* [PATCH] x86/sev-es: Fix SEV-ES OUT/IN immediate opcode vc handling @ 2020-12-17 1:04 Peter Gonda 2020-12-17 17:19 ` Sean Christopherson 0 siblings, 1 reply; 5+ messages in thread From: Peter Gonda @ 2020-12-17 1:04 UTC (permalink / raw) To: Thomas Gleixner, Ingo Molnar, Borislav Petkov Cc: Peter Gonda, Joerg Roedel, Tom Lendacky, linux-kernel, x86, David Rientjes The IN and OUT immediate instructions only use an 8-bit immediate. The current VC handler uses the entire 32-bit immediate value. These instructions only set the first bytes. Tested with a loop back port with "outb %0,$0xe0". Before the port seen by KVM was 0xffffffffffffffe0 instead of 0xe0. After the correct port was seen by KVM and the guests loop back OUT then IN were equal. Signed-off-by: Peter Gonda <pgonda@google.com> Acked-by: David Rientjes <rientjes@google.com> --- arch/x86/kernel/sev-es-shared.c | 8 ++++++-- drivers/Makefile | 1 + 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/arch/x86/kernel/sev-es-shared.c b/arch/x86/kernel/sev-es-shared.c index 7d04b356d44d..6c790377c55c 100644 --- a/arch/x86/kernel/sev-es-shared.c +++ b/arch/x86/kernel/sev-es-shared.c @@ -305,14 +305,14 @@ static enum es_result vc_ioio_exitinfo(struct es_em_ctxt *ctxt, u64 *exitinfo) case 0xe4: case 0xe5: *exitinfo |= IOIO_TYPE_IN; - *exitinfo |= (u64)insn->immediate.value << 16; + *exitinfo |= insn->immediate.bytes[0] << 16; break; /* OUT immediate opcodes */ case 0xe6: case 0xe7: *exitinfo |= IOIO_TYPE_OUT; - *exitinfo |= (u64)insn->immediate.value << 16; + *exitinfo |= insn->immediate.bytes[0] << 16; break; ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH] x86/sev-es: Fix SEV-ES OUT/IN immediate opcode vc handling 2020-12-17 1:04 [PATCH] x86/sev-es: Fix SEV-ES OUT/IN immediate opcode vc handling Peter Gonda @ 2020-12-17 17:19 ` Sean Christopherson 2020-12-28 22:36 ` Borislav Petkov 0 siblings, 1 reply; 5+ messages in thread From: Sean Christopherson @ 2020-12-17 17:19 UTC (permalink / raw) To: Peter Gonda Cc: Thomas Gleixner, Ingo Molnar, Borislav Petkov, Joerg Roedel, Tom Lendacky, linux-kernel, x86, David Rientjes On Wed, Dec 16, 2020, Peter Gonda wrote: > > The IN and OUT immediate instructions only use an 8-bit immediate. The > current VC handler uses the entire 32-bit immediate value. These > instructions only set the first bytes. > > Tested with a loop back port with "outb %0,$0xe0". Before the port seen > by KVM was 0xffffffffffffffe0 instead of 0xe0. After the correct port > was seen by KVM and the guests loop back OUT then IN were equal. > > > Signed-off-by: Peter Gonda <pgonda@google.com> > Acked-by: David Rientjes <rientjes@google.com> > > > --- > arch/x86/kernel/sev-es-shared.c | 8 ++++++-- > drivers/Makefile | 1 + > 2 files changed, 7 insertions(+), 2 deletions(-) > > diff --git a/arch/x86/kernel/sev-es-shared.c b/arch/x86/kernel/sev-es-shared.c > index 7d04b356d44d..6c790377c55c 100644 > --- a/arch/x86/kernel/sev-es-shared.c > +++ b/arch/x86/kernel/sev-es-shared.c > @@ -305,14 +305,14 @@ static enum es_result vc_ioio_exitinfo(struct es_em_ctxt *ctxt, u64 *exitinfo) > case 0xe4: > case 0xe5: > *exitinfo |= IOIO_TYPE_IN; > - *exitinfo |= (u64)insn->immediate.value << 16; > + *exitinfo |= insn->immediate.bytes[0] << 16; Can't we just drop the explicit cast to u64? Or explicitly cast to u8? Doesn't really matter, but poking into the backing bytes feels a bit backwards. > break; > > /* OUT immediate opcodes */ > case 0xe6: > case 0xe7: > *exitinfo |= IOIO_TYPE_OUT; > - *exitinfo |= (u64)insn->immediate.value << 16; > + *exitinfo |= insn->immediate.bytes[0] << 16; > break; ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] x86/sev-es: Fix SEV-ES OUT/IN immediate opcode vc handling 2020-12-17 17:19 ` Sean Christopherson @ 2020-12-28 22:36 ` Borislav Petkov 2020-12-28 23:43 ` Sean Christopherson 0 siblings, 1 reply; 5+ messages in thread From: Borislav Petkov @ 2020-12-28 22:36 UTC (permalink / raw) To: Sean Christopherson, Peter Gonda Cc: Thomas Gleixner, Ingo Molnar, Joerg Roedel, Tom Lendacky, linux-kernel, x86, David Rientjes On Thu, Dec 17, 2020 at 09:19:13AM -0800, Sean Christopherson wrote: > On Wed, Dec 16, 2020, Peter Gonda wrote: > > > > The IN and OUT immediate instructions only use an 8-bit immediate. The > > current VC handler uses the entire 32-bit immediate value. These > > instructions only set the first bytes. > > > > Tested with a loop back port with "outb %0,$0xe0". Before the port seen > > by KVM was 0xffffffffffffffe0 instead of 0xe0. After the correct port > > was seen by KVM and the guests loop back OUT then IN were equal. > > > > > > Signed-off-by: Peter Gonda <pgonda@google.com> > > Acked-by: David Rientjes <rientjes@google.com> > > > > > > --- > > arch/x86/kernel/sev-es-shared.c | 8 ++++++-- > > drivers/Makefile | 1 + > > 2 files changed, 7 insertions(+), 2 deletions(-) > > > > diff --git a/arch/x86/kernel/sev-es-shared.c b/arch/x86/kernel/sev-es-shared.c > > index 7d04b356d44d..6c790377c55c 100644 > > --- a/arch/x86/kernel/sev-es-shared.c > > +++ b/arch/x86/kernel/sev-es-shared.c > > @@ -305,14 +305,14 @@ static enum es_result vc_ioio_exitinfo(struct es_em_ctxt *ctxt, u64 *exitinfo) > > case 0xe4: > > case 0xe5: > > *exitinfo |= IOIO_TYPE_IN; > > - *exitinfo |= (u64)insn->immediate.value << 16; > > + *exitinfo |= insn->immediate.bytes[0] << 16; > > Can't we just drop the explicit cast to u64? Or explicitly cast to u8? Doesn't > really matter, but poking into the backing bytes feels a bit backwards. GHCB spec says for IOIO_PROT (exit code 0x7b): "SW_EXITINFO1 will be set as documented in AMD64 Architecture Programmer’s Manual Volume 2: System Programming, Section 15.10.2" That section has "Figure 15-2. EXITINFO1 for IOIO Intercept" where [31:16] is the intercepted I/O port. Now, insn->immediate.value is a union between a signed int and a unsigned char bytes[4] array so in order to be absolutely correct, that should use: insn->immediate.bytes[0] instead, to get the port byte only, before shifting it into [31:16]. The (u64) cast doesn't matter because *exitinfo = 0 at function entry and that is part of the first assignment afterwards. I still don't see how that sign extension 0xffffffffffffffe0 can happen, though. Maybe something gets added during instruction decoding... Hmmm. -- Regards/Gruss, Boris. https://people.kernel.org/tglx/notes-about-netiquette ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] x86/sev-es: Fix SEV-ES OUT/IN immediate opcode vc handling 2020-12-28 22:36 ` Borislav Petkov @ 2020-12-28 23:43 ` Sean Christopherson 2020-12-29 10:56 ` Borislav Petkov 0 siblings, 1 reply; 5+ messages in thread From: Sean Christopherson @ 2020-12-28 23:43 UTC (permalink / raw) To: Borislav Petkov Cc: Peter Gonda, Thomas Gleixner, Ingo Molnar, Joerg Roedel, Tom Lendacky, linux-kernel, x86, David Rientjes On Mon, Dec 28, 2020, Borislav Petkov wrote: > On Thu, Dec 17, 2020 at 09:19:13AM -0800, Sean Christopherson wrote: > > On Wed, Dec 16, 2020, Peter Gonda wrote: > > > > > > The IN and OUT immediate instructions only use an 8-bit immediate. The > > > current VC handler uses the entire 32-bit immediate value. These > > > instructions only set the first bytes. > > > > > > Tested with a loop back port with "outb %0,$0xe0". Before the port seen > > > by KVM was 0xffffffffffffffe0 instead of 0xe0. After the correct port > > > was seen by KVM and the guests loop back OUT then IN were equal. > > > > > > > > > Signed-off-by: Peter Gonda <pgonda@google.com> > > > Acked-by: David Rientjes <rientjes@google.com> > > > > > > > > > --- > > > arch/x86/kernel/sev-es-shared.c | 8 ++++++-- > > > drivers/Makefile | 1 + > > > 2 files changed, 7 insertions(+), 2 deletions(-) > > > > > > diff --git a/arch/x86/kernel/sev-es-shared.c b/arch/x86/kernel/sev-es-shared.c > > > index 7d04b356d44d..6c790377c55c 100644 > > > --- a/arch/x86/kernel/sev-es-shared.c > > > +++ b/arch/x86/kernel/sev-es-shared.c > > > @@ -305,14 +305,14 @@ static enum es_result vc_ioio_exitinfo(struct es_em_ctxt *ctxt, u64 *exitinfo) > > > case 0xe4: > > > case 0xe5: > > > *exitinfo |= IOIO_TYPE_IN; > > > - *exitinfo |= (u64)insn->immediate.value << 16; > > > + *exitinfo |= insn->immediate.bytes[0] << 16; > > > > Can't we just drop the explicit cast to u64? Or explicitly cast to u8? Doesn't > > really matter, but poking into the backing bytes feels a bit backwards. > > GHCB spec says for IOIO_PROT (exit code 0x7b): > > "SW_EXITINFO1 will be set as documented in AMD64 Architecture > Programmer’s Manual Volume 2: System Programming, Section 15.10.2" > > That section has "Figure 15-2. EXITINFO1 for IOIO Intercept" where > [31:16] is the intercepted I/O port. > > Now, insn->immediate.value is a union between a signed int and a > unsigned char bytes[4] array so in order to be absolutely correct, that > should use: > > insn->immediate.bytes[0] Eh, casting to u8 is "absolutely correct" as well. I don't like using bytes[] because it feels like accessing the raw data as opposed to the end result of decoding, but it's not a sticking point. > (u64) cast doesn't matter because *exitinfo = 0 at function entry and > that is part of the first assignment afterwards. > > I still don't see how that sign extension 0xffffffffffffffe0 can happen, > though. Maybe something gets added during instruction decoding... Yes, insn_get_immediate() sets insn->immediate.value directly and sign extends the imm8 (which is correct, e.g. for "AND r/m64, imm8"). switch (inat_immediate_size(insn->attr)) { case INAT_IMM_BYTE: insn->immediate.value = get_next(signed char, insn); insn->immediate.nbytes = 1; break; ... } > > Hmmm. > > -- > Regards/Gruss, > Boris. > > https://people.kernel.org/tglx/notes-about-netiquette ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] x86/sev-es: Fix SEV-ES OUT/IN immediate opcode vc handling 2020-12-28 23:43 ` Sean Christopherson @ 2020-12-29 10:56 ` Borislav Petkov 0 siblings, 0 replies; 5+ messages in thread From: Borislav Petkov @ 2020-12-29 10:56 UTC (permalink / raw) To: Sean Christopherson Cc: Peter Gonda, Thomas Gleixner, Ingo Molnar, Joerg Roedel, Tom Lendacky, linux-kernel, x86, David Rientjes On Mon, Dec 28, 2020 at 03:43:06PM -0800, Sean Christopherson wrote: > Eh, casting to u8 is "absolutely correct" as well. I don't like using bytes[] > because it feels like accessing the raw data as opposed to the end result of > decoding, but it's not a sticking point. Ok, code in the kernel uses mostly ->value so u8 casting it is. > Yes, insn_get_immediate() sets insn->immediate.value directly and sign extends > the imm8 (which is correct, e.g. for "AND r/m64, imm8"). > > switch (inat_immediate_size(insn->attr)) { > case INAT_IMM_BYTE: > insn->immediate.value = get_next(signed char, insn); > insn->immediate.nbytes = 1; Ah, there it is. And we set nbytes too, conveniently. Thx. -- Regards/Gruss, Boris. https://people.kernel.org/tglx/notes-about-netiquette ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-12-29 10:59 UTC | newest] Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2020-12-17 1:04 [PATCH] x86/sev-es: Fix SEV-ES OUT/IN immediate opcode vc handling Peter Gonda 2020-12-17 17:19 ` Sean Christopherson 2020-12-28 22:36 ` Borislav Petkov 2020-12-28 23:43 ` Sean Christopherson 2020-12-29 10:56 ` Borislav Petkov
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).