Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 23A73C433F5 for ; Thu, 13 Jan 2022 15:57:05 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236414AbiAMP5D (ORCPT ); Thu, 13 Jan 2022 10:57:03 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]:35774 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236394AbiAMP47 (ORCPT ); Thu, 13 Jan 2022 10:56:59 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1642089418; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=iVjjhSTO5jv7G5CNfPQaqxy98s1YUf5RmxMVGvagrRU=; b=Xa2IvCLSn1NJkghg+fHEUAg3CaorunNZLNb70+nOfuukIZ0/qwV5xeHgBDgnoi+1BgZ1lS 5P/Zz/Vh3MsmkAnkYM4JoHlGODVsmy9MtOjTCBXhN2K98eytlr5IelRtgIOgjOmeP0cxOE yJz+OCg2tmDW+hncUv5+KaS5OxnPWX4= Received: from mail-ed1-f70.google.com (mail-ed1-f70.google.com [209.85.208.70]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-460-71wX__fQPh6qs77Rqs_UFg-1; Thu, 13 Jan 2022 10:56:56 -0500 X-MC-Unique: 71wX__fQPh6qs77Rqs_UFg-1 Received: by mail-ed1-f70.google.com with SMTP id h1-20020aa7cdc1000000b0040042dd2fe4so4473388edw.17 for ; Thu, 13 Jan 2022 07:56:56 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:to:cc:references:from:organization:in-reply-to :content-transfer-encoding; bh=iVjjhSTO5jv7G5CNfPQaqxy98s1YUf5RmxMVGvagrRU=; b=VZZznXkWr+tniyRfweVIqiZdmHZLI4NoXcLqlTcd+VLBfF5x0rcR7R/GREfv0DfX7N BBoD0OhgF32rly7wg7jMAL8UmHV9uujoy/AaDq/FmclVti0/YqOwm9YLMuGlcB/1ltKz w+YKetqqCGXacTcLinjpnUGZwz1aT3Q5ZhrOBzA5uzR8X94kBM6odj67Ud2+hxOIdHnp 1ESLQpjVTSNMeF0lDNXI57bS8bllHM3/4LkOjsowSPSFjE4b+3ndyPtqXVpafXov4kjB TPEDQVX8LQbsb8YWvbXZc0mYfv+XgAhlu0F7eE7DsyagrBa3Do8ENQxdOrsIguASg8gA Qwkg== X-Gm-Message-State: AOAM5304Xpkm9ygtb/3T8Cw9XeeMOmzszLww/i7WIYpB8huB8kdwSUCU RCCkj9Zb/Fd9qS5hcUwppBherTD2Mf78DZrArWUu+XRXLdMa5b/XfSeYDi1OKAcPPkGt9bz3jeN h37oiiIKmbhfQGsOnf/LL+z7+ X-Received: by 2002:a17:907:3ea2:: with SMTP id hs34mr3985616ejc.191.1642089415174; Thu, 13 Jan 2022 07:56:55 -0800 (PST) X-Google-Smtp-Source: ABdhPJxdEZGBZ+SY0OUOH5+ulUWsavApWdL/E+Vnbzgt7kPf6DLvU3IuDpfFk7n3gAZ11fQX3pswoQ== X-Received: by 2002:a17:907:3ea2:: with SMTP id hs34mr3985577ejc.191.1642089414855; Thu, 13 Jan 2022 07:56:54 -0800 (PST) Received: from ?IPV6:2003:cb:c703:e200:8511:ed0f:ac2c:42f7? (p200300cbc703e2008511ed0fac2c42f7.dip0.t-ipconnect.de. [2003:cb:c703:e200:8511:ed0f:ac2c:42f7]) by smtp.gmail.com with ESMTPSA id f29sm986699ejj.209.2022.01.13.07.56.53 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 13 Jan 2022 07:56:54 -0800 (PST) Message-ID: <0893e873-20c4-7e07-e7e4-3971dbb79118@redhat.com> Date: Thu, 13 Jan 2022 16:56:53 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.4.0 Subject: Re: [PATCH v3 kvm/queue 01/16] mm/shmem: Introduce F_SEAL_INACCESSIBLE Content-Language: en-US To: Chao Peng Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, qemu-devel@nongnu.org, Paolo Bonzini , Jonathan Corbet , Sean Christopherson , Vitaly Kuznetsov , Wanpeng Li , Jim Mattson , Joerg Roedel , Thomas Gleixner , Ingo Molnar , Borislav Petkov , x86@kernel.org, "H . Peter Anvin" , Hugh Dickins , Jeff Layton , "J . Bruce Fields" , Andrew Morton , Yu Zhang , "Kirill A . Shutemov" , luto@kernel.org, john.ji@intel.com, susie.li@intel.com, jun.nakajima@intel.com, dave.hansen@intel.com, ak@linux.intel.com References: <20211223123011.41044-1-chao.p.peng@linux.intel.com> <20211223123011.41044-2-chao.p.peng@linux.intel.com> <7eb40902-45dd-9193-37f1-efaca381529b@redhat.com> <20220106130638.GB43371@chaop.bj.intel.com> From: David Hildenbrand Organization: Red Hat In-Reply-To: <20220106130638.GB43371@chaop.bj.intel.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 06.01.22 14:06, Chao Peng wrote: > On Tue, Jan 04, 2022 at 03:22:07PM +0100, David Hildenbrand wrote: >> On 23.12.21 13:29, Chao Peng wrote: >>> From: "Kirill A. Shutemov" >>> >>> Introduce a new seal F_SEAL_INACCESSIBLE indicating the content of >>> the file is inaccessible from userspace in any possible ways like >>> read(),write() or mmap() etc. >>> >>> It provides semantics required for KVM guest private memory support >>> that a file descriptor with this seal set is going to be used as the >>> source of guest memory in confidential computing environments such >>> as Intel TDX/AMD SEV but may not be accessible from host userspace. >>> >>> At this time only shmem implements this seal. >>> >>> Signed-off-by: Kirill A. Shutemov >>> Signed-off-by: Chao Peng >>> --- >>> include/uapi/linux/fcntl.h | 1 + >>> mm/shmem.c | 37 +++++++++++++++++++++++++++++++++++-- >>> 2 files changed, 36 insertions(+), 2 deletions(-) >>> >>> diff --git a/include/uapi/linux/fcntl.h b/include/uapi/linux/fcntl.h >>> index 2f86b2ad6d7e..e2bad051936f 100644 >>> --- a/include/uapi/linux/fcntl.h >>> +++ b/include/uapi/linux/fcntl.h >>> @@ -43,6 +43,7 @@ >>> #define F_SEAL_GROW 0x0004 /* prevent file from growing */ >>> #define F_SEAL_WRITE 0x0008 /* prevent writes */ >>> #define F_SEAL_FUTURE_WRITE 0x0010 /* prevent future writes while mapped */ >>> +#define F_SEAL_INACCESSIBLE 0x0020 /* prevent file from accessing */ >> >> I think this needs more clarification: the file content can still be >> accessed using in-kernel mechanisms such as MEMFD_OPS for KVM. It >> effectively disallows traditional access to a file (read/write/mmap) >> that will result in ordinary MMU access to file content. >> >> Not sure how to best clarify that: maybe, prevent ordinary MMU access >> (e.g., read/write/mmap) to file content? > > Or: prevent userspace access (e.g., read/write/mmap) to file content? The issue with that phrasing is that userspace will be able to access that content, just via a different mechanism eventually ... e.g., via the KVM MMU indirectly. If that makes it clearer what I mean :) >> >>> /* (1U << 31) is reserved for signed error codes */ >>> >>> /* >>> diff --git a/mm/shmem.c b/mm/shmem.c >>> index 18f93c2d68f1..faa7e9b1b9bc 100644 >>> --- a/mm/shmem.c >>> +++ b/mm/shmem.c >>> @@ -1098,6 +1098,10 @@ static int shmem_setattr(struct user_namespace *mnt_userns, >>> (newsize > oldsize && (info->seals & F_SEAL_GROW))) >>> return -EPERM; >>> >>> + if ((info->seals & F_SEAL_INACCESSIBLE) && >>> + (newsize & ~PAGE_MASK)) >>> + return -EINVAL; >>> + >> >> What happens when sealing and there are existing mmaps? > > I think this is similar to ftruncate, in either case we just allow that. > The existing mmaps will be unmapped and KVM will be notified to > invalidate the mapping in the secondary MMU as well. This assume we > trust the userspace even though it can not access the file content. Can't we simply check+forbid instead? -- Thanks, David / dhildenb