Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp6105762yba; Tue, 14 May 2019 01:36:41 -0700 (PDT) X-Google-Smtp-Source: APXvYqzntLR/VAfI/WXTdZbxg2hn48y1Ck0eX3ag2mTnCiSvd5RuPbZ4niaTku35a3ciG7NlQWCD X-Received: by 2002:a62:54c7:: with SMTP id i190mr17623568pfb.87.1557823000866; Tue, 14 May 2019 01:36:40 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1557823000; cv=none; d=google.com; s=arc-20160816; b=xlqLHjjVaLDzAJY7W5UMb2QzzM/roUiebyenbQ39XEbgmRqTpCNPq0LxxdO9/jYtQ2 mV5Bvx4F8sACjDRsVVe4GAqOnw+3upsN3SPFrK2pIIKfN/KktXX4pMgvqCL3T4IoiyQW MC/Qf0o9+bth0OUiZgaTFAvYfE080UHsYLw0SStshoUSPTsrLB4eaT8GaohcLa7M0e29 ZrgCFJAbmYCoyorluoEX9T7WXa//KWropAAcUUi2Tgyk1CHtKI7spWEXtsHXKukH+1Bs KL2ZdmD5czOhYhVP0XwDyCAHW0eqhq8C0WnPOfRbhLnaesmdZTj9j5lfHxg9JK6XLEcG ASvw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:to:references:message-id :content-transfer-encoding:cc:date:in-reply-to:from:subject :mime-version:dkim-signature; bh=hDxyx52ZHxybLIaQgqYkgIgM9saZTw3PtnrtMC+I7nY=; b=TF/KIHId8NHtD3WpfTceLuiIIW/D8g9OWjcfL9tQqvXMOtW4/DANPP1MYqcGqIPzkD VhERwUpN+oCAEkvqthhwTYT6AClkWWFvHsuH8xbv0dF2lkPBSSEGE8YlMhzCOfeDuJuT bvjq09tFB7VNEVjCY98k4jH6b7pypvef/Ox6NoQTyAAlbKWMpsa88J3h3WxY3G1vFR1y oqmHSsQBYH7CgW1axLti1bRYHFi4rpvkAiB8dMPC/x6DyikygKxDkaKUT3nQ5Wif9EBC w7UOQeSpZSmHmdUDKos3FPLdLDq9IChqTJzgZuMkukhdlaDVQaLx6U/bCvBYFgJiDZcR pfTQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=V1fySS88; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h1si16294125pgv.67.2019.05.14.01.36.25; Tue, 14 May 2019 01:36:40 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=V1fySS88; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726475AbfENIeH (ORCPT + 99 others); Tue, 14 May 2019 04:34:07 -0400 Received: from mail-pg1-f193.google.com ([209.85.215.193]:44299 "EHLO mail-pg1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726109AbfENIeH (ORCPT ); Tue, 14 May 2019 04:34:07 -0400 Received: by mail-pg1-f193.google.com with SMTP id z16so8234396pgv.11 for ; Tue, 14 May 2019 01:34:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amacapital-net.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=hDxyx52ZHxybLIaQgqYkgIgM9saZTw3PtnrtMC+I7nY=; b=V1fySS88ojdaA5J3kVvNrhouMk585i4pA8vbBVomSrsOi8RHjcgYc7KvrkPXXZNgSV OLpeJryWoG+Z8+3ehqnV1obfrxQBzF2iFd1KXeVg3V1BZ2ocLrRihAV4elcX6OOBPOsH BridwfMxgjM1a7LU4JUrULKuAzfjFanypx5iYzIeDOj+B966bCEcMkWtBWeCaULiJHgY D4wopj3OIqUTsuWy/NWee71NbSfJLuDwHsyQpNoPX19EWvpgueGaASh1pibGPPqrgW7A nlb7D7mdsF2VCyicLPcSaXUwID0nqqYEcvVRf69YRGaV5Q0Id4jXgYWdUERJ0MIn+2mD a4iw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=hDxyx52ZHxybLIaQgqYkgIgM9saZTw3PtnrtMC+I7nY=; b=ZSf6eTHaMQEeLERIy7s7qksDQuNaW2BBGctSpwdiubXNHvA/5pb0/Ri7s7GbQR6dH6 QCPnhbpg1TB0K2jklJ5xaBKBiZczuYGyBe2+Wduw4w27KFepTFbZtCM/iN0JASACDEwC LSbbcLe6XsHpwcqTFonqA0Y00uLeDC+5ab/qMvesyR2mNLFfFd5eaxa6fpNCpxZbT4t5 aoEfaMK7ABwcIpdzPu8/L0sfU68PjZ4yZd/i/4GMNyg1Bu3ZfNeGAlWQ24W4VoSGYRhX 2VYgd3RgtYC8owfE5TKO961kyDegAlMjuja//vdqbDcKYmncmJmNqaniiX3+XBRKEaZc 5iFA== X-Gm-Message-State: APjAAAX8CZPivc7n+fUe747Fl10hDkX48oL6vFPULlGIZXcqohGdgtlz 8ojd2MI2ta/mIHKULN2mAyZ5yg== X-Received: by 2002:a62:570a:: with SMTP id l10mr38957276pfb.151.1557822846594; Tue, 14 May 2019 01:34:06 -0700 (PDT) Received: from ?IPv6:2601:646:c200:1ef2:1d0a:33b8:7824:bf6b? ([2601:646:c200:1ef2:1d0a:33b8:7824:bf6b]) by smtp.gmail.com with ESMTPSA id u75sm40423546pfa.138.2019.05.14.01.34.05 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 14 May 2019 01:34:05 -0700 (PDT) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (1.0) Subject: Re: [RFC KVM 18/27] kvm/isolation: function to copy page table entries for percpu buffer From: Andy Lutomirski X-Mailer: iPhone Mail (16E227) In-Reply-To: Date: Tue, 14 May 2019 01:34:05 -0700 Cc: Peter Zijlstra , Andy Lutomirski , Paolo Bonzini , Radim Krcmar , Thomas Gleixner , Ingo Molnar , Borislav Petkov , "H. Peter Anvin" , Dave Hansen , kvm list , X86 ML , Linux-MM , LKML , Konrad Rzeszutek Wilk , jan.setjeeilers@oracle.com, Liran Alon , Jonathan Adams Content-Transfer-Encoding: quoted-printable Message-Id: References: <1557758315-12667-1-git-send-email-alexandre.chartre@oracle.com> <1557758315-12667-19-git-send-email-alexandre.chartre@oracle.com> <20190514070941.GE2589@hirez.programming.kicks-ass.net> To: Alexandre Chartre Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > On May 14, 2019, at 1:25 AM, Alexandre Chartre wrote: >=20 >=20 >> On 5/14/19 9:09 AM, Peter Zijlstra wrote: >>> On Mon, May 13, 2019 at 11:18:41AM -0700, Andy Lutomirski wrote: >>> On Mon, May 13, 2019 at 7:39 AM Alexandre Chartre >>> wrote: >>>>=20 >>>> pcpu_base_addr is already mapped to the KVM address space, but this >>>> represents the first percpu chunk. To access a per-cpu buffer not >>>> allocated in the first chunk, add a function which maps all cpu >>>> buffers corresponding to that per-cpu buffer. >>>>=20 >>>> Also add function to clear page table entries for a percpu buffer. >>>>=20 >>>=20 >>> This needs some kind of clarification so that readers can tell whether >>> you're trying to map all percpu memory or just map a specific >>> variable. In either case, you're making a dubious assumption that >>> percpu memory contains no secrets. >> I'm thinking the per-cpu random pool is a secrit. IOW, it demonstrably >> does contain secrits, invalidating that premise. >=20 > The current code unconditionally maps the entire first percpu chunk > (pcpu_base_addr). So it assumes it doesn't contain any secret. That is > mainly a simplification for the POC because a lot of core information > that we need, for example just to switch mm, are stored there (like > cpu_tlbstate, current_task...). I don=E2=80=99t think you should need any of this. >=20 > If the entire first percpu chunk effectively has secret then we will > need to individually map only buffers we need. The kvm_copy_percpu_mapping= () > function is added to copy mapping for a specified percpu buffer, so > this used to map percpu buffers which are not in the first percpu chunk. >=20 > Also note that mapping is constrained by PTE (4K), so mapped buffers > (percpu or not) which do not fill a whole set of pages can leak adjacent > data store on the same pages. >=20 >=20 I would take a different approach: figure out what you need and put it in it= s own dedicated area, kind of like cpu_entry_area. One nasty issue you=E2=80=99ll have is vmalloc: the kernel stack is in the v= map range, and, if you allow access to vmap memory at all, you=E2=80=99ll ne= ed some way to ensure that *unmap* gets propagated. I suspect the right choi= ce is to see if you can avoid using the kernel stack at all in isolated mode= . Maybe you could run on the IRQ stack instead.=