From: Jue Wang <juew@google.com>
To: Dave Hansen <dave.hansen@intel.com>
Cc: Erdem Aktas <erdemaktas@google.com>,
almasrymina@google.com, dave.hansen@linux.intel.com,
gthelen@google.com, jiaqiyan@google.com, linux-mm@kvack.org,
naoya.horiguchi@nec.com, seanjc@google.com, tony.luck@intel.com
Subject: Re: [RFC] Expose a memory poison detector ioctl to user space.
Date: Fri, 29 Apr 2022 12:46:40 -0700 [thread overview]
Message-ID: <CAPcxDJ40r7p=dmCNYA6Nvvgc0gwTiKnX71291aXa59_=D1F89A@mail.gmail.com> (raw)
In-Reply-To: <6f99684f-172c-ccf2-0be3-9aca85451079@intel.com>
Thanks Erdem and Dave, as a summary:
1. Reading via direct mapping from guest private memory should not
generate #MC and it should result in expected memory error poisoning
behavior (to be confirmed).
2. Reading via direct mapping from SEV-SNP guest private memory does
not generate #MC or #PF.
Per seanjc@google.com:
TDX doesn't support #MC exception injection, but IRQ "injection" via
posted interrupts is supported. Accesses to machine check MSRs will
#VE, i.e. can be emulated by KVM, so CMCI should work fine for TDX
guests.
Proactively scanning for memory error should benefit TDX guests
preventing potential host shutdowns.
It seems the current proposed design can cover TDX & SEV-SNP if the
direct mapping to guest private memory is preserved?
Thanks,
-Jue
On Thu, Apr 28, 2022 at 9:34 AM Dave Hansen <dave.hansen@intel.com> wrote:
>
> On 4/28/22 09:15, Erdem Aktas wrote:
> >> On 4/26/22 12:23, Jue Wang wrote:
> >>> On Tue, Apr 26, 2022 at 11:18 AM Dave Hansen <dave.hansen@intel.com> wrote:
> >> I shouldn't speak for Intel as a whole, but I'll give you my personal
> >> perspective.
> >>
> >> Right now, hosts can't scan TDX private memory, period. If you wanted
> >> to do scanning, the guest has to do it or you have to kill the guest and
> >> make the memory non-private.
> >
> > Actually, afaiu, the host can read tdx private memory. This should NOT generate
> > #MC due to integrity/TD ownership but return a fixed value of "0"s. I do not
> > know if this will also trigger #MCs due to memory errors.
>
> I think you're right, at least in the normal case where the access is
> performed with the TME KeyID. "An introductory overview of the Intel
> TDX technology"[1] says:
>
> > The TD-bit associated with the line in memory seeks to
> > detect software or devices attempting to read memory
> > encrypted with private KeyID, using a shared KeyID, to reveal
> > the ciphertext. On such accesses, the MKTME returns a fixed
> > pattern to prevent ciphertext analysis.
>
> I guess, in practice, the read would need to go all the way out to the
> memory controller to get the TD-bit. But, it's definitely not
> well-defined in the spec.
>
> 1.
> https://www.intel.com/content/www/us/en/developer/articles/technical/intel-trust-domain-extensions.html
next prev parent reply other threads:[~2022-04-29 19:46 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-25 16:34 Jue Wang
2022-04-26 15:40 ` Dave Hansen
2022-04-26 17:57 ` Jue Wang
2022-04-26 18:02 ` Jue Wang
2022-04-26 18:21 ` Dave Hansen
2022-04-26 19:25 ` Jue Wang
2022-04-26 19:52 ` Luck, Tony
2022-04-26 20:06 ` Jue Wang
2022-04-26 18:20 ` Dave Hansen
2022-04-26 19:23 ` Jue Wang
2022-04-26 19:39 ` Dave Hansen
2022-04-26 19:50 ` Jue Wang
2022-04-28 16:15 ` Erdem Aktas
2022-04-28 16:34 ` Dave Hansen
2022-04-29 19:46 ` Jue Wang [this message]
2022-04-29 21:10 ` Dave Hansen
2022-04-29 21:32 ` Jue Wang
2022-04-29 21:44 ` Jue Wang
2022-04-29 22:29 ` Dave Hansen
2022-04-29 22:53 ` Jue Wang
2022-05-02 15:30 ` Dave Hansen
2022-05-02 17:19 ` David Hildenbrand
2022-05-02 17:30 ` Jue Wang
2022-05-02 17:33 ` David Hildenbrand
2022-05-02 17:36 ` Jue Wang
2022-05-02 17:38 ` David Hildenbrand
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAPcxDJ40r7p=dmCNYA6Nvvgc0gwTiKnX71291aXa59_=D1F89A@mail.gmail.com' \
--to=juew@google.com \
--cc=almasrymina@google.com \
--cc=dave.hansen@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=erdemaktas@google.com \
--cc=gthelen@google.com \
--cc=jiaqiyan@google.com \
--cc=linux-mm@kvack.org \
--cc=naoya.horiguchi@nec.com \
--cc=seanjc@google.com \
--cc=tony.luck@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox