Received: by 2002:a05:6a10:eb17:0:0:0:0 with SMTP id hx23csp753154pxb; Fri, 3 Sep 2021 12:39:27 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwOQnct/pPRlZJ75ZUgoPaCjoJNCEsHwGdzVwngTRtWm1kgzCvxtu954SIrmxGoVaaqLGsm X-Received: by 2002:a92:cd81:: with SMTP id r1mr402776ilb.298.1630697967685; Fri, 03 Sep 2021 12:39:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1630697967; cv=none; d=google.com; s=arc-20160816; b=0ycRpav9UYpzuCQaPTwNqHBALjgEx8e34QJgsqa/Q5sVAGDboAGWQkWkHupnRsqPQv UGymQ95xuymtXTP0EPm+U+0USN46GkAgB2OqWZ4H1F9soIswQNhYzw35Cq9VvZsupXgs UCnZFnDRrUXD4txBTEIwEOM5YTTJAZ/rr2WewAcLsxTH/7rODPZa6kFsqJi9JMfCXbsC XdjHVb8DFkC/hTnX6bXouJnwGlGG1jxrgdmCyFXzYTELBvb/GumbfK2HQipSTUEBdBFY NCpOb3wJW8/MWxqsn1aOE8Rfgq1mc/zUE3Qdj3Nbrcj4uG2yc1af/3XGCfUFTR7zRJXl b+Kw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=qzhaz9XxDSm1ugGQAic1jSV4h3dO1CWRqJG/Wa1eKqo=; b=NMzjiJyUlnxBO9UyvbUj1O7YmgYIdPQMDuwaAstV3IwmijiXmj6uy1htlPlLBWDuK1 E5B1KXv3pL4aMxhFQOZLJ7NoddBboYd3n9ShrwMXFZbz6pLIK1n++5WNlJW9Uxh6Ir7N n/B716fGGdvwf8bB1PnFvg9cf0R+vxDYPWlFK7n5Q3LN8JOEj8NM8XZJuAsxqn9c3/eZ nqIB19IK83XonFrk774wgcnRahePCJ2bv8SVUGh5WTbu1SDCMfQpU9ROKyrydAFbO6HK 0SP5Cj9zPSnNNQGMjbNYOcrHa2W9q+ikd79eVhPt6bc8vcCAdnQjyHhdynVKR3ozJ9mF vW2g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b="Q4g8O/XP"; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id a2si197273ilf.15.2021.09.03.12.38.59; Fri, 03 Sep 2021 12:39:27 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b="Q4g8O/XP"; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1348939AbhICTjt (ORCPT + 99 others); Fri, 3 Sep 2021 15:39:49 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54096 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1349865AbhICTjr (ORCPT ); Fri, 3 Sep 2021 15:39:47 -0400 Received: from mail-pj1-x1033.google.com (mail-pj1-x1033.google.com [IPv6:2607:f8b0:4864:20::1033]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 977A6C0613C1 for ; Fri, 3 Sep 2021 12:38:47 -0700 (PDT) Received: by mail-pj1-x1033.google.com with SMTP id n13-20020a17090a4e0d00b0017946980d8dso231262pjh.5 for ; Fri, 03 Sep 2021 12:38:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=qzhaz9XxDSm1ugGQAic1jSV4h3dO1CWRqJG/Wa1eKqo=; b=Q4g8O/XPm2u0b/cy1Hw89zcNMj9oiX+bRd+8mJDYqYQ8LqTxTaTrNWdtwP4bLcnUkU eMWjtXHzk5yzQKvQBZz1g+zzocaHQ9MQmA8qY4buy+vaNmp5diQC16nhwre2uxT+p8vV JaPlc6nRsTMCMhGj/qmDvfSk+tKUB6VvKpq9Gv4jj25FmVwK/Bdzgw/LlzdZO6aAJQv5 f1EqIV23Wb6apk3n3WO4d0Tzr00atX0sfTt+1Q6zmCti6z/NPft5/mzAJJpR+1wmv7ml Q385PdhiwJginqPZ/Re4d9EE91NU4GLKOycCnmXK4odaYvOj4A5XwF2/tqj8Hh6UoDX4 Ku8g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=qzhaz9XxDSm1ugGQAic1jSV4h3dO1CWRqJG/Wa1eKqo=; b=j8fEZm1A2XBvYkYZtIdxO64gD0MAxTKahxDQODFmuR/0RNWdXe0uQ5cXbv1ea60auZ xYMzf+q5Yp+aJs8aySQ2lSNVfgyPAqpEPC4nOXgRCi1E1C+Fjbj4GMQwtxzUmmdEAKNX OkcXQbLf3smWuiIysD+qg8dc+g05Szme9iIuqCAUQVcXZoPhzXe1fnyh0mjj+wiYDfMS BH/yDg9UtW71C0UC/gsQp9vvrMnhuv0n7GutVCPg+p/Uuu84mB5pBv8WK6dEG1btl9zk XIWQ1QWJBGlYFTVnxjzRT0U3c7DYmORLxqxWblKxGjkpDSpNb5EwDyR2xlL3x1WAyWCT IuVA== X-Gm-Message-State: AOAM532NCcJWnUDEFBecqKWobJ/hvdw+TPiPskfJ4vqs6yurtXegAXkN /XnstGS/gFZgeK/PvpUo49dzzQ== X-Received: by 2002:a17:90b:4b4f:: with SMTP id mi15mr497532pjb.120.1630697926927; Fri, 03 Sep 2021 12:38:46 -0700 (PDT) Received: from google.com (157.214.185.35.bc.googleusercontent.com. [35.185.214.157]) by smtp.gmail.com with ESMTPSA id q20sm180458pgu.31.2021.09.03.12.38.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 03 Sep 2021 12:38:46 -0700 (PDT) Date: Fri, 3 Sep 2021 19:38:42 +0000 From: Sean Christopherson To: Mingwei Zhang Cc: Paolo Bonzini , Brijesh Singh , Tom Lendacky , John Allen , Vitaly Kuznetsov , Wanpeng Li , Jim Mattson , Joerg Roedel , kvm@vger.kernel.org, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, Alper Gun , Borislav Petkov , David Rienjes , Marc Orr , Peter Gonda , Vipin Sharma Subject: Re: [PATCH v2 3/4] KVM: SVM: move sev_bind_asid to psp Message-ID: References: <20210818053908.1907051-1-mizhang@google.com> <20210818053908.1907051-4-mizhang@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210818053908.1907051-4-mizhang@google.com> Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Wed, Aug 18, 2021, Mingwei Zhang wrote: > @@ -336,11 +322,9 @@ static int sev_launch_start(struct kvm *kvm, struct kvm_sev_cmd *argp) > goto e_free_session; > > /* Bind ASID to this guest */ > - ret = sev_bind_asid(kvm, start.handle, error); > - if (ret) { > - sev_guest_decommission(start.handle, NULL); > + ret = sev_guest_bind_asid(sev_get_asid(kvm), start.handle, error); > + if (ret) > goto e_free_session; > - } > > /* return handle to userspace */ > params.handle = start.handle; ... > diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c > index e2d49bedc0ef..325e79360d9e 100644 > --- a/drivers/crypto/ccp/sev-dev.c > +++ b/drivers/crypto/ccp/sev-dev.c > @@ -903,6 +903,21 @@ int sev_guest_activate(struct sev_data_activate *data, int *error) > } > EXPORT_SYMBOL_GPL(sev_guest_activate); > > +int sev_guest_bind_asid(int asid, unsigned int handle, int *error) > +{ > + struct sev_data_activate activate; > + int ret; > + > + /* activate ASID on the given handle */ > + activate.handle = handle; > + activate.asid = asid; > + ret = sev_guest_activate(&activate, error); > + if (ret) > + sev_guest_decommission(handle, NULL); Hrm, undoing state like this is a bad API. It assumes the caller is well-behaved, e.g. has already done something that requires decommissioning, and it surprises the caller, e.g. the KVM side (above) looks like it's missing error handling. Something like this would be cleaner overall: /* create memory encryption context */ ret = __sev_issue_cmd(argp->sev_fd, SEV_CMD_RECEIVE_START, &start, error); if (ret) goto e_free_session; /* Bind ASID to this guest */ ret = sev_guest_activate(sev_get_asid(kvm), start.handle, error); if (ret) goto e_decommision; params.handle = start.handle; if (copy_to_user((void __user *)(uintptr_t)argp->data, ¶ms, sizeof(struct kvm_sev_receive_start))) { ret = -EFAULT; goto e_deactivate; } sev->handle = start.handle; sev->fd = argp->sev_fd; e_deactivate: sev_guest_deactivate(sev_get_asid(kvm), start.handle, error); e_decommision: sev_guest_decommission(start.handle, error); e_free_session: kfree(session_data); e_free_pdh: kfree(pdh_data); However, I don't know that that's a good level of abstraction, e.g. the struct details are abstracted from KVM but the exact sequencing is not, which is odd to say the least. Which is a good segue into my overarching complaint about the PSP API and what made me suggest this change in the first place. IMO, the API exposed to KVM (and others) is too low level, e.g. KVM is practically making direct calls to the PSP via sev_issue_cmd_external_user(). Even the partially-abstracted helpers that take a "struct sev_data_*" are too low level, KVM really shouldn't need to know the hardware-defined structures for an off-CPU device. My intent with the suggestion was to start driving toward a mostly-abstracted API across the board, with an end goal of eliminating sev_issue_cmd_external_user() and moving all of the sev_data* structs out of psp-sev.h and into a private header. However, I think we should all explicitly agree on the desired level of abstraction before shuffling code around. My personal preference is obviously to work towards an abstracted API. And if we decide to go that route, I think we should be much more aggressive with respect to what is abstracted. Many of the functions will be rather gross due to the sheer number of params, but I think the end result will be a net positive in terms of readability and separation of concerns. E.g. get KVM looking like this static int sev_receive_start(struct kvm *kvm, struct kvm_sev_cmd *argp) { struct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info; struct kvm_sev_receive_start params; int ret; if (!sev_guest(kvm)) return -ENOTTY; /* Get parameter from the userspace */ if (copy_from_user(¶ms, (void __user *)(uintptr_t)argp->data, sizeof(struct kvm_sev_receive_start))) return -EFAULT; ret = sev_guest_receive_start(argp->sev_fd, &arpg->error, sev->asid, ¶ms.handle, params.policy, params.pdh_uaddr, params.pdh_len, params.session_uaddr, params.session_len); if (ret) return ret; /* Copy params back to user even on failure, e.g. for error info. */ if (copy_to_user((void __user *)(uintptr_t)argp->data, ¶ms, sizeof(struct kvm_sev_receive_start))) return -EFAULT; sev->handle = params.handle; sev->fd = argp->sev_fd; return 0; }