Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp3517984pxb; Fri, 5 Nov 2021 17:30:11 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzjWyApmrXTQOvP7DjhgKbNe72Zri6NpKZOdVE8m8yDPlVBa34OTIWkrEwOSkbjrXRoR8iw X-Received: by 2002:aa7:d8d5:: with SMTP id k21mr49619503eds.209.1636158611329; Fri, 05 Nov 2021 17:30:11 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1636158611; cv=none; d=google.com; s=arc-20160816; b=MwG2TU8Fe1I+yYk7c4Want0k1Mm52ymwHxlRTiTNLtv3TBmD4VU1ETdNh1vG9KYSB4 xfgQMPPKm2GEGDGq7XrNRPUz2ilqttRLE+SUiRiHNZONErKm3ca8gsUhk5AGzxtrYB6Z p+ktGZhAcip9IS6cpaHCz4fij7fx/pA28yn1dyUmMlPpSXhkWpgcmppQlXe4ple4uIi+ gtU3KnYYeXIRia0IOi+kOyQMSdzUxFmU3vJiloiKqwjJFP7FaPTQ+6R/2XM8QS/HxYZC sZ5VzEG5/GOx8Pq8A5b3UrrD5LpG4ZS9i3tHSAdqEnAvHf21D8TTgZtznGKuMmyjLHqg 6dWg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=RKFhKV3LHdn4kWJrl1IZufQaNytFJcypgLXt2t47CaE=; b=RtX6xDa9zEBSAA4E8rPX6dLksgB6dC7eaaipC14dtsPrKCB9v6LpHm1oAmDt03x2ow oMVyAo+0e6u3rUuHVGqcvzLIoyBpDagLTXbp2n/TJvGIUG4Fd154VHeEwzCXLAUoqMWt gS7SIfjkYCIaXkt7EfZIxPFeSPe8QnoNUtCFYeeIJ9lPkluU1XXwtxXqUUFYqJg76KBV Lfk7iTVX/6uv3MxIIiWjgztcr5EYB6M4YB2Bat0AOo/9OcXmjCp5p3E8dy6XBCXF0q7K 7UcErM4cnKDnRsQ64nH08IDp6dJjxVutAnQs+MiyK6HyApWWOvkuuv/zwICvjnXB1TXh JYhQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=AFqc0U7z; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id z22si20667104edd.417.2021.11.05.17.29.48; Fri, 05 Nov 2021 17:30:11 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=AFqc0U7z; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233968AbhKEWoC (ORCPT + 99 others); Fri, 5 Nov 2021 18:44:02 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53594 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233958AbhKEWoB (ORCPT ); Fri, 5 Nov 2021 18:44:01 -0400 Received: from mail-pf1-x435.google.com (mail-pf1-x435.google.com [IPv6:2607:f8b0:4864:20::435]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 90F12C061570 for ; Fri, 5 Nov 2021 15:41:21 -0700 (PDT) Received: by mail-pf1-x435.google.com with SMTP id 127so10129399pfu.1 for ; Fri, 05 Nov 2021 15:41:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=RKFhKV3LHdn4kWJrl1IZufQaNytFJcypgLXt2t47CaE=; b=AFqc0U7z1fdj5Fc1F6jpUP7OMzpwvRabNaAKrNSmNaIOXCwF5Px19CeoDSsVsekX+H qGNq1bLpE7HU4u0jK8O0jpWcSMdustiZI69p1x8FR2Y4W7by/UQE/+kqCrTuRzbEkNV/ nfq1gWgFw7NBJNUrjIOJ1ZeUrVP8peLWPL2GH8mNbHo3RvYbohLmsBh8BB+w8SXQ3G05 iOcwBui9ZdOxmGb6T/nMW9HbmOX93tU86QN9V6l/Un4i0dxoffgRTAYSAn0AaIxe4M5N QiRrI5dyR3cJ5MSjsRZKqpVA27r8L7inC3TUP6wEwbaq3wN6Vq32+rRR7FdEL4vLWbju 76bA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=RKFhKV3LHdn4kWJrl1IZufQaNytFJcypgLXt2t47CaE=; b=MqaYnmZUDUbfIw5AaAt/A5Ynfulmk4rRyrA4NYUmG7pKc55wnEMkbUTLrxoIMVoIo+ 0IMlY7ZoGRDd0AIfNwlTrz0RDP27oVVO5mdoXcW1cpa5WzNF2w4oisHqZQX3l3LTUarH T37CgsmyGL3yFF8yA0ckD9c9aS+S/hZd8m6t1dy2GVD6d5GkHXWvsxiybxj1yy6XOV5d eWGXY3syOfHzT7CZceGtu09v1zH6kb8g+HIH//XmgTzzDS/iuHDWbqSJ+PgQFLbF4iQ7 SKLkc1ErDLA0g/YSlk2qbOgMg2SQlGAfBVEGdMUh7CU/MM7kfhT9+LtR2U9wQ/BwxBYY CXfA== X-Gm-Message-State: AOAM533nqCrS+EKmla8+/G3NnSVh8603Gwu4XaRd/bfiYExMbmWBZF07 RMfz22YFLUmziEHSKgjlP2QssQ== X-Received: by 2002:a05:6a00:16cb:b0:44b:bd38:e068 with SMTP id l11-20020a056a0016cb00b0044bbd38e068mr62757719pfc.34.1636152080786; Fri, 05 Nov 2021 15:41:20 -0700 (PDT) Received: from google.com (157.214.185.35.bc.googleusercontent.com. [35.185.214.157]) by smtp.gmail.com with ESMTPSA id u38sm3165193pfg.0.2021.11.05.15.41.20 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 05 Nov 2021 15:41:20 -0700 (PDT) Date: Fri, 5 Nov 2021 22:41:16 +0000 From: Sean Christopherson To: Kuppuswamy Sathyanarayanan Cc: Thomas Gleixner , Ingo Molnar , Borislav Petkov , x86@kernel.org, Paolo Bonzini , David Hildenbrand , Andrea Arcangeli , Josh Poimboeuf , "H . Peter Anvin" , Dave Hansen , Tony Luck , Dan Williams , Andi Kleen , Kirill Shutemov , Kuppuswamy Sathyanarayanan , linux-kernel@vger.kernel.org Subject: Re: [PATCH v7 09/10] x86/tdx: Handle in-kernel MMIO Message-ID: References: <20211005204136.1812078-1-sathyanarayanan.kuppuswamy@linux.intel.com> <20211005204136.1812078-10-sathyanarayanan.kuppuswamy@linux.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20211005204136.1812078-10-sathyanarayanan.kuppuswamy@linux.intel.com> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Oct 05, 2021, Kuppuswamy Sathyanarayanan wrote: > @@ -207,6 +210,103 @@ static void tdx_handle_io(struct pt_regs *regs, u32 exit_qual) > } > } > > +static unsigned long tdx_mmio(int size, bool write, unsigned long addr, > + unsigned long *val) > +{ > + struct tdx_hypercall_output out = {0}; > + u64 err; > + > + err = _tdx_hypercall(EXIT_REASON_EPT_VIOLATION, size, write, > + addr, *val, &out); > + *val = out.r11; Val should not be written on error, and writing it for "write" is also weird. > + return err; > +} > + > +static int tdx_handle_mmio(struct pt_regs *regs, struct ve_info *ve) > +{ > + char buffer[MAX_INSN_SIZE]; > + unsigned long *reg, val; > + struct insn insn = {}; > + enum mmio_type mmio; > + int size, ret; > + u8 sign_byte; > + > + if (user_mode(regs)) { > + ret = insn_fetch_from_user(regs, buffer); > + if (!ret) > + return -EFAULT; > + if (!insn_decode_from_regs(&insn, regs, buffer, ret)) > + return -EFAULT; > + } else { > + ret = copy_from_kernel_nofault(buffer, (void *)regs->ip, > + MAX_INSN_SIZE); > + if (ret) > + return -EFAULT; > + insn_init(&insn, buffer, MAX_INSN_SIZE, 1); > + insn_get_length(&insn); > + } > + > + mmio = insn_decode_mmio(&insn, &size); > + if (mmio == MMIO_DECODE_FAILED) > + return -EFAULT; > + > + if (mmio != MMIO_WRITE_IMM && mmio != MMIO_MOVS) { > + reg = insn_get_modrm_reg_ptr(&insn, regs); > + if (!reg) > + return -EFAULT; > + } > + > + switch (mmio) { > + case MMIO_WRITE: > + memcpy(&val, reg, size); > + ret = tdx_mmio(size, true, ve->gpa, &val); > + break; > + case MMIO_WRITE_IMM: > + val = insn.immediate.value; > + ret = tdx_mmio(size, true, ve->gpa, &val); > + break; > + case MMIO_READ: > + ret = tdx_mmio(size, false, ve->gpa, &val); val is never set, i.e. this is leaking stack data to the untrusted VMM. > + if (ret) > + break; > + /* Zero-extend for 32-bit operation */ > + if (size == 4) > + *reg = 0; > + memcpy(reg, &val, size); > + break; > + case MMIO_READ_ZERO_EXTEND: > + ret = tdx_mmio(size, false, ve->gpa, &val); And here. > + if (ret) > + break; > + > + /* Zero extend based on operand size */ > + memset(reg, 0, insn.opnd_bytes); > + memcpy(reg, &val, size); > + break; > + case MMIO_READ_SIGN_EXTEND: > + ret = tdx_mmio(size, false, ve->gpa, &val); And here. > + if (ret) > + break; > + > + if (size == 1) > + sign_byte = (val & 0x80) ? 0xff : 0x00; > + else > + sign_byte = (val & 0x8000) ? 0xff : 0x00; > + > + /* Sign extend based on operand size */ > + memset(reg, sign_byte, insn.opnd_bytes); > + memcpy(reg, &val, size); > + break; > + case MMIO_MOVS: > + case MMIO_DECODE_FAILED: > + return -EFAULT; > + } > + > + if (ret) > + return -EFAULT; > + return insn.length; > +} > + > unsigned long tdx_get_ve_info(struct ve_info *ve) > { > struct tdx_module_output out = {0}; > @@ -256,6 +356,14 @@ int tdx_handle_virtualization_exception(struct pt_regs *regs, > case EXIT_REASON_IO_INSTRUCTION: > tdx_handle_io(regs, ve->exit_qual); > break; > + case EXIT_REASON_EPT_VIOLATION: > + /* Currently only MMIO triggers EPT violation */ > + ve->instr_len = tdx_handle_mmio(regs, ve); > + if (ve->instr_len < 0) { > + pr_warn_once("MMIO failed\n"); That's not remotely helpful. Why not? if (WARN_ON_ONCE(ve->instr_len < 0)) return -EFAULT; > + return -EFAULT; > + } > + break; > default: > pr_warn("Unexpected #VE: %lld\n", ve->exit_reason); > return -EFAULT; > -- > 2.25.1 >