linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Claudio Imbrenda <imbrenda@linux.ibm.com>
To: Thomas Huth <thuth@redhat.com>
Cc: kvm@vger.kernel.org, borntraeger@de.ibm.com,
	frankja@linux.ibm.com, pasic@linux.ibm.com, david@redhat.com,
	linux-s390@vger.kernel.org, linux-kernel@vger.kernel.org,
	scgl@linux.ibm.com, mimu@linux.ibm.com, nrb@linux.ibm.com
Subject: Re: [PATCH v10 02/19] KVM: s390: pv: handle secure storage violations for protected guests
Date: Fri, 6 May 2022 13:33:26 +0200	[thread overview]
Message-ID: <20220506133326.09e9a887@p-imbrenda> (raw)
In-Reply-To: <9d79d8c9-9d3f-de6e-e910-62549fc2ac5d@redhat.com>

On Thu, 5 May 2022 19:10:39 +0200
Thomas Huth <thuth@redhat.com> wrote:

> On 14/04/2022 10.02, Claudio Imbrenda wrote:
> > With upcoming patches, protected guests will be able to trigger secure
> > storage violations in normal operation.
> > 
> > A secure storage violation is triggered when a protected guest tries to
> > access secure memory that has been mapped erroneously, or that belongs
> > to a different protected guest or to the ultravisor.
> > 
> > With upcoming patches, protected guests will be able to trigger secure
> > storage violations in normal operation.  
> 
> You've already used this sentence as 1st sentence of the patch description. 
> Looks weird to read it again. Maybe scratch the 1st sentence?

oops!

> 
> > This happens for example if a
> > protected guest is rebooted with lazy destroy enabled and the new guest
> > is also protected.
> > 
> > When the new protected guest touches pages that have not yet been
> > destroyed, and thus are accounted to the previous protected guest, a
> > secure storage violation is raised.
> > 
> > This patch adds handling of secure storage violations for protected
> > guests.
> > 
> > This exception is handled by first trying to destroy the page, because
> > it is expected to belong to a defunct protected guest where a destroy
> > should be possible. If that fails, a normal export of the page is
> > attempted.
>  >
> > Therefore, pages that trigger the exception will be made non-secure
> > before attempting to use them again for a different secure guest.  
> 
> I'm an complete ignorant here, but isn't this somewhat dangerous? Could it 
> happen that a VM could destroy/export the pages of another secure guest that 
> way?

this is a good question, perhaps I should add a comment explaining that
the destroy page UVC will only work on protected VMs with no CPUs.

Exporting instead is not an issue, if/when the page is needed, it will
get imported again. Unless some things went really wrong, but that can
only happen in case of a bug in the hypervisor.

> 
>   Thomas
> 


  reply	other threads:[~2022-05-06 11:34 UTC|newest]

Thread overview: 42+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-04-14  8:02 [PATCH v10 00/19] KVM: s390: pv: implement lazy destroy for reboot Claudio Imbrenda
2022-04-14  8:02 ` [PATCH v10 01/19] KVM: s390: pv: leak the topmost page table when destroy fails Claudio Imbrenda
2022-04-14 11:30   ` Janosch Frank
2022-04-14 12:19     ` Claudio Imbrenda
2022-05-05 14:45   ` Thomas Huth
2022-05-06 11:30     ` Claudio Imbrenda
2022-05-16  7:22   ` Nico Boehr
2022-05-16 15:55     ` Claudio Imbrenda
2022-04-14  8:02 ` [PATCH v10 02/19] KVM: s390: pv: handle secure storage violations for protected guests Claudio Imbrenda
2022-05-05 17:10   ` Thomas Huth
2022-05-06 11:33     ` Claudio Imbrenda [this message]
2022-04-14  8:02 ` [PATCH v10 03/19] KVM: s390: pv: handle secure storage exceptions for normal guests Claudio Imbrenda
2022-04-14  8:02 ` [PATCH v10 04/19] KVM: s390: pv: refactor s390_reset_acc Claudio Imbrenda
2022-05-16  8:04   ` Nico Boehr
2022-05-16 16:11     ` Claudio Imbrenda
2022-05-30  7:40       ` Nico Boehr
2022-05-30 10:50         ` Claudio Imbrenda
2022-04-14  8:02 ` [PATCH v10 05/19] KVM: s390: pv: usage counter instead of flag Claudio Imbrenda
2022-04-14  8:02 ` [PATCH v10 06/19] KVM: s390: pv: add export before import Claudio Imbrenda
2022-04-14  8:02 ` [PATCH v10 07/19] KVM: s390: pv: module parameter to fence lazy destroy Claudio Imbrenda
2022-04-14  8:02 ` [PATCH v10 08/19] KVM: s390: pv: clear the state without memset Claudio Imbrenda
2022-04-14  8:03 ` [PATCH v10 09/19] KVM: s390: pv: Add kvm_s390_cpus_from_pv to kvm-s390.h and add documentation Claudio Imbrenda
2022-04-14  8:03 ` [PATCH v10 10/19] KVM: s390: pv: add mmu_notifier Claudio Imbrenda
2022-04-14  8:03 ` [PATCH v10 11/19] s390/mm: KVM: pv: when tearing down, try to destroy protected pages Claudio Imbrenda
2022-04-14  8:03 ` [PATCH v10 12/19] KVM: s390: pv: refactoring of kvm_s390_pv_deinit_vm Claudio Imbrenda
2022-04-14  8:03 ` [PATCH v10 13/19] KVM: s390: pv: destroy the configuration before its memory Claudio Imbrenda
2022-05-30  7:37   ` Nico Boehr
2022-05-30 12:05     ` Claudio Imbrenda
2022-04-14  8:03 ` [PATCH v10 14/19] KVM: s390: pv: cleanup leftover protected VMs if needed Claudio Imbrenda
2022-05-30  8:11   ` Nico Boehr
2022-05-30 10:43     ` Claudio Imbrenda
2022-04-14  8:03 ` [PATCH v10 15/19] KVM: s390: pv: asynchronous destroy for reboot Claudio Imbrenda
2022-05-30  9:46   ` Nico Boehr
2022-05-30 11:06     ` Claudio Imbrenda
2022-04-14  8:03 ` [PATCH v10 16/19] KVM: s390: pv: api documentation for asynchronous destroy Claudio Imbrenda
2022-05-30  9:47   ` Nico Boehr
2022-04-14  8:03 ` [PATCH v10 17/19] KVM: s390: pv: add KVM_CAP_S390_PROTECTED_ASYNC_DISABLE Claudio Imbrenda
2022-05-30 10:24   ` Nico Boehr
2022-04-14  8:03 ` [PATCH v10 18/19] KVM: s390: pv: avoid export before import if possible Claudio Imbrenda
2022-05-30 10:07   ` Nico Boehr
2022-05-30 11:16     ` Claudio Imbrenda
2022-04-14  8:03 ` [PATCH v10 19/19] KVM: s390: pv: support for Destroy fast UVC Claudio Imbrenda

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220506133326.09e9a887@p-imbrenda \
    --to=imbrenda@linux.ibm.com \
    --cc=borntraeger@de.ibm.com \
    --cc=david@redhat.com \
    --cc=frankja@linux.ibm.com \
    --cc=kvm@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-s390@vger.kernel.org \
    --cc=mimu@linux.ibm.com \
    --cc=nrb@linux.ibm.com \
    --cc=pasic@linux.ibm.com \
    --cc=scgl@linux.ibm.com \
    --cc=thuth@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).