Received: by 2002:a05:7412:f690:b0:e2:908c:2ebd with SMTP id ej16csp566667rdb; Thu, 19 Oct 2023 12:13:32 -0700 (PDT) X-Google-Smtp-Source: AGHT+IE1EKDIhaPHRI8clAcMaXmyMEuUgpW/87cErdPCufVJcEWL8XLG/N5BJoOeEK/tZQoDSSha X-Received: by 2002:a17:90b:38c8:b0:27d:2c3c:7e25 with SMTP id nn8-20020a17090b38c800b0027d2c3c7e25mr3060031pjb.46.1697742811838; Thu, 19 Oct 2023 12:13:31 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1697742811; cv=none; d=google.com; s=arc-20160816; b=zFoPk9rDhWhqTZPvbfKq6jcDwKloKmepJlGr+4dFNJZ1+QpF9JjV9FX1k8/wsBI1+R +aABhDsZKIY4LHusqsBdiH/MjQya/aHo2GH6DUUXw5M1oN2sOOMf3xl9VN52W3XYdZuE HH9CxH36KzO0VF0fBH0pvJ2vpbeFGHv9JXtqiOjpl4xtQychC3kG2nbXxxalv4bk1uuw Wq3/VKivgYrbEBO6odGKHKqjitl+4uEC8kXAVmLc9/zEpHhUHuEgcB6sv7NBR9mJGOIb D7TSDTUhZ2g+pD2ujpN69xVQt376UetQGP6Kyv9vBJYN9xAn3xmhDvsOLHBIkxMcfF8c stmw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:autocrypt :from:references:to:content-language:subject:user-agent:mime-version :date:message-id:dkim-signature; bh=xlQdLwmjsK13UW9ocdXkBrveGOrRV6DqbEPXuM3N0uk=; fh=0lobLjrWsN2E3ZvIksAFJ6Bri+PLC29JVvxCA7Kssxw=; b=EYXnYJ0SLuoUO4UdB7fOIuQgnVPqHUVAYIVOzdgVNBFct0+XMdy/Q6Pm1wtcg5YKhf 6MTtAxglXaTU+e/TVcDai9vpIsjHZYuc8vyJlpwMNAbfKCXZNm/qVB1Op7WJitGJRkRm cek+wb5oPmZ2KjB36f/PAHbfqjqGgPqCOTnm7tlsj/hkbsE9jIuBAd7IDyzfSKG4Qdr2 fOKalncPzICCkle6oVBQDaz9QIOCOKZkrSVFb9TfPLQcMpmgsz2BNcMM1R5hAhZ9zYSV OmRpujl9xigqpHcjtUOWuCpL2I0yCOqUp2zR5GjsZxwdhae0zpDa6J5+PeYovLEBs2+8 zbUQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=NyQQOOCm; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from snail.vger.email (snail.vger.email. [2620:137:e000::3:7]) by mx.google.com with ESMTPS id oj16-20020a17090b4d9000b0027ce5a78453si315038pjb.29.2023.10.19.12.13.31 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 19 Oct 2023 12:13:31 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) client-ip=2620:137:e000::3:7; Authentication-Results: mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=NyQQOOCm; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by snail.vger.email (Postfix) with ESMTP id CD33C8273306; Thu, 19 Oct 2023 12:13:30 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at snail.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345525AbjJSTN0 (ORCPT + 99 others); Thu, 19 Oct 2023 15:13:26 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49888 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232935AbjJSTNZ (ORCPT ); Thu, 19 Oct 2023 15:13:25 -0400 Received: from mgamail.intel.com (mgamail.intel.com [192.55.52.93]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7269DBE; Thu, 19 Oct 2023 12:13:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1697742804; x=1729278804; h=message-id:date:mime-version:subject:to:references:from: in-reply-to:content-transfer-encoding; bh=ZJC8rrHuNIoci9DqC6b4f56zRDd7mS77CoHPmU6d+kw=; b=NyQQOOCm6L9/FOsUvr94GOEt4eijupD5Qz4/Q5KOQIwVE2teaNw8uehr 3yEjfoMUFC4XLCdghiveQ2ak/8CzhOdKklNy87Go9FkPCktXbOGJNo5xY RsFGnMPlkJ7+q3H6YsKIfsanig/QNqqKQ4E+1OJqgoEolvJ4wmMK7nf+i LdRz8iLu7wdUHdjRuomFNaWe1HgaYfXWECu9g6UDuC2HGT5rcU+pQUz+S dikobMGafKCUinaCe2Fo6+4tvlKQYXyYOWoQ/PF/qQev9bDMzm40UI0l9 BiU07ZcwbEJEHHHW+QVHufPhdmVINwKk0fdi0LjY1IhAc5cXnRozYywIs A==; X-IronPort-AV: E=McAfee;i="6600,9927,10868"; a="383559824" X-IronPort-AV: E=Sophos;i="6.03,238,1694761200"; d="scan'208";a="383559824" Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by fmsmga102.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 19 Oct 2023 12:13:23 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10868"; a="1004344527" X-IronPort-AV: E=Sophos;i="6.03,238,1694761200"; d="scan'208";a="1004344527" Received: from nsuwanda-mobl.amr.corp.intel.com (HELO [10.212.222.219]) ([10.212.222.219]) by fmsmga006-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 19 Oct 2023 12:13:22 -0700 Message-ID: <73b02835-dbd6-4662-91f9-e8324d8cbf98@intel.com> Date: Thu, 19 Oct 2023 12:13:20 -0700 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH 00/10] Handle set_memory_XXcrypted() errors Content-Language: en-US To: "Michael Kelley (LINUX)" , Rick Edgecombe , "x86@kernel.org" , "tglx@linutronix.de" , "mingo@redhat.com" , "bp@alien8.de" , "dave.hansen@linux.intel.com" , "hpa@zytor.com" , "luto@kernel.org" , "peterz@infradead.org" , "kirill.shutemov@linux.intel.com" , "elena.reshetova@intel.com" , "isaku.yamahata@intel.com" , "seanjc@google.com" , "thomas.lendacky@amd.com" , Dexuan Cui , "sathyanarayanan.kuppuswamy@linux.intel.com" , "linux-mm@kvack.org" , "linux-kernel@vger.kernel.org" , "linux-s390@vger.kernel.org" References: <20231017202505.340906-1-rick.p.edgecombe@intel.com> From: Dave Hansen Autocrypt: addr=dave.hansen@intel.com; keydata= xsFNBE6HMP0BEADIMA3XYkQfF3dwHlj58Yjsc4E5y5G67cfbt8dvaUq2fx1lR0K9h1bOI6fC oAiUXvGAOxPDsB/P6UEOISPpLl5IuYsSwAeZGkdQ5g6m1xq7AlDJQZddhr/1DC/nMVa/2BoY 2UnKuZuSBu7lgOE193+7Uks3416N2hTkyKUSNkduyoZ9F5twiBhxPJwPtn/wnch6n5RsoXsb ygOEDxLEsSk/7eyFycjE+btUtAWZtx+HseyaGfqkZK0Z9bT1lsaHecmB203xShwCPT49Blxz VOab8668QpaEOdLGhtvrVYVK7x4skyT3nGWcgDCl5/Vp3TWA4K+IofwvXzX2ON/Mj7aQwf5W iC+3nWC7q0uxKwwsddJ0Nu+dpA/UORQWa1NiAftEoSpk5+nUUi0WE+5DRm0H+TXKBWMGNCFn c6+EKg5zQaa8KqymHcOrSXNPmzJuXvDQ8uj2J8XuzCZfK4uy1+YdIr0yyEMI7mdh4KX50LO1 pmowEqDh7dLShTOif/7UtQYrzYq9cPnjU2ZW4qd5Qz2joSGTG9eCXLz5PRe5SqHxv6ljk8mb ApNuY7bOXO/A7T2j5RwXIlcmssqIjBcxsRRoIbpCwWWGjkYjzYCjgsNFL6rt4OL11OUF37wL QcTl7fbCGv53KfKPdYD5hcbguLKi/aCccJK18ZwNjFhqr4MliQARAQABzUVEYXZpZCBDaHJp c3RvcGhlciBIYW5zZW4gKEludGVsIFdvcmsgQWRkcmVzcykgPGRhdmUuaGFuc2VuQGludGVs LmNvbT7CwXgEEwECACIFAlQ+9J0CGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEGg1 lTBwyZKwLZUP/0dnbhDc229u2u6WtK1s1cSd9WsflGXGagkR6liJ4um3XCfYWDHvIdkHYC1t MNcVHFBwmQkawxsYvgO8kXT3SaFZe4ISfB4K4CL2qp4JO+nJdlFUbZI7cz/Td9z8nHjMcWYF IQuTsWOLs/LBMTs+ANumibtw6UkiGVD3dfHJAOPNApjVr+M0P/lVmTeP8w0uVcd2syiaU5jB aht9CYATn+ytFGWZnBEEQFnqcibIaOrmoBLu2b3fKJEd8Jp7NHDSIdrvrMjYynmc6sZKUqH2 I1qOevaa8jUg7wlLJAWGfIqnu85kkqrVOkbNbk4TPub7VOqA6qG5GCNEIv6ZY7HLYd/vAkVY E8Plzq/NwLAuOWxvGrOl7OPuwVeR4hBDfcrNb990MFPpjGgACzAZyjdmYoMu8j3/MAEW4P0z F5+EYJAOZ+z212y1pchNNauehORXgjrNKsZwxwKpPY9qb84E3O9KYpwfATsqOoQ6tTgr+1BR CCwP712H+E9U5HJ0iibN/CDZFVPL1bRerHziuwuQuvE0qWg0+0SChFe9oq0KAwEkVs6ZDMB2 P16MieEEQ6StQRlvy2YBv80L1TMl3T90Bo1UUn6ARXEpcbFE0/aORH/jEXcRteb+vuik5UGY 5TsyLYdPur3TXm7XDBdmmyQVJjnJKYK9AQxj95KlXLVO38lczsFNBFRjzmoBEACyAxbvUEhd GDGNg0JhDdezyTdN8C9BFsdxyTLnSH31NRiyp1QtuxvcqGZjb2trDVuCbIzRrgMZLVgo3upr MIOx1CXEgmn23Zhh0EpdVHM8IKx9Z7V0r+rrpRWFE8/wQZngKYVi49PGoZj50ZEifEJ5qn/H Nsp2+Y+bTUjDdgWMATg9DiFMyv8fvoqgNsNyrrZTnSgoLzdxr89FGHZCoSoAK8gfgFHuO54B lI8QOfPDG9WDPJ66HCodjTlBEr/Cwq6GruxS5i2Y33YVqxvFvDa1tUtl+iJ2SWKS9kCai2DR 3BwVONJEYSDQaven/EHMlY1q8Vln3lGPsS11vSUK3QcNJjmrgYxH5KsVsf6PNRj9mp8Z1kIG qjRx08+nnyStWC0gZH6NrYyS9rpqH3j+hA2WcI7De51L4Rv9pFwzp161mvtc6eC/GxaiUGuH BNAVP0PY0fqvIC68p3rLIAW3f97uv4ce2RSQ7LbsPsimOeCo/5vgS6YQsj83E+AipPr09Caj 0hloj+hFoqiticNpmsxdWKoOsV0PftcQvBCCYuhKbZV9s5hjt9qn8CE86A5g5KqDf83Fxqm/ vXKgHNFHE5zgXGZnrmaf6resQzbvJHO0Fb0CcIohzrpPaL3YepcLDoCCgElGMGQjdCcSQ+Ci FCRl0Bvyj1YZUql+ZkptgGjikQARAQABwsFfBBgBAgAJBQJUY85qAhsMAAoJEGg1lTBwyZKw l4IQAIKHs/9po4spZDFyfDjunimEhVHqlUt7ggR1Hsl/tkvTSze8pI1P6dGp2XW6AnH1iayn yRcoyT0ZJ+Zmm4xAH1zqKjWplzqdb/dO28qk0bPso8+1oPO8oDhLm1+tY+cOvufXkBTm+whm +AyNTjaCRt6aSMnA/QHVGSJ8grrTJCoACVNhnXg/R0g90g8iV8Q+IBZyDkG0tBThaDdw1B2l asInUTeb9EiVfL/Zjdg5VWiF9LL7iS+9hTeVdR09vThQ/DhVbCNxVk+DtyBHsjOKifrVsYep WpRGBIAu3bK8eXtyvrw1igWTNs2wazJ71+0z2jMzbclKAyRHKU9JdN6Hkkgr2nPb561yjcB8 sIq1pFXKyO+nKy6SZYxOvHxCcjk2fkw6UmPU6/j/nQlj2lfOAgNVKuDLothIxzi8pndB8Jju KktE5HJqUUMXePkAYIxEQ0mMc8Po7tuXdejgPMwgP7x65xtfEqI0RuzbUioFltsp1jUaRwQZ MTsCeQDdjpgHsj+P2ZDeEKCbma4m6Ez/YWs4+zDm1X8uZDkZcfQlD9NldbKDJEXLIjYWo1PH hYepSffIWPyvBMBTW2W5FRjJ4vLRrJSUoEfJuPQ3vW9Y73foyo/qFoURHO48AinGPZ7PC7TF vUaNOTjKedrqHkaOcqB185ahG2had0xnFsDPlx5y In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_NONE,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]); Thu, 19 Oct 2023 12:13:31 -0700 (PDT) On 10/19/23 10:05, Michael Kelley (LINUX) wrote: > I'm more in favor of the "simply panic" approach. What you've done > in your Patch 1 and Patch 2 is an intriguing way to try to get the memory > back into a consistent state. But I'm concerned that there are failure > modes that make it less than 100% foolproof (more on that below). If > we can't be sure that the memory is back in a consistent state, then the > original problem isn't fully solved. I'm also not sure of the value of > investing effort to ensure that some errors cases are handled without > panic'ing. The upside benefit of not panic'ing seems small compared to > the downside risk of leaking guest VM data to the host. panic() should be a last resort. We *always* continue unless we know that something is so bad that we're going to make things worse by continuing to run. We shouldn't panic() on the first little thing that goes wrong. If folks want *that*, then they can set panic_on_warn. > My concern about Patches 1 and 2 is that the encryption bit in the PTE > is not a reliable indicator of the state that the host thinks the page is > in. Changing the state requires two steps (in either order): 1) updating > the guest VM PTEs, and 2) updating the host's view of the page state. > Both steps may be done on a range of pages. If #2 fails, the guest > doesn't know which pages in the batch were updated and which were > not, so the guest PTEs may not match the host state. In such a case, > set_memory_encrypted() could succeed based on checking the > PTEs when in fact the host still thinks some of the pages are shared. > Such a mismatch will produce a guest panic later on if the page is > referenced. I think that's OK. In the end, the page state is controlled by the VMM. The guest has zero control. All it can do is make the PTEs consistent and hold on for dear life. That's a general statement and not specific to this problem. In other words, it's fine for CoCo folks to be paranoid. It's fine for them to set panic_on_{warn,oops,whatever}=1. But it's *NOT* fine to say that every TDX guest will want to do that.