From: Rick Edgecombe
To: x86@kernel.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com, luto@kernel.org, peterz@infradead.org, kirill.shutemov@linux.intel.com, elena.reshetova@intel.com, isaku.yamahata@intel.com, seanjc@google.com, Michael Kelley, thomas.lendacky@amd.com, decui@microsoft.com, sathyanarayanan.kuppuswamy@linux.intel.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org
Cc: rick.p.edgecombe@intel.com, "K. Y. Srinivasan", Haiyang Zhang, Wei Liu, linux-hyperv@vger.kernel.org
Subject: [RFC 08/10] hv: Track decrypted status in vmbus_gpadl
Date: Tue, 17 Oct 2023 13:25:03 -0700
Message-Id: <20231017202505.340906-9-rick.p.edgecombe@intel.com>
In-Reply-To: <20231017202505.340906-1-rick.p.edgecombe@intel.com>

On TDX it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues.

In order to make sure callers of vmbus_establish_gpadl() and vmbus_teardown_gpadl() don't return decrypted/shared pages to allocators, add a field in struct vmbus_gpadl to keep track of the decryption status of the buffers. This will allow the callers to know if they should free or leak the pages.

Only compile tested.

Cc: "K. Y. Srinivasan"
Cc: Haiyang Zhang
Cc: Wei Liu
Cc: Dexuan Cui
Cc: linux-hyperv@vger.kernel.org
Signed-off-by: Rick Edgecombe
--- drivers/hv/channel.c | 11 ++++++++--- include/linux/hyperv.h | 1 + 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c index 1ad8f7fabe06..0a7dcbb48140 100644 --- a/drivers/hv/channel.c +++ b/drivers/hv/channel.c @@ -479,6 +479,7 @@ static int __vmbus_establish_gpadl(struct vmbus_channel *channel, ret = set_memory_decrypted((unsigned long)kbuffer, PFN_UP(size)); if (ret) { + gpadl->decrypted = false; dev_warn(&channel->device_obj->device, "Failed to set host visibility for new GPADL %d.\n", ret); @@ -551,6 +552,7 @@ static int __vmbus_establish_gpadl(struct vmbus_channel *channel, gpadl->gpadl_handle = gpadlmsg->gpadl; gpadl->buffer = kbuffer; gpadl->size = size; + gpadl->decrypted = true; cleanup: @@ -564,9 +566,10 @@ static int __vmbus_establish_gpadl(struct vmbus_channel *channel, kfree(msginfo); - if (ret) - set_memory_encrypted((unsigned long)kbuffer, - PFN_UP(size)); + if (ret) { + if (set_memory_encrypted((unsigned long)kbuffer, PFN_UP(size))) + gpadl->decrypted = false; + } return ret; } @@ -887,6 +890,8 @@ int vmbus_teardown_gpadl(struct vmbus_channel *channel, struct vmbus_gpadl *gpad if (ret) pr_warn("Fail to set mem host visibility in GPADL teardown %d.\n", ret); + gpadl->decrypted = ret; + return ret; } EXPORT_SYMBOL_GPL(vmbus_teardown_gpadl); diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h index 2b00faf98017..5bac136c268c 100644 --- a/include/linux/hyperv.h +++ b/include/linux/hyperv.h 
@@ -812,6 +812,7 @@ struct vmbus_gpadl { u32 gpadl_handle; u32 size; void *buffer; + bool decrypted; }; struct vmbus_channel { -- 2.34.1
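
Review bot: In the first drivers/hv/channel.c hunk (@@ -479,6 +479,7), setting `gpadl->decrypted = false;` when set_memory_decrypted() fails contradicts the commit message, which says a failed conversion on TDX can return an error and still leave the memory shared. With the flag false, a caller following the new free-or-leak rule would hand pages of unknown state back to the allocator. Consider setting the flag to true before the call and leaving it true on this error path, so the failure case leaks instead of frees.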
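
Review bot: In the cleanup hunk of __vmbus_establish_gpadl() (@@ -564,9 +566,10), the test on set_memory_encrypted() looks inverted: `gpadl->decrypted = false;` runs when re-encryption fails (non-zero return), which is the one case where the buffer may still be shared. The flag is also only set to true immediately above the `cleanup:` label (@@ -551,6 +552,7), so an error path that jumps to the label never sets it. Suggest marking the buffer decrypted as soon as set_memory_decrypted() succeeds and clearing it here only on success, e.g. `if (!set_memory_encrypted((unsigned long)kbuffer, PFN_UP(size))) gpadl->decrypted = false;`.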
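
Review bot: In vmbus_teardown_gpadl() (@@ -887,6 +890,8), `gpadl->decrypted = ret;` stores an int error code in a bool and relies on implicit conversion to mean "still decrypted if the visibility change failed". Make the intent explicit, for example `gpadl->decrypted = !!ret;` or an assignment inside the existing `if (ret)` branch, and add a comment saying that a failure leaves the pages possibly shared so the caller must not free them.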
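
Review bot: The new `bool decrypted;` member of struct vmbus_gpadl (@@ -812,6 +812,7 in include/linux/hyperv.h) has no comment, yet the commit message makes it the contract callers use to decide between freeing and leaking pages. Document on the field what true means (the buffer may still be shared with the host and must not go back to the allocator) and which functions update it.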