Date: Tue, 16 May 2023 14:59:56 -0700
Subject: Re: [PATCHv11 6/9] efi/unaccepted: Avoid load_unaligned_zeropad() stepping into unaccepted memory
From: Dave Hansen
To: "Kirill A. Shutemov"
Cc: Ard Biesheuvel, "Kirill A. Shutemov", Borislav Petkov, Andy Lutomirski, Sean Christopherson, Andrew Morton, Joerg Roedel, Andi Kleen, Kuppuswamy Sathyanarayanan, David Rientjes, Vlastimil Babka, Tom Lendacky, Thomas Gleixner, Peter Zijlstra, Paolo Bonzini, Ingo Molnar, Dario Faggioli, Mike Rapoport, David Hildenbrand, Mel Gorman, marcelo.cerri@canonical.com, tim.gardner@canonical.com, khalid.elmously@canonical.com, philip.cox@canonical.com, aarcange@redhat.com, peterx@redhat.com, x86@kernel.org, linux-mm@kvack.org, linux-coco@lists.linux.dev, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, Dave Hansen
X-Mailing-List: linux-kernel@vger.kernel.org

On 5/16/23 14:52, Kirill A. Shutemov wrote:
> On Tue, May 16, 2023 at 01:03:32PM -0700, Dave Hansen wrote:
>> On 5/16/23 11:35, Ard Biesheuvel wrote:
>>>>> Does this mean that the kernel maps memory before accepting it? As
>>>>> otherwise, I would assume that such an access would page fault inside
>>>>> the guest before triggering an exception related to the unaccepted
>>>>> state.
>>>> Yes, the kernel maps memory before accepting it (modulo things like
>>>> DEBUG_PAGEALLOC).
>>>>
>>> OK, and so the architecture stipulates that prefetching or other
>>> speculative accesses must never deliver exceptions to the host
>>> regarding such ranges?
>> I don't know of anywhere that this is explicitly written. It's probably
>> implicit _somewhere_ in the reams of VMX/TDX and base SDM docs, but heck
>> if I know where it is.
> It is not specific to TDX: on x86 (and all architectures with precise
> exceptions) exception handling is delayed until instruction retirement and
> will not happen if speculation turned out to be wrong. And prefetching
> never generates exceptions.

Not to be Debbie Downer too much here, but it's *totally* possible for
speculative execution to go read memory that causes you to machine
check. We've had such bugs in Linux.

We just happen to be lucky in this case that the unaccepted memory
exceptions don't generate machine checks *AND* TDX hardware does not
machine check on speculative accesses that would _just_ violate TDX
security properties.

You're right for normal, sane exceptions, though.