Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp718565pxu; Thu, 7 Jan 2021 16:57:44 -0800 (PST) X-Google-Smtp-Source: ABdhPJxbdZ+Yjqyen7trSkHTq4dNLF1wWEXvi3vu3HaXrWQmXf8nrBjoOX99TeFExU/O+OcVBbO9 X-Received: by 2002:a05:6402:c0b:: with SMTP id co11mr3432797edb.180.1610067464265; Thu, 07 Jan 2021 16:57:44 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1610067464; cv=none; d=google.com; s=arc-20160816; b=uQhBQ2STuR6roif2K93XBVSXUfchgYWBw11BuNToDuIscAkdLcwFUhXz6sFT5AVTfs RTEcR5QUmYehVje57CpqpMrJRx3envxUOz8qAkofsMPYneS1If3vsTEfxNRfxRgkRGNk R6Wey/S/jJGSvFGofHIxGlr6g3PskMA7X8f0X1RRkifdddaj2ZArB4ZCgUOrTXWig0we fsuTBOi+q4t1MWAfBUcFYg+fjjHkf6BgM6CDeXXA5DmI1MNoygMQeoMpE7jKTX7rcEIQ H302Yypfk92TaqC9VPE62jgUcLQYgM/dlA+eFwECYRgRSNIDH8ryAlTZRvm7hMvMYE2F bCeA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=ZnmKthVAiWe8sv/LE5kigV4DNRxPV19TU/ErS22n0DQ=; b=awLMSxnzNWcR/TxvmtFGBVBKjmjtcwhsikChIOJXovb1uAgtEPAPZKyXlsYROyF67m BnMJpktkf9Sit8JqM+mfgMpGI4TsvZbxBc07HKpA5rRgShOpJkxxJMtkSIngWpj7NxbZ CQ0ZtNeskqR57x3B8hojFtZkqNJxUzAvaagbZ8UOzVN7vYBfvV64zYLjoxCPMxCftjfX Y2eYBEuRAZHJsHPDECFu40PcyP93k9b+IezW+qRHCCuqX5OP7tY8IJfdabhbC0DFDVoK XxkEef8l5KreiOfV67imxBYbmkte2pdWvvwT2pYCGMvHjYmCniMYx1GEUVjjdBFKbctd NYtA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=dRLEWSZM; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id z4si2803995ejw.380.2021.01.07.16.57.12; Thu, 07 Jan 2021 16:57:44 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=dRLEWSZM; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729680AbhAHA4H (ORCPT + 99 others); Thu, 7 Jan 2021 19:56:07 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41746 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729502AbhAHA4G (ORCPT ); Thu, 7 Jan 2021 19:56:06 -0500 Received: from mail-il1-x12c.google.com (mail-il1-x12c.google.com [IPv6:2607:f8b0:4864:20::12c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 57455C0612F4 for ; Thu, 7 Jan 2021 16:55:26 -0800 (PST) Received: by mail-il1-x12c.google.com with SMTP id 14so7382703ilq.2 for ; Thu, 07 Jan 2021 16:55:26 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ZnmKthVAiWe8sv/LE5kigV4DNRxPV19TU/ErS22n0DQ=; b=dRLEWSZMWtVoapId8WgxnfcKOoxNgQwuZH0bcsnEsF7HSicoRYX90rKqfJzqCugeXB gl7ndP2fCPtrXA7FIU72leIxtzig6zMYsqoRPoNmiXz3hWtFReoKM2xvPnMW0ITgFIvY e5hl+GAd117Up9s7bkcKQRq7lMjsZvsdD7BZvWRVvnXQKLCOBwPVKHVDrkpFWiKK60hE mzKjxu9U9eyJI5D5dsFNADAq1rhUNnWLK1r9FYTYFdppQX3f1HJAzrpmE4VgbGymJAEX Uw7ATDH6aGbLxns+cV6w28cnttPozgD3Lvj/VHMevrDUhPalrmRLbdOt6mWSNvWAUiCP ynVA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ZnmKthVAiWe8sv/LE5kigV4DNRxPV19TU/ErS22n0DQ=; b=UsMv20ecq19t98UkJAy+aS62TRZeYYuMXaQD1Ms7y1XqCKshTUsoORyCoWf4v5H4TY mRNevOk5NWx+vnIqpXGOr5PnkZCyuHTPe6KMQ2J+DxPcb+eSSCs0uN2EgPY6zFD0xcm2 ZLW0Efixu1QTBrV4DWU8LMddb8Cv1CYxqm/6CQf8k8xTIyo4bxEyKB6tycbjIxoJlzeH BORCA/w3KEj4jlldM0qQoDsvkZRB073EhnAJrg2h34SrHWhadjFN235TxUgVvnFK3hkJ KOLSk7IsgVlJnk0rmEUeueLcOO2qx2NSOg4bxlNlIgmlnXXza0eOMLXc7onjg6OC/MB7 INtQ== X-Gm-Message-State: AOAM531Tvw45TpzPzMlqkA6DRBglPY6eZ3CFwxCJR3SzRT6vm1adOjDh Zqo6nckd3GMUeBQHsqKjlDYaew/n9yk4zfdAL3ywyw== X-Received: by 2002:a92:400a:: with SMTP id n10mr1578986ila.212.1610067325502; Thu, 07 Jan 2021 16:55:25 -0800 (PST) MIME-Version: 1.0 References: <20201211225542.GA30409@ashkalra_ubuntu_server> <20201212045603.GA27415@ashkalra_ubuntu_server> <20201218193956.GJ2956@work-vm> <20201218195641.GL2956@work-vm> <20210106230555.GA13999@ashkalra_ubuntu_server> <20210107170728.GA16965@ashkalra_ubuntu_server> <20210107184125.GA17388@ashkalra_ubuntu_server> In-Reply-To: From: Steve Rutherford Date: Thu, 7 Jan 2021 16:54:49 -0800 Message-ID: Subject: Re: [PATCH v2 1/9] KVM: x86: Add AMD SEV specific Hypercall3 To: Sean Christopherson Cc: Ashish Kalra , "Dr. David Alan Gilbert" , "Singh, Brijesh" , Paolo Bonzini , Thomas Gleixner , Ingo Molnar , "H. Peter Anvin" , Joerg Roedel , Borislav Petkov , "Lendacky, Thomas" , X86 ML , KVM list , LKML , "dovmurik@linux.vnet.ibm.com" , "tobin@ibm.com" , "jejb@linux.ibm.com" , "frankeh@us.ibm.com" , "Grimm, Jon" Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Supporting merging of consecutive entries (or not) is less important to get right since it doesn't change any of the APIs. If someone runs into performance issues, they can loop back and fix this then. I'm slightly concerned with the behavior for overlapping regions. I also have slight concerns with how we handle re-encrypting small chunks of larger unencrypted regions. I don't think we've seen these in practice, but nothing precludes them afaik. On Thu, Jan 7, 2021 at 11:23 AM Sean Christopherson wrote: > > On Thu, Jan 07, 2021, Ashish Kalra wrote: > > On Thu, Jan 07, 2021 at 09:26:25AM -0800, Sean Christopherson wrote: > > > On Thu, Jan 07, 2021, Ashish Kalra wrote: > > > > Hello Steve, > > > > > > > > On Wed, Jan 06, 2021 at 05:01:33PM -0800, Steve Rutherford wrote: > > > > > Avoiding an rbtree for such a small (but unstable) list seems correct. > > > > > > > > > > For the unencrypted region list strategy, the only questions that I > > > > > have are fairly secondary. > > > > > - How should the kernel upper bound the size of the list in the face > > > > > of malicious guests, but still support large guests? (Something > > > > > similar to the size provided in the bitmap API would work). > > > > > > > > I am thinking of another scenario, where a malicious guest can make > > > > infinite/repetetive hypercalls and DOS attack the host. > > > > > > > > But probably this is a more generic issue, this can be done by any guest > > > > and under any hypervisor, i don't know what kind of mitigations exist > > > > for such a scenario ? > > > > > > > > Potentially, the guest memory donation model can handle such an attack, > > > > because in this model, the hypervisor will expect only one hypercall, > > > > any repetetive hypercalls can make the hypervisor disable the guest ? > > > > > > KVM doesn't need to explicitly bound its tracking structures, it just needs to > > > use GFP_KERNEL_ACCOUNT when allocating kernel memory for the structures so that > > > the memory will be accounted to the task/process/VM. Shadow MMU pages are the > > > only exception that comes to mind; they're still accounted properly, but KVM > > > also explicitly limits them for a variety of reasons. > > > > > > The size of the list will naturally be bounded by the size of the guest; and > > > assuming KVM proactively merges adjancent regions, that upper bound is probably > > > reasonably low compared to other allocations, e.g. the aforementioned MMU pages. > > > > > > And, using a list means a malicious guest will get automatically throttled as > > > the latency of walking the list (to merge/delete existing entries) will increase > > > with the size of the list. > > > > Just to add here, potentially there won't be any proactive > > merging/deletion of existing entries, as the only static entries will be > > initial guest MMIO regions, which are contigious guest PA ranges but not > > necessarily adjacent. > > My point was that, if the guest is malicious, eventually there will be adjacent > entries, e.g. the worst case scenario is that the encrypted status changes on > every 4k page. Anyways, not really all that important, I mostly thinking out > loud :-) Agreed. Tagging this with GFP_KERNEL_ACCOUNT means we don't need to upper bound the number of pages. I now don't think there is any unusual DoS potential here. Perhaps, if the guest tries really hard to make a massive list, they could get a softlockup on the host. Not sure how important that is to fix.