Received: by 2002:a05:6a10:1287:0:0:0:0 with SMTP id d7csp1587893pxv; Fri, 16 Jul 2021 12:44:24 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxS20Fkw4J31aZsVOT2DVHng70IrFXwqycFPOECGwPDCZHIpkVtMg4vakiZBeOVWSOvTZi2 X-Received: by 2002:a17:907:7b9f:: with SMTP id ne31mr12942803ejc.133.1626464663793; Fri, 16 Jul 2021 12:44:23 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1626464663; cv=none; d=google.com; s=arc-20160816; b=D0PgRreiYK4KA3/4ZE8aEQ05jKGxNRUvSxjYWX6je4XbR7TgNf40FDMxxFPNumytDT G1M8YWrx++8ibjUkPSvsiraC/oWRu2SIE2w5gE6KOR7AgiBNmCpmiJPtItVpnsHr19iZ NtYmdK1n1oaW4ILHT0GanrZ6Xn/4wrsgHmONidGuf8/ye7jlMWvJoH4UigUo74YqKcQT /JrCLQ6UhShuF3yNGLmoLZArqBv0hhmiePNNuwLtFAkLirDoBQ/JBIZBhHvc/LmL3yiD oQzGRgPNGE76NjgY+u3+Z2V27XiYCaG44fwR1+ZaHBzMXSXks4Nu5qmTdqGt1JRfE3rY +IuA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=83K5jMwRtU/8epKCi74MjZFtuEQ6yN7WQlDQ6zpTzOI=; b=wlbIuE6jFS7/MlnJmEXi82vNF/aah4Zi/A4Mh388UXzqyCe4oJAHDziV3nMzm5L6Qd dHLHHOAEH3I0GbLhyq7bRG+KrLtN64OMQa/Imp4KwCb8o6fPnq7I5VZ2LP1egv4l1O5T vWprzVgvz4jTSASLdumYf8sinYVnZuFHws9eezVtKv8rEmXgcmsY/s1WRnsZrsLoVsHQ 71lOhCKeO5xp5+EMrwpuDeQl91HK8QayjnhLzvJ141k/O/3cfmf7kJEH9glNAHwf4IIg my5r3MBcSmB9Wf1t7SF7SMaeejqgkc+jtb6+GXxHe2EM3rhfP4RQ76/eHzMv+yuFf6nZ AcXA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=lkbUEbSi; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id zd21si11789355ejb.736.2021.07.16.12.43.47; Fri, 16 Jul 2021 12:44:23 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=lkbUEbSi; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233434AbhGPTqS (ORCPT + 99 others); Fri, 16 Jul 2021 15:46:18 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57442 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233227AbhGPTqR (ORCPT ); Fri, 16 Jul 2021 15:46:17 -0400 Received: from mail-pg1-x52b.google.com (mail-pg1-x52b.google.com [IPv6:2607:f8b0:4864:20::52b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 36ECDC06175F for ; Fri, 16 Jul 2021 12:43:22 -0700 (PDT) Received: by mail-pg1-x52b.google.com with SMTP id a6so3657332pgw.3 for ; Fri, 16 Jul 2021 12:43:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=83K5jMwRtU/8epKCi74MjZFtuEQ6yN7WQlDQ6zpTzOI=; b=lkbUEbSiAYqlKY11gnL039G8UTLE9ReSNGRswHTVCITBK249PJmM4zFH1PCO3bnAHq Gqpiug0qyGCG3JcFQ+pQ8DmFeGSoHMZ/InG+dRThu092lmCPhQnnjRO9PZPx6EtwJ1ak dDWsyzpHhKQTXIr5QN83tehLx5uPNETwEp8uFoGZxR3mpfBl8XieP9MbqVlKM3J+qeSI cQo2lUFtDrcBMVp1BBOcNblM5S+qeYM4ztZRNk5sSHwUGb5sRyLcBUdHDIpIBeNbhtcH c1++Zt9Nlev9yuAtbczha/ycvWPCxtGirSrfHxiMKhM/WXBYRH41G2aQxSpn75Rkx0bY jF9A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=83K5jMwRtU/8epKCi74MjZFtuEQ6yN7WQlDQ6zpTzOI=; b=f/sEEV6GN4TNMQHmcgSlG+TMa3YYMXnYmvJZcmvvVwgqeCfAu8lPg43LrLEsTNryS9 Z9Xr7DbcDlSNw/sLynPafbYef/GrCEd3JWe1kRROJ/ddntxWG6ASaSoJytvNxecSneEz Nf1fL01gd0+SkU5/ZRoSg/bvP/VFwxKudPXPSxi0SKCqz6VZgzqpxecq4KTqSrJE7S5k USYYPSVud3YSiY1KPTjun0nC4OoZt8YQqxrYLw42WWXRrRq7v5TU39MQqgX44f6bG/dM uEIjhz2F9zVWRAbKD5K5iDGufERzsn1EDR1ULf4AFehePx2Rp2KVN4SvM//227RRbTRb z4AA== X-Gm-Message-State: AOAM5301Ur+MLEzWmNzW5BQZsX6yWAoNSIvH6ABhES9CHJE1W8F+YY1a il3i9UHn8CNCfBlXxrAIdxGZHA== X-Received: by 2002:a05:6a00:10cd:b029:30a:ea3a:4acf with SMTP id d13-20020a056a0010cdb029030aea3a4acfmr12500876pfu.51.1626464601496; Fri, 16 Jul 2021 12:43:21 -0700 (PDT) Received: from google.com (157.214.185.35.bc.googleusercontent.com. [35.185.214.157]) by smtp.gmail.com with ESMTPSA id g9sm12163800pgh.40.2021.07.16.12.43.20 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 16 Jul 2021 12:43:21 -0700 (PDT) Date: Fri, 16 Jul 2021 19:43:17 +0000 From: Sean Christopherson To: Brijesh Singh Cc: x86@kernel.org, linux-kernel@vger.kernel.org, kvm@vger.kernel.org, linux-efi@vger.kernel.org, platform-driver-x86@vger.kernel.org, linux-coco@lists.linux.dev, linux-mm@kvack.org, linux-crypto@vger.kernel.org, Thomas Gleixner , Ingo Molnar , Joerg Roedel , Tom Lendacky , "H. Peter Anvin" , Ard Biesheuvel , Paolo Bonzini , Vitaly Kuznetsov , Wanpeng Li , Jim Mattson , Andy Lutomirski , Dave Hansen , Sergio Lopez , Peter Gonda , Peter Zijlstra , Srinivas Pandruvada , David Rientjes , Dov Murik , Tobin Feldman-Fitzthum , Borislav Petkov , Michael Roth , Vlastimil Babka , tony.luck@intel.com, npmccallum@redhat.com, brijesh.ksingh@gmail.com Subject: Re: [PATCH Part2 RFC v4 23/40] KVM: SVM: Add KVM_SEV_SNP_LAUNCH_START command Message-ID: References: <20210707183616.5620-1-brijesh.singh@amd.com> <20210707183616.5620-24-brijesh.singh@amd.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210707183616.5620-24-brijesh.singh@amd.com> Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Wed, Jul 07, 2021, Brijesh Singh wrote: > @@ -1527,6 +1530,100 @@ static int sev_receive_finish(struct kvm *kvm, struct kvm_sev_cmd *argp) > return sev_issue_cmd(kvm, SEV_CMD_RECEIVE_FINISH, &data, &argp->error); > } > > +static void *snp_context_create(struct kvm *kvm, struct kvm_sev_cmd *argp) > +{ > + struct sev_data_snp_gctx_create data = {}; > + void *context; > + int rc; > + > + /* Allocate memory for context page */ Eh, I'd drop this comment. It's quite obvious that a page is being allocated and that it's being assigned to the context. > + context = snp_alloc_firmware_page(GFP_KERNEL_ACCOUNT); > + if (!context) > + return NULL; > + > + data.gctx_paddr = __psp_pa(context); > + rc = __sev_issue_cmd(argp->sev_fd, SEV_CMD_SNP_GCTX_CREATE, &data, &argp->error); > + if (rc) { > + snp_free_firmware_page(context); > + return NULL; > + } > + > + return context; > +} > + > +static int snp_bind_asid(struct kvm *kvm, int *error) > +{ > + struct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info; > + struct sev_data_snp_activate data = {}; > + int asid = sev_get_asid(kvm); > + int ret, retry_count = 0; > + > + /* Activate ASID on the given context */ > + data.gctx_paddr = __psp_pa(sev->snp_context); > + data.asid = asid; > +again: > + ret = sev_issue_cmd(kvm, SEV_CMD_SNP_ACTIVATE, &data, error); > + > + /* Check if the DF_FLUSH is required, and try again */ Please provide more info on why this may be necessary. I can see from the code that it does a flush and retries, but I have no idea why a flush would be required in the first place, e.g. why can't KVM guarantee that everything is in the proper state before attempting to bind an ASID? > + if (ret && (*error == SEV_RET_DFFLUSH_REQUIRED) && (!retry_count)) { > + /* Guard DEACTIVATE against WBINVD/DF_FLUSH used in ASID recycling */ > + down_read(&sev_deactivate_lock); > + wbinvd_on_all_cpus(); > + ret = snp_guest_df_flush(error); > + up_read(&sev_deactivate_lock); > + > + if (ret) > + return ret; > + > + /* only one retry */ Again, please explain why. Is this arbitrary? Is retrying more than once guaranteed to be useless? > + retry_count = 1; > + > + goto again; > + } > + > + return ret; > +} ... > void sev_vm_destroy(struct kvm *kvm) > { > struct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info; > @@ -1847,7 +1969,15 @@ void sev_vm_destroy(struct kvm *kvm) > > mutex_unlock(&kvm->lock); > > - sev_unbind_asid(kvm, sev->handle); > + if (sev_snp_guest(kvm)) { > + if (snp_decommission_context(kvm)) { > + pr_err("Failed to free SNP guest context, leaking asid!\n"); I agree with Peter that this likely warrants a WARN. If a WARN isn't justified, e.g. this can happen without a KVM/CPU bug, then there absolutely needs to be a massive comment explaining why we have code that result in memory leaks. > + return; > + } > + } else { > + sev_unbind_asid(kvm, sev->handle); > + } > + > sev_asid_free(sev); > } > > diff --git a/arch/x86/kvm/svm/svm.h b/arch/x86/kvm/svm/svm.h > index b9ea99f8579e..bc5582b44356 100644 > --- a/arch/x86/kvm/svm/svm.h > +++ b/arch/x86/kvm/svm/svm.h > @@ -67,6 +67,7 @@ struct kvm_sev_info { > u64 ap_jump_table; /* SEV-ES AP Jump Table address */ > struct kvm *enc_context_owner; /* Owner of copied encryption context */ > struct misc_cg *misc_cg; /* For misc cgroup accounting */ > + void *snp_context; /* SNP guest context page */ > }; > > struct kvm_svm { > diff --git a/include/uapi/linux/kvm.h b/include/uapi/linux/kvm.h > index 989a64aa1ae5..dbd05179d8fa 100644 > --- a/include/uapi/linux/kvm.h > +++ b/include/uapi/linux/kvm.h > @@ -1680,6 +1680,7 @@ enum sev_cmd_id { > > /* SNP specific commands */ > KVM_SEV_SNP_INIT = 256, > + KVM_SEV_SNP_LAUNCH_START, > > KVM_SEV_NR_MAX, > }; > @@ -1781,6 +1782,14 @@ struct kvm_snp_init { > __u64 flags; > }; > > +struct kvm_sev_snp_launch_start { > + __u64 policy; > + __u64 ma_uaddr; > + __u8 ma_en; > + __u8 imi_en; > + __u8 gosvw[16]; Hmm, I'd prefer to pad this out to be 8-byte sized. > +}; > + > #define KVM_DEV_ASSIGN_ENABLE_IOMMU (1 << 0) > #define KVM_DEV_ASSIGN_PCI_2_3 (1 << 1) > #define KVM_DEV_ASSIGN_MASK_INTX (1 << 2) > -- > 2.17.1 >