Received: by 2002:a05:6a10:f3d0:0:0:0:0 with SMTP id a16csp3089756pxv; Mon, 12 Jul 2021 09:03:56 -0700 (PDT) X-Google-Smtp-Source: ABdhPJy2y13FD6jcEEBg2bWVIC15eJ+658slgBUF53rK6bu+Xdc22XpF0yRa255H6TkTzHd0Figv X-Received: by 2002:aa7:c39a:: with SMTP id k26mr12525655edq.24.1626105836280; Mon, 12 Jul 2021 09:03:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1626105836; cv=none; d=google.com; s=arc-20160816; b=E9gfT5jyBOAwght7yOsh8rMtSMzwq4txWwyz1YX4JWcR8UevytlfTD051WsO57CO9/ RrGuDB8Q8AHJ/Dq74KGniFS870VaPBgL1XplxpxDTuzz1pkh0RriwVDlgz/cEMBctRzP qvjLuyM1vLoji0mPqHkuyvdU00s0sH5Y7aoaEfkS68XWVjLD639+Z3P0tltiJpqtFjtN nAtp/3plkdayZW8Gn1gTKp2+n0eY1oid+pqP44CCxBtXivJ0G6/ifNF/nEIHLVFO2/Vt ++58JofCtGN97hu7SecYHHoMqzFSOX9SAXeahbT7rmpoYMiDKQEY5q5WY6S6Cw1j3m08 Sb/g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:autocrypt:from :references:cc:to:subject; bh=kDFRXplR9e94RWaqT8p512M18yPl32n33bqhXiOxS0U=; b=O3WgFkG085YyMlfADs+5KOWOQ3EMRvkEu1U4WyI6mC4oWB0z/vDi3anCmGHVWCNBmu GF091tQJe/wurW/y7kRSWcJs4JCPcPrqLkYnFgMd99svHYGTkFxKpKJTgAd8d3+ePYr0 fm/s8ySVUtdLVeJh3hsL51nsOelXQykdcdb+2S/WEQqFapblT+YtIwwEmmfg9Pl+twiu jwY99MLzAbpL5ASwufKjS4zDY6Qux/hgW9k26hkhawy0wgB3aUXIwYqYYcYHlKdzXaqu dDq9GRNPI0QP/0JFv4q7F8C4v9Z6+g1gh+mMRISavQoQggI/9uzQbnU8Di8Bv8A5vFw6 UEiA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b18si18949278edd.151.2021.07.12.09.03.26; Mon, 12 Jul 2021 09:03:56 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233708AbhGLQD6 (ORCPT + 99 others); Mon, 12 Jul 2021 12:03:58 -0400 Received: from mga04.intel.com ([192.55.52.120]:5970 "EHLO mga04.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229475AbhGLQD6 (ORCPT ); Mon, 12 Jul 2021 12:03:58 -0400 X-IronPort-AV: E=McAfee;i="6200,9189,10043"; a="208187470" X-IronPort-AV: E=Sophos;i="5.84,234,1620716400"; d="scan'208";a="208187470" Received: from orsmga008.jf.intel.com ([10.7.209.65]) by fmsmga104.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 12 Jul 2021 09:01:01 -0700 X-IronPort-AV: E=Sophos;i="5.84,234,1620716400"; d="scan'208";a="459231372" Received: from kpurma-mobl.amr.corp.intel.com (HELO [10.212.163.17]) ([10.212.163.17]) by orsmga008-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 12 Jul 2021 09:00:59 -0700 Subject: Re: [PATCH Part2 RFC v4 10/40] x86/fault: Add support to handle the RMP fault for user address To: Brijesh Singh , x86@kernel.org, linux-kernel@vger.kernel.org, kvm@vger.kernel.org, linux-efi@vger.kernel.org, platform-driver-x86@vger.kernel.org, linux-coco@lists.linux.dev, linux-mm@kvack.org, linux-crypto@vger.kernel.org Cc: Thomas Gleixner , Ingo Molnar , Joerg Roedel , Tom Lendacky , "H. Peter Anvin" , Ard Biesheuvel , Paolo Bonzini , Sean Christopherson , Vitaly Kuznetsov , Wanpeng Li , Jim Mattson , Andy Lutomirski , Dave Hansen , Sergio Lopez , Peter Gonda , Peter Zijlstra , Srinivas Pandruvada , David Rientjes , Dov Murik , Tobin Feldman-Fitzthum , Borislav Petkov , Michael Roth , Vlastimil Babka , tony.luck@intel.com, npmccallum@redhat.com, brijesh.ksingh@gmail.com References: <20210707183616.5620-1-brijesh.singh@amd.com> <20210707183616.5620-11-brijesh.singh@amd.com> <3c6b6fc4-05b2-8d18-2eb8-1bd1a965c632@intel.com> <2b4accb6-b68e-02d3-6fed-975f90558099@amd.com> From: Dave Hansen Autocrypt: addr=dave.hansen@intel.com; keydata= xsFNBE6HMP0BEADIMA3XYkQfF3dwHlj58Yjsc4E5y5G67cfbt8dvaUq2fx1lR0K9h1bOI6fC oAiUXvGAOxPDsB/P6UEOISPpLl5IuYsSwAeZGkdQ5g6m1xq7AlDJQZddhr/1DC/nMVa/2BoY 2UnKuZuSBu7lgOE193+7Uks3416N2hTkyKUSNkduyoZ9F5twiBhxPJwPtn/wnch6n5RsoXsb ygOEDxLEsSk/7eyFycjE+btUtAWZtx+HseyaGfqkZK0Z9bT1lsaHecmB203xShwCPT49Blxz VOab8668QpaEOdLGhtvrVYVK7x4skyT3nGWcgDCl5/Vp3TWA4K+IofwvXzX2ON/Mj7aQwf5W iC+3nWC7q0uxKwwsddJ0Nu+dpA/UORQWa1NiAftEoSpk5+nUUi0WE+5DRm0H+TXKBWMGNCFn c6+EKg5zQaa8KqymHcOrSXNPmzJuXvDQ8uj2J8XuzCZfK4uy1+YdIr0yyEMI7mdh4KX50LO1 pmowEqDh7dLShTOif/7UtQYrzYq9cPnjU2ZW4qd5Qz2joSGTG9eCXLz5PRe5SqHxv6ljk8mb ApNuY7bOXO/A7T2j5RwXIlcmssqIjBcxsRRoIbpCwWWGjkYjzYCjgsNFL6rt4OL11OUF37wL QcTl7fbCGv53KfKPdYD5hcbguLKi/aCccJK18ZwNjFhqr4MliQARAQABzShEYXZpZCBDaHJp c3RvcGhlciBIYW5zZW4gPGRhdmVAc3I3MS5uZXQ+wsF7BBMBAgAlAhsDBgsJCAcDAgYVCAIJ CgsEFgIDAQIeAQIXgAUCTo3k0QIZAQAKCRBoNZUwcMmSsMO2D/421Xg8pimb9mPzM5N7khT0 2MCnaGssU1T59YPE25kYdx2HntwdO0JA27Wn9xx5zYijOe6B21ufrvsyv42auCO85+oFJWfE K2R/IpLle09GDx5tcEmMAHX6KSxpHmGuJmUPibHVbfep2aCh9lKaDqQR07gXXWK5/yU1Dx0r VVFRaHTasp9fZ9AmY4K9/BSA3VkQ8v3OrxNty3OdsrmTTzO91YszpdbjjEFZK53zXy6tUD2d e1i0kBBS6NLAAsqEtneplz88T/v7MpLmpY30N9gQU3QyRC50jJ7LU9RazMjUQY1WohVsR56d ORqFxS8ChhyJs7BI34vQusYHDTp6PnZHUppb9WIzjeWlC7Jc8lSBDlEWodmqQQgp5+6AfhTD kDv1a+W5+ncq+Uo63WHRiCPuyt4di4/0zo28RVcjtzlGBZtmz2EIC3vUfmoZbO/Gn6EKbYAn rzz3iU/JWV8DwQ+sZSGu0HmvYMt6t5SmqWQo/hyHtA7uF5Wxtu1lCgolSQw4t49ZuOyOnQi5 f8R3nE7lpVCSF1TT+h8kMvFPv3VG7KunyjHr3sEptYxQs4VRxqeirSuyBv1TyxT+LdTm6j4a mulOWf+YtFRAgIYyyN5YOepDEBv4LUM8Tz98lZiNMlFyRMNrsLV6Pv6SxhrMxbT6TNVS5D+6 UorTLotDZKp5+M7BTQRUY85qARAAsgMW71BIXRgxjYNCYQ3Xs8k3TfAvQRbHccky50h99TUY sqdULbsb3KhmY29raw1bgmyM0a4DGS1YKN7qazCDsdQlxIJp9t2YYdBKXVRzPCCsfWe1dK/q 66UVhRPP8EGZ4CmFYuPTxqGY+dGRInxCeap/xzbKdvmPm01Iw3YFjAE4PQ4hTMr/H76KoDbD cq62U50oKC83ca/PRRh2QqEqACvIH4BR7jueAZSPEDnzwxvVgzyeuhwqHY05QRK/wsKuhq7s UuYtmN92Fasbxbw2tbVLZfoidklikvZAmotg0dwcFTjSRGEg0Gr3p/xBzJWNavFZZ95Rj7Et db0lCt0HDSY5q4GMR+SrFbH+jzUY/ZqfGdZCBqo0cdPPp58krVgtIGR+ja2Mkva6ah94/oQN lnCOw3udS+Eb/aRcM6detZr7XOngvxsWolBrhwTQFT9D2NH6ryAuvKd6yyAFt3/e7r+HHtkU kOy27D7IpjngqP+b4EumELI/NxPgIqT69PQmo9IZaI/oRaKorYnDaZrMXViqDrFdD37XELwQ gmLoSm2VfbOYY7fap/AhPOgOYOSqg3/Nxcapv71yoBzRRxOc4FxmZ65mn+q3rEM27yRztBW9 AnCKIc66T2i92HqXCw6AgoBJRjBkI3QnEkPgohQkZdAb8o9WGVKpfmZKbYBo4pEAEQEAAcLB XwQYAQIACQUCVGPOagIbDAAKCRBoNZUwcMmSsJeCEACCh7P/aaOLKWQxcnw47p4phIVR6pVL e4IEdR7Jf7ZL00s3vKSNT+nRqdl1ugJx9Ymsp8kXKMk9GSfmZpuMQB9c6io1qZc6nW/3TtvK pNGz7KPPtaDzvKA4S5tfrWPnDr7n15AU5vsIZvgMjU42gkbemkjJwP0B1RkifIK60yQqAAlT YZ14P0dIPdIPIlfEPiAWcg5BtLQU4Wg3cNQdpWrCJ1E3m/RIlXy/2Y3YOVVohfSy+4kvvYU3 lXUdPb04UPw4VWwjcVZPg7cgR7Izion61bGHqVqURgSALt2yvHl7cr68NYoFkzbNsGsye9ft M9ozM23JSgMkRylPSXTeh5JIK9pz2+etco3AfLCKtaRVysjvpysukmWMTrx8QnI5Nn5MOlJj 1Ov4/50JY9pXzgIDVSrgy6LYSMc4vKZ3QfCY7ipLRORyalFDF3j5AGCMRENJjHPD6O7bl3Xo 4DzMID+8eucbXxKiNEbs21IqBZbbKdY1GkcEGTE7AnkA3Y6YB7I/j9mQ3hCgm5muJuhM/2Fr OPsw5tV/LmQ5GXH0JQ/TZXWygyRFyyI2FqNTx4WHqUn3yFj8rwTAU1tluRUYyeLy0ayUlKBH ybj0N71vWO936MqP6haFERzuPAIpxj2ezwu0xb1GjTk4ynna6h5GjnKgdfOWoRtoWndMZxbA z5cecg== Message-ID: Date: Mon, 12 Jul 2021 09:00:56 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0 MIME-Version: 1.0 In-Reply-To: <2b4accb6-b68e-02d3-6fed-975f90558099@amd.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On 7/12/21 8:43 AM, Brijesh Singh wrote: >>> +    /* >>> +     * The backing page level is higher than the RMP page level, >>> request >>> +     * to split the page. >>> +     */ >>> +    if (level > rmp_level) >>> +        return RMP_FAULT_PAGE_SPLIT; >> >> This can theoretically trigger on a hugetlbfs page.  Right? > > Yes, theoretically. > > In the current implementation, the VMM is enlightened to not use the > hugetlbfs for backing page when creating the SEV-SNP guests. "The VMM"? We try to write kernel code so that it "works" and doesn't do unexpected things with whatever userspace might throw at it. This seems to be written with an assumption that no VMM will ever use hugetlbfs with SEV-SNP. That worries me. Not only because someone is sure to try it, but it's the kind of assumption that an attacker or a fuzzer might try. Could you please test this kernel code in practice with hugetblfs? >> I also suspect you can just set VM_FAULT_SIGBUS and let the do_sigbus() >> call later on in the function do its work. >>>   +static int handle_split_page_fault(struct vm_fault *vmf) >>> +{ >>> +    if (!IS_ENABLED(CONFIG_AMD_MEM_ENCRYPT)) >>> +        return VM_FAULT_SIGBUS; >>> + >>> +    __split_huge_pmd(vmf->vma, vmf->pmd, vmf->address, false, NULL); >>> +    return 0; >>> +} >> >> What will this do when you hand it a hugetlbfs page? > > VMM is updated to not use the hugetlbfs when creating SEV-SNP guests. > So, we should not run into it. Please fix this code to handle hugetlbfs along with any other non-THP source of level>0 mappings. DAX comes to mind. "Handle" can mean rejecting these. You don't have to find some way to split them and make the VM work, just fail safely, ideally as early as possible. To me, this is a fundamental requirement before this code can be accepted. How many more parts of this series are predicated on the behavior of the VMM like this?