Received: by 2002:a6b:fb09:0:0:0:0:0 with SMTP id h9csp4021755iog; Tue, 28 Jun 2022 07:31:43 -0700 (PDT) X-Google-Smtp-Source: AGRyM1vEbQPXhTY3Ox0C/XxoIP5cYVx5Px+/jrKDXBT+26f9emrAu7/gRIBzI2z3YTz5yQyuw7A6 X-Received: by 2002:a17:902:8e86:b0:168:d6d6:660f with SMTP id bg6-20020a1709028e8600b00168d6d6660fmr4052502plb.35.1656426703387; Tue, 28 Jun 2022 07:31:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1656426703; cv=none; d=google.com; s=arc-20160816; b=ZgDBTTd8UCrMUA4ypR0y/fzoPnrd7OesUGhfwI1nCAJiLr2Y/Jd3UqSr8/Z3OnhUZH 7Sac2VB1VQB2SDbPW9HaibeI67QvHPc/vP+Ys5xNWGnMz8+cFtGepaLvd8BxIXHedqXy QDzBlsPP5G6GxlixVKVSU32MBNXKpO4m6kdxBvxb3Mr1ZPB9J4qQJ8BhG4vJiwg75yoC a48XvNeuUWf52WK86eIsbkJjfiJv8h4Mw6jK6ZlPhASCeAY2WSzAFQNTzB7VIJIOeruj iP1b8hJJv+UWRklDfpoH3rt34amxAxsi6K6Wka9NYUVMDFG+zDM5LF34PG5KqQu9alYY 3gYw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=Tf1deUgt9rwdxUuyNJ03TR1/LhveJ3DTEEiG3eS7IZI=; b=SQc09wC8oSjsz8vtaSq6SifJpRLcO0L/l1TRB/WqP6jKp7k2G2LSviD+bhvKQoFf4T qB0p0WJ8U770/9LnqXYyK4pWK2yczSqVLHVbIfQ2fp0Prjk6IIdsJ6GcgwK/YCFvrYip K2zGedm8Im9wbbwkFaUHYAtK63JMzw5aQ7lSfwWvlD6XSzn9ZGGmsxbfJjq/TeR7Lura qG25Ivb4GGxLSdjRe5qRMLS1xO3xT3UQEkIVo/7BHaT/WpGUl1oNfIEfdHXmhfpsJiFD AThdMwSQC9VoGVkub4bAUzfAw2Liu0X83C3Qc+FqWCHQ0L8mf6X80zOKdgQ5xzm5/LzV IGCg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ibm.com header.s=pp1 header.b=S87c1eT5; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id l5-20020a056a0016c500b0052513e4ac16si20990755pfc.43.2022.06.28.07.31.29; Tue, 28 Jun 2022 07:31:43 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@ibm.com header.s=pp1 header.b=S87c1eT5; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1346881AbiF1N4a (ORCPT + 99 others); Tue, 28 Jun 2022 09:56:30 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33664 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345626AbiF1N42 (ORCPT ); Tue, 28 Jun 2022 09:56:28 -0400 Received: from mx0b-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 612F533378; Tue, 28 Jun 2022 06:56:27 -0700 (PDT) Received: from pps.filterd (m0098417.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 25SDWhjQ007289; Tue, 28 Jun 2022 13:56:26 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding; s=pp1; bh=Tf1deUgt9rwdxUuyNJ03TR1/LhveJ3DTEEiG3eS7IZI=; b=S87c1eT5kAoQ9ixpRf9aXOekRG/+qJPZ+/+hKP/FXQ6pzqrrU//zIiSv8aL6c1bvV7IH YLZJ+LSX4CIjrB1mg7YTenZGoSLhqZa04XfIkKNXVij2SaNBrdYFl3vzY7nGVfBW6NG+ fivuW8iGqc9Y4CTcdQfIYzJKfkHKomJ9ENVdA83HTIg9xayQ3sLWRJjlWZUIgxK+htUA bv8NfMNN9+j4ZXFh6z5j1SGDf9iPhHTZJ2pDb0xvHRsaqJP8w+CUu9FpacX0p4zrbzPg bWA6h0bGjT9f7a1OF0g+IPjzPCsfFwQctsRskVd9nabzfVcMbl3B9HILG6JZIrfLW4m4 bQ== Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 3h02d0hn6w-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 28 Jun 2022 13:56:26 +0000 Received: from m0098417.ppops.net (m0098417.ppops.net [127.0.0.1]) by pps.reinject (8.17.1.5/8.17.1.5) with ESMTP id 25SDHIhg005670; Tue, 28 Jun 2022 13:56:26 GMT Received: from ppma03ams.nl.ibm.com (62.31.33a9.ip4.static.sl-reverse.com [169.51.49.98]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 3h02d0hn5f-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 28 Jun 2022 13:56:25 +0000 Received: from pps.filterd (ppma03ams.nl.ibm.com [127.0.0.1]) by ppma03ams.nl.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 25SDp9Js007950; Tue, 28 Jun 2022 13:56:24 GMT Received: from b06cxnps4075.portsmouth.uk.ibm.com (d06relay12.portsmouth.uk.ibm.com [9.149.109.197]) by ppma03ams.nl.ibm.com with ESMTP id 3gwt08vxrs-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 28 Jun 2022 13:56:23 +0000 Received: from d06av22.portsmouth.uk.ibm.com (d06av22.portsmouth.uk.ibm.com [9.149.105.58]) by b06cxnps4075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 25SDuKrg7405866 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 28 Jun 2022 13:56:20 GMT Received: from d06av22.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id CB3654C040; Tue, 28 Jun 2022 13:56:20 +0000 (GMT) Received: from d06av22.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 70DE84C044; Tue, 28 Jun 2022 13:56:20 +0000 (GMT) Received: from p-imbrenda.boeblingen.de.ibm.com (unknown [9.152.224.40]) by d06av22.portsmouth.uk.ibm.com (Postfix) with ESMTP; Tue, 28 Jun 2022 13:56:20 +0000 (GMT) From: Claudio Imbrenda To: kvm@vger.kernel.org Cc: borntraeger@de.ibm.com, frankja@linux.ibm.com, thuth@redhat.com, pasic@linux.ibm.com, david@redhat.com, linux-s390@vger.kernel.org, linux-kernel@vger.kernel.org, scgl@linux.ibm.com, mimu@linux.ibm.com, nrb@linux.ibm.com Subject: [PATCH v12 02/18] KVM: s390: pv: handle secure storage violations for protected guests Date: Tue, 28 Jun 2022 15:56:03 +0200 Message-Id: <20220628135619.32410-3-imbrenda@linux.ibm.com> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220628135619.32410-1-imbrenda@linux.ibm.com> References: <20220628135619.32410-1-imbrenda@linux.ibm.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-TM-AS-GCONF: 00 X-Proofpoint-GUID: _HGAlXFY2nC-jcQflto1mtzSm7M-I211 X-Proofpoint-ORIG-GUID: zPK9c69DJ6rzWgQi_Ob06cOAplfUH5Fk X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.883,Hydra:6.0.517,FMLib:17.11.122.1 definitions=2022-06-28_07,2022-06-28_01,2022-06-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 mlxlogscore=839 impostorscore=0 lowpriorityscore=0 phishscore=0 suspectscore=0 bulkscore=0 spamscore=0 mlxscore=0 priorityscore=1501 adultscore=0 clxscore=1015 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2204290000 definitions=main-2206280057 X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_EF,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org A secure storage violation is triggered when a protected guest tries to access secure memory that has been mapped erroneously, or that belongs to a different protected guest or to the ultravisor. With upcoming patches, protected guests will be able to trigger secure storage violations in normal operation. This happens for example if a protected guest is rebooted with deferred destroy enabled and the new guest is also protected. When the new protected guest touches pages that have not yet been destroyed, and thus are accounted to the previous protected guest, a secure storage violation is raised. This patch adds handling of secure storage violations for protected guests. This exception is handled by first trying to destroy the page, because it is expected to belong to a defunct protected guest where a destroy should be possible. Note that a secure page can only be destroyed if its protected VM does not have any CPUs, which only happens when the protected VM is being terminated. If that fails, a normal export of the page is attempted. This means that pages that trigger the exception will be made non-secure (in one way or another) before attempting to use them again for a different secure guest. Signed-off-by: Claudio Imbrenda Acked-by: Janosch Frank --- arch/s390/include/asm/uv.h | 1 + arch/s390/kernel/uv.c | 55 ++++++++++++++++++++++++++++++++++++++ arch/s390/mm/fault.c | 10 +++++++ 3 files changed, 66 insertions(+) diff --git a/arch/s390/include/asm/uv.h b/arch/s390/include/asm/uv.h index cfea7b77a5b8..ba64e0be03bb 100644 --- a/arch/s390/include/asm/uv.h +++ b/arch/s390/include/asm/uv.h @@ -378,6 +378,7 @@ static inline int is_prot_virt_host(void) } int gmap_make_secure(struct gmap *gmap, unsigned long gaddr, void *uvcb); +int gmap_destroy_page(struct gmap *gmap, unsigned long gaddr); int uv_destroy_owned_page(unsigned long paddr); int uv_convert_from_secure(unsigned long paddr); int uv_convert_owned_from_secure(unsigned long paddr); diff --git a/arch/s390/kernel/uv.c b/arch/s390/kernel/uv.c index a5425075dd25..ce14fd0b573c 100644 --- a/arch/s390/kernel/uv.c +++ b/arch/s390/kernel/uv.c @@ -334,6 +334,61 @@ int gmap_convert_to_secure(struct gmap *gmap, unsigned long gaddr) } EXPORT_SYMBOL_GPL(gmap_convert_to_secure); +/** + * gmap_destroy_page - Destroy a guest page. + * @gmap: the gmap of the guest + * @gaddr: the guest address to destroy + * + * An attempt will be made to destroy the given guest page. If the attempt + * fails, an attempt is made to export the page. If both attempts fail, an + * appropriate error is returned. + */ +int gmap_destroy_page(struct gmap *gmap, unsigned long gaddr) +{ + struct vm_area_struct *vma; + unsigned long uaddr; + struct page *page; + int rc; + + rc = -EFAULT; + mmap_read_lock(gmap->mm); + + uaddr = __gmap_translate(gmap, gaddr); + if (IS_ERR_VALUE(uaddr)) + goto out; + vma = vma_lookup(gmap->mm, uaddr); + if (!vma) + goto out; + /* + * Huge pages should not be able to become secure + */ + if (is_vm_hugetlb_page(vma)) + goto out; + + rc = 0; + /* we take an extra reference here */ + page = follow_page(vma, uaddr, FOLL_WRITE | FOLL_GET); + if (IS_ERR_OR_NULL(page)) + goto out; + rc = uv_destroy_owned_page(page_to_phys(page)); + /* + * Fault handlers can race; it is possible that two CPUs will fault + * on the same secure page. One CPU can destroy the page, reboot, + * re-enter secure mode and import it, while the second CPU was + * stuck at the beginning of the handler. At some point the second + * CPU will be able to progress, and it will not be able to destroy + * the page. In that case we do not want to terminate the process, + * we instead try to export the page. + */ + if (rc) + rc = uv_convert_owned_from_secure(page_to_phys(page)); + put_page(page); +out: + mmap_read_unlock(gmap->mm); + return rc; +} +EXPORT_SYMBOL_GPL(gmap_destroy_page); + /* * To be called with the page locked or with an extra reference! This will * prevent gmap_make_secure from touching the page concurrently. Having 2 diff --git a/arch/s390/mm/fault.c b/arch/s390/mm/fault.c index e173b6187ad5..af1ac49168fb 100644 --- a/arch/s390/mm/fault.c +++ b/arch/s390/mm/fault.c @@ -837,6 +837,16 @@ NOKPROBE_SYMBOL(do_non_secure_storage_access); void do_secure_storage_violation(struct pt_regs *regs) { + unsigned long gaddr = regs->int_parm_long & __FAIL_ADDR_MASK; + struct gmap *gmap = (struct gmap *)S390_lowcore.gmap; + + /* + * If the VM has been rebooted, its address space might still contain + * secure pages from the previous boot. + * Clear the page so it can be reused. + */ + if (!gmap_destroy_page(gmap, gaddr)) + return; /* * Either KVM messed up the secure guest mapping or the same * page is mapped into multiple secure guests. -- 2.36.1