Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 37C97C433EF for ; Sat, 4 Dec 2021 05:14:35 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229854AbhLDFR5 (ORCPT ); Sat, 4 Dec 2021 00:17:57 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53942 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229568AbhLDFR4 (ORCPT ); Sat, 4 Dec 2021 00:17:56 -0500 Received: from mail-ot1-x330.google.com (mail-ot1-x330.google.com [IPv6:2607:f8b0:4864:20::330]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9E0ACC061354 for ; Fri, 3 Dec 2021 21:14:31 -0800 (PST) Received: by mail-ot1-x330.google.com with SMTP id v15-20020a9d604f000000b0056cdb373b82so6153114otj.7 for ; Fri, 03 Dec 2021 21:14:31 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Y/BPPy9m8im+hhuoZQePxpZc51/ab2hLFWDQfb5X/9I=; b=H/yNUwm9CmyzcLUNDWhTAbx9TbIVhmUtwt6S8HUeOWOQUkumfeJyGUUBwJZCkQCGEU Wd5v6YpjOsoRq+h9GBVAuMtKOkHWzYBXzGI/hojTku8VZe0d9CuWMfyV72VPe4Py4DQU RAyZwjgaTFtPBYZMNLJmYJAPkRZAVt5IqbAuuKXaEP5X0r/tyY7PPBA4+IMB/0ZsmJkg BdhsVki9tZHwgatH9YKV+VFltcFLkLMbljykbb2zQ3yusTle/TLdcx9Qi6Wm66Ahm+V/ Oyn6yc2xM28C8AgaLPkN+cqwLDtuQtDm2F0hPD0elLYgtMFTyRTS7Y2QzS8SexxWs25E ENtw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Y/BPPy9m8im+hhuoZQePxpZc51/ab2hLFWDQfb5X/9I=; b=E3Pf0Q6oAsMaXx/BWusl3H7kEnKRtJ7DcXCRifdiyuqJE7ahEiarqDMaT8gCZaM8cB Gv87DvCck9xUIeMP8QCwigVByhPJsq+oLHqEQR4AKXR3v8qU5eCgEBFGX1AUVRNnx7K0 FshxuBdVkgJCKeUj3AAzxdoG0FEaERAjTnUOPtPUInTnPsabDyHBQH8llVvlDEgTpig2 a+SkW5TC8uVKcn25HeueBA1Uul4xkckTJHHWHZ4bErPxB4Xe3oKL+hHpDgwp1wQImkNF kC1vp32sSQIwR1iHayTnCfjiVThk4A1BpUnJaGci/JHFdbIrkmxUpg1jLScsPSiWkq9i AGWw== X-Gm-Message-State: AOAM5329AYbjHPm4mJHFgm6TOjM9Ql/TP6egrx0uOl0e0MF3ZR0l/Soi WFO45a7x1crx5h+OaSVCjOfoTOWWox4OyxlEZhP4lw== X-Google-Smtp-Source: ABdhPJxghcCQpyrr8AC+WikPzYCuxK5sEzUgYuWtzGi5NXwaoYNBCMWGWG914X6+tpfyQSCRghgwxpXCcIclt3k0vsw= X-Received: by 2002:a9d:6389:: with SMTP id w9mr19659797otk.29.1638594870449; Fri, 03 Dec 2021 21:14:30 -0800 (PST) MIME-Version: 1.0 References: <9ac5cf9c-0afb-86d1-1ef2-b3a7138010f2@amd.com> In-Reply-To: <9ac5cf9c-0afb-86d1-1ef2-b3a7138010f2@amd.com> From: Marc Orr Date: Fri, 3 Dec 2021 21:14:19 -0800 Message-ID: Subject: Re: [PATCH] KVM: SVM: Do not terminate SEV-ES guests on GHCB validation failure To: Tom Lendacky Cc: Sean Christopherson , kvm@vger.kernel.org, linux-kernel@vger.kernel.org, x86@kernel.org, Paolo Bonzini , Jim Mattson , Joerg Roedel , Vitaly Kuznetsov , Wanpeng Li , Borislav Petkov , Dave Hansen , Ingo Molnar , Thomas Gleixner , "H. Peter Anvin" , Brijesh Singh Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Dec 3, 2021 at 11:00 AM Tom Lendacky wrote: > > On 12/3/21 10:39 AM, Sean Christopherson wrote: > > On Thu, Dec 02, 2021, Tom Lendacky wrote: > > >> > >> - return -EINVAL; > >> + return false; > > > > I'd really prefer that this helper continue to return 0/-EINVAL, there's no hint > > in the function name that this return true/false. And given the usage, there's > > no advantage to returning true/false. On the contrary, if there's a future > > condition where this needs to exit to userspace, we'll end up switching this all > > back to int. > > I don't have any objection to that. I think Sean's review makes a pretty compelling case that we should keep the int return value for `setup_vmgexit_scratch()`. In particular, failing to allocate a host kernel buffer definitely seems like a host error that should return to userspace. Though, failing to read the guest GPA seems less clear cut on who is at fault (host vs. guest), as Tom mentioned. My understanding from the commit description is that the entire point of the patch is to protect the guest from mis-behaving guest userspace code. So I would think that if we have a case like mapping the guest GPA that could fail due to the guest or the host, we should probably go ahead and use the new GHCB error codes to return back to the guest in this case. But either way, having an int return code seems like the way to go for `setup_vmgexit_scratch()`. Because if we are wrong in either direction, it's a trivial fix. It's not as obvious to me that converting `sev_es_validate_vmgexit()` to return a bool is not cleaner than returning an int. This function seems to pretty much just process the GHCB buffer as a self-contained set of bits. So it's hard to imagine how this could fail in a way where exiting to userspace is the right thing to do. That being said, I do not have a strong objection to returning an int. Sean is right that an int is definitely more future proof. And I'm sure Sean (and Tom) have much better insight into how validating the bits written into the GHCB could potentially require code that could justify exiting out to userspace.