Received: by 2002:a25:31c3:0:0:0:0:0 with SMTP id x186csp5432875ybx;
        Sun, 10 Nov 2019 13:11:55 -0800 (PST)
X-Google-Smtp-Source: APXvYqyrluiaxESmA+unKFgiYMX4OgUsQ/In/sj8bwJnds/j3ncI8vrp+UjTU0rXfvvtg+W/Ko0d
X-Received: by 2002:a50:ac2c:: with SMTP id v41mr22523430edc.11.1573420315030;
        Sun, 10 Nov 2019 13:11:55 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1573420315; cv=none;
        d=google.com; s=arc-20160816;
        b=guk2EnC/wzdDczIN5wJmO90ldrnOFStV2W5G/gMlgwvgn5UTEYj4KOE/di3YXPyTUv
         rsHCFkzIUIUUaI54mxd+hOl7A3IGT6W5Sa8DIMNo5olWLlo8Bpxli23xAXRDepAcZBpb
         s/k62pfPKV2lptmHxjYyUf7hj1aQLm3TLPaVMK6uEp3WenHxwVO809Gtkj62xGO1+xiK
         Fnz/cCVOgV0S7cRcEzqiKrV6UJeEyRAEXFibrAJqKe+CLlw0p2YJwGWztqq2qjtZUWga
         H4rHAJHoXlA9H3b2ZoqnKhQve2tSP2HDGwlPM2YK8g9I//eenvFff2A5OtYvyyYQiHAj
         gryw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature;
        bh=S4JR4lv8Y86WM6sSdRgoYbCO9U/PBssIT24SbLsToTQ=;
        b=V7vsoTfNFIGZz2WtJaOWjJL8wxQAMqQEfB0oD6FhhEIzv2w3xINWLPJnc9gnAQMFE8
         EL36ymayhFR2LANbyqMPDFWGFRgUEaWQ9G+IP5iv70QODaucmhWNq3WAoNkVq3BUQQ8c
         cr1eGL01wSbWhfT/ge2B7doc4LsACk4Jds6cl9iDUpXDSSyk2+lRJtjjdzlKG5LdpHFc
         8F4Kq+Sq+rG9NOzmAbpK43pLz5QT/70zKtn2kYaYYToaHpg/LR6D5Qpm2X4/RmNtzBYF
         7Gn/tXEb1cMvUbht6FBZoY5Sp1Mb0ncArkim+v10RZWcynl3V27VqKpR1WJNi/36nm+S
         d+Pg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gibson.dropbear.id.au header.s=201602 header.b="GXUH/Zuc";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id i13si8125265ejc.76.2019.11.10.13.11.32;
        Sun, 10 Nov 2019 13:11:55 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gibson.dropbear.id.au header.s=201602 header.b="GXUH/Zuc";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727011AbfKJVKu (ORCPT <rfc822;busarih159@gmail.com>
        + 99 others); Sun, 10 Nov 2019 16:10:50 -0500
Received: from ozlabs.org ([203.11.71.1]:47885 "EHLO ozlabs.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726856AbfKJVKu (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 10 Nov 2019 16:10:50 -0500
Received: by ozlabs.org (Postfix, from userid 1007)
        id 47B69g21Jbz9sPK; Mon, 11 Nov 2019 08:10:46 +1100 (AEDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
        d=gibson.dropbear.id.au; s=201602; t=1573420247;
        bh=sgl6XwaqQKuWwNLFcxgCVCJd1ny8a3Y5WhLWIZgRB+w=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
        b=GXUH/ZucMTSO8lUMwgX4o1MuQVS9+ZQ/DD/1O8usLKlRKOyhuj/4hI8/57w/C9XLP
         SnmdxtnIbeEhqXifQjE5gJSakdwrJwzIk2m0e2GOxJZ7fI2ctXgvC+WP6SVSAFn6M4
         Rwg/wedGqEhGy8Ca+ER2oTOv+sJZHGOBeMj9j3os=
Date:   Sun, 10 Nov 2019 19:40:06 +0000
From:   David Gibson <david@gibson.dropbear.id.au>
To:     Ram Pai <linuxram@us.ibm.com>
Cc:     linuxppc-dev@lists.ozlabs.org, benh@kernel.crashing.org,
        mpe@ellerman.id.au, paulus@ozlabs.org, mdroth@linux.vnet.ibm.com,
        hch@lst.de, andmike@us.ibm.com, sukadev@linux.vnet.ibm.com,
        mst@redhat.com, ram.n.pai@gmail.com, aik@ozlabs.ru, cai@lca.pw,
        tglx@linutronix.de, bauerman@linux.ibm.com,
        linux-kernel@vger.kernel.org
Subject: Re: [RFC v2 1/2] powerpc/pseries/iommu: Share the per-cpu TCE page
 with the hypervisor.
Message-ID: <20191110194006.GQ2461@umbus.Home>
References: <1573254011-1604-1-git-send-email-linuxram@us.ibm.com>
 <1573254011-1604-2-git-send-email-linuxram@us.ibm.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
        protocol="application/pgp-signature"; boundary="63aIh6YiuHX+oBFP"
Content-Disposition: inline
In-Reply-To: <1573254011-1604-2-git-send-email-linuxram@us.ibm.com>
User-Agent: Mutt/1.12.1 (2019-06-15)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


--63aIh6YiuHX+oBFP
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, Nov 08, 2019 at 03:00:10PM -0800, Ram Pai wrote:
> The hypervisor needs to access the contents of the page holding the TCE
> entries while setting up the TCE entries in the IOMMU's TCE table.
>=20
> For SecureVMs, since this page is encrypted, the hypervisor cannot
> access valid entries. Share the page with the hypervisor. This ensures
> that the hypervisor sees those valid entries.
>=20
> Why is this safe?
>    The page contains only TCE entries; not any sensitive data
>    belonging to the Secure VM. The hypervisor has a genuine need to know
>    the value of the TCE entries, without which it will not be able to
>    DMA to/from the pages pointed to by the TCE entries. In a Secure
>    VM the TCE entries point to pages that are also shared with the
>    hypervisor; example: pages containing bounce buffers.

The bit that may not be obvious to reviewers from the above is this:

This is *not* a page of "live" TCEs which are actively used for
translation.  Instead this is just a transient buffer with a batch of
TCEs to set, passed to the hypervisor with the H_PUT_TCE_INDIRECT call.

>=20
> Signed-off-by: Ram Pai <linuxram@us.ibm.com>
> ---
>  arch/powerpc/platforms/pseries/iommu.c | 23 ++++++++++++++++++++---
>  1 file changed, 20 insertions(+), 3 deletions(-)
>=20
> diff --git a/arch/powerpc/platforms/pseries/iommu.c b/arch/powerpc/platfo=
rms/pseries/iommu.c
> index 8d9c2b1..a302aaa 100644
> --- a/arch/powerpc/platforms/pseries/iommu.c
> +++ b/arch/powerpc/platforms/pseries/iommu.c
> @@ -37,6 +37,7 @@
>  #include <asm/mmzone.h>
>  #include <asm/plpar_wrappers.h>
>  #include <asm/svm.h>
> +#include <asm/ultravisor.h>
> =20
>  #include "pseries.h"
> =20
> @@ -179,6 +180,23 @@ static int tce_build_pSeriesLP(struct iommu_table *t=
bl, long tcenum,
> =20
>  static DEFINE_PER_CPU(__be64 *, tce_page);
> =20
> +/*
> + * Allocate a tce page.  If secure VM, share the page with the hyperviso=
r.
> + *
> + * NOTE: the TCE page is shared with the hypervisor explicitly and remai=
ns
> + * shared for the lifetime of the kernel. It is implicitly unshared at k=
ernel
> + * shutdown through a UV_UNSHARE_ALL_PAGES ucall.
> + */
> +static __be64 *alloc_tce_page(void)
> +{
> +	__be64 *tcep =3D (__be64 *)__get_free_page(GFP_ATOMIC);
> +
> +	if (tcep && is_secure_guest())
> +		uv_share_page(PHYS_PFN(__pa(tcep)), 1);
> +
> +	return tcep;
> +}
> +
>  static int tce_buildmulti_pSeriesLP(struct iommu_table *tbl, long tcenum,
>  				     long npages, unsigned long uaddr,
>  				     enum dma_data_direction direction,
> @@ -206,8 +224,7 @@ static int tce_buildmulti_pSeriesLP(struct iommu_tabl=
e *tbl, long tcenum,
>  	 * from iommu_alloc{,_sg}()
>  	 */
>  	if (!tcep) {
> -		tcep =3D (__be64 *)__get_free_page(GFP_ATOMIC);
> -		/* If allocation fails, fall back to the loop implementation */
> +		tcep =3D alloc_tce_page();
>  		if (!tcep) {
>  			local_irq_restore(flags);
>  			return tce_build_pSeriesLP(tbl, tcenum, npages, uaddr,
> @@ -405,7 +422,7 @@ static int tce_setrange_multi_pSeriesLP(unsigned long=
 start_pfn,
>  	tcep =3D __this_cpu_read(tce_page);
> =20
>  	if (!tcep) {
> -		tcep =3D (__be64 *)__get_free_page(GFP_ATOMIC);
> +		tcep =3D alloc_tce_page();
>  		if (!tcep) {
>  			local_irq_enable();
>  			return -ENOMEM;

--=20
David Gibson			| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
				| _way_ _around_!
http://www.ozlabs.org/~dgibson

--63aIh6YiuHX+oBFP
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEdfRlhq5hpmzETofcbDjKyiDZs5IFAl3IZ5MACgkQbDjKyiDZ
s5K+kQ/+PKlvYDKC8LlZl7hGJs9oVVlDQG/Q3tWSAsQWzhygYK+NhJxNT1t0AF0I
0HnXRPw673myMED+6+j/cIS6zKg3N9GoOwBnaIxh+CzpsbzGtG+4XpCPcrAVO5+k
9vBX6Bhr+UmvI4V1tfW6Q3c7MEMEtH4VX57ZSZe9Poq5p39NVyX3nggrIZxlsgjC
SI90Vj/iGgfs3lyT+bIq9TU9N7pduaW6+JvNArThePpmUMgwc+EbVSGEh851wsGe
Uav8B7Axg8ZlKsA1XSf+WfHU4Z+/fsYYOBMSfecs1SvyxizGaWoGXayKe1aaGWSj
amPV9YZYecLkDPZG558cvT20KGnJ6JpJwebhVVzKIv8b/oLOzIjrHEku7Jy1OR+o
PfYzfpt2Ddc2NGQjsq8ppB6FuAAMRcn5FXtXnxWqS0AbIo+nJ7r9R2gYk1TD+VF7
S/7LmPh1Cd/xBZyxJFruj0qL21lGA9J0ff1MY7/qZ/8tySd0qJ4ehfQElJAFGSQC
4JFQFXrC6GLyHdAgF3jCr7AVIcSEy7Zwt4ueNYtPoFFXYqR29UXzGngVUXSb1+90
nZ9AJDRbFwtQo0ySgMYrchZw9ZOcRkDVuU730lwznf9+n0XpEdBjCauCuV0AK4PY
yrrBbg8WWdqOYmtgafVuQmUQhX2NFMVYx98wTFJWLT9FaJVBoo4=
=zGQn
-----END PGP SIGNATURE-----

--63aIh6YiuHX+oBFP--