From: Peter Gonda <pgonda@google.com>
To: Sean Christopherson <seanjc@google.com>
Cc: Thomas.Lendacky@amd.com, Marc Orr <marcorr@google.com>,
David Rientjes <rientjes@google.com>,
Brijesh Singh <brijesh.singh@amd.com>,
Joerg Roedel <jroedel@suse.de>,
Herbert Xu <herbert@gondor.apana.org.au>,
John Allen <john.allen@amd.com>,
"David S. Miller" <davem@davemloft.net>,
Paolo Bonzini <pbonzini@redhat.com>,
linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH V3 2/4] crypto: ccp - Move SEV_INIT retry for corrupted data
Date: Tue, 9 Nov 2021 11:42:08 -0700 [thread overview]
Message-ID: <CAMkAt6pF9cLQa5i4rqGVsrkwZSKsXbWBjY4sgGHVs+HT+4NtXA@mail.gmail.com> (raw)
In-Reply-To: <YYqwT1fGxBQQmFvY@google.com>
On Tue, Nov 9, 2021 at 10:31 AM Sean Christopherson <seanjc@google.com> wrote:
>
> On Tue, Nov 09, 2021, Peter Gonda wrote:
> > On Tue, Nov 9, 2021 at 9:31 AM Sean Christopherson <seanjc@google.com> wrote:
> > >
> > > On Tue, Nov 02, 2021, Peter Gonda wrote:
> > > > This change moves the data corrupted retry of SEV_INIT into the
> > >
> > > Use imperative mood.
> >
> > Will do for next revision
> >
> > >
> > > > __sev_platform_init_locked() function. This is for upcoming INIT_EX
> > > > support as well as helping direct callers of
> > > > __sev_platform_init_locked() which currently do not support the
> > > > retry.
> > > >
> > > > Signed-off-by: Peter Gonda <pgonda@google.com>
> > > > Reviewed-by: Marc Orr <marcorr@google.com>
> > > > Acked-by: David Rientjes <rientjes@google.com>
> > > > Acked-by: Tom Lendacky <thomas.lendacky@amd.com>
> > > > Cc: Tom Lendacky <thomas.lendacky@amd.com>
> > > > Cc: Brijesh Singh <brijesh.singh@amd.com>
> > > > Cc: Marc Orr <marcorr@google.com>
> > > > Cc: Joerg Roedel <jroedel@suse.de>
> > > > Cc: Herbert Xu <herbert@gondor.apana.org.au>
> > > > Cc: David Rientjes <rientjes@google.com>
> > > > Cc: John Allen <john.allen@amd.com>
> > > > Cc: "David S. Miller" <davem@davemloft.net>
> > > > Cc: Paolo Bonzini <pbonzini@redhat.com>
> > > > Cc: linux-crypto@vger.kernel.org
> > > > Cc: linux-kernel@vger.kernel.org
> > > > ---
> > > > drivers/crypto/ccp/sev-dev.c | 24 ++++++++++++------------
> > > > 1 file changed, 12 insertions(+), 12 deletions(-)
> > > >
> > > > diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
> > > > index ec89a82ba267..e4bc833949a0 100644
> > > > --- a/drivers/crypto/ccp/sev-dev.c
> > > > +++ b/drivers/crypto/ccp/sev-dev.c
> > > > @@ -267,6 +267,18 @@ static int __sev_platform_init_locked(int *error)
> > > > }
> > > >
> > > > rc = __sev_do_cmd_locked(SEV_CMD_INIT, &data, error);
> > > > + if (rc && *error == SEV_RET_SECURE_DATA_INVALID) {
> > >
> > > There are no guarantees that @error is non-NULL as this is reachable via an
> > > exported function, sev_platform_init(). Which ties in with my complaints in the
> > > previous patch that the API is a bit of a mess.
> >
> > That seems like a bug from the caller right? Is it typical that we
> > sanity-check the caller in these instances?
>
> sev-dev.c needs to make up its mind. __sev_do_cmd_locked() very clearly allows
> a NULL @error, ergo all of the wrappers for sev_do_cmd() support a NULL @error.
>
> > For example the same comment could be made here:
> > https://elixir.bootlin.com/linux/latest/source/drivers/crypto/ccp/sev-dev.c#L336
> >
> > ```
> > static int sev_get_platform_state(int *state, int *error)
> > {
> > struct sev_user_data_status data;
> > int rc;
> >
> > rc = __sev_do_cmd_locked(SEV_CMD_PLATFORM_STATUS, &data, error);
> > if (rc)
> > return rc;
> >
> > *state = data.state; <--- State could be null.
>
> No, because this is an internal helper and all call sites can be easily audited.
>
> > return rc;
> > }
> > ```
> >
> > Example outside of this driver:
> > https://elixir.bootlin.com/linux/v5.15.1/source/arch/x86/kvm/x86.c#L468
> >
> > ```
> > int kvm_set_apic_base(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
> > {
> > enum lapic_mode old_mode = kvm_get_apic_mode(vcpu);
> > enum lapic_mode new_mode = kvm_apic_mode(msr_info->data); <---
> > msr_info could be null here
> > u64 reserved_bits = kvm_vcpu_reserved_gpa_bits_raw(vcpu) | 0x2ff |
> > (guest_cpuid_has(vcpu, X86_FEATURE_X2APIC) ? 0 : X2APIC_ENABLE);
> >
> > if ((msr_info->data & reserved_bits) != 0 || new_mode == LAPIC_MODE_INVALID)
> > return 1;
> > if (!msr_info->host_initiated) {
> > if (old_mode == LAPIC_MODE_X2APIC && new_mode == LAPIC_MODE_XAPIC)
> > return 1;
> > if (old_mode == LAPIC_MODE_DISABLED && new_mode == LAPIC_MODE_X2APIC)
> > return 1;
> > }
> >
> > kvm_lapic_set_base(vcpu, msr_info->data);
> > kvm_recalculate_apic_map(vcpu->kvm);
> > return 0;
> > }
> > EXPORT_SYMBOL_GPL(kvm_set_apic_base);
> > ```
>
> The difference is that KVM has consistent expecations for a set of functions,
> whereas sev-dev.c does not. Yes, KVM will explode if @msr_info is NULL, and
> there are undoubtedly a bajillion flows in the kernel that would do the same,
> but unlike the functions declared in include/linux/psp-sev.h() the requirements
> on the caller are fairly obvious. E.g. why should this be illegal from a caller's
> perspective?
>
> sev_platform_init(NULL);
> sev_platform_status(&status, NULL);
Ack. I'll store a intermediate error in __sev_platform_init_locked and
export to @error if its not null.
next prev parent reply other threads:[~2021-11-09 18:42 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-02 14:23 [PATCH V3 0/4] Add SEV_INIT_EX support Peter Gonda
2021-11-02 14:23 ` [PATCH V3 1/4] crypto: ccp - Fix SEV_INIT error logging on init Peter Gonda
2021-11-09 16:26 ` Sean Christopherson
2021-11-09 16:46 ` Peter Gonda
2021-11-09 19:25 ` Tom Lendacky
2021-11-10 17:29 ` Peter Gonda
2021-11-11 14:10 ` Tom Lendacky
2021-11-02 14:23 ` [PATCH V3 2/4] crypto: ccp - Move SEV_INIT retry for corrupted data Peter Gonda
2021-11-09 16:31 ` Sean Christopherson
2021-11-09 16:56 ` Peter Gonda
2021-11-09 17:30 ` Sean Christopherson
2021-11-09 18:42 ` Peter Gonda [this message]
2021-11-02 14:23 ` [PATCH V3 3/4] crypto: ccp - Refactor out sev_fw_alloc() Peter Gonda
2021-11-02 14:23 ` [PATCH V3 4/4] crypto: ccp - Add SEV_INIT_EX support Peter Gonda
2021-11-02 15:38 ` Tom Lendacky
2021-11-02 16:28 ` Peter Gonda
2021-11-09 17:21 ` Sean Christopherson
2021-11-09 20:09 ` Peter Gonda
2021-11-09 20:26 ` Sean Christopherson
2021-11-09 20:46 ` Peter Gonda
2021-11-09 22:19 ` Brijesh Singh
2021-11-10 15:32 ` Peter Gonda
2021-11-12 16:55 ` Peter Gonda
2021-11-12 17:46 ` Marc Orr
2021-11-12 17:49 ` Peter Gonda
2021-11-12 18:28 ` Marc Orr
2021-11-12 23:39 ` Brijesh Singh
2021-11-12 23:44 ` Peter Gonda
2021-11-12 23:50 ` Brijesh Singh
2021-11-15 17:42 ` Peter Gonda
2021-11-02 16:05 ` [PATCH V3 0/4] " Sean Christopherson
2021-11-02 16:25 ` Peter Gonda
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAMkAt6pF9cLQa5i4rqGVsrkwZSKsXbWBjY4sgGHVs+HT+4NtXA@mail.gmail.com \
--to=pgonda@google.com \
--cc=Thomas.Lendacky@amd.com \
--cc=brijesh.singh@amd.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=john.allen@amd.com \
--cc=jroedel@suse.de \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=marcorr@google.com \
--cc=pbonzini@redhat.com \
--cc=rientjes@google.com \
--cc=seanjc@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).