Date: Wed, 1 Nov 2023 07:27:23 +0100
From: Petr Tesařík
To: "Edgecombe, Rick P"
Cc: "Lutomirski, Andy", "iommu@lists.linux.dev", "dave.hansen@linux.intel.com",
 "thomas.lendacky@amd.com", "robin.murphy@arm.com", "Reshetova, Elena",
 "linux-kernel@vger.kernel.org", "mingo@redhat.com", "Christopherson,, Sean",
 "kirill.shutemov@linux.intel.com", "tglx@linutronix.de", "Yamahata, Isaku",
 "Cui, Dexuan", "mikelley@microsoft.com", "m.szyprowski@samsung.com",
 "hch@lst.de", "linux-mm@kvack.org", "hpa@zytor.com", "peterz@infradead.org",
 "bp@alien8.de", "linux-s390@vger.kernel.org",
 "sathyanarayanan.kuppuswamy@linux.intel.com", "x86@kernel.org"
Subject: Re: [PATCH 04/10] swiotlb: Use free_decrypted_pages()
Message-ID: <20231101072723.44d00721@meshulam.tesarici.cz>
In-Reply-To: <3903bbaade7ba9577da88d053b67b8bfdf0d3582.camel@intel.com>

Hi,

On Tue, 31 Oct 2023 17:29:25 +0000
"Edgecombe, Rick P" wrote:

> On Tue, 2023-10-31 at 18:13 +0100, Petr Tesařík wrote:
> > Thank you for the explanation. So, after set_memory_decrypted()
> > fails, the pages become Schroedinger-crypted, but since its true
> > state cannot be observed by the guest kernel, it stays as such
> > forever.
> >
> > Sweet.
> >
> Yes... The untrusted host (the part of the VMM TDX is defending
> against) gets to specify the return code of these operations (success
> or failure). But the coco (a general term for TDX and similar from other
> vendors) threat model doesn't include DOS. So the guest should trust
> the return code as far as trying to not crash, but not trust it in
> regards to the potential to leak data.
>
> It's a bit to ask of the callers, but the other solution we discussed
> was to panic the guest if any weirdness is observed by the VMM, in
> which case the callers would never see the error. And of course
> panicking the kernel is Bad. So that is how we arrived at this request
> of the callers. Appreciate the effort to handle it on that side.
>
>
> > Hm, should I incorporate this knowledge into a v2 of my patch and
> > address both issues?
>
> That sounds good to me! Feel free to CC me if you would like, and I can
> scrutinize it for this particular issue.

I'm sorry I missed that free_decrypted_pages() is added by the very
same series, so I cannot use it just yet. I can open-code it and let
you convert the code to the new function. You may then also want to
convert another open-coded instance further down in swiotlb_free_tlb().

In any case, there is an interdependency between the two patches, so we
should agree in which order to apply them.

Petr T
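
The handling the quoted reply asks of callers, as an added example that is not part of the original message or of the patch series: a userspace C model comparing a teardown that ignores a failed re-encryption with one that keeps the page out of the allocator. All names are hypothetical stand-ins, not kernel APIs, and it assumes the caller's response to a failed conversion is to leak the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model only; every name below is hypothetical, not a kernel API. */
enum pg_state { PG_PRIVATE, PG_SHARED, PG_UNKNOWN };
struct pg { enum pg_state state; bool on_free_list; };
#define NPAGES 4
static struct pg pool[NPAGES];

/* The host picks host_rc; on failure the guest cannot know the real state. */
static int model_set_encrypted(struct pg *p, int host_rc)
{
    p->state = host_rc ? PG_UNKNOWN : PG_PRIVATE;
    return host_rc;
}

/* Flawed teardown: return code ignored, page always returns to the allocator. */
static void free_unchecked(struct pg *p, int host_rc)
{
    (void)model_set_encrypted(p, host_rc);
    p->on_free_list = true;
}

/* Fail-closed teardown: a page that could not be re-encrypted is leaked. */
static void free_or_leak(struct pg *p, int host_rc)
{
    if (model_set_encrypted(p, host_rc) == 0)
        p->on_free_list = true;   /* otherwise it never reaches the free list */
}

/* Tear down the pool and count reusable pages that may still be host-visible. */
static size_t run(bool fail_closed)
{
    void (*teardown)(struct pg *, int) = fail_closed ? free_or_leak : free_unchecked;
    size_t exposed = 0;
    for (size_t i = 0; i < NPAGES; i++) {
        pool[i] = (struct pg){ .state = PG_SHARED, .on_free_list = false };
        int rc = (i % 2) ? -1 : 0;   /* constructed: host fails odd indices */
        teardown(&pool[i], rc);
        exposed += pool[i].on_free_list && pool[i].state != PG_PRIVATE;
    }
    return exposed;
}

int main(void)
{
    printf("unchecked: %zu exposed; fail-closed: %zu exposed\n", run(false), run(true));
    return 0;
}
```

In the model the cost of the fail-closed path is the leaked pages themselves, which matches the thread's point that denial of service is outside the threat model while data exposure is not.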