Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp1312524rwb;
        Thu, 15 Dec 2022 08:38:46 -0800 (PST)
X-Google-Smtp-Source: AA0mqf5V+OaXt/Trex7sKRkw/xA/kVIj7SjOX0SKcPL5yQhYkbcqwapdfuTZ7gG0Dj0YLfgWgNpE
X-Received: by 2002:a17:902:f646:b0:185:441e:224a with SMTP id m6-20020a170902f64600b00185441e224amr16549273plg.69.1671122326722;
        Thu, 15 Dec 2022 08:38:46 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1671122326; cv=none;
        d=google.com; s=arc-20160816;
        b=xGMahjTVfRq6yVC8uNz6OsYgqZYfV2YrQS9/RWgb3ytULCXuHBrP5v9nckcG9lfW0f
         OYSo+XtWRcu3AoUdRDDZMkdAggVohe3SpYjmbzo9k7Dt88gwKMuZAGc5xia4eczQ+r8Q
         brHvpG8Bptlz7mM3dwDT+FQFWaOlph4ufDawmm+Wq1fBSs22tq3nyYOmH2ZiP1Uo6XeZ
         oKPhtWG8TLVZ5jWz9TY96Ruw1CRsW1dav200hQ6XW9dBOFNpElq3w3+f0E7ab+KSWOZu
         M0D4QCWvS14yBO7UuW5fPMGn0swAwBbjrnlir/k7Xna9eg/N/SzZTf/XhuluT6vRe66r
         LKJA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=l9KLsnuhCFGA8onKek+23THAU0dD5exQI7TnED3TAjw=;
        b=dKledSFAWYdKPwetN6hAk4Zo6dk/tY1XV7jpLA9Lu3Q9NLPlHmTtpw7c5j56lS/AZd
         PN2xIW6zfkofGddJFlKPS52wNlGgVhWgWBN61XqMDAdmz/CRJRvX4Z8lRuE6qkVLkFzZ
         AqDPaFvPRGQdwmuYJmR2+WxhaL4AtAL6nx7nkpZnuJzZ+gp/jdkWsBg2DTR632YYbwoa
         kimqvCfeo0RhGJ7EA6f2FYIlrFijv4UKxatPClxCV/zIAbEe0kEM665H8QFYL9RkooL+
         D/EJcNkGvnADyhQ8Z789MCVRxq5ISeKrK4KOPI6t5ZwbXCh9eH+upatvvQm4LM7hpxSx
         ri+w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@intel.com header.s=Intel header.b="cG/dSPSs";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id i68-20020a636d47000000b00477bf2ebf14si3599675pgc.266.2022.12.15.08.38.36;
        Thu, 15 Dec 2022 08:38:46 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@intel.com header.s=Intel header.b="cG/dSPSs";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230175AbiLOPlX (ORCPT <rfc822;2014014876lha@gmail.com>
        + 68 others); Thu, 15 Dec 2022 10:41:23 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59382 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229668AbiLOPlU (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 15 Dec 2022 10:41:20 -0500
Received: from mga09.intel.com (mga09.intel.com [134.134.136.24])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 01EF4EBD
        for <linux-kernel@vger.kernel.org>; Thu, 15 Dec 2022 07:41:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1671118880; x=1702654880;
  h=date:from:to:cc:subject:message-id:references:
   mime-version:in-reply-to;
  bh=2spTJNDqOA3JU359JYb+gDTvNuuQDCTXFiO+1qLec6I=;
  b=cG/dSPSsYpxfchlazAV25jSZggydNWxLUAdFd53q7TSy1n71PImSseCD
   PIyvwMT5v2H9nRlPKqsXOXwiFqf8ylB40Nua2Einzbk4+rRxjZ5PiCZDI
   PRT7uuaVdSj4p2G1qKHDAkMvUHvwE1cprBz/aiLDKivUDV4CNzVeL/xpg
   qFJODWtlEVIeGjnqzFeUxlwQFO4+726UsDWPfoEQKdZ1Ja1Io5o9d83es
   NQ5aA1rYUGoDb2MkWoT+817/eimdxVkYZSC/c0XdBOvIzx02eJN4h7UKw
   yRFj/9NAqhDsjFuFiPBjtbNwf36G6i2ZFWJSNcZMOSn8ZM2GsXTbXiyvS
   A==;
X-IronPort-AV: E=McAfee;i="6500,9779,10562"; a="319872883"
X-IronPort-AV: E=Sophos;i="5.96,247,1665471600"; 
   d="scan'208";a="319872883"
Received: from orsmga007.jf.intel.com ([10.7.209.58])
  by orsmga102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 15 Dec 2022 07:40:23 -0800
X-IronPort-AV: E=McAfee;i="6500,9779,10562"; a="642962422"
X-IronPort-AV: E=Sophos;i="5.96,247,1665471600"; 
   d="scan'208";a="642962422"
Received: from milawils-mobl.ger.corp.intel.com (HELO box.shutemov.name) ([10.251.217.73])
  by orsmga007-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 15 Dec 2022 07:40:21 -0800
Received: by box.shutemov.name (Postfix, from userid 1000)
        id 48A1E109448; Thu, 15 Dec 2022 18:40:18 +0300 (+03)
Date:   Thu, 15 Dec 2022 18:40:18 +0300
From:   "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
To:     Dave Hansen <dave.hansen@intel.com>
Cc:     Borislav Petkov <bp@alien8.de>, Andy Lutomirski <luto@kernel.org>,
        Kuppuswamy Sathyanarayanan 
        <sathyanarayanan.kuppuswamy@linux.intel.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        Elena Reshetova <elena.reshetova@intel.com>, x86@kernel.org,
        linux-coco@lists.linux.dev, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 3/4] x86/tdx: Relax SEPT_VE_DISABLE check for debug TD
Message-ID: <20221215154018.dyoce56wfpvlihxt@box.shutemov.name>
References: <20221209132524.20200-1-kirill.shutemov@linux.intel.com>
 <20221209132524.20200-4-kirill.shutemov@linux.intel.com>
 <4e595e75-2c5f-e114-9c2c-37689870639c@intel.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4e595e75-2c5f-e114-9c2c-37689870639c@intel.com>
X-Spam-Status: No, score=-4.3 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,
        RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_NONE
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Dec 13, 2022 at 03:13:43PM -0800, Dave Hansen wrote:
> On 12/9/22 05:25, Kirill A. Shutemov wrote:
> > SEPT_VE_DISABLE check is required to keep the TD protected from VMM
> > attacks, but it makes harder to debug guest kernel bugs. If guest
> > touches unaccepted memory the TD will get terminated without any
> > traces on what has happened.
> 
> This is a bit sparse.
> 
> --
> 
> A "SEPT #VE" occurs when a TDX guest touches memory that is not properly
> mapped into the "secure EPT".  This can be the result of hypervisor
> attacks or bugs, *OR* guest bugs.  Most notably, buggy guests might
> touch unaccepted memory for lots of different memory safety bugs like
> buffer overflows.
> 
> TDX guests do not want to continue in the face of hypervisor attacks or
> hypervisor bugs.  They want to terminate as fast and safely as possible.
>  SEPT_VE_DISABLE ensures that TDX guests *can't* continue in the face of
> these kinds of issues.
> 
> But, that causes a problem.  TDX guests that can't continue can't spit
> out oopses or other debugging info.  In essence SEPT_VE_DISABLE=1 guests
> are not debuggable.  That's a problem.
> 
> --
> 
> Eh?

Thanks!

> > Relax the SEPT_VE_DISABLE check to warning on debug TD and panic() in
> > the #VE handler on EPT-violation on private memory. It will produce
> > useful backtrace.
> > 
> > Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
> > ---
> >  arch/x86/coco/tdx/tdx.c | 14 ++++++++++++--
> >  1 file changed, 12 insertions(+), 2 deletions(-)
> > 
> > diff --git a/arch/x86/coco/tdx/tdx.c b/arch/x86/coco/tdx/tdx.c
> > index 8ad04d101270..0e47846ff8ff 100644
> > --- a/arch/x86/coco/tdx/tdx.c
> > +++ b/arch/x86/coco/tdx/tdx.c
> > @@ -38,6 +38,7 @@
> >  #define VE_GET_PORT_NUM(e)	((e) >> 16)
> >  #define VE_IS_IO_STRING(e)	((e) & BIT(4))
> >  
> > +#define ATTR_DEBUG		BIT(0)
> >  #define ATTR_SEPT_VE_DISABLE	BIT(28)
> >  
> >  /* TDX Module call error codes */
> > @@ -207,8 +208,15 @@ static void tdx_parse_tdinfo(u64 *cc_mask)
> >  	 * TD-private memory.  Only VMM-shared memory (MMIO) will #VE.
> >  	 */
> >  	td_attr = out.rdx;
> > -	if (!(td_attr & ATTR_SEPT_VE_DISABLE))
> > -		tdx_panic("TD misconfiguration: SEPT_VE_DISABLE attribute must be set.");
> > +	if (!(td_attr & ATTR_SEPT_VE_DISABLE)) {
> > +		const char *msg = "TD misconfiguration: SEPT_VE_DISABLE attribute must be set.";
> > +
> > +		/* Relax SEPT_VE_DISABLE check for debug TD. */
> > +		if (td_attr & ATTR_DEBUG)
> > +			pr_warn("%s\n", msg);
> > +		else
> > +			tdx_panic(msg);
> > +	}
> >  }
> >  
> >  /*
> > @@ -682,6 +690,8 @@ static int virt_exception_kernel(struct pt_regs *regs, struct ve_info *ve)
> >  	case EXIT_REASON_CPUID:
> >  		return handle_cpuid(regs, ve);
> >  	case EXIT_REASON_EPT_VIOLATION:
> > +		if (ve->gpa != cc_mkdec(ve->gpa))
> > +			panic("Unexpected EPT-violation on private memory.");
> 
> What's the cc_mkdec() doing?

Checks if the GPA is private. I will move it to helper. Like this:

static inline bool is_private_gpa(u64 gpa)
{
	return gpa == cc_mkenc(gpa);
}

-- 
  Kiryl Shutsemau / Kirill A. Shutemov