Received: by 2002:a05:7412:419a:b0:f3:1519:9f41 with SMTP id i26csp4651159rdh; Wed, 29 Nov 2023 07:11:45 -0800 (PST) X-Google-Smtp-Source: AGHT+IEJPK8u4bd0zzC8jFyLAgRHTFN0YGP6xA+97uxXXNK9HIRyGlSUAEMZeM6Ba62PnNNyorQl X-Received: by 2002:a05:6a20:9390:b0:18c:5178:9649 with SMTP id x16-20020a056a20939000b0018c51789649mr18313813pzh.14.1701270705544; Wed, 29 Nov 2023 07:11:45 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1701270705; cv=none; d=google.com; s=arc-20160816; b=PZLeLlFmj35S0KGDytF5MdhnWsr3uSV2J7TmKPy0detdk718ttTtbxzXPdzTcaP764 rt4UuytQOac+c7YnM1ZoSNV5maCUPavqMajXJMK+4ObZT7mXklvJ/CEzV4sjrLyUuRQQ +I5RDu9q9xfyDdIoe9DLq8Jy3wN2qNtjJw9pYGbD5FZ5OtCNai2zocHdYRHhciBi3LCo /O36AZi28i71jnWZnkqo4oQX075IshKAmm4Llf9PFlEa0bM8QfbjT5VrA0qeNtq9fCVs q/1YyNfA/DfAYaNZjQpn/VFPR5JsqT0qTAv0ypX2yEU/Ij4m11u5lriXa8nQ57M/fOIa qXrg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=btN5tbam3yqIPjlfWdTIz2dHUDvBepULrUMXX0YMLuQ=; fh=kei6SBN4xws1RAuYOx3AQc5F+MJ0RjC8wypkIV1b5+M=; b=GoGYdkmiMVBS4d9bnESUb1EbEz2iDBRUgwmJHCjEf1GzHPWqJwxFrYXRLTp4clkNkS BzCGr5UwwSGXpTurNRHSpXXfX0lXbmFBMkDLJIEFYU8tL6wWolZIO2w504h3iEea2q1b wLiXJkBoDni+vu3o6cuhjir7C7ac0uwONzB/y1Wh2vBoFhQDMAH2NcCuokNR1rUHZ9kT wHzqafbJcRVz00F0Wi3sqHp1hh62eoMwaL9e/XNEUxIstDyL3uI5JUbnVf7YLuMbYuM2 KMrbCdQ9vn+ECtavoL5AL5E5lMscu9Ht2LqCLv80c5OMZDj8rJJQhEAxoKQzMrHq6gT3 YPPg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=H2BP+IkY; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:6 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from pete.vger.email (pete.vger.email. [2620:137:e000::3:6]) by mx.google.com with ESMTPS id y15-20020a056a00190f00b006cbe3c123a6si14477789pfi.9.2023.11.29.07.11.45 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 29 Nov 2023 07:11:45 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:6 as permitted sender) client-ip=2620:137:e000::3:6; Authentication-Results: mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=H2BP+IkY; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:6 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by pete.vger.email (Postfix) with ESMTP id 5B6B580AE548; Wed, 29 Nov 2023 07:11:42 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at pete.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231215AbjK2PL1 (ORCPT + 99 others); Wed, 29 Nov 2023 10:11:27 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48660 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230489AbjK2PLT (ORCPT ); Wed, 29 Nov 2023 10:11:19 -0500 X-Greylist: delayed 62 seconds by postgrey-1.37 at lindbergh.monkeyblade.net; Wed, 29 Nov 2023 07:11:25 PST Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.13]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B5F1CA3; Wed, 29 Nov 2023 07:11:25 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1701270686; x=1732806686; h=date:from:to:cc:subject:message-id:references: mime-version:in-reply-to; bh=+WmXrJbd+4V27ux01qGWHb6jKBIycuX+25UjSdydb/I=; b=H2BP+IkYuW3BxhwKR0bIzT/geZs7X8pGilk4etDN7bJGROnTX0ZbJtzX MVxfMZvh1RqaYri3twMfU1KHotqyT0pAKXtYYByofonYDJecsTNwYJ1p3 y45V5bKj/zV2GIVvUlm9YZbJLfFNCsfBXshKnYHGq3PaZbrJ238YSYaT4 H8TtPw23Obh46DGz+K+hVLYg65S4GLpACXcSRvLIU2Fb77dz819gi9tQB UYaW+68ILcm/00CzVphkl9EfYyrYeSrIUJj4h9TZGgjNdVsYWOCcX+098 ID5XhADax4t4apkxMypjfLlc4uLOaT2fvpgvCrwxSAIXagJyjwKf2j7iP A==; X-IronPort-AV: E=McAfee;i="6600,9927,10909"; a="162829" X-IronPort-AV: E=Sophos;i="6.04,235,1695711600"; d="scan'208";a="162829" Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by orvoesa105.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 29 Nov 2023 07:10:23 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10909"; a="1016292536" X-IronPort-AV: E=Sophos;i="6.04,235,1695711600"; d="scan'208";a="1016292536" Received: from padamowi-mobl1.ger.corp.intel.com (HELO box.shutemov.name) ([10.252.60.113]) by fmsmga006-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 29 Nov 2023 07:10:16 -0800 Received: by box.shutemov.name (Postfix, from userid 1000) id E10D010A424; Wed, 29 Nov 2023 18:10:12 +0300 (+03) Date: Wed, 29 Nov 2023 18:10:12 +0300 From: "kirill.shutemov@linux.intel.com" To: Michael Kelley Cc: "tglx@linutronix.de" , "mingo@redhat.com" , "bp@alien8.de" , "dave.hansen@linux.intel.com" , "x86@kernel.org" , "hpa@zytor.com" , "kys@microsoft.com" , "haiyangz@microsoft.com" , "wei.liu@kernel.org" , "decui@microsoft.com" , "luto@kernel.org" , "peterz@infradead.org" , "akpm@linux-foundation.org" , "urezki@gmail.com" , "hch@infradead.org" , "lstoakes@gmail.com" , "thomas.lendacky@amd.com" , "ardb@kernel.org" , "jroedel@suse.de" , "seanjc@google.com" , "rick.p.edgecombe@intel.com" , "sathyanarayanan.kuppuswamy@linux.intel.com" , "linux-kernel@vger.kernel.org" , "linux-coco@lists.linux.dev" , "linux-hyperv@vger.kernel.org" , "linux-mm@kvack.org" Subject: Re: [PATCH v2 0/8] x86/coco: Mark CoCo VM pages not present when changing encrypted state Message-ID: <20231129151012.4un33hvk4nrsicou@box> References: <20231121212016.1154303-1-mhklinux@outlook.com> <20231124100627.avltdnuhminwuzax@box> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-0.8 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on pete.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (pete.vger.email [0.0.0.0]); Wed, 29 Nov 2023 07:11:42 -0800 (PST) On Tue, Nov 28, 2023 at 07:12:33PM +0000, Michael Kelley wrote: > From: kirill.shutemov@linux.intel.com Sent: Friday, November 24, 2023 2:06 AM > > > > On Tue, Nov 21, 2023 at 01:20:08PM -0800, mhkelley58@gmail.com wrote: > > > From: Michael Kelley > > > > > > In a CoCo VM when a page transitions from encrypted to decrypted, or vice > > > versa, attributes in the PTE must be updated *and* the hypervisor must > > > be notified of the change. > > > > Strictly speaking it is not true for TDX. Conversion to shared can be > > implicit: set shared bit and touch the page will do the conversion. MapGPA > > is optional. > > Interesting. Given that, is there a reason to use the explicit > hypervisor callbacks in for private->shared transitions in > __set_mem_enc_pgtable()? It probably doesn't have direct relevance > to this patch series, but I'm just trying to understand the tradeoffs of > the implicit vs. explicit approach. And am I correct that > shared->private transitions must use the explicit approach? It must be explicit in sense, that the memory has to be accepted before use. MapGPA() is still optional. I don't like this implicit tricks. I spent a lot of time debugging an issue that was obscured by this semantics. But I think it is going to say :/ > > > Because there are two separate steps, there's > > > a window where the settings are inconsistent. Normally the code that > > > initiates the transition (via set_memory_decrypted() or > > > set_memory_encrypted()) ensures that the memory is not being accessed > > > during a transition, so the window of inconsistency is not a problem. > > > However, the load_unaligned_zeropad() function can read arbitrary memory > > > pages at arbitrary times, which could read a transitioning page during > > > the window. In such a case, CoCo VM specific exceptions are taken > > > (depending on the CoCo architecture in use). Current code in those > > > exception handlers recovers and does "fixup" on the result returned by > > > load_unaligned_zeropad(). Unfortunately, this exception handling can't > > > work in paravisor scenarios (TDX Paritioning and SEV-SNP in vTOM mode) > > > if the exceptions are routed to the paravisor. The paravisor can't > > > do load_unaligned_zeropad() fixup, so the exceptions would need to > > > be forwarded from the paravisor to the Linux guest, but there are > > > no architectural specs for how to do that. > > > > Hm. Can't we inject #PF (or #GP) into L2 if #VE/#VC handler in L1 sees > > cross-page access to shared memory while no fixup entry for the page in > > L1. It would give L2 chance to handle the situation in a transparent way. > > > > Maybe I miss something, I donno. > > I'm recounting what the Hyper-V paravisor folks say without knowing all the > details. :-( But it seems like any kind of forwarding scheme needs to be a > well-defined contract that would work for both TDX and SEV-SNP. The > paravisor in L1 might or might not be Linux-based, so the contract must be OS > independent. And the L2 guest might or might not be Linux, so there's > potential for some other kind of error to be confused with a Linux > load_unaligned_zeropad() reference. Okay, fair enough. I have hard time reasoning if it is okay for L2 which is not Linux. -- Kiryl Shutsemau / Kirill A. Shutemov