Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Message-ID: <4e68ae1c-e0ed-2620-fbd1-0f0f7eb28c4f@amd.com>
Date:   Fri, 21 Jan 2022 09:38:23 +0530
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
 Thunderbird/91.3.2
Cc:     Paolo Bonzini <pbonzini@redhat.com>,
        Sean Christopherson <seanjc@google.com>,
        Vitaly Kuznetsov <vkuznets@redhat.com>,
        Wanpeng Li <wanpengli@tencent.com>,
        Jim Mattson <jmattson@google.com>,
        Joerg Roedel <joro@8bytes.org>,
        Brijesh Singh <brijesh.singh@amd.com>,
        Tom Lendacky <thomas.lendacky@amd.com>,
        kvm list <kvm@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        Bharata B Rao <bharata@amd.com>
Subject: Re: [RFC PATCH 6/6] KVM: SVM: Pin SEV pages in MMU during
 sev_launch_update_data()
Content-Language: en-US
To:     Peter Gonda <pgonda@google.com>
References: <20220118110621.62462-1-nikunj@amd.com>
 <20220118110621.62462-7-nikunj@amd.com>
 <CAMkAt6p1-82LTRNB3pkPRwYh=wGpreUN=jcUeBj_dZt8ss9w0Q@mail.gmail.com>
From:   "Nikunj A. Dadhania" <nikunj@amd.com>
In-Reply-To: <CAMkAt6p1-82LTRNB3pkPRwYh=wGpreUN=jcUeBj_dZt8ss9w0Q@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?cDUyTmxrbDNHeHpxdGpVSFNlYk16RUdSWG1KUEx2VThqcURQTGxCbXlrWEox?=
 =?utf-8?B?SDJTMEx6NzFxQUpBVDVxUVdDY0VxYWdDTWd4aWgxREZURDcxaHMxZGxwQjgx?=
 =?utf-8?B?UjB6aVVvblQvWjJpNFZycGdsb1lnczRPMkt5WVdpSStyTGxkaFZ0MmJMVTB0?=
 =?utf-8?B?cUV3MzBqcVNFZ3diY2dENjBtT2k5S0dMVUtHdkFQYVVWeEJOT2IrN3ZTRVow?=
 =?utf-8?B?QzBjV1NKYjNncFp6cDNrdWJodHVTNXY1Wk5IcmZlL0t5UWNVMWlFbGNzUDg1?=
 =?utf-8?B?cjI2c2lqTFo0MlBkNjBXeUNYYjB5YWtlbUVvSXdQUG5UVjNZcFFwVlJGS1Vx?=
 =?utf-8?B?bmVVUldybzY3eU1YY1dwVTV6RFY5RmRqQ3plcEp0UjVJZnU4RlJwMGl4U3VC?=
 =?utf-8?B?dGZ0N09EYzQyay81S05VNEhUSEMvWkVJODg0ZTUySGQ5TzR2S1Q0ZVpuOUly?=
 =?utf-8?B?T0FVd1dZWHFMRHRkOUtzRjVQQjZEQ2xBNURJMmx2bWgxNG5acnhvYThWWlBm?=
 =?utf-8?B?N1h1eDgzV09yOG80bCtTdFd1VHd1eVA0VXI1ZUVGTUtOSEw4TUo1ZW9oMHpG?=
 =?utf-8?B?c2Q3VjZFaUtTd1lseVVNM1FOVEd4L3ZFRGtZajNlaVRXWTRybGJBb1RzSXls?=
 =?utf-8?B?S0ttNENIcnVxdnFwTGxSaFlqdUU2ZWp5TUlnVW5LeExHSGJMR1RkMXNlL3ha?=
 =?utf-8?B?UjlRV3BuMmd2dGZjejFGMmJmcjQ4a2Q5UWNNL3A2UDB5ZnI0Z0M3QUpkZUNP?=
 =?utf-8?B?SzZsb1NjS2JHanlrLzVQM2w0VmU0d1ljdEhnT3dCNkRSdXA5eU5jZktTMlJt?=
 =?utf-8?B?aFNOOWVnTGJkL3RFQ0MrSHVJYUtMVVM1b3hvKzVoYjZYZzlwK0tBWmE5UGV5?=
 =?utf-8?B?Rzhma0NNcDZKTXlHdUgzNm1VaTQ4cnNYeGxvamkzbWlva2ZjdUFCVHBqUXhm?=
 =?utf-8?B?Y3VhSDFwenp5TWZqTTR6enVoK1Z2MlJQbTlKbHFwTEZqYjZxZDd5VUJKZ0N0?=
 =?utf-8?B?Uk9oWVl6bjRCckl5a3JXaisremNqVkxTWHpmdEpHOEI2dUdzTndYTWZlNzky?=
 =?utf-8?B?Z0xFNWlBeDc0OW4xaTlzYVJkVmhJRmlCdDB3WFArbWdXQ3EzVUhoN3YrMkFR?=
 =?utf-8?B?Q0kzTlByOVB0TDRQYUVWeHZOVzIzVGVEV3V5YTRoQjJjZmRCU1BvVlR2RVlK?=
 =?utf-8?B?TzJyeU80Q3JRM2MrcGpCUFR2QU4zMDUyRDRNQUhKaVVCQzBlbnRZQytacmQr?=
 =?utf-8?B?SDVIMGppQkh0eGZGWlJKVHBrTzdOT1pBUG1JMkNBaU1td2ViOGtqU3puVWNn?=
 =?utf-8?B?YjhIenRrQUlaRXdHRTQzSE9OTWNyaDdGZ0k1bVVpajJ2bFVKL0tjMUI5KzJH?=
 =?utf-8?B?eXYwcU03ZGh2ZGh6aENJY1hXd250YXZLeGMwcC9LK1ExNUIvLzIycGt0Sk1s?=
 =?utf-8?B?UElPU2tqRTF5R1ZGNEo0SGVDbmM0aHNENkM0TGsveVZlQWgxdzhNSXdaWlZN?=
 =?utf-8?B?SGVjS3d1RHVzUnJ6Q2hSQUhrcVFGVW5FbVI5dUQ1SkdFMCtVV05kVzhxcDNp?=
 =?utf-8?B?L3JEdENmc0NwK0plTEFkWHdoRURva3JHSU1xVGFmTSs2UXFiVmJNM3N3dWQ0?=
 =?utf-8?B?MjB4YmYwbHphRWNtb1NqblJiVDlmOXQwaTJCb0hGL2pBalYwcForZExqdWJP?=
 =?utf-8?B?bTlESU1UcTNVL0UyelZOdlBkZ2wvTEVtZDFLM1JLMkFGUHNab0tPL1VuaFVW?=
 =?utf-8?B?QU4vc3oyRHhpUXlFMTEwblFFRFNQTCtlbHBFcWFSak4zL1I4RzNqeTBKRkFT?=
 =?utf-8?B?NWVPSG1mYjV5eTIyNkl2MWovTnVoNjNMYWdiUGVrbUZEcENlbmE3K2JwbFhw?=
 =?utf-8?B?YkFBd29hMVpyMURYVDlUVWhVKzFHcU1lT0ZPdzNaVEVTYXNoTVR2a1VycmUv?=
 =?utf-8?B?V09nSHJBU2NZdkhGcXFka0dZN1NQQU5pOXduOUw1Y0JkZC9BNXFkSDc3SzlF?=
 =?utf-8?B?MDdkWFBWQ0dUY1VzUkpyd3FwNWoxNk4zTk9NV0FQK3FIZjE5bFhoelhVeEFj?=
 =?utf-8?B?VkFkWm15amppdmo4Z3M3RmdJam9UYlFESXg1d0NCTXJlUGljK1FFNEowVmxu?=
 =?utf-8?B?Y2F1ZGlKTzd4SzlEYkJ0RUV4VUpFemNDM2sxcm4wT0JKK2ZydGlGUkZhNkNO?=
 =?utf-8?Q?LPPos+qeTrvl5ZzspoZFoYQ=3D?=
X-OriginatorOrg: amd.com
X-MS-Exchange-CrossTenant-Network-Message-Id: df264885-48f4-4780-ecac-08d9dc93b168
X-MS-Exchange-CrossTenant-AuthSource: DM5PR12MB2470.namprd12.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 21 Jan 2022 04:08:35.0632
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: u/dgXr2H9QOPavgXdMClDZeiW9+C+oagp/ogOlQGSM0hk+l0c9uZFtzQhIp4qEq84/yZ25WXs5QiQJsw6w2WjQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN8PR12MB3540
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 1/20/2022 9:47 PM, Peter Gonda wrote:
> On Tue, Jan 18, 2022 at 4:07 AM Nikunj A Dadhania <nikunj@amd.com> wrote:
>>
>> From: Sean Christopherson <sean.j.christopherson@intel.com>
>>
>> Pin the memory for the data being passed to launch_update_data()
>> because it gets encrypted before the guest is first run and must
>> not be moved which would corrupt it.
>>
>> Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
>> [ * Changed hva_to_gva() to take an extra argument and return gpa_t.
>>   * Updated sev_pin_memory_in_mmu() error handling.
>>   * As pinning/unpining pages is handled within MMU, removed
>>     {get,put}_user(). ]
>> Signed-off-by: Nikunj A Dadhania <nikunj@amd.com>
>> ---
>>  arch/x86/kvm/svm/sev.c | 122 ++++++++++++++++++++++++++++++++++++++++-
>>  1 file changed, 119 insertions(+), 3 deletions(-)
>>
>> diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
>> index 14aeccfc500b..1ae714e83a3c 100644
>> --- a/arch/x86/kvm/svm/sev.c
>> +++ b/arch/x86/kvm/svm/sev.c
>> @@ -22,6 +22,7 @@
>>  #include <asm/trapnr.h>
>>  #include <asm/fpu/xcr.h>
>>
>> +#include "mmu.h"
>>  #include "x86.h"
>>  #include "svm.h"
>>  #include "svm_ops.h"
>> @@ -490,6 +491,110 @@ static unsigned long get_num_contig_pages(unsigned long idx,
>>         return pages;
>>  }
>>
>> +#define SEV_PFERR_RO (PFERR_USER_MASK)
>> +#define SEV_PFERR_RW (PFERR_WRITE_MASK | PFERR_USER_MASK)
>> +
>> +static struct kvm_memory_slot *hva_to_memslot(struct kvm *kvm,
>> +                                             unsigned long hva)
>> +{
>> +       struct kvm_memslots *slots = kvm_memslots(kvm);
>> +       struct kvm_memory_slot *memslot;
>> +       int bkt;
>> +
>> +       kvm_for_each_memslot(memslot, bkt, slots) {
>> +               if (hva >= memslot->userspace_addr &&
>> +                   hva < memslot->userspace_addr +
>> +                   (memslot->npages << PAGE_SHIFT))
>> +                       return memslot;
>> +       }
>> +
>> +       return NULL;
>> +}
>> +
>> +static gpa_t hva_to_gpa(struct kvm *kvm, unsigned long hva, bool *ro)
>> +{
>> +       struct kvm_memory_slot *memslot;
>> +       gpa_t gpa_offset;
>> +
>> +       memslot = hva_to_memslot(kvm, hva);
>> +       if (!memslot)
>> +               return UNMAPPED_GVA;
>> +
>> +       *ro = !!(memslot->flags & KVM_MEM_READONLY);
>> +       gpa_offset = hva - memslot->userspace_addr;
>> +       return ((memslot->base_gfn << PAGE_SHIFT) + gpa_offset);
>> +}
>> +
>> +static struct page **sev_pin_memory_in_mmu(struct kvm *kvm, unsigned long addr,
>> +                                          unsigned long size,
>> +                                          unsigned long *npages)
>> +{
>> +       struct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info;
>> +       struct kvm_vcpu *vcpu;
>> +       struct page **pages;
>> +       unsigned long i;
>> +       u32 error_code;
>> +       kvm_pfn_t pfn;
>> +       int idx, ret = 0;
>> +       gpa_t gpa;
>> +       bool ro;
>> +
>> +       pages = sev_alloc_pages(sev, addr, size, npages);
>> +       if (IS_ERR(pages))
>> +               return pages;
>> +
>> +       vcpu = kvm_get_vcpu(kvm, 0);
>> +       if (mutex_lock_killable(&vcpu->mutex)) {
>> +               kvfree(pages);
>> +               return ERR_PTR(-EINTR);
>> +       }
>> +
>> +       vcpu_load(vcpu);
>> +       idx = srcu_read_lock(&kvm->srcu);
>> +
>> +       kvm_mmu_load(vcpu);
>> +
>> +       for (i = 0; i < *npages; i++, addr += PAGE_SIZE) {
>> +               if (signal_pending(current)) {
>> +                       ret = -ERESTARTSYS;
>> +                       break;
>> +               }
>> +
>> +               if (need_resched())
>> +                       cond_resched();
>> +
>> +               gpa = hva_to_gpa(kvm, addr, &ro);
>> +               if (gpa == UNMAPPED_GVA) {
>> +                       ret = -EFAULT;
>> +                       break;
>> +               }
>> +
>> +               error_code = ro ? SEV_PFERR_RO : SEV_PFERR_RW;
>> +
>> +               /*
>> +                * Fault in the page and sev_pin_page() will handle the
>> +                * pinning
>> +                */
>> +               pfn = kvm_mmu_map_tdp_page(vcpu, gpa, error_code, PG_LEVEL_4K);
>> +               if (is_error_noslot_pfn(pfn)) {
>> +                       ret = -EFAULT;
>> +                       break;
>> +               }
>> +               pages[i] = pfn_to_page(pfn);
>> +       }
>> +
>> +       kvm_mmu_unload(vcpu);
>> +       srcu_read_unlock(&kvm->srcu, idx);
>> +       vcpu_put(vcpu);
>> +       mutex_unlock(&vcpu->mutex);
>> +
>> +       if (!ret)
>> +               return pages;
>> +
>> +       kvfree(pages);
>> +       return ERR_PTR(ret);
>> +}
>> +
>>  static int sev_launch_update_data(struct kvm *kvm, struct kvm_sev_cmd *argp)
>>  {
>>         unsigned long vaddr, vaddr_end, next_vaddr, npages, pages, size, i;
>> @@ -510,15 +615,21 @@ static int sev_launch_update_data(struct kvm *kvm, struct kvm_sev_cmd *argp)
>>         vaddr_end = vaddr + size;
>>
>>         /* Lock the user memory. */
>> -       inpages = sev_pin_memory(kvm, vaddr, size, &npages, 1);
>> +       if (atomic_read(&kvm->online_vcpus))
>> +               inpages = sev_pin_memory_in_mmu(kvm, vaddr, size, &npages);
> 
> IIUC we can only use the sev_pin_memory_in_mmu() when there is an
> online vCPU because that means the MMU has been setup enough to use?
> Can we add a variable and a comment to help explain that?
> 
> bool mmu_usable = atomic_read(&kvm->online_vcpus) > 0;

Sure, will add comment and the variable.

> 
>> +       else
>> +               inpages = sev_pin_memory(kvm, vaddr, size, &npages, 1);
> 
> So I am confused about this case. Since svm_register_enc_region() is
> now a NOOP how can a user ensure that memory remains pinned from
> sev_launch_update_data() to when the memory would be demand pinned?
> 
> Before users could svm_register_enc_region() which pins the region,
> then sev_launch_update_data(), then the VM could run an the data from
> sev_launch_update_data() would have never moved. I don't think that
> same guarantee is held here?

Yes, you are right. One way is to error out of this call if MMU is not setup.
Other one would require us to maintain all list of pinned memory via sev_pin_memory() 
and unpin them in the destroy path.

>>         if (IS_ERR(inpages))
>>                 return PTR_ERR(inpages);
>>
>>         /*
>>          * Flush (on non-coherent CPUs) before LAUNCH_UPDATE encrypts pages in
>>          * place; the cache may contain the data that was written unencrypted.
>> +        * Flushing is automatically handled if the pages can be pinned in the
>> +        * MMU.
>>          */
>> -       sev_clflush_pages(inpages, npages);
>> +       if (!atomic_read(&kvm->online_vcpus))
>> +               sev_clflush_pages(inpages, npages);
>>
>>         data.reserved = 0;
>>         data.handle = sev->handle;
>> @@ -553,8 +664,13 @@ static int sev_launch_update_data(struct kvm *kvm, struct kvm_sev_cmd *argp)
>>                 set_page_dirty_lock(inpages[i]);
>>                 mark_page_accessed(inpages[i]);
>>         }
>> +
>>         /* unlock the user pages */
>> -       sev_unpin_memory(kvm, inpages, npages);
>> +       if (atomic_read(&kvm->online_vcpus))
>> +               kvfree(inpages);

>> +       else
>> +               sev_unpin_memory(kvm, inpages, npages);

And not unpin here in this case.

Regards
Nikunj