Received: by 2002:a05:6500:1b41:b0:1fb:d597:ff75 with SMTP id cz1csp216945lqb; Tue, 4 Jun 2024 09:15:50 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCWU5pxPwP/ZQlgS8AH6uYMf5mdzGYwPBB2uZAPlMmsQCr/dQUY1a4dbsvuGJnyeegwPHwz0rwPR1uiGVCuKIgxZ+hFJ2K59PetmugJvog== X-Google-Smtp-Source: AGHT+IEEW1Jl24NiZCKIKGsDBbUepAb4iDUkuUKWRzGUdcUvQouCKg4Vl5qwexXzCZd8HmnWb03w X-Received: by 2002:a05:6102:441:b0:48b:d61d:e14f with SMTP id ada2fe7eead31-48bf237e3f5mr2205697137.15.1717517750623; Tue, 04 Jun 2024 09:15:50 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1717517750; cv=pass; d=google.com; s=arc-20160816; b=Z0rz62JIC27OuKy6caC2Sq5qZOVp01Fsg5inNMxBMJxAeLTzWtYAgF64scNK0uZJiZ yFYiaYxXEBPqUsg2Lkl6nJLdyKxSRPBmtcgrHJNGrE58dIo6nnm8Z5/3MyOVFrh7TjVS r/KzzWehs2BU5DRBBphv+JgZz2Z3XjQ+X+PORaYFk5imf/9fGJvoJyMzIzQwpEi266Xk 4Wu4Vo/gP5zkhuHBfRJzJ9srywtfAR7MpJd+QO0E3tcu+6NEAPUL/ji0ELcQyOy/jXDc G1oYNcNq+67eODSwCY4I66bAlTHJCNqRfDLMFvIM7GSHfVeJ+llkHDMNxBUtecTelcn0 vqRQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:message-id:subject:cc :to:from:date:dkim-signature; bh=GuzgtHHO+4u627F9UmMMAvCCzRmR83/qTkJhH4+qOMU=; fh=46UXBNXzKCaH+wfVSmuaW1Qwq/JpZwSnvxh177Sotzw=; b=fY7BRDNci12ByXQ0PXihHjEHM454zJKQmD1hr6Z79X2nV06Jyylf5PzMBfAuBbc6cd 9PBRmEjsPo4j8cfY6m7eyGfDoYAMtlUUvK693Co1gWWF+fPTwPWqiOMTe9eAW7hHCMoI LYVbSqztbLjPXh4XOfvxOR1a0VQrM8tL05k9lsjcKJxw8II0RfCzHBJvoALjgdEisbmv 71Hg++EiDQSTL/tcATM0wIBUBKKf7Bzw4dtwmgwwkBRZuBIXvagjUI2IQLolu8NPT0fD YHgkQZzDvOTlaIS/pCRo56K70XtKjxr3MdcwbUxlI6sxilCWNzaULOezZ82hviOhMlt1 7jmg==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=WtLHZuiA; arc=pass (i=1 dkim=pass dkdomain=intel.com dmarc=pass fromdomain=linux.intel.com); spf=pass (google.com: domain of linux-kernel+bounces-201048-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-201048-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1]) by mx.google.com with ESMTPS id ada2fe7eead31-48bbcff2d35si2074083137.556.2024.06.04.09.15.50 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 04 Jun 2024 09:15:50 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-201048-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=WtLHZuiA; arc=pass (i=1 dkim=pass dkdomain=intel.com dmarc=pass fromdomain=linux.intel.com); spf=pass (google.com: domain of linux-kernel+bounces-201048-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-201048-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 569111C220BE for ; Tue, 4 Jun 2024 16:15:50 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 172461482FD; Tue, 4 Jun 2024 16:15:43 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b="WtLHZuiA" Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id AA0DE77A1E; Tue, 4 Jun 2024 16:15:40 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=198.175.65.19 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717517742; cv=none; b=BhzuxEfBlfywyJp+pg8/4oUetD/dVlGjbcTfy2FsjvcoQ/i3g4vzySCIf66eNI7AJMkjMRch27HHwZ0MEBBeGdlCLUvh2d2hQId5viQjr2zjo3pOmgyE2I/3jyNWcT31lnrs2B17X3/1MYpRt1rwio8UBZ3++hhk5AslcIb5eoc= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717517742; c=relaxed/simple; bh=FdB/ePnDZSRVgvQ6ho4nvAZLZ9MKKUp6zPgj0fsmBT0=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=RCjSD9MR6E69Fx4SVDxO9+hsX+S68QNyPTXyFPJzTQ48+hPa6KnTWSFMlF7KvK3Ov2A1qPT3Xl7Ib3DaE0Z6jdEsMEGsoXehFpjK4uwwLxMiLiqQOaoHwUkgKO6NIcb1dNOBjDFfMlCjC1HNs16tLLW82h0v6H/NiLjZG4tU+ww= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.intel.com; spf=none smtp.mailfrom=linux.intel.com; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b=WtLHZuiA; arc=none smtp.client-ip=198.175.65.19 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.intel.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=linux.intel.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1717517741; x=1749053741; h=date:from:to:cc:subject:message-id:references: mime-version:in-reply-to; bh=FdB/ePnDZSRVgvQ6ho4nvAZLZ9MKKUp6zPgj0fsmBT0=; b=WtLHZuiASEMrXgjJqjQPZXl2HU2zcLDGJTTcGKZyVjMa3OgsdAD475ia CtL2L3j1PeKZBg+WHtBs8jq71GcXIzTL10ywFpbnDqbcHxZF6U9ZnSxgv dq47qaXooPFEkVnQeh8XIbOepjLUruiEbKPu6y7ASWQA9cUL0M48ZGWHZ Ic1veRPSHx3ozyI64xTIDHuxJ1/EAhyq5kuD61kSA64VO8qno/crNuzyt mZa7mVT3RATKavf75OE4Bvf70rBciaguJwBNFeDxQQo3dReNIDIvqOfoa vDGTFE5m/fk6A0kQebQGIJ+GVHDEXEsmoNxnaN8iqM+7mgANmka9B615f g==; X-CSE-ConnectionGUID: +vwpHT7LQIiUlhy7kiJ4bQ== X-CSE-MsgGUID: lBm2DoanTMq8Yn+juoclMg== X-IronPort-AV: E=McAfee;i="6600,9927,11093"; a="13919193" X-IronPort-AV: E=Sophos;i="6.08,214,1712646000"; d="scan'208";a="13919193" Received: from orviesa007.jf.intel.com ([10.64.159.147]) by orvoesa111.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 04 Jun 2024 09:14:09 -0700 X-CSE-ConnectionGUID: 0CVQCKxPTSCYB4M9kCwP9g== X-CSE-MsgGUID: TiJr7ixrT6GQ0MRToY57eA== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.08,214,1712646000"; d="scan'208";a="37927043" Received: from black.fi.intel.com ([10.237.72.28]) by orviesa007.jf.intel.com with ESMTP; 04 Jun 2024 09:14:01 -0700 Received: by black.fi.intel.com (Postfix, from userid 1000) id 427362DC; Tue, 04 Jun 2024 19:14:00 +0300 (EEST) Date: Tue, 4 Jun 2024 19:14:00 +0300 From: "Kirill A. Shutemov" To: Dave Hansen Cc: Borislav Petkov , adrian.hunter@intel.com, ardb@kernel.org, ashish.kalra@amd.com, bhe@redhat.com, dave.hansen@linux.intel.com, elena.reshetova@intel.com, haiyangz@microsoft.com, hpa@zytor.com, jun.nakajima@intel.com, kai.huang@intel.com, kexec@lists.infradead.org, kys@microsoft.com, linux-acpi@vger.kernel.org, linux-coco@lists.linux.dev, linux-hyperv@vger.kernel.org, linux-kernel@vger.kernel.org, ltao@redhat.com, mingo@redhat.com, peterz@infradead.org, rafael@kernel.org, rick.p.edgecombe@intel.com, sathyanarayanan.kuppuswamy@linux.intel.com, seanjc@google.com, tglx@linutronix.de, thomas.lendacky@amd.com, x86@kernel.org Subject: Re: [PATCHv11.1 11/19] x86/tdx: Convert shared memory back to private on kexec Message-ID: References: <20240531151442.GMZlnpYkDCRlg1_YS0@fat_crate.local> <20240602142303.3263551-1-kirill.shutemov@linux.intel.com> <20240603083754.GAZl2A4uXvVB5w4l9u@fat_crate.local> <78d33a31-0ef2-417b-a240-b2880b64518e@intel.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <78d33a31-0ef2-417b-a240-b2880b64518e@intel.com> On Tue, Jun 04, 2024 at 08:47:22AM -0700, Dave Hansen wrote: > On 6/4/24 08:32, Kirill A. Shutemov wrote: > > What about the comment below? > > > > /* > > * One possible reason for the failure is if kexec raced > > * with memory conversion. In this case shared bit in > > * page table got set (or not cleared) during > > * shared<->private conversion, but the page is actually > > * private. So this failure is not going to affect the > > * kexec'ed kernel. > > * > > * The only thing one can do at this point on failure > > * at this point is panic. In absence of better options, > > * it is reasonable to proceed, hoping the failure is a > > * benign shared bit mismatch due to the race. > > * > > * Also, even if the failure is real and the page cannot > > * be touched as private, the kdump kernel will boot > > * fine as it uses pre-reserved memory. What happens > > * next depends on what the dumping process does and > > * there's a reasonable chance to produce useful dump > > * on crash. > > * > > * Regardless, the print leaves a trace in the log to > > * give a clue for debug. > > */ > > It's rambling too much for my taste. > > Let's boil this down to what matters: > > 1. Failures to change encryption status here can lead a future kernel > to touch shared memory with a private mapping > 2. That causes an immediate unrecoverable guest shutdown (right?) Right. > 3. kdump kernels should not be affected since they have their own > memory ranges and its encryption status is not being tweawked here > 4. The pr_err() may help make some sense out of #2 when it happens > > I'm not sure the reason behind the failed conversion is important here. The important part is that failure can be benign. It explains "can" in #1. But okay. > I wouldn't mention panic(). > > We don't need to opine about what the next kernel might or might not do. Is this any better? /* * If tdx_enc_status_changed() fails, it leaves memory * in an unknown state. If the memory remains shared, * it can result in an unrecoverable guest shutdown on * the first accessed through a private mapping. * * The kdump kernel boot is not impacted as it uses * a pre-reserved memory range that is always private. * However, gathering crash information could lead to * a crash if it accesses unconverted memory through * a private mapping. * * pr_err() may assist in understanding such crashes. */ -- Kiryl Shutsemau / Kirill A. Shutemov