From: Vlastimil Babka <vbabka@suse.cz>
To: Chao Peng <chao.p.peng@linux.intel.com>,
kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-mm@kvack.org, linux-fsdevel@vger.kernel.org,
qemu-devel@nongnu.org
Cc: Paolo Bonzini <pbonzini@redhat.com>,
Jonathan Corbet <corbet@lwn.net>,
Sean Christopherson <seanjc@google.com>,
Vitaly Kuznetsov <vkuznets@redhat.com>,
Wanpeng Li <wanpengli@tencent.com>,
Jim Mattson <jmattson@google.com>, Joerg Roedel <joro@8bytes.org>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
x86@kernel.org, "H . Peter Anvin" <hpa@zytor.com>,
Hugh Dickins <hughd@google.com>, Jeff Layton <jlayton@kernel.org>,
"J . Bruce Fields" <bfields@fieldses.org>,
Andrew Morton <akpm@linux-foundation.org>,
Yu Zhang <yu.c.zhang@linux.intel.com>,
"Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
luto@kernel.org, jun.nakajima@intel.com, dave.hansen@intel.com,
ak@linux.intel.com, david@redhat.com
Subject: Re: [PATCH v4 01/12] mm/shmem: Introduce F_SEAL_INACCESSIBLE
Date: Mon, 7 Feb 2022 13:24:42 +0100 [thread overview]
Message-ID: <64407833-1387-0c46-c569-8b6a3db8e88c@suse.cz> (raw)
In-Reply-To: <20220118132121.31388-2-chao.p.peng@linux.intel.com>
On 1/18/22 14:21, Chao Peng wrote:
> From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
>
> Introduce a new seal F_SEAL_INACCESSIBLE indicating the content of
> the file is inaccessible from userspace through ordinary MMU access
> (e.g., read/write/mmap). However, the file content can be accessed
> via a different mechanism (e.g. KVM MMU) indirectly.
>
> It provides semantics required for KVM guest private memory support
> that a file descriptor with this seal set is going to be used as the
> source of guest memory in confidential computing environments such
> as Intel TDX/AMD SEV but may not be accessible from host userspace.
>
> At this time only shmem implements this seal.
>
> Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
> Signed-off-by: Chao Peng <chao.p.peng@linux.intel.com>
> ---
> include/uapi/linux/fcntl.h | 1 +
> mm/shmem.c | 40 ++++++++++++++++++++++++++++++++++++--
> 2 files changed, 39 insertions(+), 2 deletions(-)
>
> diff --git a/include/uapi/linux/fcntl.h b/include/uapi/linux/fcntl.h
> index 2f86b2ad6d7e..09ef34754dfa 100644
> --- a/include/uapi/linux/fcntl.h
> +++ b/include/uapi/linux/fcntl.h
> @@ -43,6 +43,7 @@
> #define F_SEAL_GROW 0x0004 /* prevent file from growing */
> #define F_SEAL_WRITE 0x0008 /* prevent writes */
> #define F_SEAL_FUTURE_WRITE 0x0010 /* prevent future writes while mapped */
> +#define F_SEAL_INACCESSIBLE 0x0020 /* prevent ordinary MMU access (e.g. read/write/mmap) to file content */
> /* (1U << 31) is reserved for signed error codes */
>
> /*
> diff --git a/mm/shmem.c b/mm/shmem.c
> index 18f93c2d68f1..72185630e7c4 100644
> --- a/mm/shmem.c
> +++ b/mm/shmem.c
> @@ -1098,6 +1098,13 @@ static int shmem_setattr(struct user_namespace *mnt_userns,
> (newsize > oldsize && (info->seals & F_SEAL_GROW)))
> return -EPERM;
>
> + if (info->seals & F_SEAL_INACCESSIBLE) {
> + if(i_size_read(inode))
Is this needed? The rest of the function seems to trust oldsize obtained by
plain reading inode->i_size well enough, so why be suddenly paranoid here?
> + return -EPERM;
> + if (newsize & ~PAGE_MASK)
> + return -EINVAL;
> + }
> +
> if (newsize != oldsize) {
> error = shmem_reacct_size(SHMEM_I(inode)->flags,
> oldsize, newsize);
> @@ -1364,6 +1371,8 @@ static int shmem_writepage(struct page *page, struct writeback_control *wbc)
> goto redirty;
> if (!total_swap_pages)
> goto redirty;
> + if (info->seals & F_SEAL_INACCESSIBLE)
> + goto redirty;
>
> /*
> * Our capabilities prevent regular writeback or sync from ever calling
> @@ -2262,6 +2271,9 @@ static int shmem_mmap(struct file *file, struct vm_area_struct *vma)
> if (ret)
> return ret;
>
> + if (info->seals & F_SEAL_INACCESSIBLE)
> + return -EPERM;
> +
> /* arm64 - allow memory tagging on RAM-based files */
> vma->vm_flags |= VM_MTE_ALLOWED;
>
> @@ -2459,12 +2471,15 @@ shmem_write_begin(struct file *file, struct address_space *mapping,
> pgoff_t index = pos >> PAGE_SHIFT;
>
> /* i_rwsem is held by caller */
> - if (unlikely(info->seals & (F_SEAL_GROW |
> - F_SEAL_WRITE | F_SEAL_FUTURE_WRITE))) {
> + if (unlikely(info->seals & (F_SEAL_GROW | F_SEAL_WRITE |
> + F_SEAL_FUTURE_WRITE |
> + F_SEAL_INACCESSIBLE))) {
> if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE))
> return -EPERM;
> if ((info->seals & F_SEAL_GROW) && pos + len > inode->i_size)
> return -EPERM;
> + if (info->seals & F_SEAL_INACCESSIBLE)
> + return -EPERM;
> }
>
> return shmem_getpage(inode, index, pagep, SGP_WRITE);
> @@ -2538,6 +2553,21 @@ static ssize_t shmem_file_read_iter(struct kiocb *iocb, struct iov_iter *to)
> end_index = i_size >> PAGE_SHIFT;
> if (index > end_index)
> break;
> +
> + /*
> + * inode_lock protects setting up seals as well as write to
> + * i_size. Setting F_SEAL_INACCESSIBLE only allowed with
> + * i_size == 0.
> + *
> + * Check F_SEAL_INACCESSIBLE after i_size. It effectively
> + * serialize read vs. setting F_SEAL_INACCESSIBLE without
> + * taking inode_lock in read path.
> + */
> + if (SHMEM_I(inode)->seals & F_SEAL_INACCESSIBLE) {
> + error = -EPERM;
> + break;
> + }
> +
> if (index == end_index) {
> nr = i_size & ~PAGE_MASK;
> if (nr <= offset)
> @@ -2663,6 +2693,12 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset,
> goto out;
> }
>
> + if ((info->seals & F_SEAL_INACCESSIBLE) &&
> + (offset & ~PAGE_MASK || len & ~PAGE_MASK)) {
Could we use PAGE_ALIGNED()?
> + error = -EINVAL;
> + goto out;
> + }
> +
> shmem_falloc.waitq = &shmem_falloc_waitq;
> shmem_falloc.start = (u64)unmap_start >> PAGE_SHIFT;
> shmem_falloc.next = (unmap_end + 1) >> PAGE_SHIFT;
next prev parent reply other threads:[~2022-02-07 12:24 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-18 13:21 [PATCH v4 00/12] KVM: mm: fd-based approach for supporting KVM guest private memory Chao Peng
2022-01-18 13:21 ` [PATCH v4 01/12] mm/shmem: Introduce F_SEAL_INACCESSIBLE Chao Peng
2022-02-07 12:24 ` Vlastimil Babka [this message]
2022-02-17 12:56 ` Chao Peng
2022-02-11 23:33 ` Andy Lutomirski
2022-02-17 13:06 ` Chao Peng
2022-02-17 19:09 ` Andy Lutomirski
2022-02-23 11:49 ` Chao Peng
2022-02-23 12:05 ` Steven Price
2022-03-04 19:24 ` Andy Lutomirski
2022-03-07 13:26 ` Chao Peng
2022-03-08 12:17 ` Paolo Bonzini
2022-01-18 13:21 ` [PATCH v4 02/12] mm/memfd: Introduce MFD_INACCESSIBLE flag Chao Peng
2022-01-21 15:50 ` Steven Price
2022-01-24 13:29 ` Chao Peng
2022-02-07 18:51 ` Vlastimil Babka
2022-02-08 8:49 ` David Hildenbrand
2022-02-08 18:22 ` Mike Rapoport
2022-01-18 13:21 ` [PATCH v4 03/12] mm: Introduce memfile_notifier Chao Peng
2022-03-07 15:42 ` Vlastimil Babka
2022-03-08 1:45 ` Chao Peng
2022-01-18 13:21 ` [PATCH v4 04/12] mm/shmem: Support memfile_notifier Chao Peng
2022-02-08 18:29 ` Mike Rapoport
2022-02-17 13:10 ` Chao Peng
2022-02-11 23:40 ` Andy Lutomirski
2022-02-17 13:23 ` Chao Peng
2022-01-18 13:21 ` [PATCH v4 05/12] KVM: Extend the memslot to support fd-based private memory Chao Peng
2022-01-18 13:21 ` [PATCH v4 06/12] KVM: Use kvm_userspace_memory_region_ext Chao Peng
2022-01-18 13:21 ` [PATCH v4 07/12] KVM: Add KVM_EXIT_MEMORY_ERROR exit Chao Peng
2022-01-18 13:21 ` [PATCH v4 08/12] KVM: Use memfile_pfn_ops to obtain pfn for private pages Chao Peng
2022-01-18 13:21 ` [PATCH v4 09/12] KVM: Handle page fault for private memory Chao Peng
2022-01-18 13:21 ` [PATCH v4 10/12] KVM: Register private memslot to memory backing store Chao Peng
2022-01-18 13:21 ` [PATCH v4 11/12] KVM: Zap existing KVM mappings when pages changed in the private fd Chao Peng
2022-01-18 13:21 ` [PATCH v4 12/12] KVM: Expose KVM_MEM_PRIVATE Chao Peng
2022-01-25 20:20 ` Maciej S. Szmigiero
2022-02-17 13:45 ` Chao Peng
2022-02-22 1:16 ` Maciej S. Szmigiero
2022-02-23 12:00 ` Chao Peng
2022-02-23 18:32 ` Maciej S. Szmigiero
2022-02-24 8:07 ` Chao Peng
2022-01-28 16:47 ` [PATCH v4 00/12] KVM: mm: fd-based approach for supporting KVM guest private memory Steven Price
2022-02-02 2:28 ` Nakajima, Jun
2022-02-02 9:23 ` Steven Price
2022-02-02 20:47 ` Nakajima, Jun
2022-02-08 18:33 ` Mike Rapoport
2022-02-17 13:47 ` Chao Peng
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=64407833-1387-0c46-c569-8b6a3db8e88c@suse.cz \
--to=vbabka@suse.cz \
--cc=ak@linux.intel.com \
--cc=akpm@linux-foundation.org \
--cc=bfields@fieldses.org \
--cc=bp@alien8.de \
--cc=chao.p.peng@linux.intel.com \
--cc=corbet@lwn.net \
--cc=dave.hansen@intel.com \
--cc=david@redhat.com \
--cc=hpa@zytor.com \
--cc=hughd@google.com \
--cc=jlayton@kernel.org \
--cc=jmattson@google.com \
--cc=joro@8bytes.org \
--cc=jun.nakajima@intel.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=kvm@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@kernel.org \
--cc=mingo@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=seanjc@google.com \
--cc=tglx@linutronix.de \
--cc=vkuznets@redhat.com \
--cc=wanpengli@tencent.com \
--cc=x86@kernel.org \
--cc=yu.c.zhang@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox