Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp4180967pxf;
        Tue, 6 Apr 2021 09:45:10 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwrNxR9LDxh3lTjlsMo0wNwJBosHOvtLvCRrdgrroy/DyH6aeLfJ2tmD8cWGCaD4628O/1h
X-Received: by 2002:aa7:ca12:: with SMTP id y18mr24112788eds.41.1617727509965;
        Tue, 06 Apr 2021 09:45:09 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1617727509; cv=none;
        d=google.com; s=arc-20160816;
        b=LQwzBLEXrxopF8J4VtqLfXTvWrNEtDzm9lE20VrqWy/Cl6Rln3EoGbAIIwx40AKyBv
         TW/e7IDghoQzSwRHy4FpfPSYE8gurlKuzWg0n2V8RuN0tM1T7Z8nFIYTciBjqTPfH6LI
         wqr9vF9HlZDvVLXjAMO9pHqbksgx56LljobVXIWCOMUgg5rkzUqR3kKh+6pToaE09Qvz
         4U6xoLzdIo5GrezFcc03doDLAX8u69ZDRXzu1qIg3woQa+QuxaIo46JppJePMBOgAWbt
         jOIv4f5pJFxwCktmq3YL/gCfXuvnYmDRGXf5w5gSNn/LnR2PqXLT+UAGOR8xnCucO+Qw
         4Z1g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:content-language
         :in-reply-to:mime-version:user-agent:date:message-id:subject
         :organization:from:references:cc:to:dkim-signature;
        bh=FF1uXJ/ehFZn2D0SiRBmUa38k2IDpVhcvasGXt63J3A=;
        b=dlMFLX9Iddw62qY4TBoIkiGkBtJ6stQ0Upz1kKXitKWre7E9tpMcFmQF73pEFRpVCj
         Wej2bFUaM5b/HxdUN7cyE+WAXysW2yhrCUUIE6q+QoCdoXqOjifPg+ij6ZNjB+YNstzc
         hfT7nq5es1C+WAu0EDzPYLKuwmSXXOD+7IG5AAA01hd9QhrwRwVJXCMVanbvfEn0qnNI
         8Sok5csqMobpKim5D6XpylOg7lPco+rjzk3Kd8A8Rrb/rJlh12M4WS4Np595SbxRKuHf
         ZXL53DoF7u+4OLUZxKNCjMAfSoiEwuIYNqUyPRGGam2gFwIGLL8Qds+95WAZ6wK9kvzN
         dCXg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=YtmaRP3g;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id aj16si8289886ejc.96.2021.04.06.09.44.45;
        Tue, 06 Apr 2021 09:45:09 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=YtmaRP3g;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S234455AbhDFHo1 (ORCPT
        <rfc822;linuxmailingsubscription@gmail.com> + 99 others);
        Tue, 6 Apr 2021 03:44:27 -0400
Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]:24218 "EHLO
        us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S232942AbhDFHo0 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 6 Apr 2021 03:44:26 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
        s=mimecast20190719; t=1617695058;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:cc:mime-version:mime-version:content-type:content-type:
         content-transfer-encoding:content-transfer-encoding:
         in-reply-to:in-reply-to:references:references;
        bh=FF1uXJ/ehFZn2D0SiRBmUa38k2IDpVhcvasGXt63J3A=;
        b=YtmaRP3gkAc4e5P+fscZF15Ayy0LbUCXtcKnzKaM6SBSdthCvgZKkOqvXPe0I5g7x64ncq
        DchLTckc8MtCyNeLoestE1BF4Z71q7Kf0INf7oR2EhNytH8gGMbxjxW5iYbdudakBnVIyo
        vrReZLiSiXbhesFRf+Vywf+mWcMd3jo=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-330-hwQxCJHxMGKyMmXMnWp8dQ-1; Tue, 06 Apr 2021 03:44:14 -0400
X-MC-Unique: hwQxCJHxMGKyMmXMnWp8dQ-1
Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mimecast-mx01.redhat.com (Postfix) with ESMTPS id EBAB5612A2;
        Tue,  6 Apr 2021 07:44:12 +0000 (UTC)
Received: from [10.36.113.79] (ovpn-113-79.ams2.redhat.com [10.36.113.79])
        by smtp.corp.redhat.com (Postfix) with ESMTP id 6FED65D741;
        Tue,  6 Apr 2021 07:44:08 +0000 (UTC)
To:     "Kirill A. Shutemov" <kirill@shutemov.name>,
        Dave Hansen <dave.hansen@linux.intel.com>,
        Andy Lutomirski <luto@kernel.org>,
        Peter Zijlstra <peterz@infradead.org>,
        Sean Christopherson <seanjc@google.com>,
        Jim Mattson <jmattson@google.com>
Cc:     David Rientjes <rientjes@google.com>,
        "Edgecombe, Rick P" <rick.p.edgecombe@intel.com>,
        "Kleen, Andi" <andi.kleen@intel.com>,
        "Yamahata, Isaku" <isaku.yamahata@intel.com>, x86@kernel.org,
        kvm@vger.kernel.org, linux-mm@kvack.org,
        linux-kernel@vger.kernel.org,
        "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
References: <20210402152645.26680-1-kirill.shutemov@linux.intel.com>
 <20210402152645.26680-8-kirill.shutemov@linux.intel.com>
From:   David Hildenbrand <david@redhat.com>
Organization: Red Hat GmbH
Subject: Re: [RFCv1 7/7] KVM: unmap guest memory using poisoned pages
Message-ID: <c5f2580d-0733-4523-d1e8-c43b487f0aaf@redhat.com>
Date:   Tue, 6 Apr 2021 09:44:07 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
 Thunderbird/78.8.1
MIME-Version: 1.0
In-Reply-To: <20210402152645.26680-8-kirill.shutemov@linux.intel.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 02.04.21 17:26, Kirill A. Shutemov wrote:
> TDX architecture aims to provide resiliency against confidentiality and
> integrity attacks. Towards this goal, the TDX architecture helps enforce
> the enabling of memory integrity for all TD-private memory.
> 
> The CPU memory controller computes the integrity check value (MAC) for
> the data (cache line) during writes, and it stores the MAC with the
> memory as meta-data. A 28-bit MAC is stored in the ECC bits.
> 
> Checking of memory integrity is performed during memory reads. If
> integrity check fails, CPU poisones cache line.
> 
> On a subsequent consumption (read) of the poisoned data by software,
> there are two possible scenarios:
> 
>   - Core determines that the execution can continue and it treats
>     poison with exception semantics signaled as a #MCE
> 
>   - Core determines execution cannot continue,and it does an unbreakable
>     shutdown
> 
> For more details, see Chapter 14 of Intel TDX Module EAS[1]
> 
> As some of integrity check failures may lead to system shutdown host
> kernel must not allow any writes to TD-private memory. This requirment
> clashes with KVM design: KVM expects the guest memory to be mapped into
> host userspace (e.g. QEMU).

So what you are saying is that if QEMU would write to such memory, it 
could crash the kernel? What a broken design.

"As some of integrity check failures may lead to system shutdown host" 
-- usually we expect to recover from an MCE by killing the affected 
process, which would be the right thing to do here.

How can it happen that "Core determines execution cannot continue,and it 
does an unbreakable shutdown". Who is "Core"? CPU "core", MM "core" ? 
And why would it decide to do a shutdown instead of just killing the 
process?

-- 
Thanks,

David / dhildenb