Received: by 2002:a25:e74b:0:0:0:0:0 with SMTP id e72csp1700729ybh; Tue, 14 Jul 2020 05:11:54 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxC3kyxCxM4BzSnATZvi0s27m/WPT/3xdtq5ycbkCU/eVhfusq4xnCBz0qZPGkxJB3ueuxZ X-Received: by 2002:aa7:d7d0:: with SMTP id e16mr4309762eds.10.1594728713852; Tue, 14 Jul 2020 05:11:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1594728713; cv=none; d=google.com; s=arc-20160816; b=bxBwMXgG69dKlh6EintqgtPTem8KUx0P2j3O3MVcJ/rV/njNDpCt5AGpywFws5Qfy7 Cms0qSiNPThPjuOvGeUV8YBlFDlPzfPAYPbWPAsiI/EDPhlT7rJBfPRn2XFPx2f+oP09 Vz77ZlsglwvU910jiQulx5bIEQMKLQ1Zq79gCaQcCy+NTo5Y+cLV58W79GiMMpFE3jZw YbrJ7z4LjnK5MHmKNJBCfz5dkjEtLjzVvpCXbQEYscmTNDwvIPWcfftbrlo7WNOvQmsl lUOswUb3fuKMkqotUb7nnyE1vt096e/WnSQiq7aH9NpuEmcBtUfjpK83ipBp+1eyfhF3 /hxg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=cCZl+37cSmqBu1yOvRfVleisY4b5CPJILgiGPiQRBzY=; b=WJ1RgdoxngS8MQMqSz1JOdHZBwsn2JKT6J82vcwTXPn0daL96qDH/xQa8QWPz2NOIT x/O3TtSU+y02VQIxD5rjxgN2m33WKo26N6aY7lYZlVmslly4/ONX1gR4DdgOeF7hGTnX qJHTaw5IBDmZUxUyd0/DvDb2MusCDjkFZxT/9r1/k3zld3QmeBnCoRNwGrVOBdaOMtXM env92//6hItQ1uVQjjBORWIZSAUnEeXvS/kiR42Ikbz9f5Vl0e0CDQE30jUnjU43R6xX EEJ2jYsvUQEzGvpUdaCalThvJMfC6wiFSZBXrFgSpmKrTJO15M0Lgt+OW6q7H8qC3e1E FI4A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=8bytes.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id h22si11731236ejf.256.2020.07.14.05.11.29; Tue, 14 Jul 2020 05:11:53 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=8bytes.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728358AbgGNMK5 (ORCPT + 99 others); Tue, 14 Jul 2020 08:10:57 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60640 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728272AbgGNMKt (ORCPT ); Tue, 14 Jul 2020 08:10:49 -0400 Received: from theia.8bytes.org (8bytes.org [IPv6:2a01:238:4383:600:38bc:a715:4b6d:a889]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1E0D6C061755; Tue, 14 Jul 2020 05:10:49 -0700 (PDT) Received: from cap.home.8bytes.org (p5b006776.dip0.t-ipconnect.de [91.0.103.118]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) by theia.8bytes.org (Postfix) with ESMTPSA id 6066F93D; Tue, 14 Jul 2020 14:10:45 +0200 (CEST) From: Joerg Roedel To: x86@kernel.org Cc: Joerg Roedel , Joerg Roedel , hpa@zytor.com, Andy Lutomirski , Dave Hansen , Peter Zijlstra , Jiri Slaby , Dan Williams , Tom Lendacky , Juergen Gross , Kees Cook , David Rientjes , Cfir Cohen , Erdem Aktas , Masami Hiramatsu , Mike Stunes , Sean Christopherson , Martin Radev , linux-kernel@vger.kernel.org, kvm@vger.kernel.org, virtualization@lists.linux-foundation.org Subject: [PATCH v4 23/75] x86/boot/compressed/64: Unmap GHCB page before booting the kernel Date: Tue, 14 Jul 2020 14:08:25 +0200 Message-Id: <20200714120917.11253-24-joro@8bytes.org> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20200714120917.11253-1-joro@8bytes.org> References: <20200714120917.11253-1-joro@8bytes.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Joerg Roedel Force a page-fault on any further accesses to the GHCB page when they shouldn't happen anymore. This will catch the bugs where a #VC exception is raised when no one is expected anymore. Signed-off-by: Joerg Roedel --- arch/x86/boot/compressed/ident_map_64.c | 17 +++++++++++++++-- arch/x86/boot/compressed/misc.h | 6 ++++++ arch/x86/boot/compressed/sev-es.c | 14 ++++++++++++++ 3 files changed, 35 insertions(+), 2 deletions(-) diff --git a/arch/x86/boot/compressed/ident_map_64.c b/arch/x86/boot/compressed/ident_map_64.c index 05742f641a06..063a60edcf99 100644 --- a/arch/x86/boot/compressed/ident_map_64.c +++ b/arch/x86/boot/compressed/ident_map_64.c @@ -298,6 +298,11 @@ int set_page_encrypted(unsigned long address) return set_clr_page_flags(&mapping_info, address, _PAGE_ENC, 0); } +int set_page_non_present(unsigned long address) +{ + return set_clr_page_flags(&mapping_info, address, 0, _PAGE_PRESENT); +} + static void do_pf_error(const char *msg, unsigned long error_code, unsigned long address, unsigned long ip) { @@ -316,8 +321,14 @@ static void do_pf_error(const char *msg, unsigned long error_code, void do_boot_page_fault(struct pt_regs *regs, unsigned long error_code) { - unsigned long address = native_read_cr2() & PMD_MASK; - unsigned long end = address + PMD_SIZE; + unsigned long address = native_read_cr2(); + unsigned long end; + bool ghcb_fault; + + ghcb_fault = sev_es_check_ghcb_fault(address); + + address &= PMD_MASK; + end = address + PMD_SIZE; /* * Check for unexpected error codes. Unexpected are: @@ -327,6 +338,8 @@ void do_boot_page_fault(struct pt_regs *regs, unsigned long error_code) */ if (error_code & (X86_PF_PROT | X86_PF_USER | X86_PF_RSVD)) do_pf_error("Unexpected page-fault:", error_code, address, regs->ip); + else if (ghcb_fault) + do_pf_error("Page-fault on GHCB page:", error_code, address, regs->ip); /* * Error code is sane - now identity map the 2M region around diff --git a/arch/x86/boot/compressed/misc.h b/arch/x86/boot/compressed/misc.h index 4d37a28370ed..2e5f82acc122 100644 --- a/arch/x86/boot/compressed/misc.h +++ b/arch/x86/boot/compressed/misc.h @@ -100,6 +100,7 @@ static inline void choose_random_location(unsigned long input, #ifdef CONFIG_X86_64 extern int set_page_decrypted(unsigned long address); extern int set_page_encrypted(unsigned long address); +extern int set_page_non_present(unsigned long address); extern unsigned char _pgtable[]; #endif @@ -117,8 +118,13 @@ void set_sev_encryption_mask(void); #ifdef CONFIG_AMD_MEM_ENCRYPT void sev_es_shutdown_ghcb(void); +extern bool sev_es_check_ghcb_fault(unsigned long address); #else static inline void sev_es_shutdown_ghcb(void) { } +static inline bool sev_es_check_ghcb_fault(unsigned long address) +{ + return false; +} #endif /* acpi.c */ diff --git a/arch/x86/boot/compressed/sev-es.c b/arch/x86/boot/compressed/sev-es.c index 7e2cec170026..e3abf8737015 100644 --- a/arch/x86/boot/compressed/sev-es.c +++ b/arch/x86/boot/compressed/sev-es.c @@ -121,6 +121,20 @@ void sev_es_shutdown_ghcb(void) */ if (set_page_encrypted((unsigned long)&boot_ghcb_page)) error("Can't map GHCB page encrypted"); + + /* + * GHCB page is mapped encrypted again and flushed from the cache. + * Mark it non-present now to catch bugs when #VC exceptions trigger + * after this point. + */ + if (set_page_non_present((unsigned long)&boot_ghcb_page)) + error("Can't unmap GHCB page"); +} + +bool sev_es_check_ghcb_fault(unsigned long address) +{ + /* Check whether the fault was on the GHCB page */ + return ((address & PAGE_MASK) == (unsigned long)&boot_ghcb_page); } void do_boot_stage2_vc(struct pt_regs *regs, unsigned long exit_code) -- 2.27.0