From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=d3XW=HO=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-3.8 required=3.0 tests=BAYES_00,
	HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS
	autolearn=no autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id E1D16C433E0
	for <linux-mm@archiver.kernel.org>; Fri, 12 Feb 2021 21:42:11 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id 68D1F64DD5
	for <linux-mm@archiver.kernel.org>; Fri, 12 Feb 2021 21:42:11 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 68D1F64DD5
Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=linux.intel.com
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix)
	id EC1538D0096; Fri, 12 Feb 2021 16:42:10 -0500 (EST)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id E729F8D0060; Fri, 12 Feb 2021 16:42:10 -0500 (EST)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id D884E8D0096; Fri, 12 Feb 2021 16:42:10 -0500 (EST)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0219.hostedemail.com [216.40.44.219])
	by kanga.kvack.org (Postfix) with ESMTP id C40868D0060
	for <linux-mm@kvack.org>; Fri, 12 Feb 2021 16:42:10 -0500 (EST)
Received: from smtpin24.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay05.hostedemail.com (Postfix) with ESMTP id 8D05A183F6A36
	for <linux-mm@kvack.org>; Fri, 12 Feb 2021 21:42:10 +0000 (UTC)
X-FDA: 77810939220.24.copy90_4e13cd927624
Received: from filter.hostedemail.com (10.5.16.251.rfc1918.com [10.5.16.251])
	by smtpin24.hostedemail.com (Postfix) with ESMTP id 63BAB1A4A0
	for <linux-mm@kvack.org>; Fri, 12 Feb 2021 21:42:10 +0000 (UTC)
X-HE-Tag: copy90_4e13cd927624
X-Filterd-Recvd-Size: 2854
Received: from mga18.intel.com (mga18.intel.com [134.134.136.126])
	by imf19.hostedemail.com (Postfix) with ESMTP
	for <linux-mm@kvack.org>; Fri, 12 Feb 2021 21:42:09 +0000 (UTC)
IronPort-SDR: YPXbE/xr3hRO1uwCkgcMRdMS6qSVqrvdGOdpBTEh5okBXJWyqtj+Vca0AzA1B0xadsBvDb5VXt
 ybUwGIZCt8vg==
X-IronPort-AV: E=McAfee;i="6000,8403,9893"; a="170147958"
X-IronPort-AV: E=Sophos;i="5.81,174,1610438400"; 
   d="scan'208";a="170147958"
Received: from fmsmga008.fm.intel.com ([10.253.24.58])
  by orsmga106.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 12 Feb 2021 13:42:07 -0800
IronPort-SDR: whNNAx5IajR+HcYRKhIUF6GFuPf4tmFl+vABzNvbv2zN10gOZ5Eo7ahkooYTNk4q/rrWVhScyH
 /JFIvxq4FxmA==
X-IronPort-AV: E=Sophos;i="5.81,174,1610438400"; 
   d="scan'208";a="381871699"
Received: from tassilo.jf.intel.com ([10.54.74.11])
  by fmsmga008-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 12 Feb 2021 13:42:07 -0800
Date: Fri, 12 Feb 2021 13:42:05 -0800
From: Andi Kleen <ak@linux.intel.com>
To: Peter Zijlstra <peterz@infradead.org>
Cc: Joerg Roedel <jroedel@suse.de>, David Rientjes <rientjes@google.com>,
	Borislav Petkov <bp@alien8.de>, Andy Lutomirski <luto@kernel.org>,
	Sean Christopherson <seanjc@google.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
	Brijesh Singh <brijesh.singh@amd.com>,
	Tom Lendacky <thomas.lendacky@amd.com>,
	Jon Grimm <jon.grimm@amd.com>, Thomas Gleixner <tglx@linutronix.de>,
	Christoph Hellwig <hch@lst.de>, Paolo Bonzini <pbonzini@redhat.com>,
	Ingo Molnar <mingo@redhat.com>, x86@kernel.org, linux-mm@kvack.org
Subject: Re: AMD SEV-SNP/Intel TDX: validation of memory pages
Message-ID: <20210212214205.GF365765@tassilo.jf.intel.com>
References: <7515a81a-19e-b063-2081-3f5e79f0f7a8@google.com>
 <20210212131907.GI5453@suse.de>
 <YCaOFeZRlUleMSu2@hirez.programming.kicks-ass.net>
 <20210212145318.GK5453@suse.de>
 <YCacenGvoQsTmVcy@hirez.programming.kicks-ass.net>
 <20210212152813.GA28884@suse.de>
 <YCao+fmjH/aEFUN/@hirez.programming.kicks-ass.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <YCao+fmjH/aEFUN/@hirez.programming.kicks-ass.net>
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

> > I don't know the details about TDX and #VE, but could a malicious HV not
> > trigger a #VE basically everywhere by mapping around pages? So 'fail'
> > means panic() in this case, right?
> 
> Right.

Well we might not be able to reliably panic if we don't run on a IST
if it hits the syscall gap. Otherwise you might end up with panic
running on the ring 3 stack.

Given it's a bit muddled threat model - would need both a
malicious process in the hypervisor and inside the secure guest,
but I presume that's possible.

That seems to argue that an IST for #VE is actually required.

-Andi