Received: by 2002:ab2:6203:0:b0:1f5:f2ab:c469 with SMTP id o3csp2555447lqt; Mon, 22 Apr 2024 14:24:11 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCU4jAL8Sk720I6LjIyctnGtnissEQVXzCFdLkjGqjvOB8jJQlZJV2E0Gltflis8vgWhobbnKryOUbSUPIBMJZQU0Ucch8aBU5APBvpMCA== X-Google-Smtp-Source: AGHT+IH++qfulV1wDQ4KF/wZo4hniJdJC8wGj5NepxD2RSsOZ1gxOaBOKzhOg69K0xTkOOaFEK6I X-Received: by 2002:a17:907:d9e:b0:a51:d522:13c8 with SMTP id go30-20020a1709070d9e00b00a51d52213c8mr8238441ejc.60.1713821051659; Mon, 22 Apr 2024 14:24:11 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1713821051; cv=pass; d=google.com; s=arc-20160816; b=Eoszuudcy30QMDQvB4Ej3cygq8sHpe5c0cqHyNleeV2gnDTmFFYyOlU98MBEtR5RCk anXIlQeKDNwq8vhSt7YdyTcbquVvA6os/gBRLxwtTVC/ZhXFI7FrPIZuwzCaiLdxHzp+ QAozKg1CpnRqJvmQYW2rCMZq5s1BVDdqrBWTLugTB3cLxN++5jHfZfBV2dqrNST5xUWF HF2rA/MSWoY0pt+Cg8Q3WLEIeKNLBIufD/TYmjnqdVkRQZdVLiGSmmRfz5m2HZOPRsMQ TXxdlnGMcpVAiMdHJKlvZXkC5WJnjWvsvZ9X+oiTCO2s3IZl6WUT3lrKwwS66TQUWhD0 nGrg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=cc:to:from:subject:message-id:references:mime-version :list-unsubscribe:list-subscribe:list-id:precedence:in-reply-to:date :dkim-signature; bh=5uVx/t9/onkYc8i256VPb5hdTG5OQAkMTur1j7RQo/Y=; fh=p21ARqVva5A2tdrmth8JD/B/A7j6Yx9NtjST9KM9x/4=; b=yWYImzFmZcChFffgq3yXZTcPIa0Y+x4ExDXBKUEjfGcaqiAUiBRo/twQ5ZyKXlgZG6 uSAp1vHqwdxL1u6Q9zCy9L+z4MkDE1s+YvoUqEa7v968Aap4257hahluvtWsolm/eTt3 fHTF5E1ex4Y71IlzAFbchD1Imi2uSuoLfdR3BwDxYmxaajk2hSktxe5OLcy95wQBjMxZ x7s+xQI9SD3rVPqrdbLyHRc+n8fbzUCql5FrU0zmR9ibFmemXHaXT0q/QjuFM46QzD0u vNqbN9WDJgItzZhNR3lDAcGsWrXWeI27g3QyCuqXGS9CAl1Xza14c8BGsU9CgTA67aYu a0XA==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=b5OdWMtw; arc=pass (i=1 spf=pass spfdomain=flex--seanjc.bounces.google.com dkim=pass dkdomain=google.com dmarc=pass fromdomain=google.com); spf=pass (google.com: domain of linux-kernel+bounces-154042-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-154042-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249]) by mx.google.com with ESMTPS id u12-20020a170906b10c00b00a55b037fe3fsi2280736ejy.104.2024.04.22.14.24.11 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 22 Apr 2024 14:24:11 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-154042-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=b5OdWMtw; arc=pass (i=1 spf=pass spfdomain=flex--seanjc.bounces.google.com dkim=pass dkdomain=google.com dmarc=pass fromdomain=google.com); spf=pass (google.com: domain of linux-kernel+bounces-154042-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-154042-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 3ADD91F21D8A for ; Mon, 22 Apr 2024 21:24:11 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id F1B5C1CD2E; Mon, 22 Apr 2024 21:24:01 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="b5OdWMtw" Received: from mail-yw1-f202.google.com (mail-yw1-f202.google.com [209.85.128.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 908AF1CAAE for ; Mon, 22 Apr 2024 21:23:59 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.202 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713821041; cv=none; b=XGJASs2zfvtyK3CJtgLxOMecs5TYiY2PtT/U3f6AQZ2+7iYVoKZLwkuTyNhlm0hJVR9njcz5xpN24halcmV0hPlxRhse2SagRLtMfX+9IvOb+H9sw/ot+p6ojzwjscPeJ9r3jEzZLzszd76LOauB99DICNZsytJ00job4DVcJ3Q= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713821041; c=relaxed/simple; bh=IKLpE47qOBMBz0cAqZg5lsOAv2Lseafvdp0sCBMbxdA=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=U7oy/XgqaacpxWRoXut3Pmc47C1lyrwg+Oku+YZ+CgbnYI6PlZn0Cyu3YHNn+0plSW+gYKF41vuJJx10lIWWciKl+TWne3w5uH6V9w2kiHAiDhk804RysVOzatbroAg9josT34jEuh4klKV+FB+jQCr1TSKh6T+h2VBjb4Juvqs= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=b5OdWMtw; arc=none smtp.client-ip=209.85.128.202 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com Received: by mail-yw1-f202.google.com with SMTP id 00721157ae682-61afa79081dso85249847b3.2 for ; Mon, 22 Apr 2024 14:23:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1713821038; x=1714425838; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=5uVx/t9/onkYc8i256VPb5hdTG5OQAkMTur1j7RQo/Y=; b=b5OdWMtwdKVXMDE2I4Du0g5UBvi8jdS4PAmeDFdpmP3tG/guCHTvf6iDFJupZOkTDO QHvEjBvnB+h4Gr9VTSigi95/oUF8GjwLXTU4/S706eb+iqur5g0Cnbwuj8csiOkVyLvt ukHsJFBYl2hO4HrJBGoT0O7eKNZgfmeq80ECMyqSgmil9uKqV9IIt3yVCA33hcOeT8Ud eJ6C7sxiLnVaR/QZLupHaMBO2dLpcirDxDT/S6M+SWuXkUmKkTuWsS2H8PRrM6bubp3Y XL2eK1Ynib5vKpg/b6JUIjBeop0i6i0CgUqMgAJ4u9i8SPn8RMyD7R84zoZTBmTt5jAl /ENA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713821038; x=1714425838; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=5uVx/t9/onkYc8i256VPb5hdTG5OQAkMTur1j7RQo/Y=; b=NfHMnc53o6W/xgHRa0MRb9Gllixjnvmxdi8/evTyi2l8C2CSqJoyjfeAPQni5pTd/Z xRkcG64h9g1TOop0e3wKYX0MRUQuX27CTjnYkvCJUJ21eznA6vPa1X0mwv/A91MnTb73 tIreB8oXz1AZCyeP2DdB1Rzcfi5e2wJJueUTh/47BbEkmpEGAS0ZJAwQDfxHwWmNrTxn koeedVG2dp9NOpR1aiLM6yX8yl9Tuv8zP1OxLS9XQwFVNKXgJSF8ZkoggEjgYrXNZCyr EVSNEYwqqplF3c2F9ss9zmRcVXa9Y5xEu2WzdycYntFxZ+x/j5YeEsteA8V/rz6Akpv+ /Pgw== X-Forwarded-Encrypted: i=1; AJvYcCUhyfNWiYY1YnEjCvoJgyU41Yoip97XpWbrpeXwQUwMsv6ZPV6jnEKm6ZMWbHzNNT/ySG5OTe2/loYlYwrPUiTLdPpgsrqHoWatcRGK X-Gm-Message-State: AOJu0YxtjNiuzoga5d/XKkzQssE2BkmDXaHFx1tP5rzVEFaGqLP5Z0eZ kY6klWKcbSm7eaa7qnKOLCip28WqsecZttwI7NHS9OJFVZKQ0UEeyOsOSjVf1dhvhlTKsg1Jps3 J8A== X-Received: from zagreus.c.googlers.com ([fda3:e722:ac3:cc00:7f:e700:c0a8:5c37]) (user=seanjc job=sendgmr) by 2002:a05:690c:13:b0:61b:3a8:3360 with SMTP id bc19-20020a05690c001300b0061b03a83360mr2745903ywb.1.1713821038654; Mon, 22 Apr 2024 14:23:58 -0700 (PDT) Date: Mon, 22 Apr 2024 14:23:57 -0700 In-Reply-To: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: Message-ID: Subject: Re: [RFC PATCH v5 09/29] KVM: selftests: TDX: Add report_fatal_error test From: Sean Christopherson To: Yan Zhao Cc: Ackerley Tng , sagis@google.com, linux-kselftest@vger.kernel.org, afranji@google.com, erdemaktas@google.com, isaku.yamahata@intel.com, pbonzini@redhat.com, shuah@kernel.org, pgonda@google.com, haibo1.xu@intel.com, chao.p.peng@linux.intel.com, vannapurve@google.com, runanwang@google.com, vipinsh@google.com, jmattson@google.com, dmatlack@google.com, linux-kernel@vger.kernel.org, kvm@vger.kernel.org, linux-mm@kvack.org Content-Type: text/plain; charset="us-ascii" On Thu, Apr 18, 2024, Yan Zhao wrote: > On Tue, Apr 16, 2024 at 11:50:19AM -0700, Sean Christopherson wrote: > > On Mon, Apr 15, 2024, Yan Zhao wrote: > > > On Mon, Apr 15, 2024 at 08:05:49AM +0000, Ackerley Tng wrote: > > > > >> The Intel GHCI Spec says in R12, bit 63 is set if the GPA is valid. As a > > > > > But above "__LINE__" is obviously not a valid GPA. > > > > > > > > > > Do you think it's better to check "data_gpa" is with shared bit on and > > > > > aligned in 4K before setting bit 63? > > > > > > > > > > > > > I read "valid" in the spec to mean that the value in R13 "should be > > > > considered as useful" or "should be passed on to the host VMM via the > > > > TDX module", and not so much as in "validated". > > > > > > > > We could validate the data_gpa as you suggested to check alignment and > > > > shared bit, but perhaps that could be a higher-level function that calls > > > > tdg_vp_vmcall_report_fatal_error()? > > > > > > > > If it helps, shall we rename "data_gpa" to "data" for this lower-level, > > > > generic helper function and remove these two lines > > > > > > > > if (data_gpa) > > > > error_code |= 0x8000000000000000; > > > > > > > > A higher-level function could perhaps do the validation as you suggested > > > > and then set bit 63. > > > This could be all right. But I'm not sure if it would be a burden for > > > higher-level function to set bit 63 which is of GHCI details. > > > > > > What about adding another "data_gpa_valid" parameter and then test > > > "data_gpa_valid" rather than test "data_gpa" to set bit 63? > > > > Who cares what the GHCI says about validity? The GHCI is a spec for getting > > random guests to play nice with random hosts. Selftests own both, and the goal > > of selftests is to test that KVM (and KVM's dependencies) adhere to their relevant > > specs. And more importantly, KVM is NOT inheriting the GHCI ABI verbatim[*]. > > > > So except for the bits and bobs that *KVM* (or the TDX module) gets involved in, > > just ignore the GHCI (or even deliberately abuse it). To put it differently, use > > selftests verify *KVM's* ABI and functionality. > > > > As it pertains to this thread, while I haven't looked at any of this in detail, > > I'm guessing that whether or not bit 63 is set is a complete "don't care", i.e. > > KVM and the TDX Module should pass it through as-is. > > > > [*] https://lore.kernel.org/all/Zg18ul8Q4PGQMWam@google.com > Ok. It makes sense to KVM_EXIT_TDX. > But what if the TDVMCALL is handled in TDX specific code in kernel in future? > (not possible?) KVM will "handle" ReportFatalError, and will do so before this code lands[*], but I *highly* doubt KVM will ever do anything but forward the information to userspace, e.g. as KVM_SYSTEM_EVENT_CRASH with data[] filled in with the raw register information. > Should guest set bits correctly according to GHCI? No. Selftests exist first and foremost to verify KVM behavior, not to verify firmware behavior. We can and should use selftests to verify that *KVM* doesn't *violate* the GHCI, but that doesn't mean that selftests themselves can't ignore and/or abuse the GCHI, especially since the GHCI definition for ReportFatalError is frankly awful. E.g. the GHCI prescibes actual behavior for R13, but then doesn't say *anything* about what's in the data page. Why!?!?! If the format in the data page is completely undefined, what's the point of restricting R13 to only be allowed to hold a GPA? And the wording is just as awful: The VMM must validate that this GPA has the Shared bit set. In other words, that a shared-mapping is used, and that this is a valid mapping for the TD. I'm pretty sure it's just saying that the TDX module isn't going to verify the operate, i.e. that the VMM needs to protect itself, but it would be so much better to simply state "The TDX Module does not verify this GPA", because saying the VMM "must" do something leads to pointless discussions like this one, where we're debating over whether or *our* VMM should inject an error into *our* guest. Anyways, we should do what makes sense for selftests and ignore the stupidity of the GHCI when doing so yields better code. If that means abusing R13, go for it. If it's a sticking point for anyone, just use one of the "optional" registers. Whatever we do, bury the host and guest side of selftests behind #defines or helpers so that there are at most two pieces of code that care which register holds which piece of information. [*] https://lore.kernel.org/all/20240404230247.GU2444378@ls.amr.corp.intel.com