Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp2119067pxb; Mon, 23 Aug 2021 12:24:05 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxP3wQmf5k6E3pCyPtWHmHc6CNa7jRR9C5XkDOgYI/xAmut/9op3hxStTPjAWI5z2CH8Sj5 X-Received: by 2002:aa7:c2da:: with SMTP id m26mr20032699edp.351.1629746645069; Mon, 23 Aug 2021 12:24:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1629746645; cv=none; d=google.com; s=arc-20160816; b=lK89zCW7FmaGE8f9wxt+WR2S7ohTKcbsmQHkT20NE5WvjZOoVl0WRkVtX2G+j/JHiX QQvvE2XKYmbIvV6HVU3AisyDQvOKKpNLHiLF8cHXMW87rfwVGt7Em4E3ueELt+S16PnJ C09zhFSIUhQV2zemVSUQ2ztMsWqraM2Ik/D3ZfbBZnDs6T9FeEUx+n2MI57hjkhzWBck wyx6rB2qaXsLHtsD62Wvsho2Uf2kW3TSYzCg2iNrstn5XWmikR656vy3ftsuNPaWAvNz wVWylNOgDq0hDjKddrG6/wKv9MONc37Gsm3bxKRnmqtoe5ZwcaJ/p3q6E1j5D9QGDw/v H7/w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=T6iKivFntL9jO7A0bCG8XT9/kFuKhYKYNxAQLHLMCA8=; b=eyK01p62gxbL1kz1nse0948zq8KT8aTrPBaw8rdJfaySJlf9m3n1VskbMz56TnyRvH xnsZsHxJSJ7chKjB0nbsTOtpyrzHmDKASC5fDoZFQioUSgeF0ndPTmQu/dO+Vdx4JxqV opZv2UTfOdHaZqZZ/fKASZfeFUX1nfPIqCj9HnMynspejXyp+5BYNL04HOIJJqXctseM MU0R9BfB+q20OiY2a2q8WbF0d2Wvzh9qFQYGshk1wBu27R3wRqXjQDmJ3fQQdyQQOItz Nh7wQxmqzrRWtGuIEzFdh+iOOklWu6a6BtR/akXWFsJEu6F/wVouPvIg1csZEz6iJDQZ xmrA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=BSRfZn3m; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id k23si8231826edj.270.2021.08.23.12.23.41; Mon, 23 Aug 2021 12:24:05 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=BSRfZn3m; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231612AbhHWTWz (ORCPT + 99 others); Mon, 23 Aug 2021 15:22:55 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41646 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229622AbhHWTWy (ORCPT ); Mon, 23 Aug 2021 15:22:54 -0400 Received: from mail-qv1-xf2a.google.com (mail-qv1-xf2a.google.com [IPv6:2607:f8b0:4864:20::f2a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B520BC061575 for ; Mon, 23 Aug 2021 12:22:11 -0700 (PDT) Received: by mail-qv1-xf2a.google.com with SMTP id c14so10325567qvs.9 for ; Mon, 23 Aug 2021 12:22:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=T6iKivFntL9jO7A0bCG8XT9/kFuKhYKYNxAQLHLMCA8=; b=BSRfZn3mjcrNmw8pFTD0zSn1xAXWxcKMU9J2TF+jD2LkWw9I7AhfhljTQwfgv51OLf mE/H3lpQQMB55BLYil6FkPi+0QlqRcAbP2GaIJFgcDsEvfHQE0nlkGDRpvRvr3qSYXp9 i0NnD/y0GbccrRSpP11Icq9wQ2gr/o0otdPKnjS8aYOI681yCT0GilYqs4683pADtHDn jM0Ir2gvmWRo7/awhQZYFYC69CaNV02Evw6mk74Tiik+azOAb1lI5u4Chuycy89p0RWO +rG2TqaSvk6TOtF9TPpgsCHa+YPl2YT29z3zUFDSNayYtOk3VdaquRQcmR37SY8L1Agp 6q9A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=T6iKivFntL9jO7A0bCG8XT9/kFuKhYKYNxAQLHLMCA8=; b=JiefDSDKvE4uVMsh0uRLRPZw5KP1Y+Kio2t4U+fVVmR3s72Rqam+LXl3dH9U1cSvFN 9MClmwNWdm2cBFh0WbJE62/z2C0tc2AoVHDgOc6OTN+jg0Gq07iWPvWB8MzhznAZ9Hgx 5P78yETGXalbVBNji86rxlerYzTcisOPtMFbFYvoi/ndZoT0z155cowQHmvd6pz965E9 tpCDvgu4OncFxcy2Ma9L5ADiUCg9Ckx1z9Kyqyan8gzSKRM0tlxIRKSnkEFvWaZ3sLo9 PaMzfwEU9xc7TZy8CtQ9hCvNunCSyCfug0os5B5KB9usMmSVxmGCGZswZ+XVt2n8iBa4 0Ugw== X-Gm-Message-State: AOAM533SXr99jx/Hy33S+YQjr5iVTiSm2m5PBeLIC9IdSdFlfCT0J86Q 5mKZaaiPtCAFlRC1oXgmdff/yFZQL+Lfb1yIvab1Bg== X-Received: by 2002:a05:6214:240b:: with SMTP id fv11mr33382976qvb.28.1629746530676; Mon, 23 Aug 2021 12:22:10 -0700 (PDT) MIME-Version: 1.0 References: <20210809190157.279332-1-dovmurik@linux.ibm.com> <20210809190157.279332-4-dovmurik@linux.ibm.com> In-Reply-To: From: Andrew Scull Date: Mon, 23 Aug 2021 20:21:59 +0100 Message-ID: Subject: Re: [PATCH 3/3] virt: Add sev_secret module to expose confidential computing secrets To: Dov Murik Cc: Ard Biesheuvel , linux-efi , Borislav Petkov , Ashish Kalra , Brijesh Singh , Tom Lendacky , James Morris , "Serge E. Hallyn" , Andi Kleen , "Dr. David Alan Gilbert" , James Bottomley , Tobin Feldman-Fitzthum , Jim Cadden , linux-coco@lists.linux.dev, linux-security-module@vger.kernel.org, Linux Kernel Mailing List Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, 20 Aug 2021 at 19:36, Dov Murik wrote: > > > > On 19/08/2021 16:02, Andrew Scull wrote: > > On Mon, 16 Aug 2021 at 10:57, Ard Biesheuvel wrote: > >> > >> On Fri, 13 Aug 2021 at 15:05, Andrew Scull wrote: > >>> > >>> On Mon, Aug 09, 2021 at 07:01:57PM +0000, Dov Murik wrote: > > [...] > > >>> > >>>> +static int sev_secret_unlink(struct inode *dir, struct dentry *dentry) > >>>> +{ > >>>> + struct sev_secret *s = sev_secret_get(); > >>>> + struct inode *inode = d_inode(dentry); > >>>> + struct secret_entry *e = (struct secret_entry *)inode->i_private; > >>>> + int i; > >>>> + > >>>> + if (e) { > >>>> + /* Zero out the secret data */ > >>>> + memzero_explicit(e->data, secret_entry_data_len(e)); > >>> > >>> Would there be a benefit in flushing these zeros? > >>> > >> > >> Do you mean cache clean+invalidate? Better to be precise here. > > > > At least a clean, to have the zeros written back to memory from the > > cache, in order to overwrite the secret. > > > > I agree, but not sure how to implement this: > > I see there's an arch_wb_cache_pmem exported function which internally > (in arch/x86/lib/usercopy_64.c) calls clean_cache_range which seems to > do what we want (assume the secret can be longer than the cache line). > > But arch_wb_cache_pmem is declared in include/linux/libnvdimm.h and > guarded with #ifdef CONFIG_ARCH_HAS_PMEM_API -- both seem not related to > what I'm trying to do. > > I see there's an exported clflush_cache_range for x86 -- but that's a > clean+flush if I understand correctly. This would be perfectly correct, the invalidation is just unnecessary. > Suggestions on how to approach? I can copy the clean_cache_range > implementation into the sev_secret module but hopefully there's a better > way to reuse. Maybe export clean_cache_range in x86? Exporting sounds much better than duplicating. It looks like the clean-only instruction was added to x86 more recently and with persistent memory as the intended application. d9dc64f30 "x86/asm: Add support for the CLWB instruction" says: "This should be used in favor of clflushopt or clflush in cases where you require the cache line to be written to memory but plan to access the data cache line to be written to memory but plan to access the data" I don't expect the secret table would be accessed with such frequency that it would actually make a difference, but if it's just a quirk of history that the clean-only version isn't exported, now seems as good a time as any to change that! > Since this is for SEV the solution can be x86-specific, but if there's a > generic way I guess it's better (I think all of sev_secret module > doesn't have x86-specific stuff). arch_wb_cache_pmem is the closest to arch agnostic I've seen, but that has it own problems :/