Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp2623871pxb; Sun, 17 Oct 2021 20:49:19 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw0vlmcC2IN9dPHCXScIDh9gZTpZ/2Ca8chKt7+6Om6axfbl94x2H57+9JUN671FbALUFkp X-Received: by 2002:a17:90a:1a12:: with SMTP id 18mr46674534pjk.113.1634528959127; Sun, 17 Oct 2021 20:49:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1634528959; cv=none; d=google.com; s=arc-20160816; b=02jEEpuVFEdgYFVGXlVxcBkJZI/AGoB6laJQoySGHagp6iIB+EuvAFTCyTtFKHZuy2 322zgNVfB3rE/P3aB28BnOFmmHU3nzy5Hl2dMz12vRDGJ8bDYu030+0d+eHlRmZwZHRu LQWIf3/huUtxQEsYz+EuGqFWYBCBcvr7YGJ5sV/bIQk0/RNdXKqsILR8D256T4f7KOsI aEWBpya1IGE6sLoI7/Y1HqKp4cc8vLmtXVk4R8c+qUxDgZqMjaWYchSsV1Sq52oU5D2E KWDe6rL0ZIThbNcHu3quRhFaNiH2b6CtEut+H4cfb5ID9LmcHrci/zcxAX0HSJ9xj9EK oxLQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=2amCF2t2yxpSnm4H6NQfAANQp7T0Ry525nyuBhj1de4=; b=aolIMGCjoayaKYlmJCFOzKYXnIcuuZnxpYiGcKDA1GNL6/dgEs5mJObiiehXc54UQs CZUXhGgoBSDNmecRwUmIjgpCPV5HAx63YcgXEwSw98drZFgLYo/xPBfr4D0dT0jFN/ER wOQ8Q6Ds1IEHNd3v6LkrmDeFcXY3DOiJ+IRcHrJmmu0PB+668EevCXc2AgE6ZyB3NtBk 0SpcuKd9q+Z/2hOmrdpqQhxHdSnSVS5OttLLSRtmMDghUrrnBiOK2FA2vrKe9B/W2Fg/ zuTNGATr33rVWyAaHSZ1eXNTX+uJNZ3c0bEZuxtOp3XCPJ/4hvea8ndeDjNb1ar1rAnk g99A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=Zy+I2+dW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id s4si21363351pfk.108.2021.10.17.20.49.01; Sun, 17 Oct 2021 20:49:19 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=Zy+I2+dW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242825AbhJQWhQ (ORCPT + 98 others); Sun, 17 Oct 2021 18:37:16 -0400 Received: from us-smtp-delivery-124.mimecast.com ([216.205.24.124]:36579 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233585AbhJQWhO (ORCPT ); Sun, 17 Oct 2021 18:37:14 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1634510104; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=2amCF2t2yxpSnm4H6NQfAANQp7T0Ry525nyuBhj1de4=; b=Zy+I2+dWF2EqKlqxQLcPBxP1gb4kiWxmD1NRCBS5uvPghcZe9dWIkoXHpnJ5JmyMFXe/hw CZ5ZhDy8E3gLLuLjdh46xddeHKb7BjRuh1HFoGs0wgs1SwfBuHBG5f5iRmieA0MjP1vQ2k eAQEbGo82XTKKOWhRNfbq4WYcqvjzPA= Received: from mail-wm1-f72.google.com (mail-wm1-f72.google.com [209.85.128.72]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-417-EgQNRQ6LMGiKFyBMoynD_A-1; Sun, 17 Oct 2021 18:35:02 -0400 X-MC-Unique: EgQNRQ6LMGiKFyBMoynD_A-1 Received: by mail-wm1-f72.google.com with SMTP id p12-20020a05600c204c00b0030da46b76daso2633700wmg.9 for ; Sun, 17 Oct 2021 15:35:02 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:content-transfer-encoding :in-reply-to; bh=2amCF2t2yxpSnm4H6NQfAANQp7T0Ry525nyuBhj1de4=; b=CrOIOxbmlxUgJsy6Tkpso2YQgDe/2Nm3J32V0J18CKOqB9QUgWLoGy5VaUbzddc8ET cTGwJYnsTvsuFuv0RiSRMxgjar/aWaDx3JiQPS4zyY6mLtRN3GokaixX87mxAiR8n9C2 GHhbT0RqJUkPTb60eyZrMqwTolR5omuEg1whYASVJFKuvJOecklSFRMJ0JyAywX0SanQ JgxFC0W5BVeCByL9jMVq7j93TDeg4QZpbEBecDDREtzWkCNDsIm9iPCtyGJU+toplz7r jIV4+dQFaqEqH9F39oe4lQCFh2OHEThFxwQVf/K/MJRzcs5uzlwIAEuRdxnql/KWdlBx AWhw== X-Gm-Message-State: AOAM530/hxdmycMO4SZW/MU08twb37EQWWoVNaJOFoBu1UPR3ekELfd3 gvw2Mja1GguLaee7oIWYqgLsg+bCB14j1I0eStNiB3ReYx+PdLKwQ6m+S18D21hXEdCYdPitH5B 8bMd7/o4Cf24wfvNmP++7FzAS X-Received: by 2002:adf:bd91:: with SMTP id l17mr31240808wrh.261.1634510101134; Sun, 17 Oct 2021 15:35:01 -0700 (PDT) X-Received: by 2002:adf:bd91:: with SMTP id l17mr31240797wrh.261.1634510100960; Sun, 17 Oct 2021 15:35:00 -0700 (PDT) Received: from redhat.com ([2.55.147.75]) by smtp.gmail.com with ESMTPSA id n7sm5189381wrp.17.2021.10.17.15.34.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 17 Oct 2021 15:34:59 -0700 (PDT) Date: Sun, 17 Oct 2021 18:34:56 -0400 From: "Michael S. Tsirkin" To: Andi Kleen Cc: linux-kernel@vger.kernel.org, Kuppuswamy Sathyanarayanan Subject: Re: [PATCH v5 16/16] x86/tdx: Add cmdline option to force use of ioremap_host_shared Message-ID: <20211017182145-mutt-send-email-mst@kernel.org> References: <20211011075945-mutt-send-email-mst@kernel.org> <9d0ac556-6a06-0f2e-c4ff-0c3ce742a382@linux.intel.com> <20211011142330-mutt-send-email-mst@kernel.org> <4fe8d60a-2522-f111-995c-dcbefd0d5e31@linux.intel.com> <20211012165705-mutt-send-email-mst@kernel.org> <20211012171846-mutt-send-email-mst@kernel.org> <20211015024923-mutt-send-email-mst@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Oct 15, 2021 at 06:34:17AM -0700, Andi Kleen wrote: > cutting down the insane cc list. > > On 10/14/2021 11:57 PM, Michael S. Tsirkin wrote: > > On Thu, Oct 14, 2021 at 10:50:59PM -0700, Andi Kleen wrote: > > > > I thought you basically create an OperationRegion of SystemMemory type, > > > > and off you go. Maybe the OSPM in Linux is clever and protects > > > > some memory, I wouldn't know. > > > > > > I investigated this now, and it looks like acpi is using ioremap_cache(). We > > > can hook into that and force non sharing. It's probably safe to assume that > > > this is not used on real IO devices. > > > > > > I think there are still some other BIOS mappings that use just plain > > > ioremap() though. > > > > > > > > > -Andi > > Hmm don't you mean the reverse? If you make ioremap shared then OS is > > protected from malicious ACPI? > > > Nope > > > If you don't make it shared then > > malicious ACPI can poke at arbitrary OS memory. > > > When it's private it's protected and when it's shared it can be attacked > > > > > > For BIOS I suspect there's no way around it, it needs to be > > audited since it's executable. > > > The guest BIOS is attested and trusted. The original ACPI tables by the BIOS > are attested and trusted too. > > Just if we map the ACPI tables temporarily shared then an evil hypervisor > could modify them during that time window. > > -Andi I thought some more about it. Fundamentally, ACPI has these types of OperationRegions: SystemIO | SystemMemory | PCI_Config | EmbeddedControl | SMBus | SystemCMOS |  PciBarTarget | IPMI | GeneralPurposeIO | GenericSerialBus | PCC Now, SystemMemory can be used to talk to either BIOS (should be encrypted) or hypervisor (should not be encrypted). I think it's not a great idea to commit to either, or teach users to hack around it with command line flags. Instead there should be a new SystemMemoryUnencrypted API for interface with the hypervisor. Can you guys propose this at the ACPI spec? If not but at least we are in agreement I guess I can try to do it, have a bit of experience with the ACPI spec. And I assume PciBarTarget should be unencrypted so it can work. -- MST