18:15 ` [PATCH Part1 RFC v4 30/36] x86/sev: enable SEV-SNP-validated CPUID in #VC handlers Brijesh Singh
2021-07-07 18:15 ` [PATCH Part1 RFC v4 31/36] x86/sev: Provide support for SNP guest request NAEs Brijesh Singh
2021-07-07 18:15 ` [PATCH Part1 RFC v4 32/36] x86/sev: Add snp_msg_seqno() helper Brijesh Singh
2021-07-07 18:15 ` [PATCH Part1 RFC v4 33/36] x86/sev: Register SNP guest request platform device Brijesh Singh
2021-07-07 18:15 ` [PATCH Part1 RFC v4 34/36] virt: Add SEV-SNP guest driver Brijesh Singh
2021-07-07 18:15 ` [PATCH Part1 RFC v4 35/36] virt: sevguest: Add support to derive key Brijesh Singh
2021-07-07 18:15 ` [PATCH Part1 RFC v4 36/36] virt: sevguest: Add support to get extended report Brijesh Singh

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YRvxZtLkVNda9xwX@zn.tnic \
    --to=bp@alien8.de \
    --cc=ardb@kernel.org \
    --cc=brijesh.ksingh@gmail.com \
    --cc=brijesh.singh@amd.com \
    --cc=dave.hansen@linux.intel.com \
    --cc=dovmurik@linux.ibm.com \
    --cc=hpa@zytor.com \
    --cc=jmattson@google.com \
    --cc=jroedel@suse.de \
    --cc=kvm@vger.kernel.org \
    --cc=linux-coco@lists.linux.dev \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-efi@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=luto@kernel.org \
    --cc=michael.roth@amd.com \
    --cc=mingo@redhat.com \
    --cc=npmccallum@redhat.com \
    --cc=pbonzini@redhat.com \
    --cc=peterz@infradead.org \
    --cc=pgonda@google.com \
    --cc=platform-driver-x86@vger.kernel.org \
    --cc=rientjes@google.com \
    --cc=seanjc@google.com \
    --cc=slp@redhat.com \
    --cc=srinivas.pandruvada@linux.intel.com \
    --cc=tglx@linutronix.de \
    --cc=thomas.lendacky@amd.com \
    --cc=tobin@ibm.com \
    --cc=tony.luck@intel.com \
    --cc=vbabka@suse.cz \
    --cc=vkuznets@redhat.com \
    --cc=wanpengli@tencent.com \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).