linux-mm.kvack.org archive mirror
 help / color / mirror / Atom feed
From: Jason Gunthorpe <jgg@nvidia.com>
To: Tom Lendacky <thomas.lendacky@amd.com>
Cc: x86@kernel.org, linux-kernel@vger.kernel.org,
	linux-arch@vger.kernel.org, linux-mm@kvack.org,
	kvm@vger.kernel.org, "Radim Krčmář" <rkrcmar@redhat.com>,
	"Arnd Bergmann" <arnd@arndb.de>,
	"Matt Fleming" <matt@codeblueprint.co.uk>,
	"Konrad Rzeszutek Wilk" <konrad.wilk@oracle.com>,
	"Andrey Ryabinin" <aryabinin@virtuozzo.com>,
	"Ingo Molnar" <mingo@redhat.com>,
	"Borislav Petkov" <bp@alien8.de>,
	"Andy Lutomirski" <luto@kernel.org>,
	"H. Peter Anvin" <hpa@zytor.com>,
	"Paolo Bonzini" <pbonzini@redhat.com>,
	"Alexander Potapenko" <glider@google.com>,
	"Thomas Gleixner" <tglx@linutronix.de>,
	"Dmitry Vyukov" <dvyukov@google.com>,
	"Rik van Riel" <riel@redhat.com>,
	"Larry Woodman" <lwoodman@redhat.com>,
	"Dave Young" <dyoung@redhat.com>,
	"Toshimitsu Kani" <toshi.kani@hpe.com>,
	"Michael S. Tsirkin" <mst@redhat.com>,
	"Brijesh Singh" <brijesh.singh@amd.com>
Subject: Re: AMD SME encrpytion and PCI BAR pages to user space
Date: Wed, 21 Oct 2020 13:03:22 -0300	[thread overview]
Message-ID: <20201021160322.GT6219@nvidia.com> (raw)
In-Reply-To: <f9c50e3a-c5de-8c85-4d6c-0e8a90729420@amd.com>

On Wed, Oct 21, 2020 at 10:30:23AM -0500, Tom Lendacky wrote:
> On 10/21/20 6:59 AM, Jason Gunthorpe wrote:
> > On Mon, Oct 19, 2020 at 11:36:16AM -0500, Tom Lendacky wrote:
> > 
> >>> io_remap_pfn_range()? Is there use cases where a caller actually wants
> >>> encrypted io memory?
> >>
> >> As long as you never have physical memory / ram being mapped in this path,
> >> it seems that applying pgprot_decrypted() would be ok.
> > 
> > I made a patch along these lines:
> > 
> > https://github.com/jgunthorpe/linux/commit/fc990842983f3530b72fcceafed84bd6075174a1
> > 
> > Just waiting for the 0-day bots to check it
> > 
> > I now have a report that SME works OK but when the same test is done
> > inside a VM with SEV it fails again - is there something else needed
> > for the SEV case?
> 
> Probably. I would assume that it is getting past the MMIO issue, since the
> above patch should cover SEV, too. But, with SEV, all DMA to and from the
> guest is unencrypted. I'm not familiar with how the DMA is setup and
> performed in this situation, but if the DMA is occurring to userspace
> buffers that are mapped as encrypted, then the resulting access will be
> ciphertext (either reading unencrypted data from the device as encrypted
> or writing encrypted data to the device that should be unencrypted). There
> isn't currently an API to allow userspace to change its mapping from
> encrypted to unencrypted.

Oh, interesting.. Yes the issue is no userspace DMA stuff uses the DMA
API correctly (because it is in userspace)

So SWIOTLB tricks don't work, I wish the dma_map could fail for these
situations

I would have guessed it used some vIOMMU and setup decrpytion just
like the host does..

Thanks,
Jason


  reply	other threads:[~2020-10-21 16:04 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-10-19 15:25 AMD SME encrpytion and PCI BAR pages to user space Jason Gunthorpe
2020-10-19 16:36 ` Tom Lendacky
2020-10-19 17:00   ` Jason Gunthorpe
2020-10-19 17:11     ` Tom Lendacky
2020-10-19 17:25       ` Jason Gunthorpe
2020-10-21 11:59   ` Jason Gunthorpe
2020-10-21 15:30     ` Tom Lendacky
2020-10-21 16:03       ` Jason Gunthorpe [this message]
2020-10-27  8:43         ` Christoph Hellwig
2020-10-27 11:58           ` Jason Gunthorpe

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20201021160322.GT6219@nvidia.com \
    --to=jgg@nvidia.com \
    --cc=arnd@arndb.de \
    --cc=aryabinin@virtuozzo.com \
    --cc=bp@alien8.de \
    --cc=brijesh.singh@amd.com \
    --cc=dvyukov@google.com \
    --cc=dyoung@redhat.com \
    --cc=glider@google.com \
    --cc=hpa@zytor.com \
    --cc=konrad.wilk@oracle.com \
    --cc=kvm@vger.kernel.org \
    --cc=linux-arch@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=luto@kernel.org \
    --cc=lwoodman@redhat.com \
    --cc=matt@codeblueprint.co.uk \
    --cc=mingo@redhat.com \
    --cc=mst@redhat.com \
    --cc=pbonzini@redhat.com \
    --cc=riel@redhat.com \
    --cc=rkrcmar@redhat.com \
    --cc=tglx@linutronix.de \
    --cc=thomas.lendacky@amd.com \
    --cc=toshi.kani@hpe.com \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).