From: Jason Gunthorpe <jgg@nvidia.com>
To: Tom Lendacky <thomas.lendacky@amd.com>
Cc: x86@kernel.org, linux-kernel@vger.kernel.org,
linux-arch@vger.kernel.org, linux-mm@kvack.org,
kvm@vger.kernel.org, "Radim Krčmář" <rkrcmar@redhat.com>,
"Arnd Bergmann" <arnd@arndb.de>,
"Matt Fleming" <matt@codeblueprint.co.uk>,
"Konrad Rzeszutek Wilk" <konrad.wilk@oracle.com>,
"Andrey Ryabinin" <aryabinin@virtuozzo.com>,
"Ingo Molnar" <mingo@redhat.com>,
"Borislav Petkov" <bp@alien8.de>,
"Andy Lutomirski" <luto@kernel.org>,
"H. Peter Anvin" <hpa@zytor.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Alexander Potapenko" <glider@google.com>,
"Thomas Gleixner" <tglx@linutronix.de>,
"Dmitry Vyukov" <dvyukov@google.com>,
"Rik van Riel" <riel@redhat.com>,
"Larry Woodman" <lwoodman@redhat.com>,
"Dave Young" <dyoung@redhat.com>,
"Toshimitsu Kani" <toshi.kani@hpe.com>,
"Michael S. Tsirkin" <mst@redhat.com>,
"Brijesh Singh" <brijesh.singh@amd.com>
Subject: Re: AMD SME encrpytion and PCI BAR pages to user space
Date: Wed, 21 Oct 2020 13:03:22 -0300 [thread overview]
Message-ID: <20201021160322.GT6219@nvidia.com> (raw)
In-Reply-To: <f9c50e3a-c5de-8c85-4d6c-0e8a90729420@amd.com>
On Wed, Oct 21, 2020 at 10:30:23AM -0500, Tom Lendacky wrote:
> On 10/21/20 6:59 AM, Jason Gunthorpe wrote:
> > On Mon, Oct 19, 2020 at 11:36:16AM -0500, Tom Lendacky wrote:
> >
> >>> io_remap_pfn_range()? Is there use cases where a caller actually wants
> >>> encrypted io memory?
> >>
> >> As long as you never have physical memory / ram being mapped in this path,
> >> it seems that applying pgprot_decrypted() would be ok.
> >
> > I made a patch along these lines:
> >
> > https://github.com/jgunthorpe/linux/commit/fc990842983f3530b72fcceafed84bd6075174a1
> >
> > Just waiting for the 0-day bots to check it
> >
> > I now have a report that SME works OK but when the same test is done
> > inside a VM with SEV it fails again - is there something else needed
> > for the SEV case?
>
> Probably. I would assume that it is getting past the MMIO issue, since the
> above patch should cover SEV, too. But, with SEV, all DMA to and from the
> guest is unencrypted. I'm not familiar with how the DMA is setup and
> performed in this situation, but if the DMA is occurring to userspace
> buffers that are mapped as encrypted, then the resulting access will be
> ciphertext (either reading unencrypted data from the device as encrypted
> or writing encrypted data to the device that should be unencrypted). There
> isn't currently an API to allow userspace to change its mapping from
> encrypted to unencrypted.
Oh, interesting.. Yes the issue is no userspace DMA stuff uses the DMA
API correctly (because it is in userspace)
So SWIOTLB tricks don't work, I wish the dma_map could fail for these
situations
I would have guessed it used some vIOMMU and setup decrpytion just
like the host does..
Thanks,
Jason
next prev parent reply other threads:[~2020-10-21 16:04 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-19 15:25 AMD SME encrpytion and PCI BAR pages to user space Jason Gunthorpe
2020-10-19 16:36 ` Tom Lendacky
2020-10-19 17:00 ` Jason Gunthorpe
2020-10-19 17:11 ` Tom Lendacky
2020-10-19 17:25 ` Jason Gunthorpe
2020-10-21 11:59 ` Jason Gunthorpe
2020-10-21 15:30 ` Tom Lendacky
2020-10-21 16:03 ` Jason Gunthorpe [this message]
2020-10-27 8:43 ` Christoph Hellwig
2020-10-27 11:58 ` Jason Gunthorpe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201021160322.GT6219@nvidia.com \
--to=jgg@nvidia.com \
--cc=arnd@arndb.de \
--cc=aryabinin@virtuozzo.com \
--cc=bp@alien8.de \
--cc=brijesh.singh@amd.com \
--cc=dvyukov@google.com \
--cc=dyoung@redhat.com \
--cc=glider@google.com \
--cc=hpa@zytor.com \
--cc=konrad.wilk@oracle.com \
--cc=kvm@vger.kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@kernel.org \
--cc=lwoodman@redhat.com \
--cc=matt@codeblueprint.co.uk \
--cc=mingo@redhat.com \
--cc=mst@redhat.com \
--cc=pbonzini@redhat.com \
--cc=riel@redhat.com \
--cc=rkrcmar@redhat.com \
--cc=tglx@linutronix.de \
--cc=thomas.lendacky@amd.com \
--cc=toshi.kani@hpe.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).