Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp894770iob; Wed, 18 May 2022 15:53:42 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxWMQPABJ2M0vShCoTNHGxY06FGhkxAlZ47jXiO3ozlpA0eSJf8a9uzRlK+izHoUhG7VSIK X-Received: by 2002:a17:906:358a:b0:6f4:2903:417e with SMTP id o10-20020a170906358a00b006f42903417emr1685677ejb.592.1652914422014; Wed, 18 May 2022 15:53:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1652914422; cv=none; d=google.com; s=arc-20160816; b=05a7bVboNm4pHW8YWZpRCNUG+uIjX+E30ol4FDXvglBe74Q6Cc0I5tVWZEas0WQrH/ QfZHh4Silm8jWihohQNZREmMxH6rpiWtr8Xx4Qj1ViAmzhUrltDYuvB5eLueF9HoCEF7 IM/exh/1CIg1OWTX1Yo38nyEwvmV2QetzyJdDjEAytSPECdHpbSVbZqiBOaKNYDWHSCe q6w66kMcEfikQc0uepP1hDv7zXcOjo4b1JvDSyK7De0zMJrN1bn6InLA8BUC6l9r3lUf GmaPvMpLb6z5RRIDgYVhCYcgf+Cj5HDol+kaijYkPH8ZqvoT5lKwb2PuFXbqTWfuHfB2 uVKA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=+m9W8seUbvXKl6nr+C4wVmU3fKzJvSA46/4AFIxjC/g=; b=N3+E96VaUde2OqDJsGBoDTYF1JuAm96bhzA46txUY/XfRCmA+mW9Qk5CA87NnOF+lt Ns2yHx5qsZapz5VuoXkn7NrNrftOZMTxZBTUDe4T2qnazqQjeOAJos45nZwV5MZEiYlk s01G8QmV2mOXeYvuHWsUls9glByWHsTH9xzSlXuoneOsQGEPWWRaywUOgy48Km/6tKbK EohWPjQWU+a8irvL7fgIZyddGcaBs/sAuWiPgqI5XyUjztgi2ToFGvM2SH5Wau89+mzW MRB8M3RaBbtWZSetK7rVfSWbPMY7R1O6nxButmu7nAXrylG7AU+0BwULsToEIoU5d+k4 u6xg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=oFY8lh88; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id o16-20020a056402439000b0042ace5d1a4bsi4299441edc.257.2022.05.18.15.53.14; Wed, 18 May 2022 15:53:42 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=oFY8lh88; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229952AbiERWaW (ORCPT + 99 others); Wed, 18 May 2022 18:30:22 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40832 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229920AbiERWaU (ORCPT ); Wed, 18 May 2022 18:30:20 -0400 Received: from mail-yw1-x1133.google.com (mail-yw1-x1133.google.com [IPv6:2607:f8b0:4864:20::1133]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6CD8421A97B for ; Wed, 18 May 2022 15:30:19 -0700 (PDT) Received: by mail-yw1-x1133.google.com with SMTP id 00721157ae682-2f16645872fso39665647b3.4 for ; Wed, 18 May 2022 15:30:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=+m9W8seUbvXKl6nr+C4wVmU3fKzJvSA46/4AFIxjC/g=; b=oFY8lh88qWhUOzYIBD52Kxc5Hp9y99aSHxVmukR1bQJlMjeSiN6SogZ7KZFbPWSYeE Wy5jBPwDCNorEsYR+kqPfu/DS9a/8xtA+EzpEGXUZNe9J5DgIRnosJ7AJRWiFPuneEGn e1S+/iemZP111JJUQWlY7QGahlueLVXAqKVtU7iPVjX160f0hbEJwucuFdzMMuWZ/Rlh 4sREXo8vxkl6aTmga2pZPJcxfr4MNI232OuvlAaLRCxxplDoXdlv2mlBfFKKizxyR1wy CMGv3py6k+XbWVQ5B6bYoQIgKLLd6nEoxguoICnGcFio4OgP9zVMePafWLNT1DIK8i6y sMhQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=+m9W8seUbvXKl6nr+C4wVmU3fKzJvSA46/4AFIxjC/g=; b=bnrXw0MrDwsTsg92FXz7NO5A6YPqS/ya5gZdI60K2zevNScKe++iOQg9SZWM8sFrnn 7DhR7ow7cBfInc+GhmjHOMYcjH8u6fHyub5b3BsimxGUExSBj+SuZVxMXm2l9IMu+Dou HPCMAAg6H/aHc+BdlZHK1KY6u4+hN+PCKKPnP3Jb37+jNpqKEJQMfwtXM6gNdB2tehmh /znr20CIQnkGnwDt+LJLwjd6L+Yv5I3KFbgPRGi6WvnobyaxW+Mnq4b8MbVdUk7aE+eE vbJoPP4eyt3Z/mJF2Pb3wtHfQe6Do2x22Vzaw7Fztf6RdDphD50edvUceNbjeHETess1 PA1g== X-Gm-Message-State: AOAM530m2KL5zb5WConQQpW0ilSWKRh05cPLyjbtaLtQKfqEcRht8B9t /Bbg4qlz6ppFuObfydGwQS/C1azoEJ9zEASVxFVrZg== X-Received: by 2002:a81:6188:0:b0:2eb:4bd3:9b86 with SMTP id v130-20020a816188000000b002eb4bd39b86mr1664631ywb.46.1652913018341; Wed, 18 May 2022 15:30:18 -0700 (PDT) MIME-Version: 1.0 References: <145620795852bf24ba2124a3f8234fd4aaac19d4.1649219184.git.kai.huang@intel.com> <0bab7221179229317a11311386c968bd0d40e344.camel@intel.com> In-Reply-To: <0bab7221179229317a11311386c968bd0d40e344.camel@intel.com> From: Sagi Shahar Date: Wed, 18 May 2022 15:30:07 -0700 Message-ID: Subject: Re: [PATCH v3 09/21] x86/virt/tdx: Get information about TDX module and convertible memory To: Kai Huang Cc: Dave Hansen , linux-kernel@vger.kernel.org, kvm@vger.kernel.org, Sean Christopherson , Paolo Bonzini , len.brown@intel.com, tony.luck@intel.com, rafael.j.wysocki@intel.com, reinette.chatre@intel.com, dan.j.williams@intel.com, peterz@infradead.org, ak@linux.intel.com, kirill.shutemov@linux.intel.com, sathyanarayanan.kuppuswamy@linux.intel.com, "Yamahata, Isaku" Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Apr 27, 2022 at 5:15 PM Kai Huang wrote: > > On Wed, 2022-04-27 at 15:15 -0700, Dave Hansen wrote: > > On 4/5/22 21:49, Kai Huang wrote: > > > TDX provides increased levels of memory confidentiality and integrity. > > > This requires special hardware support for features like memory > > > encryption and storage of memory integrity checksums. Not all memory > > > satisfies these requirements. > > > > > > As a result, TDX introduced the concept of a "Convertible Memory Region" > > > (CMR). During boot, the firmware builds a list of all of the memory > > > ranges which can provide the TDX security guarantees. The list of these > > > ranges, along with TDX module information, is available to the kernel by > > > querying the TDX module via TDH.SYS.INFO SEAMCALL. > > > > > > Host kernel can choose whether or not to use all convertible memory > > > regions as TDX memory. Before TDX module is ready to create any TD > > > guests, all TDX memory regions that host kernel intends to use must be > > > configured to the TDX module, using specific data structures defined by > > > TDX architecture. Constructing those structures requires information of > > > both TDX module and the Convertible Memory Regions. Call TDH.SYS.INFO > > > to get this information as preparation to construct those structures. > > > > > > Signed-off-by: Kai Huang > > > --- > > > arch/x86/virt/vmx/tdx/tdx.c | 131 ++++++++++++++++++++++++++++++++++++ > > > arch/x86/virt/vmx/tdx/tdx.h | 61 +++++++++++++++++ > > > 2 files changed, 192 insertions(+) > > > > > > diff --git a/arch/x86/virt/vmx/tdx/tdx.c b/arch/x86/virt/vmx/tdx/tdx.c > > > index ef2718423f0f..482e6d858181 100644 > > > --- a/arch/x86/virt/vmx/tdx/tdx.c > > > +++ b/arch/x86/virt/vmx/tdx/tdx.c > > > @@ -80,6 +80,11 @@ static DEFINE_MUTEX(tdx_module_lock); > > > > > > static struct p_seamldr_info p_seamldr_info; > > > > > > +/* Base address of CMR array needs to be 512 bytes aligned. */ > > > +static struct cmr_info tdx_cmr_array[MAX_CMRS] __aligned(CMR_INFO_ARRAY_ALIGNMENT); > > > +static int tdx_cmr_num; > > > +static struct tdsysinfo_struct tdx_sysinfo; > > > > I really dislike mixing hardware and software structures. Please make > > it clear which of these are fully software-defined and which are part of > > the hardware ABI. > > Both 'struct tdsysinfo_struct' and 'struct cmr_info' are hardware structures. > They are defined in tdx.h which has a comment saying the data structures below > this comment is hardware structures: > > +/* > + * TDX architectural data structures > + */ > > It is introduced in the P-SEAMLDR patch. > > Should I explicitly add comments around the variables saying they are used by > hardware, something like: > > /* > * Data structures used by TDH.SYS.INFO SEAMCALL to return CMRs and > * TDX module system information. > */ > > ? > > > > > > static bool __seamrr_enabled(void) > > > { > > > return (seamrr_mask & SEAMRR_ENABLED_BITS) == SEAMRR_ENABLED_BITS; > > > @@ -468,6 +473,127 @@ static int tdx_module_init_cpus(void) > > > return seamcall_on_each_cpu(&sc); > > > } > > > > > > +static inline bool cmr_valid(struct cmr_info *cmr) > > > +{ > > > + return !!cmr->size; > > > +} > > > + > > > +static void print_cmrs(struct cmr_info *cmr_array, int cmr_num, > > > + const char *name) > > > +{ > > > + int i; > > > + > > > + for (i = 0; i < cmr_num; i++) { > > > + struct cmr_info *cmr = &cmr_array[i]; > > > + > > > + pr_info("%s : [0x%llx, 0x%llx)\n", name, > > > + cmr->base, cmr->base + cmr->size); > > > + } > > > +} > > > + > > > +static int sanitize_cmrs(struct cmr_info *cmr_array, int cmr_num) > > > +{ > > > + int i, j; > > > + > > > + /* > > > + * Intel TDX module spec, 20.7.3 CMR_INFO: > > > + * > > > + * TDH.SYS.INFO leaf function returns a MAX_CMRS (32) entry > > > + * array of CMR_INFO entries. The CMRs are sorted from the > > > + * lowest base address to the highest base address, and they > > > + * are non-overlapping. > > > + * > > > + * This implies that BIOS may generate invalid empty entries > > > + * if total CMRs are less than 32. Skip them manually. > > > + */ > > > + for (i = 0; i < cmr_num; i++) { > > > + struct cmr_info *cmr = &cmr_array[i]; > > > + struct cmr_info *prev_cmr = NULL; > > > + > > > + /* Skip further invalid CMRs */ > > > + if (!cmr_valid(cmr)) > > > + break; > > > + > > > + if (i > 0) > > > + prev_cmr = &cmr_array[i - 1]; > > > + > > > + /* > > > + * It is a TDX firmware bug if CMRs are not > > > + * in address ascending order. > > > + */ > > > + if (prev_cmr && ((prev_cmr->base + prev_cmr->size) > > > > + cmr->base)) { > > > + pr_err("Firmware bug: CMRs not in address ascending order.\n"); > > > + return -EFAULT; > > > > -EFAULT is a really weird return code to use for this. I'd use -EINVAL. > > OK thanks. > > > > > > + } > > > + } > > > + > > > + /* > > > + * Also a sane BIOS should never generate invalid CMR(s) between > > > + * two valid CMRs. Sanity check this and simply return error in > > > + * this case. > > > + * > > > + * By reaching here @i is the index of the first invalid CMR (or > > > + * cmr_num). Starting with next entry of @i since it has already > > > + * been checked. > > > + */ > > > + for (j = i + 1; j < cmr_num; j++) > > > + if (cmr_valid(&cmr_array[j])) { > > > + pr_err("Firmware bug: invalid CMR(s) among valid CMRs.\n"); > > > + return -EFAULT; > > > + } > > > > Please add brackets for the for(). > > OK. > > > > > > + /* > > > + * Trim all tail invalid empty CMRs. BIOS should generate at > > > + * least one valid CMR, otherwise it's a TDX firmware bug. > > > + */ > > > + tdx_cmr_num = i; > > > + if (!tdx_cmr_num) { > > > + pr_err("Firmware bug: No valid CMR.\n"); > > > + return -EFAULT; > > > + } > > > + > > > + /* Print kernel sanitized CMRs */ > > > + print_cmrs(tdx_cmr_array, tdx_cmr_num, "Kernel-sanitized-CMR"); > > > + > > > + return 0; > > > +} > > > + > > > +static int tdx_get_sysinfo(void) > > > +{ > > > + struct tdx_module_output out; > > > + u64 tdsysinfo_sz, cmr_num; > > > + int ret; > > > + > > > + BUILD_BUG_ON(sizeof(struct tdsysinfo_struct) != TDSYSINFO_STRUCT_SIZE); > > > + > > > + ret = seamcall(TDH_SYS_INFO, __pa(&tdx_sysinfo), TDSYSINFO_STRUCT_SIZE, > > > + __pa(tdx_cmr_array), MAX_CMRS, NULL, &out); > > > + if (ret) > > > + return ret; > > > + > > > + /* > > > + * If TDH.SYS.CONFIG succeeds, RDX contains the actual bytes > > > + * written to @tdx_sysinfo and R9 contains the actual entries > > > + * written to @tdx_cmr_array. Sanity check them. > > > + */ > > > + tdsysinfo_sz = out.rdx; > > > + cmr_num = out.r9; > > > > Please vertically align things like this: > > > > tdsysinfo_sz = out.rdx; > > cmr_num = out.r9; > > OK. > > > > > > + if (WARN_ON_ONCE((tdsysinfo_sz > sizeof(tdx_sysinfo)) || !tdsysinfo_sz || > > > + (cmr_num > MAX_CMRS) || !cmr_num)) > > > + return -EFAULT; > > > > Sanity checking is good, but this makes me wonder how much is too much. > > I don't see a lot of code for instance checking if sys_write() writes > > more than how much it was supposed to. > > > > Why are these sanity checks necessary here? Is the TDX module expected > > to be *THAT* buggy? The thing that's providing, oh, basically all of > > the security guarantees of this architecture. It's overflowing the > > buffers you hand it? > > I think this check can be removed. Will remove. > > > > > > + pr_info("TDX module: vendor_id 0x%x, major_version %u, minor_version %u, build_date %u, build_num %u", > > > + tdx_sysinfo.vendor_id, tdx_sysinfo.major_version, > > > + tdx_sysinfo.minor_version, tdx_sysinfo.build_date, > > > + tdx_sysinfo.build_num); > > > + > > > + /* Print BIOS provided CMRs */ > > > + print_cmrs(tdx_cmr_array, cmr_num, "BIOS-CMR"); > > > + sanitize_cmrs already prints the cmrs in case of success. So for valid cmrs we are going to print them twice. Would it be better to only print cmrs here in case sanitize_cmrs fails? > > > + return sanitize_cmrs(tdx_cmr_array, cmr_num); > > > +} > > > > Does sanitize_cmrs() sanitize anything? It looks to me like it *checks* > > the CMRs. But, sanitizing is an active operation that writes to the > > data being sanitized. This looks read-only to me. check_cmrs() would > > be a better name for a passive check. > > Sure will change to check_cmrs(). > > > > > > static int init_tdx_module(void) > > > { > > > int ret; > > > @@ -482,6 +608,11 @@ static int init_tdx_module(void) > > > if (ret) > > > goto out; > > > > > > + /* Get TDX module information and CMRs */ > > > + ret = tdx_get_sysinfo(); > > > + if (ret) > > > + goto out; > > > > Couldn't we get rid of that comment if you did something like: > > > > ret = tdx_get_sysinfo(&tdx_cmr_array, &tdx_sysinfo); > > Yes will do. > > > > > and preferably make the variables function-local. > > 'tdx_sysinfo' will be used by KVM too. > > > > -- > Thanks, > -Kai > > Sagi