Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp875386rwi; Thu, 27 Oct 2022 08:30:55 -0700 (PDT) X-Google-Smtp-Source: AMsMyM4eVwsIEimXzzjJ3obj1WM+9+OQCwuLuq9PE+BT4v78NVZKVm27CH81nn6hqVKLUVJgbTqa X-Received: by 2002:a17:907:b16:b0:7ad:855b:c08c with SMTP id h22-20020a1709070b1600b007ad855bc08cmr6028890ejl.667.1666884654850; Thu, 27 Oct 2022 08:30:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1666884654; cv=none; d=google.com; s=arc-20160816; b=H/XWosNOzSFS9sIyllAIra61FxUuAeoB1JCWYxCOBZ+hhpzgyOPTaosak+7lgwTDWW J2szYudgbqv8TTbBPAr6dJwqbukMKx1xYfL+vLuwyoTfLNEC9Cdort3LGMxgMbpoh/gF sf4APQgowitc8S1fAApih0ShL0XZqYP9hTCqlY89AbMCaKO6D4rDlxT7M3T1k6bVCCiI 5PeJSdaFqTTHwpAO7sJjHbU4+Z7zE2DgYXebxWya3eFpinGIsX4EGDESpIUbOn9Pi7o7 KVjdmQDl4DBCpCzfxCusfgyVqsItRK9itwRD+a8nYEnsEuNIrDr/NrQ9d08q1Re8MLk3 zoRg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:references:mime-version :message-id:in-reply-to:date:dkim-signature; bh=co6QgImvBY6rg4iltv5GQDLPg23wAqLBYYMlaysrcLQ=; b=GU3cgBUwrb5y8H4cewCwPFjjVmcl2ioDOiQD/treZWNDyf+A2JvfNyfY90okg/l2j/ KhgRkEqwrwNKiHhnyykrMBFoTc3yR6Xt/1oy9/5hTxZZv6HTOaD1aplfoWTtY5M+1JMb 2j9+hMh+9/M5SlbpfmpIDOa4xVoGKDbHYWe7UhrVWPkV7kN03gg2dryqfvCWe546rESH JW691lnZMYLsIoWSWvAl5wVQaUWhlPSxMyzjm0EYUQkQUFNIq9s2eUMZMrMuUzNPNWNU TNWrzZ/eqRjkqGeG9o9vpsIk2YkJdYY01/KY0x8hW2MJRoSaVHQq/ko/gzawBdZIdueK nHww== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=RKr2mNOD; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id f18-20020a056402355200b00461f1a036f0si1490716edd.335.2022.10.27.08.30.28; Thu, 27 Oct 2022 08:30:54 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=RKr2mNOD; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235703AbiJ0PGT (ORCPT + 99 others); Thu, 27 Oct 2022 11:06:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49730 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235650AbiJ0PGH (ORCPT ); Thu, 27 Oct 2022 11:06:07 -0400 Received: from mail-yw1-x114a.google.com (mail-yw1-x114a.google.com [IPv6:2607:f8b0:4864:20::114a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6FBEBDCEB9 for ; Thu, 27 Oct 2022 08:06:06 -0700 (PDT) Received: by mail-yw1-x114a.google.com with SMTP id 00721157ae682-36fc0644f51so15175647b3.17 for ; Thu, 27 Oct 2022 08:06:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=cc:to:from:subject:references:mime-version:message-id:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=co6QgImvBY6rg4iltv5GQDLPg23wAqLBYYMlaysrcLQ=; b=RKr2mNODlbVwgZbH8QfPexb80BB0KK62G47Vn4P9JLluupGBH+f9mnrZWxTXWE+8EQ 6W2sgp5Je3yj/2tgVl/WulUUZTGUx27d7Kkhf74NeinxvMQNG6a9fD+8Ded7sxkFqj39 02sboYXwqP5ihDu2EZum47cC30JOM56VEBtwWCaG6qB4lyVYhMcR2v6WSctPyd5Hkcdw xa9YrtTEhKUl+UJOL462AsY3y2urK/U1cF3g6+JXQDyG1iNXPCYf15h8E9OuMT0kE7+N glt3+SDD5dM++vBlIsdM1rMfcKxND/joOkoFZAYfJJoH0kvdj5H8pGxWJAT1eVFh3Lfa z8rg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:from:subject:references:mime-version:message-id:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=co6QgImvBY6rg4iltv5GQDLPg23wAqLBYYMlaysrcLQ=; b=Ieus2oAOWAOmZm0jr/OL5EsYPLwc/I2RN48y6aCxzSLqM+7wdbOnOXIzBRAxRz4pKj SYFFG0+HQraNhXacEO4rfeUaeNBKL3AsAmIp4BRfdDmRj6sk6psNjbT/7WDLKWTpk4Hc LEyL+ImYqkSsO9YLHtrZGVVg8p1JsMg1UHmAsHiL2A61tWfgabOAPrtKtcoLsb8M48eE 29l9qmuDCiZMQtZCGSMpVfOEwi2F8mUpeRN70mc73QwtKvUIhNh6lbjPNGr9reWbT1QG Jy5a5rZHtLtE3odGUGiL8g6u8MMgtHOV4xz5nzMjXVs+K535FJJIx8U2iAE6rSmJMh8W RsCQ== X-Gm-Message-State: ACrzQf0rjXGAAoQSjhi5nb2N10KDJdOkPhwDfe9cJyjbAWEuw/QIUuaw eI9gTIN+NMgYPcv+3uewugekFgoev3U= X-Received: from pgonda1.kir.corp.google.com ([2620:0:1008:11:da0c:de35:6ecf:7c48]) (user=pgonda job=sendgmr) by 2002:a25:9885:0:b0:6b3:e9a7:4952 with SMTP id l5-20020a259885000000b006b3e9a74952mr48322400ybo.294.1666883165611; Thu, 27 Oct 2022 08:06:05 -0700 (PDT) Date: Thu, 27 Oct 2022 08:05:58 -0700 In-Reply-To: <20221027150558.722062-1-pgonda@google.com> Message-Id: <20221027150558.722062-3-pgonda@google.com> Mime-Version: 1.0 References: <20221027150558.722062-1-pgonda@google.com> X-Mailer: git-send-email 2.38.0.135.g90850a2211-goog Subject: [PATCH V3 2/2] virt: sev: Allow for retrying SNP extended requests From: Peter Gonda To: thomas.lendacky@amd.com Cc: Peter Gonda , Borislav Petkov , Michael Roth , Haowen Bai , Yang Yingliang , Marc Orr , David Rientjes , Ashish Kalra , linux-kernel@vger.kernel.org, kvm@vger.kernel.org Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-9.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org If an SNP Extended Request is placed without enough data pages the host will return an error to the guest and tell it the number of required data pages. If we place an extended request without enogh data page we can retry the command portion of the request using an SNP Request. This allows us to keep our command sequence numbers with the ASP in sync while also supporting the SNP Extended Request's data size querying capability. This happens inside of snp_issue_guest_request() to keep the safety of the sequence numbers easy. Any failure snp_issue_guest_request() should result in no further of the VMCPK due to issues with the sequence number being the IV in the AES-GCM communication channel. IV reuse, meaning sequence number reuse in this driver, can result in the secure channel being compromised. Signed-off-by: Peter Gonda Cc: Borislav Petkov Cc: Tom Lendacky Cc: Michael Roth Cc: Haowen Bai Cc: Yang Yingliang Cc: Marc Orr Cc: David Rientjes Cc: Ashish Kalra Cc: linux-kernel@vger.kernel.org Cc: kvm@vger.kernel.org --- arch/x86/include/asm/svm.h | 6 ++++++ arch/x86/kernel/sev.c | 28 ++++++++++++++++++++----- drivers/virt/coco/sev-guest/sev-guest.c | 2 +- 3 files changed, 30 insertions(+), 6 deletions(-) diff --git a/arch/x86/include/asm/svm.h b/arch/x86/include/asm/svm.h index 0361626841bc..3886b8ea18ae 100644 --- a/arch/x86/include/asm/svm.h +++ b/arch/x86/include/asm/svm.h @@ -585,6 +585,12 @@ struct vmcb { (unsigned long *)&ghcb->save.valid_bitmap); \ } \ \ + static __always_inline void ghcb_clear_##field(const struct ghcb *ghcb) \ + { \ + clear_bit(GHCB_BITMAP_IDX(field), \ + (unsigned long *)&ghcb->save.valid_bitmap); \ + } \ + \ static __always_inline u64 ghcb_get_##field(struct ghcb *ghcb) \ { \ return ghcb->save.field; \ diff --git a/arch/x86/kernel/sev.c b/arch/x86/kernel/sev.c index a428c62330d3..3f7e2105ef97 100644 --- a/arch/x86/kernel/sev.c +++ b/arch/x86/kernel/sev.c @@ -2213,12 +2213,30 @@ int snp_issue_guest_request(u64 exit_code, struct snp_req_data *input, unsigned goto e_put; if (ghcb->save.sw_exit_info_2) { - /* Number of expected pages are returned in RBX */ + /* For a SNP Extended Request, if the request was placed with + * insufficient data pages. The host will return the number of + * pages required using RBX in the GHCB. We can than retry the + * call as an SNP Request to fulfill the command without getting + * the extended request data. + */ if (exit_code == SVM_VMGEXIT_EXT_GUEST_REQUEST && - ghcb->save.sw_exit_info_2 == SNP_GUEST_REQ_INVALID_LEN) - input->data_npages = ghcb_get_rbx(ghcb); - - *fw_err = ghcb->save.sw_exit_info_2; + ghcb->save.sw_exit_info_2 == SNP_GUEST_REQ_INVALID_LEN) { + int npages = ghcb_get_rbx(ghcb); + + ghcb_clear_rax(ghcb); + ghcb_clear_rbx(ghcb); + + ret = sev_es_ghcb_hv_call(ghcb, &ctxt, + SVM_VMGEXIT_GUEST_REQUEST, + input->req_gpa, + input->resp_gpa); + if (ret) + goto e_put; + + input->data_npages = npages; + *fw_err = SNP_GUEST_REQ_INVALID_LEN; + } else + *fw_err = ghcb->save.sw_exit_info_2; ret = -EIO; } diff --git a/drivers/virt/coco/sev-guest/sev-guest.c b/drivers/virt/coco/sev-guest/sev-guest.c index 8c54ea84bc57..ede07c0ec0c3 100644 --- a/drivers/virt/coco/sev-guest/sev-guest.c +++ b/drivers/virt/coco/sev-guest/sev-guest.c @@ -496,7 +496,7 @@ static int get_ext_report(struct snp_guest_dev *snp_dev, struct snp_guest_reques if (!resp) return -ENOMEM; - snp_dev->input.data_npages = sizeof(*snp_dev->certs_data) >> PAGE_SHIFT; + snp_dev->input.data_npages = req_cert_len >> PAGE_SHIFT; ret = handle_guest_request(snp_dev, SVM_VMGEXIT_EXT_GUEST_REQUEST, arg->msg_version, SNP_MSG_REPORT_REQ, &req.data, sizeof(req.data), resp->data, resp_len, &arg->fw_err); -- 2.38.0.135.g90850a2211-goog