Subject: Re: [PATCH V2] KVM: SEV: Acquire vcpu mutex when updating VMSA
To: Marc Orr, Peter Gonda
Cc: kvm list, Sean Christopherson, Brijesh Singh, stable@vger.kernel.org, LKML
References: <20210915171755.3773766-1-pgonda@google.com>
From: Paolo Bonzini
Date: Tue, 21 Sep 2021 19:54:19 +0200

On 16/09/21 00:40, Marc Orr wrote:
> On Wed, Sep 15, 2021 at 10:18 AM Peter Gonda wrote:
>>
>> Adds vcpu mutex guard to the VMSA updating code. Refactors out
>> __sev_launch_update_vmsa() function to deal with per vCPU parts
>> of sev_launch_update_vmsa().
>
> Can you expand the changelog, and perhaps add a comment into the
> source code as well, to explain what grabbing the mutex protects us
> from? I assume that it's a poorly behaved user-space, rather than a
> race condition in a well-behaved user-space VMM, but I'm not certain.
>
> Other than that, the patch itself seems fine to me.

I added this:

    The update-VMSA ioctl touches data stored in struct kvm_vcpu, and
    therefore should not be performed concurrently with any VCPU ioctl
    that might cause KVM or the processor to use the same data.

Paolo

>>
>> Fixes: ad73109ae7ec ("KVM: SVM: Provide support to launch and run an SEV-ES guest")
>>
>> Signed-off-by: Peter Gonda
>> Cc: Marc Orr
>> Cc: Paolo Bonzini
>> Cc: Sean Christopherson
>> Cc: Brijesh Singh
>> Cc: kvm@vger.kernel.org
>> Cc: stable@vger.kernel.org
>> Cc: linux-kernel@vger.kernel.org
>> ---
>>
>> V2
>> * Refactor per vcpu work to separate function.
>> * Remove check to skip already initialized VMSAs.
>> * Removed vmsa struct zeroing.
>>
>> ---
>> arch/x86/kvm/svm/sev.c | 53 ++++++++++++++++++++++++------------------
>> 1 file changed, 30 insertions(+), 23 deletions(-)
>>
>> diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c >> index 75e0b21ad07c..766510fe3abb 100644 >> --- a/arch/x86/kvm/svm/sev.c >> +++ b/arch/x86/kvm/svm/sev.c 
>> @@ -595,43 +595,50 @@ static int sev_es_sync_vmsa(struct vcpu_svm *svm) >> return 0; >> } >> >> -static int sev_launch_update_vmsa(struct kvm *kvm, struct kvm_sev_cmd *argp) >> +static int __sev_launch_update_vmsa(struct kvm *kvm, struct kvm_vcpu *vcpu, >> + int *error) >> { >> - struct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info; >> struct sev_data_launch_update_vmsa vmsa; >> + struct vcpu_svm *svm = to_svm(vcpu); >> + int ret; >> + >> + /* Perform some pre-encryption checks against the VMSA */ >> + ret = sev_es_sync_vmsa(svm); >> + if (ret) >> + return ret; >> + >> + /* >> + * The LAUNCH_UPDATE_VMSA command will perform in-place encryption of >> + * the VMSA memory content (i.e it will write the same memory region >> + * with the guest's key), so invalidate it first. >> + */ >> + clflush_cache_range(svm->vmsa, PAGE_SIZE); >> + >> + vmsa.reserved = 0; >> + vmsa.handle = to_kvm_svm(kvm)->sev_info.handle; >> + vmsa.address = __sme_pa(svm->vmsa); >> + vmsa.len = PAGE_SIZE; >> + return sev_issue_cmd(kvm, SEV_CMD_LAUNCH_UPDATE_VMSA, &vmsa, error); >> +} >> + >> +static int sev_launch_update_vmsa(struct kvm *kvm, struct kvm_sev_cmd *argp) >> +{ >> struct kvm_vcpu *vcpu; >> int i, ret; >> >> if (!sev_es_guest(kvm)) >> return -ENOTTY; >> >> - vmsa.reserved = 0; >> - >> - kvm_for_each_vcpu(i, vcpu, kvm) { >> - struct vcpu_svm *svm = to_svm(vcpu); >> - >> - /* Perform some pre-encryption checks against the VMSA */ >> - ret = sev_es_sync_vmsa(svm); >> + kvm_for_each_vcpu(i, vcpu, kvm) { >> + ret = mutex_lock_killable(&vcpu->mutex); >> if (ret) >> return ret; >> >> - /* >> - * The LAUNCH_UPDATE_VMSA command will perform in-place >> - * encryption of the VMSA memory content (i.e it will write >> - * the same memory region with the guest's key), so invalidate >> - * it first. 
>> - */ >> - clflush_cache_range(svm->vmsa, PAGE_SIZE); >> + ret = __sev_launch_update_vmsa(kvm, vcpu, &argp->error); >> >> - vmsa.handle = sev->handle; >> - vmsa.address = __sme_pa(svm->vmsa); >> - vmsa.len = PAGE_SIZE; >> - ret = sev_issue_cmd(kvm, SEV_CMD_LAUNCH_UPDATE_VMSA, &vmsa, >> - &argp->error); >> + mutex_unlock(&vcpu->mutex); >> if (ret) >> return ret; >> - >> - svm->vcpu.arch.guest_state_protected = true; >> } >> >> return 0; >> -- >> 2.33.0.464.g1972c5931b-goog >> >
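
Review bot: the removed `svm->vcpu.arch.guest_state_protected = true;` at the end of the old loop body has no replacement anywhere in this hunk. `__sev_launch_update_vmsa()` returns the result of `sev_issue_cmd()` directly, and the caller only unlocks and checks `ret`. Unless the flag is set somewhere outside the lines shown, a successful LAUNCH_UPDATE_VMSA no longer marks the vCPU's state as protected, and the V2 notes do not list that as an intended change. Suggest checking `ret` in the helper and setting `vcpu->arch.guest_state_protected = true;` before returning 0, so the assignment happens while `vcpu->mutex` is still held. A short comment at the `mutex_lock_killable(&vcpu->mutex)` call stating which concurrent vCPU ioctls the lock excludes would also put the answer to the question raised in this thread into the source.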