From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 80868C43217 for ; Wed, 10 Nov 2021 22:08:53 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 20D026112F for ; Wed, 10 Nov 2021 22:08:53 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 20D026112F Authentication-Results: mail.kernel.org; dmarc=fail (p=quarantine dis=none) header.from=amd.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kvack.org Received: by kanga.kvack.org (Postfix) id 5C1696B0095; Wed, 10 Nov 2021 17:08:33 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 54B376B0096; Wed, 10 Nov 2021 17:08:33 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 40FA56B0098; Wed, 10 Nov 2021 17:08:33 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0139.hostedemail.com [216.40.44.139]) by kanga.kvack.org (Postfix) with ESMTP id 295E36B0095 for ; Wed, 10 Nov 2021 17:08:33 -0500 (EST) Received: from smtpin31.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay01.hostedemail.com (Postfix) with ESMTP id D920C1823DAA3 for ; Wed, 10 Nov 2021 22:08:32 +0000 (UTC) X-FDA: 78794410464.31.128E0C8 Received: from NAM11-CO1-obe.outbound.protection.outlook.com (mail-co1nam11on2042.outbound.protection.outlook.com [40.107.220.42]) by imf14.hostedemail.com (Postfix) with ESMTP id 75CB860019AC for ; Wed, 10 Nov 2021 22:08:31 +0000 (UTC) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=YyqyVAbpRWVdd0yW/5QWW7n4Etgx49DCknkk84cONcLLVPnooDr5cLM2uvEebRxWQZJiWeh6zwUYfwFiNN0LWec8o83T7oPtsGTkVxGL/bBUv1hijTuiylRg28YW7NVhVYzTaaGgwB3h8skTUqfoGtQzDoZsEeeB7PSNHQ8XJ8qtu7kctPSdA2ibgIcItJ63wTwmSO7goJmFtYowtmDPprdS4jUxPNPctcD8BvBet1eRzD+65EGJybWC1ntyQx2J+CfU1hkM5EToMa5IuMMw5gIvS1IVdI/KKZ/HHzs/wS9cS/s5mRSo18oGsqucAM5YBGqRpV5zi/geCvXI9Zwhzg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=FlRxsj6164/0wSXmGAZZJDg5tyHMewD2wqaTdPxZ8r4=; b=PzVvaOEAmsuDLk5c05f+Ta2fgheGd4kUEGRlZOP8eIE8FhmHW06NDsr+209s4APG3afGl+JYeoCl7COslfY6h/3W+jzOVaZi9ArmOiWhWNvKli2PXYdVM3rbWsuBYuYZii72DaIgasGO2y3Gj27ZLy0oYyEWfUa/X6BICss9GVKGZ89e36rjL+NEBIRMMxYuXXbUINOzg3DzTaqZQx/1e14luwh2TDle2oGmnwYJGqdP07jwxm2MkN9gF7JjQdMzYn6fkutqC5RFFZ8Zkm5ta6gcv+srFJjU7IRqrDfijZC0P+Xxu7myCR8xWcztJgmSyooaFJuXLm8r8y0F0/VQDg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 165.204.84.17) smtp.rcpttodomain=kernel.org smtp.mailfrom=amd.com; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=amd.com; dkim=none (message not signed); arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amd.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=FlRxsj6164/0wSXmGAZZJDg5tyHMewD2wqaTdPxZ8r4=; b=2vt+wxJC+SBOnSt+jQ/ezZbE6q78v3PqxlTn+/gvCduD0mUY0D+J3ENuMA8nslcbvFWw5l7uTzBR2UzoqOdzowWlRm4nQ9yqn3B7S5xnXJoU5trJZrZhk/Ke7+FDp/xKBjW+VCPntsWbdFSkN9c1MhTudpX8+satbBzXtc2/W54= Received: from DM5PR13CA0013.namprd13.prod.outlook.com (2603:10b6:3:23::23) by MN2PR12MB4206.namprd12.prod.outlook.com (2603:10b6:208:1d5::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4669.13; Wed, 10 Nov 2021 22:08:21 +0000 Received: from DM6NAM11FT066.eop-nam11.prod.protection.outlook.com (2603:10b6:3:23:cafe::58) by DM5PR13CA0013.outlook.office365.com (2603:10b6:3:23::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4690.15 via Frontend Transport; Wed, 10 Nov 2021 22:08:21 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 165.204.84.17) smtp.mailfrom=amd.com; kernel.org; dkim=none (message not signed) header.d=none;kernel.org; dmarc=pass action=none header.from=amd.com; Received-SPF: Pass (protection.outlook.com: domain of amd.com designates 165.204.84.17 as permitted sender) receiver=protection.outlook.com; client-ip=165.204.84.17; helo=SATLEXMB04.amd.com; Received: from SATLEXMB04.amd.com (165.204.84.17) by DM6NAM11FT066.mail.protection.outlook.com (10.13.173.179) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.20.4690.15 via Frontend Transport; Wed, 10 Nov 2021 22:08:20 +0000 Received: from sbrijesh-desktop.amd.com (10.180.168.240) by SATLEXMB04.amd.com (10.181.40.145) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.17; Wed, 10 Nov 2021 16:08:14 -0600 From: Brijesh Singh To: , , , , , , CC: Thomas Gleixner , Ingo Molnar , Joerg Roedel , Tom Lendacky , "H. Peter Anvin" , Ard Biesheuvel , Paolo Bonzini , Sean Christopherson , "Vitaly Kuznetsov" , Jim Mattson , "Andy Lutomirski" , Dave Hansen , Sergio Lopez , Peter Gonda , "Peter Zijlstra" , Srinivas Pandruvada , David Rientjes , Dov Murik , Tobin Feldman-Fitzthum , Borislav Petkov , Michael Roth , Vlastimil Babka , "Kirill A . Shutemov" , Andi Kleen , "Dr . David Alan Gilbert" , , , , Brijesh Singh Subject: [PATCH v7 14/45] x86/compressed: Add helper for validating pages in the decompression stage Date: Wed, 10 Nov 2021 16:07:00 -0600 Message-ID: <20211110220731.2396491-15-brijesh.singh@amd.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20211110220731.2396491-1-brijesh.singh@amd.com> References: <20211110220731.2396491-1-brijesh.singh@amd.com> MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" X-Originating-IP: [10.180.168.240] X-ClientProxiedBy: SATLEXMB03.amd.com (10.181.40.144) To SATLEXMB04.amd.com (10.181.40.145) X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: c1cabcf2-37bd-42dc-68d0-08d9a4969b7d X-MS-TrafficTypeDiagnostic: MN2PR12MB4206: X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:8882; X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: IVrwfuaK2oAijLysUWmHhHKYFJRXyg3wyP0cVVDRhSwCA1IWwH82G77j3kjzrcG//0ZHSM0STZVdOHL5QceetbJ39ULFux7aUCDq4x76yI+9Ai9MV/9DNNAzz+zEPCbAnaTmGLX0vz0qaPRJivOUqw4AYRAKzRNw2aWt/WWp0E2y95uNCUvuMGWWi1B1/JVDiNPiw/uMUW+7okcK5CpYRCEnok6VzZOneiEQoyELlM9AMPuE+W+qhh72saJbjkSDs4ZzV5xi120LL3GQUykxiW7WHTqJUJoVTCI2m9LutbCAsfqNFJPB614BY1gNdHrczeHw1ckZZVnUwZ4fsfLILgg3WmWdcr+UGtkbMkFLd29FiSGXYnUjf2fOqgsi+6q3g4f67Usqp6q1fSBYNQiMyB5Lxa6fdyFKbEJGlwyZM5CZbxaEpMyWTx0EXwtb01AyGZoeQ3u97sd+GH1Px2H4xnUsOQYtMFLtT42H0285XV6pnBBegSR3LMrL75Zi+3kZOq7YJxpZOG8/vdwjYCH5HXkb8x00bh/5Tfk3Q/S1V25EAkFT43Q3SPZDZDUg+U25GvUxXSgMLe4sOoCAIvbmdUbzoYd9KFZAwTpQdgNYRMP3FESZhwFRF1eAPTVR31gvzmCiZ6SS0M/yW7EhKqaUGLbgIFSKSE+EbSNeCcw8qzgbYBaveZO2GRHN0l0LaUmb967OGB+j6tslCQFXMF3TF9sRIStpasr/yNVG40/+oB0pwtMP6S7jXkuNNpCxPwmB X-Forefront-Antispam-Report: CIP:165.204.84.17;CTRY:US;LANG:en;SCL:1;SRV:;IPV:CAL;SFV:NSPM;H:SATLEXMB04.amd.com;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(4636009)(36840700001)(46966006)(16526019)(186003)(316002)(336012)(6666004)(1076003)(5660300002)(7696005)(70206006)(82310400003)(26005)(8676002)(54906003)(81166007)(70586007)(47076005)(36756003)(2616005)(83380400001)(356005)(2906002)(110136005)(4326008)(8936002)(44832011)(7416002)(508600001)(7406005)(36860700001)(86362001)(426003)(2101003)(36900700001);DIR:OUT;SFP:1101; X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 10 Nov 2021 22:08:20.9313 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: c1cabcf2-37bd-42dc-68d0-08d9a4969b7d X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=3dd8961f-e488-4e60-8e11-a82d994e183d;Ip=[165.204.84.17];Helo=[SATLEXMB04.amd.com] X-MS-Exchange-CrossTenant-AuthSource: DM6NAM11FT066.eop-nam11.prod.protection.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR12MB4206 X-Rspamd-Server: rspam03 X-Rspamd-Queue-Id: 75CB860019AC X-Stat-Signature: 4f973purjrs9hbm5st547empgnaogkj4 Authentication-Results: imf14.hostedemail.com; dkim=pass header.d=amd.com header.s=selector1 header.b=2vt+wxJC; dmarc=pass (policy=quarantine) header.from=amd.com; spf=pass (imf14.hostedemail.com: domain of brijesh.singh@amd.com designates 40.107.220.42 as permitted sender) smtp.mailfrom=brijesh.singh@amd.com X-HE-Tag: 1636582111-182148 Content-Transfer-Encoding: quoted-printable X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: Many of the integrity guarantees of SEV-SNP are enforced through the Reverse Map Table (RMP). Each RMP entry contains the GPA at which a particular page of DRAM should be mapped. The VMs can request the hypervisor to add pages in the RMP table via the Page State Change VMGEXI= T defined in the GHCB specification. Inside each RMP entry is a Validated flag; this flag is automatically cleared to 0 by the CPU hardware when a new RMP entry is created for a guest. Each VM page can be either validated or invalidated, as indicated by the Validated flag in the RMP entry. Memory access to a private page that is not validated generates a #VC. A VM must use PVALIDATE instruction to validate the private page before using it. To maintain the security guarantee of SEV-SNP guests, when transitioning pages from private to shared, the guest must invalidate the pages before asking the hypervisor to change the page state to shared in the RMP table= . After the pages are mapped private in the page table, the guest must issu= e a page state change VMGEXIT to make the pages private in the RMP table an= d validate it. On boot, BIOS should have validated the entire system memory. During the kernel decompression stage, the VC handler uses the set_memory_decrypted() to make the GHCB page shared (i.e clear encryption attribute). And while exiting from the decompression, it calls the set_page_encrypted() to make the page private. Add sev_snp_set_page_{private,shared}() helper that is used by the set_memory_{decrypt,encrypt}() to change the page state in the RMP table. Signed-off-by: Brijesh Singh --- arch/x86/boot/compressed/ident_map_64.c | 18 ++++++++++- arch/x86/boot/compressed/misc.h | 4 +++ arch/x86/boot/compressed/sev.c | 41 +++++++++++++++++++++++++ arch/x86/include/asm/sev-common.h | 26 ++++++++++++++++ 4 files changed, 88 insertions(+), 1 deletion(-) diff --git a/arch/x86/boot/compressed/ident_map_64.c b/arch/x86/boot/comp= ressed/ident_map_64.c index f7213d0943b8..3cf7a7575f5c 100644 --- a/arch/x86/boot/compressed/ident_map_64.c +++ b/arch/x86/boot/compressed/ident_map_64.c @@ -275,15 +275,31 @@ static int set_clr_page_flags(struct x86_mapping_in= fo *info, * Changing encryption attributes of a page requires to flush it from * the caches. */ - if ((set | clr) & _PAGE_ENC) + if ((set | clr) & _PAGE_ENC) { clflush_page(address); =20 + /* + * If the encryption attribute is being cleared, then change + * the page state to shared in the RMP table. + */ + if (clr) + snp_set_page_shared(pte_pfn(*ptep) << PAGE_SHIFT); + } + /* Update PTE */ pte =3D *ptep; pte =3D pte_set_flags(pte, set); pte =3D pte_clear_flags(pte, clr); set_pte(ptep, pte); =20 + /* + * If the encryption attribute is being set, then change the page state= to + * private in the RMP entry. The page state must be done after the PTE + * is updated. + */ + if (set & _PAGE_ENC) + snp_set_page_private(pte_pfn(*ptep) << PAGE_SHIFT); + /* Flush TLB after changing encryption attribute */ write_cr3(top_level_pgt); =20 diff --git a/arch/x86/boot/compressed/misc.h b/arch/x86/boot/compressed/m= isc.h index 23e0e395084a..01cc13c12059 100644 --- a/arch/x86/boot/compressed/misc.h +++ b/arch/x86/boot/compressed/misc.h @@ -124,6 +124,8 @@ static inline void console_init(void) void sev_enable(struct boot_params *bp); void sev_es_shutdown_ghcb(void); extern bool sev_es_check_ghcb_fault(unsigned long address); +void snp_set_page_private(unsigned long paddr); +void snp_set_page_shared(unsigned long paddr); #else static inline void sev_enable(struct boot_params *bp) { } static inline void sev_es_shutdown_ghcb(void) { } @@ -131,6 +133,8 @@ static inline bool sev_es_check_ghcb_fault(unsigned l= ong address) { return false; } +static inline void snp_set_page_private(unsigned long paddr) { } +static inline void snp_set_page_shared(unsigned long paddr) { } #endif =20 /* acpi.c */ diff --git a/arch/x86/boot/compressed/sev.c b/arch/x86/boot/compressed/se= v.c index 21feb7f4f76f..f85094dd957f 100644 --- a/arch/x86/boot/compressed/sev.c +++ b/arch/x86/boot/compressed/sev.c @@ -147,6 +147,47 @@ static bool is_vmpl0(void) return true; } =20 +static void __page_state_change(unsigned long paddr, enum psc_op op) +{ + u64 val; + + if (!sev_snp_enabled()) + return; + + /* + * If private -> shared then invalidate the page before requesting the + * state change in the RMP table. + */ + if (op =3D=3D SNP_PAGE_STATE_SHARED && pvalidate(paddr, RMP_PG_SIZE_4K,= 0)) + sev_es_terminate(SEV_TERM_SET_LINUX, GHCB_TERM_PVALIDATE); + + /* Issue VMGEXIT to change the page state in RMP table. */ + sev_es_wr_ghcb_msr(GHCB_MSR_PSC_REQ_GFN(paddr >> PAGE_SHIFT, op)); + VMGEXIT(); + + /* Read the response of the VMGEXIT. */ + val =3D sev_es_rd_ghcb_msr(); + if ((GHCB_RESP_CODE(val) !=3D GHCB_MSR_PSC_RESP) || GHCB_MSR_PSC_RESP_V= AL(val)) + sev_es_terminate(SEV_TERM_SET_LINUX, GHCB_TERM_PSC); + + /* + * Now that page is added in the RMP table, validate it so that it is + * consistent with the RMP entry. + */ + if (op =3D=3D SNP_PAGE_STATE_PRIVATE && pvalidate(paddr, RMP_PG_SIZE_4K= , 1)) + sev_es_terminate(SEV_TERM_SET_LINUX, GHCB_TERM_PVALIDATE); +} + +void snp_set_page_private(unsigned long paddr) +{ + __page_state_change(paddr, SNP_PAGE_STATE_PRIVATE); +} + +void snp_set_page_shared(unsigned long paddr) +{ + __page_state_change(paddr, SNP_PAGE_STATE_SHARED); +} + static bool do_early_sev_setup(void) { if (!sev_es_negotiate_protocol()) diff --git a/arch/x86/include/asm/sev-common.h b/arch/x86/include/asm/sev= -common.h index d426c30ae7b4..1c76b6b775cc 100644 --- a/arch/x86/include/asm/sev-common.h +++ b/arch/x86/include/asm/sev-common.h @@ -57,6 +57,32 @@ #define GHCB_MSR_AP_RESET_HOLD_REQ 0x006 #define GHCB_MSR_AP_RESET_HOLD_RESP 0x007 =20 +/* + * SNP Page State Change Operation + * + * GHCBData[55:52] - Page operation: + * 0x0001 =E2=80=93 Page assignment, Private + * 0x0002 =E2=80=93 Page assignment, Shared + */ +enum psc_op { + SNP_PAGE_STATE_PRIVATE =3D 1, + SNP_PAGE_STATE_SHARED, +}; + +#define GHCB_MSR_PSC_REQ 0x014 +#define GHCB_MSR_PSC_REQ_GFN(gfn, op) \ + /* GHCBData[55:52] */ \ + (((u64)((op) & 0xf) << 52) | \ + /* GHCBData[51:12] */ \ + ((u64)((gfn) & GENMASK_ULL(39, 0)) << 12) | \ + /* GHCBData[11:0] */ \ + GHCB_MSR_PSC_REQ) + +#define GHCB_MSR_PSC_RESP 0x015 +#define GHCB_MSR_PSC_RESP_VAL(val) \ + /* GHCBData[63:32] */ \ + (((u64)(val) & GENMASK_ULL(63, 32)) >> 32) + /* GHCB Hypervisor Feature Request/Response */ #define GHCB_MSR_HV_FT_REQ 0x080 #define GHCB_MSR_HV_FT_RESP 0x081 --=20 2.25.1