Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp3213854pxb; Fri, 12 Feb 2021 12:09:51 -0800 (PST) X-Google-Smtp-Source: ABdhPJyLJvCgdRiuhFHmeAJRdlnqfSDje+Ws+NUdg+M0rabDu733bmEUsWtJp4T7LP1qcQWpkXir X-Received: by 2002:aa7:da55:: with SMTP id w21mr5291653eds.138.1613160591602; Fri, 12 Feb 2021 12:09:51 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1613160591; cv=none; d=google.com; s=arc-20160816; b=nLLj2HbPzZ4j3yLYV8+EwLKGGRSeQqSX2cJldkeE9fRESmGEFJvou0b/3oCzqrmBr9 HWgCfLz6tUuT4C683ShhU+Xb+wbxBeNF0k/6fkw7/CmKwS11B2fuecvrmVF12UN781fr QrsSBs55MW1GfJKH8VXrO/kceXOGuGPJMV76Qhejl0o31BSB/jd/MTGIJOTjvMBOKgx8 cEo6s1oR7UyNg8CeRDmWz1lvx2FkIWIzMW+jLrmzPwHGT158osDt+jjaZvtJHdr3zy8i Ul88OFUzytN1HZEmU4BmIwveffiabW+UjAtI14bgu/E2gD2Zx+56zX36xb5rRVxQiIS8 kHmA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=o1P4JemX5J+i5nAkTEumF3u9rjmcEBtmi1IYaMYgYNs=; b=OEL+qYQYl3erkya+yjn7JoxlqFzSSuOMG4S8c/G1Kz5quo7qF21LX6QNbEr+ZU/FXQ TkSN6mJejXAGeWO6OQXGzKk3TsG3DJnfeaptIIQC1HaXWqurFegFeUpc32h20WmF64eX Aa/Vs5OI+5hxL7mNKBMALZ6lEVAcLkORXJobBOZs3mbetfusHZMMDAY/6sVeUEHvhQwv rwzqcZufBQBSVCOu8mcW18nKluhQG3L9zn3rMLMymdzgbYZ+pI4e8jnVrHiG5VPH501B 9xBUQdGsy6ngO/x3d6FGkEGPH99z4Jzpj5DBiZ/XQoLYAplNldR4BnQ6vdBfWRfqbH9k 7qfA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=n5BlLvwz; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id g2si7042584ejw.453.2021.02.12.12.09.27; Fri, 12 Feb 2021 12:09:51 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=n5BlLvwz; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230043AbhBLUHW (ORCPT + 99 others); Fri, 12 Feb 2021 15:07:22 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53804 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229648AbhBLUHV (ORCPT ); Fri, 12 Feb 2021 15:07:21 -0500 Received: from mail-pj1-x1030.google.com (mail-pj1-x1030.google.com [IPv6:2607:f8b0:4864:20::1030]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 87E36C061574 for ; Fri, 12 Feb 2021 12:06:41 -0800 (PST) Received: by mail-pj1-x1030.google.com with SMTP id my11so759037pjb.1 for ; Fri, 12 Feb 2021 12:06:41 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=o1P4JemX5J+i5nAkTEumF3u9rjmcEBtmi1IYaMYgYNs=; b=n5BlLvwz/MS7vwkbwkidddTXXLQywbrX4trcafMxoKNOhmnu1BRmXbY2zfVYcftQsw dupfU597OK2ac7WfVVKqOmvMA55W5X3eztQgO19NjGds/dS2lftAGPMNvYHJEpj2tH0a GvmG2zE6hfF0t/6FjqTl5kiAhHhsIhsWoJtg6HuF3CVn143O31XuAcC7MZljH16cvmzE ZzBZgbVsnzegnfYy/Ofky/GUEmKiZ4tBy3SsxRMLqU/5YyOEFDFSIudqwMhWYjXIEL43 mXTZQa4F9DTEoG8nAMLsXCRpBvxknWVdTwiyIor6upRDUZHBpe2+t2j/9Hi2/5Ep4TJb fwVg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=o1P4JemX5J+i5nAkTEumF3u9rjmcEBtmi1IYaMYgYNs=; b=MUKolu50Z+NPY3bD8o45ItjCSFbj2TuNp+uhertsCKJouuBhdgABAntOJ/DeZFZcvE BZB/ZzcgQehGUh5xUnnxIeL4/3Tp98d43COcN+SLpiKn3ZLBAjSjZovxP5SLTWmjz1xj u3cHwnUlzBTjTNhHKHP1Qcoyg5rSRZIgY3MfHwcESOgfLIfDTD929m6HTkpjX5CoferK UVdhdiRakAl60tyg3Mug12I9ZtksLQUuDBAv04Q+u271ZOf6q6KLj6HwvZkFDRvLTceG g34DZWBbLNleTt3CMd6OIG+dwFmhpdhXMiI3vukqNRhIL53VIWjwyhABlw4WUsL8jv4r RyAQ== X-Gm-Message-State: AOAM531fJqKNVkpAx82v+jsjhzCXmj3s1tDRUY2Lgq6PP54qri1dcFlt TV+44pgKI8hEq8IA3hVnO8ypnQ== X-Received: by 2002:a17:902:b28a:b029:e3:2067:3e04 with SMTP id u10-20020a170902b28ab02900e320673e04mr4172154plr.18.1613160400720; Fri, 12 Feb 2021 12:06:40 -0800 (PST) Received: from google.com ([2620:15c:f:10:b407:1780:13d2:b27]) by smtp.gmail.com with ESMTPSA id w187sm6301128pfb.208.2021.02.12.12.06.39 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 12 Feb 2021 12:06:39 -0800 (PST) Date: Fri, 12 Feb 2021 12:06:33 -0800 From: Sean Christopherson To: Andy Lutomirski Cc: Kuppuswamy Sathyanarayanan , Peter Zijlstra , Dave Hansen , Andi Kleen , Kirill Shutemov , Kuppuswamy Sathyanarayanan , Dan Williams , Raj Ashok , LKML , Sean Christopherson Subject: Re: [RFC v1 05/26] x86/traps: Add #VE support for TDX guest Message-ID: References: <48a702f536ccf953eee5778023ed6d1a452f6dcf.1612563142.git.sathyanarayanan.kuppuswamy@linux.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Feb 12, 2021, Andy Lutomirski wrote: > On Fri, Feb 5, 2021 at 3:39 PM Kuppuswamy Sathyanarayanan > wrote: > > > > From: "Kirill A. Shutemov" > > > > The TDX module injects #VE exception to the guest TD in cases of > > disallowed instructions, disallowed MSR accesses and subset of CPUID > > leaves. Also, it's theoretically possible for CPU to inject #VE > > exception on EPT violation, but the TDX module makes sure this does > > not happen, as long as all memory used is properly accepted using > > TDCALLs. > > By my very cursory reading of the TDX arch specification 9.8.2, > "Secure" EPT violations don't send #VE. But the docs are quite > unclear, or at least the docs I found are. The version I have also states that SUPPRESS_VE is always set. So either there was a change in direction, or the public docs need to be updated. Lazy accept requires a #VE, either from hardware or from the module. The latter would require walking the Secure EPT tables on every EPT violation... > What happens if the guest attempts to access a secure GPA that is not > ACCEPTed? For example, suppose the VMM does THH.MEM.PAGE.REMOVE on a secure > address and the guest accesses it, via instruction fetch or data access. > What happens? Well, as currently written in the spec, it will generate an EPT violation and the host will have no choice but to kill the guest.