Received: by 2002:a05:6602:2086:0:0:0:0 with SMTP id a6csp3904649ioa; Tue, 26 Apr 2022 12:03:33 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyqXQa9bVbTgvxnjIkQ5o59WL4ol14xjmXTJXGtAyR0KRFheXmfbXcnAkc0tawPC/4i8fQe X-Received: by 2002:a05:6830:4128:b0:605:6729:1ff8 with SMTP id w40-20020a056830412800b0060567291ff8mr8734079ott.143.1650999813148; Tue, 26 Apr 2022 12:03:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1650999813; cv=none; d=google.com; s=arc-20160816; b=ZsANuYmJwunw3ZiraYZ63xCctMkMN3sDcm7i0SLmwgMfbJZBjJo5AorS3mX+hjzwuT Wrm1dkutammCpaD2cJu3BCSCSbL2Bob9V9eZjiwTXWfA5q24qJozDkB1PhwgJD/9yn7A DzY9B/5he5c/nK6nRzVz5W7eCaycEiXsa2qtgrQ3ZNEE7DHd7zKl3/ZLTFtcPQoP/qAt giioWv/SmKkGRs53bDmwl7bSfM87acVGxEhP4vfgfUbchIGykzvp2gvHZ34FJiGD3lD/ gww1oQQM60YjzbxqrwXcuG2+LnhTfhF/2Gg2W4DMfP9WFA4pm3Z/bv6XuYLYwX+v7thP 6XLw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id:dkim-signature; bh=a3zMhYLA8xJP/xWtcO5iRzbIKMDvtVGp5u0drnw/ibg=; b=K1fWNIY2yAZTrrP4l5p64Jf3v7bSAiMbWYSacufae5y8w4V/vdBxx5+7SV2cbUhJPc BvbKz4BVtcI720B8SenxcXnX8d4eQVdRt/VXbKgtQvLdbZC2Up3ZNpMmfSRTv8BSHH3/ xhnmUaokzRs7sFwSrUSczSkHz1Dl22w8N/9K1bwhSE33f4LCV54hc1ilFI5fSMUyBSYY Szt9e/gECy/VHus8jbx3/mdhOfqQ4UD1O1Nd8vltzLgmBC8LhNmSiqzySptMNOM3rfQB eGob6EkQY2VP8luHIcXFBpNHKd5bXE0OQne480Q/o7uc0EOEsQ91tZaJMlnFTHoOE/QI zCiQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ibm.com header.s=pp1 header.b=lfxkzJGU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id z4-20020a056808048400b0032256e2b584si9864894oid.143.2022.04.26.12.03.15; Tue, 26 Apr 2022 12:03:33 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@ibm.com header.s=pp1 header.b=lfxkzJGU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1349718AbiDZMAS (ORCPT + 99 others); Tue, 26 Apr 2022 08:00:18 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51254 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239509AbiDZMAR (ORCPT ); Tue, 26 Apr 2022 08:00:17 -0400 Received: from mx0b-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5AA8B53A53; Tue, 26 Apr 2022 04:57:09 -0700 (PDT) Received: from pps.filterd (m0098421.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 23Q9ZCEe002053; Tue, 26 Apr 2022 11:57:05 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=message-id : date : mime-version : subject : to : cc : references : from : in-reply-to : content-type : content-transfer-encoding; s=pp1; bh=a3zMhYLA8xJP/xWtcO5iRzbIKMDvtVGp5u0drnw/ibg=; b=lfxkzJGUurXcetmqygvnIpGcoRSEnKIky3jbQutWyUIePuBMtN5/pbGnKkE36Q+E6vX8 2ktEHjB5N7qIFpmx+LTy4ECRYYQYwD7CAdDJZswpuGkANhygnk1vAJcLpjgA0JEN45hp jB/5XpXa6HTsSKuBF6GsoPkPxSjd1Y6eIM3erTDzhU/vYE25Q0oCqiMm39vOqCJu+A6p v0RvIJ82xayvatn5sR7YvnxecAeEfGSs/AnBcs7l2LSucvAVzOsvuG/Ag3mfSH3mhszJ 9V96CFxAO7delV6cXOenhNEpCVjajHSI9v82V4VHqwwMyx4zEZ8LCDDH9yW9Z4iWlnEx QQ== Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 3fpbyh5fwd-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 26 Apr 2022 11:57:05 +0000 Received: from m0098421.ppops.net (m0098421.ppops.net [127.0.0.1]) by pps.reinject (8.17.1.5/8.17.1.5) with ESMTP id 23QBv5dk002095; Tue, 26 Apr 2022 11:57:05 GMT Received: from ppma01fra.de.ibm.com (46.49.7a9f.ip4.static.sl-reverse.com [159.122.73.70]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 3fpbyh5fvn-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 26 Apr 2022 11:57:04 +0000 Received: from pps.filterd (ppma01fra.de.ibm.com [127.0.0.1]) by ppma01fra.de.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 23QBrmfe027493; Tue, 26 Apr 2022 11:57:03 GMT Received: from b06cxnps4075.portsmouth.uk.ibm.com (d06relay12.portsmouth.uk.ibm.com [9.149.109.197]) by ppma01fra.de.ibm.com with ESMTP id 3fm938uchc-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 26 Apr 2022 11:57:03 +0000 Received: from b06wcsmtp001.portsmouth.uk.ibm.com (b06wcsmtp001.portsmouth.uk.ibm.com [9.149.105.160]) by b06cxnps4075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 23QBuxYJ52429144 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 26 Apr 2022 11:56:59 GMT Received: from b06wcsmtp001.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 56F6CA405B; Tue, 26 Apr 2022 11:56:59 +0000 (GMT) Received: from b06wcsmtp001.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 3F635A4054; Tue, 26 Apr 2022 11:56:58 +0000 (GMT) Received: from [9.171.92.107] (unknown [9.171.92.107]) by b06wcsmtp001.portsmouth.uk.ibm.com (Postfix) with ESMTP; Tue, 26 Apr 2022 11:56:58 +0000 (GMT) Message-ID: <80ca4468-6b0a-e8d9-9922-1fae2a1f0fcc@linux.ibm.com> Date: Tue, 26 Apr 2022 13:56:57 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.7.0 Subject: Re: [PATCH v2 0/2] Dirtying, failing memop: don't indicate suppression Content-Language: en-US To: Janosch Frank , Christian Borntraeger , Claudio Imbrenda Cc: David Hildenbrand , Heiko Carstens , Vasily Gorbik , Alexander Gordeev , Sven Schnelle , Paolo Bonzini , kvm@vger.kernel.org, Shuah Khan , linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org References: <20220425100147.1755340-1-scgl@linux.ibm.com> <8095d0de-dd99-0388-b1d4-e59b01dc4be0@linux.ibm.com> <13d0d706-abc4-3e4d-88c3-6447636fd1fd@linux.ibm.com> <1ccb1333-2233-8832-4102-a6c082b29108@linux.ibm.com> <40038a9a-5647-c355-bad2-297b0a2baf4f@linux.ibm.com> From: Janis Schoetterl-Glausch In-Reply-To: <40038a9a-5647-c355-bad2-297b0a2baf4f@linux.ibm.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: 0vrkjp9KAsI56VkB80KM_TaNI0Sf3ufs X-Proofpoint-GUID: m2Zua9dnvj6lbL_fTw9YYUs0X7QiWkDl X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.858,Hydra:6.0.486,FMLib:17.11.64.514 definitions=2022-04-26_02,2022-04-26_01,2022-02-23_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 clxscore=1015 spamscore=0 bulkscore=0 adultscore=0 mlxlogscore=760 lowpriorityscore=0 suspectscore=0 priorityscore=1501 phishscore=0 mlxscore=0 malwarescore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2202240000 definitions=main-2204260074 X-Spam-Status: No, score=-3.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_EF,NICE_REPLY_A,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 4/26/22 09:25, Janosch Frank wrote: > On 4/26/22 08:19, Christian Borntraeger wrote: >> >> >> Am 25.04.22 um 19:29 schrieb Janis Schoetterl-Glausch: >>> On 4/25/22 18:30, Christian Borntraeger wrote: >>>> Am 25.04.22 um 12:01 schrieb Janis Schoetterl-Glausch: >>>>> If a memop fails due to key checked protection, after already having >>>>> written to the guest, don't indicate suppression to the guest, as that >>>>> would imply that memory wasn't modified. >>>>> >>>>> This could be considered a fix to the code introducing storage key >>>>> support, however this is a bug in KVM only if we emulate an >>>>> instructions writing to an operand spanning multiple pages, which I >>>>> don't believe we do. >>>>> >>>> >>>> Thanks applied. I think it makes sense for 5.18 nevertheless. >>> >>> Janosch had some concerns because the protection code being 000 implies >>> that the effective address in the TEID is unpredictable. >>> Let's see if he chimes in. >> >> z/VM does exactly the same on key protection crossing a page boundary. The >> architecture was written in a way to allow all zeros exactly for this case. >> (hypervisor emulation of key protection crossing pages). >> This is even true for ESOP-2. See Figure 3-5 or figure 3-8 (the first line) >> which allows to NOT have a valid address in the TEID for key controlled >> protection. The question is if this is the best way to do it. Janosch brought up interruptible instructions, for those you would want to just consider the current unit of operation to be suppressed. Now this is not actually relevant, I guess PFMF is the only interruptible instruction we'd emulate and that ignores keys when clearing memory. But maybe there are other edge cases. >> >> The only question is, do we need to change the suppression parameter in >> access_guest_with_key >> >>    (mode != GACC_STORE) || (idx == 0) >> >> to also check for prot != PROT_TYPE_KEYC >> ? I think we do not need this as we have checked other reasons before. Yes, it is not necessary, the control flow is such that a protection exception implies that is due to keys. > > To me this measure looks like a last resort option and the POP doesn't state a 100% what is to be done. Some instructions can mandate suppression instead of termination according to the architects. > > My intuition tells me that if we are in a situation where this would happen then we would be much better off just doing it by hand (i.e. in the instruction emulation code) and not letting this function decide. For the instructions we currently need to emulate in KVM we should be fine. So the question is what's best for the future and for instructions emulated by user space. Upward in the call stack (including user space), we don't know the failing address, which complicates handling it in the emulation code. You could chop up the memop in page chunks to find out, but that might have other issues. Since this behavior is very implicit and easy to overlook maybe we should document it in the description of the memop ioctl? > > So I'm not entirely sure if we're replacing something that is not correct with something that also won't be correct for all cases. That may be the case, which option is more correct/less incorrect tho? It's hard to say because one would have to consider all instructions/possibilities, but indicating not suppression when we've already written to memory, seems to make sense more often than not doing so. > > But to summarize this: I'm not entirely sure even after reading the POP for more than an hour and consulting an architect