Received: by 2002:ad5:4acb:0:0:0:0:0 with SMTP id n11csp632119imw; Fri, 8 Jul 2022 08:59:09 -0700 (PDT) X-Google-Smtp-Source: AGRyM1uFvwnpWECygQ37Yq1uNC/LWRbB8Qn932Pfo0qvfXjfOWAYMoc+k7ZCX5sTYcB9j/TPczfX X-Received: by 2002:a17:902:9b95:b0:16c:28fd:67fd with SMTP id y21-20020a1709029b9500b0016c28fd67fdmr1953482plp.87.1657295949211; Fri, 08 Jul 2022 08:59:09 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1657295949; cv=none; d=google.com; s=arc-20160816; b=CbYjtz0lRReO7mK3UP4IhHnvfIw+IVwvjAuYkgMrT1y7Sr7mRIAB9I6/x+PQ5PyAGi h4CSl5EVypntHdtzHG8/72mG2q5dlMYgWCsxLuMFOGvvWbl/3GoRuG8h05G5ur7uFVAL vDgQLpRen9O84tbUP1ZdKTWt+ojNV/oxlaWTWVwzAYShL133wmBPvzCNGQyrQApUL7qq 7Jwxx+U0eRpRlUi06oLsDOwn5CPNUrBt7eM+9N/H5OeyRGeeX3k2+SyEL1ZQBiY92k2D jSZdwkNWe+B6Z4TNpcHY8Xm8ocF8VZ6xizktEo0P+XY4gqj75WJPZyobLejfR3+B29o3 SZsg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=/os5t3S4cPsz3I/S9Mj4qyigjvCHgQQtkEVeDgJ05RM=; b=wjwQc+4ng0wPKU1n0IuEXYLe/ES7ZNh299/zkxsUZCh2UatrKPNB+ONdoJxTpzXnbA OqAxPWzdncSYu1GTCs/SXX0KlQ6Zgq7LTQzsJqnxo0b90hhZv6gxfkY4ykLLE6SFP6Ae Ll+BMzqPoo+nytDv6KVzv0mTjWGI0VMVbrv+bx2FzF+Yagh4+vhbEfQDm/1yJ77EOzQt jtxQ+8bcK4h5l+bhe/cxEqFr7Di7xsjwRgOwXI92HUz6tLmXwOcDMBlTM95alQJrcosN Kr1rfPK3nXNgH75ML4FFluWOjTjmPomrU94aPOABZGmndHNF7SOlvrsbGTX44T/5NNCS Aanw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=PsBVmJ6R; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id l8-20020a056a0016c800b0051b8c526443si23178pfc.171.2022.07.08.08.58.49; Fri, 08 Jul 2022 08:59:09 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=PsBVmJ6R; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238825AbiGHPyl (ORCPT + 99 others); Fri, 8 Jul 2022 11:54:41 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39064 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238830AbiGHPyk (ORCPT ); Fri, 8 Jul 2022 11:54:40 -0400 Received: from mail-lf1-x134.google.com (mail-lf1-x134.google.com [IPv6:2a00:1450:4864:20::134]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E1F2970E56 for ; Fri, 8 Jul 2022 08:54:37 -0700 (PDT) Received: by mail-lf1-x134.google.com with SMTP id z25so19449808lfr.2 for ; Fri, 08 Jul 2022 08:54:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=/os5t3S4cPsz3I/S9Mj4qyigjvCHgQQtkEVeDgJ05RM=; b=PsBVmJ6R6GowUlEMeEe8ZRY8jb52v2WfXzscfT5jLoCOQsbZ36cbawSyHAtGiHnafj HaFtIhvPwrjTsy3gBfiNpXk6CLJYS++w+8CYIEoISvqmxuuVetqxorhjsydgFa23mZKQ 5/cnrNL72sWZGEGfjILngANqq9MIg3cWbdiTWVR/h5IQrycCXuvQ4YGYcrr2ICC+JjoL DyDSxQSfjivojcSr1c9UT0BUbasRhFYlNTGM0VY5acbNpT07M1F5BIlW4gQlVvfNsmya l77+tZgU/wKnuxcPYeZ/vqIStbc7H1V+E0CACaXVs84rluFvh1bSyYJPimKqQ++dB94y p0rw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=/os5t3S4cPsz3I/S9Mj4qyigjvCHgQQtkEVeDgJ05RM=; b=lBHcIDI+LYq9qcivszdgN4JfgrQAF9ysBqzgnd+cdiimyeRgxVBfFfg/7d4HfC5PEn YNSkNiO0DOV9jeYbn5WxzfHaDKtUXUMNnrADMw46rYCtgNjPT4xff81N/UL58KbrSJXj FswRaW+WStw3PVESFLkwinAAdU7zO9UAhVQV2srFuiYk5cru23zenthpBpGvC1Ht1Vn1 lFGeomU8We6p2Y9cGrdc233/+q6j/QVhCE0iyikPKh0gdu1gB02Mx6XluoBx38ab42CG 3Th3yFH6F+XElrGlfVkbqJZTlMSa5EElm3cVy7bCf2ZdEgVvRyIBIAoq3bz9ATUCtdjc DjFQ== X-Gm-Message-State: AJIora+sY9ZyWepvI5E31sgxabRu0ATQPk3gn4/tJNstKzOmZTQ2Iqk7 jysy/kBHxiGwpkFTGZZnh+YURv1eYu+SPJJ5YtwfQw== X-Received: by 2002:a05:6512:a8c:b0:484:73f8:704d with SMTP id m12-20020a0565120a8c00b0048473f8704dmr3076083lfu.193.1657295675981; Fri, 08 Jul 2022 08:54:35 -0700 (PDT) MIME-Version: 1.0 References: <7845d453af6344d0b156493eb4555399aad78615.1655761627.git.ashish.kalra@amd.com> In-Reply-To: From: Peter Gonda Date: Fri, 8 Jul 2022 09:54:24 -0600 Message-ID: Subject: Re: [PATCH Part2 v6 35/49] KVM: SVM: Remove the long-lived GHCB host map To: "Kalra, Ashish" Cc: "the arch/x86 maintainers" , LKML , kvm list , "linux-coco@lists.linux.dev" , "linux-mm@kvack.org" , Linux Crypto Mailing List , Thomas Gleixner , Ingo Molnar , Joerg Roedel , "Lendacky, Thomas" , "H. Peter Anvin" , Ard Biesheuvel , Paolo Bonzini , Sean Christopherson , Vitaly Kuznetsov , Jim Mattson , Andy Lutomirski , Dave Hansen , Sergio Lopez , Peter Zijlstra , Srinivas Pandruvada , David Rientjes , Dov Murik , Tobin Feldman-Fitzthum , Borislav Petkov , "Roth, Michael" , Vlastimil Babka , "Kirill A . Shutemov" , Andi Kleen , Tony Luck , Marc Orr , Sathyanarayanan Kuppuswamy , Alper Gun , "Dr. David Alan Gilbert" , "jarkko@kernel.org" Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Thu, Jul 7, 2022 at 2:31 PM Kalra, Ashish wrote: > > [AMD Official Use Only - General] > > Hello Peter, > > >> >There is a perf cost to this suggestion but it might make accessing > >> >the GHCB safer for KVM. Have you thought about just using > >> >kvm_read_guest() or copy_from_user() to fully copy out the GCHB into = a KVM owned buffer, then copying it back before the VMRUN. That way the KVM= doesn't need to guard against page_state_changes on the GHCBs, that could = be a perf ?>>improvement in a follow up. > >> > >> Along with the performance costs you mentioned, the main concern here > >> will be the GHCB write-back path (copying it back) before VMRUN: this > >> will again hit the issue we have currently with > >> kvm_write_guest() / copy_to_user(), when we use it to sync the scratch > >> buffer back to GHCB. This can fail if guest RAM is mapped using huge-p= age(s) and RMP is 4K. Please refer to the patch/fix mentioned below, kvm_wr= ite_guest() potentially can fail before VMRUN in case of SNP : > >> > >> commit 94ed878c2669532ebae8eb9b4503f19aa33cd7aa > >> Author: Ashish Kalra > >> Date: Mon Jun 6 22:28:01 2022 +0000 > >> > >> KVM: SVM: Sync the GHCB scratch buffer using already mapped ghcb > >> > >> Using kvm_write_guest() to sync the GHCB scratch buffer can fail > >> due to host mapping being 2M, but RMP being 4K. The page fault han= dling > >> in do_user_addr_fault() fails to split the 2M page to handle RMP f= ault due > >> to it being called here in a non-preemptible context. Instead use > >> the already kernel mapped ghcb to sync the scratch buffer when the > >> scratch buffer is contained within the GHCB. > > >Ah I didn't see that issue thanks for the pointer. > > >The patch description says "When SEV-SNP is enabled the mapped GPA needs= to be protected against a page state change." since if the guest were to c= onvert the GHCB page to private when the host is using the GHCB the host co= uld get an RMP violation right? > > Right. > > >That RMP violation would cause the host to crash unless we use some copy= _to_user() type protections. > > As such copy_to_user() will only swallow the RMP violation and return fai= lure, so the host can retry the write. > > > I don't see anything mechanism for this patch to add the page state cha= nge protection discussed. Can't another vCPU still convert the GHCB to priv= ate? > > We do have the protections for GHCB getting mapped to private specificall= y, there are new post_{map|unmap}_gfn functions added to verify if it is sa= fe to map > GHCB pages. There is a PSC spinlock added which protects again page state= change for these mapped pages. > Below is the reference to this patch: > https://lore.kernel.org/lkml/cover.1655761627.git.ashish.kalra@amd.com/T/= #mafcaac7296eb9a92c0ea58730dbd3ca47a8e0756 > > But do note that there is protection only for GHCB pages and there is a n= eed to add generic post_{map,unmap}_gfn() ops that can be used to verify > that it's safe to map a given guest page in the hypervisor. This is a TOD= O right now and probably this is something which UPM can address more clean= ly. Thank you Ashish. I had missed that. Can you help me understand why its OK to use kvm_write_guest() for the |snp_certs_data| inside of snp_handle_ext_guest_request() in patch 42/49? I would have thought we'd have the same 2M vs 4K mapping issues. > > >I was wrong about the importance of this though seanjc@ walked me throug= h how UPM will solve this issue so no worries about this until the series i= s rebased on to UPM. > > Thanks, > Ashish