Date: Thu, 15 Dec 2022 18:40:18 +0300
From: "Kirill A. Shutemov"
To: Dave Hansen
Cc: Borislav Petkov, Andy Lutomirski, Kuppuswamy Sathyanarayanan, Thomas Gleixner, Elena Reshetova, x86@kernel.org, linux-coco@lists.linux.dev, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 3/4] x86/tdx: Relax SEPT_VE_DISABLE check for debug TD
Message-ID: <20221215154018.dyoce56wfpvlihxt@box.shutemov.name>

On Tue, Dec 13, 2022 at 03:13:43PM -0800, Dave Hansen wrote:
> On 12/9/22 05:25, Kirill A. Shutemov wrote:
> > SEPT_VE_DISABLE check is required to keep the TD protected from VMM
> > attacks, but it makes harder to debug guest kernel bugs. If guest
> > touches unaccepted memory the TD will get terminated without any
> > traces on what has happened.
>
> This is a bit sparse.
>
> --
>
> A "SEPT #VE" occurs when a TDX guest touches memory that is not properly
> mapped into the "secure EPT". This can be the result of hypervisor
> attacks or bugs, *OR* guest bugs. Most notably, buggy guests might
> touch unaccepted memory for lots of different memory safety bugs like
> buffer overflows.
>
> TDX guests do not want to continue in the face of hypervisor attacks or
> hypervisor bugs. They want to terminate as fast and safely as possible.
> SEPT_VE_DISABLE ensures that TDX guests *can't* continue in the face of > these kinds of issues. > > But, that causes a problem. TDX guests that can't continue can't spit > out oopses or other debugging info. In essence SEPT_VE_DISABLE=1 guests > are not debuggable. That's a problem. > > -- > > Eh? Thanks! > > Relax the SEPT_VE_DISABLE check to warning on debug TD and panic() in > > the #VE handler on EPT-violation on private memory. It will produce > > useful backtrace. > > > > Signed-off-by: Kirill A. Shutemov > > --- > > arch/x86/coco/tdx/tdx.c | 14 ++++++++++++-- > > 1 file changed, 12 insertions(+), 2 deletions(-) > > > > diff --git a/arch/x86/coco/tdx/tdx.c b/arch/x86/coco/tdx/tdx.c > > index 8ad04d101270..0e47846ff8ff 100644 > > --- a/arch/x86/coco/tdx/tdx.c > > +++ b/arch/x86/coco/tdx/tdx.c > > @@ -38,6 +38,7 @@ > > #define VE_GET_PORT_NUM(e) ((e) >> 16) > > #define VE_IS_IO_STRING(e) ((e) & BIT(4)) > > > > +#define ATTR_DEBUG BIT(0) > > #define ATTR_SEPT_VE_DISABLE BIT(28) > > > > /* TDX Module call error codes */ > > @@ -207,8 +208,15 @@ static void tdx_parse_tdinfo(u64 *cc_mask) > > * TD-private memory. Only VMM-shared memory (MMIO) will #VE. > > */ > > td_attr = out.rdx; > > - if (!(td_attr & ATTR_SEPT_VE_DISABLE)) > > - tdx_panic("TD misconfiguration: SEPT_VE_DISABLE attribute must be set."); > > + if (!(td_attr & ATTR_SEPT_VE_DISABLE)) { > > + const char *msg = "TD misconfiguration: SEPT_VE_DISABLE attribute must be set."; > > + > > + /* Relax SEPT_VE_DISABLE check for debug TD. */ > > + if (td_attr & ATTR_DEBUG) > > + pr_warn("%s\n", msg); > > + else > > + tdx_panic(msg); > > + } > > } > > > > /* 
> > @@ -682,6 +690,8 @@ static int virt_exception_kernel(struct pt_regs *regs, struct ve_info *ve) > > case EXIT_REASON_CPUID: > > return handle_cpuid(regs, ve); > > case EXIT_REASON_EPT_VIOLATION: > > + if (ve->gpa != cc_mkdec(ve->gpa)) > > + panic("Unexpected EPT-violation on private memory."); > > What's the cc_mkdec() doing? Checks if the GPA is private. I will move it to helper. Like this: static inline bool is_private_gpa(u64 gpa) { return gpa == cc_mkenc(gpa); } -- Kiryl Shutsemau / Kirill A. Shutemov
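
Review bot: In the first hunk (@@ -38,6 +38,7), ATTR_DEBUG and ATTR_SEPT_VE_DISABLE form a group with no comment saying what they are bits of, unlike the "/* TDX Module call error codes */" group right below. A one-line comment stating that these are bits of the TD attributes word that tdx_parse_tdinfo() reads into td_attr would document where BIT(0) and BIT(28) come from.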
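
Review bot: In the tdx_parse_tdinfo() hunk (@@ -207,8 +208,15), the comment above the check still ends with "Only VMM-shared memory (MMIO) will #VE.", which no longer holds once a debug TD is allowed to continue without SEPT_VE_DISABLE. Update that comment to say debug TDs are exempt and that the #VE handler panics on a private-memory EPT violation instead. The pr_warn() also reuses "SEPT_VE_DISABLE attribute must be set." for a case the kernel now tolerates; a separate message saying the TD is a debug TD and boot continues would read less like a fatal error in the log.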
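
Review bot: In the EXIT_REASON_EPT_VIOLATION case (@@ -682,6 +690,8), the panic() string omits the faulting address even though the point of the change is a useful trace. panic() takes a format string, so ve->gpa can be printed, for example panic("Unexpected EPT-violation on private memory: gpa=%#llx", ve->gpa). The bare comparison ve->gpa != cc_mkdec(ve->gpa) also needs a name or a comment saying that it tests for a private GPA.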
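
A user-space model of the two checks discussed in this thread, added here as an illustration and not taken from the patch or the kernel tree. It shows that the test in the hunk (`cc_mkdec`) and the helper proposed in the reply (`cc_mkenc`) classify a GPA the same way. Assumptions: the shared bit is GPA bit 51, `cc_mkenc()`/`cc_mkdec()` are modeled as clearing/setting that bit, and the `td_boot_action` names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BIT_ULL(n)           (1ULL << (n))
#define ATTR_DEBUG           BIT_ULL(0)   /* bit position from the patch */
#define ATTR_SEPT_VE_DISABLE BIT_ULL(28)  /* bit position from the patch */

/* Assumption for this demo: the shared bit is the top bit of a 52-bit GPA. */
static const uint64_t cc_mask = BIT_ULL(51);

/* Models of the kernel helpers: a private GPA has the shared bit clear. */
static uint64_t cc_mkenc(uint64_t gpa) { return gpa & ~cc_mask; }
static uint64_t cc_mkdec(uint64_t gpa) { return gpa | cc_mask; }

enum td_boot_action { TD_BOOT_OK, TD_BOOT_WARN, TD_BOOT_PANIC };

/* Boot-time decision in tdx_parse_tdinfo() as changed by the patch. */
static enum td_boot_action check_td_attr(uint64_t td_attr)
{
	if (td_attr & ATTR_SEPT_VE_DISABLE)
		return TD_BOOT_OK;
	/* Only a debug TD may continue without SEPT_VE_DISABLE. */
	return (td_attr & ATTR_DEBUG) ? TD_BOOT_WARN : TD_BOOT_PANIC;
}

/* The test as written in the hunk, and as proposed in the reply. */
static bool private_per_hunk(uint64_t gpa) { return gpa != cc_mkdec(gpa); }
static bool is_private_gpa(uint64_t gpa)   { return gpa == cc_mkenc(gpa); }

/* #VE-time decision for an EPT violation: true means the guest panics. */
static bool ept_violation_must_panic(uint64_t gpa)
{
	return is_private_gpa(gpa);
}

int main(void)
{
	/* Constructed sample GPAs: two private, two with the shared bit set. */
	const uint64_t gpas[] = { 0x0, 0x1000, cc_mask, cc_mask | 0xfee00000ULL };

	for (size_t i = 0; i < sizeof(gpas) / sizeof(gpas[0]); i++)
		printf("gpa=%#llx hunk=%d helper=%d panic=%d\n",
		       (unsigned long long)gpas[i], private_per_hunk(gpas[i]),
		       is_private_gpa(gpas[i]), ept_violation_must_panic(gpas[i]));
	printf("attr=0 -> %d, attr=DEBUG -> %d\n",
	       check_td_attr(0), check_td_attr(ATTR_DEBUG));
	return 0;
}
```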