Received: by 2002:a6b:fb09:0:0:0:0:0 with SMTP id h9csp1573171iog; Tue, 14 Jun 2022 08:39:30 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyU5Q8kGaH4AMZqU0y+UxHJlUXB5ojldmBfwHtwwSBRqrjPIBpIfSR15ntGhIbn7Zh5SL9F X-Received: by 2002:a17:906:5352:b0:712:3916:e92 with SMTP id j18-20020a170906535200b0071239160e92mr4839754ejo.756.1655221170121; Tue, 14 Jun 2022 08:39:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1655221170; cv=none; d=google.com; s=arc-20160816; b=dUA2iJhnCaUTMmEALomeXi8aw1qIxnC71mDc21o9eUN6olVNYzVwqiq48C/ZVIQxmV QbIrejR3C2q6Gm3RxELaGMnjbf1gp/ZOO0mj4B6VytSRDmJ9ppzW2ByfsJI0tFIFtMj7 SyRJpt3bjiS9uEyzZpBqG/9ZPQ/oDNpBlja5yEucRC8NIzNv5U/Ygj6mzRyzd1FcVIqQ CbsXmfCysYi45fkzaVyVkVoGFEzeXJNOTh5nbG1ttEM6uez7bc/ynbZ2CtCBS+Dhd162 guIv6HbzHStBwxpZWlUK5q1WQ1FJO4zxWR9P3cowRxLSeWkE8OEMPF+YHn1hB5ec1Tih +oNw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=fn8gtxL6sSNRSsiDRRI9nlOANxjqFwtwIBrOJj9PDX4=; b=obnqM/uBNP3vSsC7uhmKw9Wxww97fQLlX5jGb+5H3C/fW4JuhdL9y0SMFO8uTGMlcu jWh6vctsx051x4CANLvr0jCX2MGICnD+MOK/X5rSx2TgFRli25rY45ZvNHIlZA88H3a+ 2mIMaE3emjaf3NwWLWLCG0w27k37JodPqf249oZCb2j/cw2Kyi4KADp/7sxR3nadQ9Oz otsJDudU+kdZIGC5tGddnQ9brOZ1WQPexC3+ZUqy8/CFgu58FvoKNuZP1zUvTXEUAI+8 vqNibh2yltzAxMqA4hB5+ujD9DA/O2sxPMSnQ1E8TJXsFJ0tnayDKgczQAl8t2Ej7IVW mbxg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b="LT/lyo0G"; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id dp18-20020a170906c15200b00718cd011cd9si5413867ejc.59.2022.06.14.08.38.49; Tue, 14 Jun 2022 08:39:30 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b="LT/lyo0G"; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237783AbiFNPh4 (ORCPT + 99 others); Tue, 14 Jun 2022 11:37:56 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46578 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236865AbiFNPhz (ORCPT ); Tue, 14 Jun 2022 11:37:55 -0400 Received: from mail-lj1-x236.google.com (mail-lj1-x236.google.com [IPv6:2a00:1450:4864:20::236]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5C14531528 for ; Tue, 14 Jun 2022 08:37:53 -0700 (PDT) Received: by mail-lj1-x236.google.com with SMTP id l18so10157876lje.13 for ; Tue, 14 Jun 2022 08:37:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=fn8gtxL6sSNRSsiDRRI9nlOANxjqFwtwIBrOJj9PDX4=; b=LT/lyo0Gkm8vUesqRnJoPnu//GtJ2a4J7xk0YQo1fVzKIPstZDTs4ocVHUhOQzAzDf 1mhknKFZFcyuP+FcITbRZ9C3Zb5IygQ+dSD/d5sDSo5jPxZ3Xod61S+96JIZEmvp/ioU ZLBYWsR7cCtO3xXbwzi+P+VOMS8qTkNT6dLd5qwOG4wKAOBEMDsF5IyyBzSoJSpbj7Ps 0sLvaRhd6KXmBxBx5Mnte8TQS/1qrwy08MCnMdz9Rwv7O5iKxxqDYqsRoQXOdKe/qqv/ D1JOHgxvD7xtNV5gXfizVs33keuKhzIJmtdRXlLVfle9UauwzrlzB+MCJvLuXXUxDdkT 328Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=fn8gtxL6sSNRSsiDRRI9nlOANxjqFwtwIBrOJj9PDX4=; b=q2ROgdG2hltPj54SFr/ezSEcvcSO1bMDnCjcUVHfO1Hk0NuzStgxcqsvcyzcyQHtc5 7+KUgPzRf43Uz622YLyiTZ3hIcpfFQPIZHgxYFDdTQ2l4aQo9ZfFpaPUg7oTNvSqCpzF e3J3Ow9zZq3pkZAqk/QmfZHe9Ht8G2VA/05v6Nq1FhBJPVRsovB8qsb3c4O50BGCaDd9 t1i7ZGc8X/NpoB0ArnsUUkzdrD4yL3DfEUXThX4yEhwFXZbWSNKaB0rgVKBT0aXbwDb6 HzdWWMhPiDmriy3KWpQ9fUGrx6bwWJ1g+gw/MuvaksmTE0ZgAWp2cOlnKAub8+AACcUh Lhng== X-Gm-Message-State: AJIora9BRkjlZOxFrV5cZAe+I3R0XtU9jfE2dxQct+fzP70pO2OapXU+ EI9PSzQFL4u8PhyjJsq1XY2VAQuKd0LNiLmZ5+LnWHC/t8DfoBVr X-Received: by 2002:a2e:547:0:b0:255:703a:d9ae with SMTP id 68-20020a2e0547000000b00255703ad9aemr2756675ljf.282.1655221071098; Tue, 14 Jun 2022 08:37:51 -0700 (PDT) MIME-Version: 1.0 References: <20210820155918.7518-1-brijesh.singh@amd.com> <20210820155918.7518-24-brijesh.singh@amd.com> <1cadca0d-c3dc-68ed-075f-f88ccb0ccc0a@amd.com> In-Reply-To: From: Peter Gonda Date: Tue, 14 Jun 2022 09:37:39 -0600 Message-ID: Subject: Re: [PATCH Part2 v5 23/45] KVM: SVM: Add KVM_SNP_INIT command To: Ashish Kalra Cc: Alper Gun , Brijesh Singh , Ashish Kalra , "the arch/x86 maintainers" , LKML , kvm list , linux-coco@lists.linux.dev, linux-mm@kvack.org, Linux Crypto Mailing List , Thomas Gleixner , Ingo Molnar , Joerg Roedel , Tom Lendacky , "H. Peter Anvin" , Ard Biesheuvel , Paolo Bonzini , Sean Christopherson , Vitaly Kuznetsov , Wanpeng Li , Jim Mattson , Andy Lutomirski , Dave Hansen , Sergio Lopez , Peter Zijlstra , Srinivas Pandruvada , David Rientjes , Dov Murik , Tobin Feldman-Fitzthum , Borislav Petkov , Michael Roth , Vlastimil Babka , "Kirill A . Shutemov" , Andi Kleen , Tony Luck , Marc Orr , Sathyanarayanan Kuppuswamy , Pavan Kumar Paluri Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Mon, Jun 13, 2022 at 6:21 PM Ashish Kalra wrote: > > > On 6/13/22 23:33, Alper Gun wrote: > > On Mon, Jun 13, 2022 at 4:15 PM Ashish Kalra wrote: > >> Hello Alper, > >> > >> On 6/13/22 20:58, Alper Gun wrote: > >>> static int sev_guest_init(struct kvm *kvm, struct kvm_sev_cmd *argp) > >>>> { > >>>> + bool es_active = (argp->id == KVM_SEV_ES_INIT || argp->id == KVM_SEV_SNP_INIT); > >>>> struct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info; > >>>> - bool es_active = argp->id == KVM_SEV_ES_INIT; > >>>> + bool snp_active = argp->id == KVM_SEV_SNP_INIT; > >>>> int asid, ret; > >>>> > >>>> if (kvm->created_vcpus) > >>>> @@ -249,12 +269,22 @@ static int sev_guest_init(struct kvm *kvm, struct kvm_sev_cmd *argp) > >>>> return ret; > >>>> > >>>> sev->es_active = es_active; > >>>> + sev->snp_active = snp_active; > >>>> asid = sev_asid_new(sev); > >>>> if (asid < 0) > >>>> goto e_no_asid; > >>>> sev->asid = asid; > >>>> > >>>> - ret = sev_platform_init(&argp->error); > >>>> + if (snp_active) { > >>>> + ret = verify_snp_init_flags(kvm, argp); > >>>> + if (ret) > >>>> + goto e_free; > >>>> + > >>>> + ret = sev_snp_init(&argp->error); > >>>> + } else { > >>>> + ret = sev_platform_init(&argp->error); > >>> After SEV INIT_EX support patches, SEV may be initialized in the platform late. > >>> In my tests, if SEV has not been initialized in the platform yet, SNP > >>> VMs fail with SEV_DF_FLUSH required error. I tried calling > >>> SEV_DF_FLUSH right after the SNP platform init but this time it failed > >>> later on the SNP launch update command with SEV_RET_INVALID_PARAM > >>> error. Looks like there is another dependency on SEV platform > >>> initialization. > >>> > >>> Calling sev_platform_init for SNP VMs fixes the problem in our tests. > >> Trying to get some more context for this issue. > >> > >> When you say after SEV_INIT_EX support patches, SEV may be initialized > >> in the platform late, do you mean sev_pci_init()->sev_snp_init() ... > >> sev_platform_init() code path has still not executed on the host BSP ? > >> > > Correct, INIT_EX requires the file system to be ready and there is a > > ccp module param to call it only when needed. > > > > MODULE_PARM_DESC(psp_init_on_probe, " if true, the PSP will be > > initialized on module init. Else the PSP will be initialized on the > > first command requiring it"); > > > > If this module param is false, it won't initialize SEV on the platform > > until the first SEV VM. > > > Ok, that makes sense. > > So the fix will be to call sev_platform_init() unconditionally here in > sev_guest_init(), and both sev_snp_init() and sev_platform_init() are > protected from being called again, so there won't be any issues if these > functions are invoked again at SNP/SEV VM launch if they have been > invoked earlier during module init. That's one solution. I don't know if there is a downside to the system for enabling SEV if SNP is being enabled but another solution could be to just directly place a DF_FLUSH command instead of calling sev_platform_init(). > > Thanks, Ashish >