From: Dave Hansen
Date: Mon, 12 Jun 2023 09:40:48 -0700
Subject: Re: [PATCH RFC v9 13/51] x86/fault: Handle RMP page faults for user addresses
To: Michael Roth, kvm@vger.kernel.org
In-Reply-To: <20230612042559.375660-14-michael.roth@amd.com>

On 6/11/23 21:25, Michael Roth wrote:
> From: Brijesh Singh
>
> When SEV-SNP is enabled globally, a write from the host is subject to
> checks performed by the hardware against the RMP table (APM2 15.36.10)
> at the end of a page walk:
>
> 1. Assigned bit in the RMP table is not set (i.e page is shared).
> 2. Immutable bit in the RMP table is not set.
> 3. If the page table entry that gives the sPA indicates that the
> target page size is a large page, then all RMP entries for the 4KB
> constituting pages of the target must have the assigned bit 0.
>
> Nothing constructive can come of an attempt by userspace to violate case
> 1) (which will result in writing garbage due to page encryption) or case
> 2) (userspace should not ever need or be allowed to write to a page that
> the host has specifically needed to mark immutable).

What does this _mean_? If nothing constructive can come of it, what
does that mean for the kernel?

> Case 3) is dependent on the hypervisor. In case of KVM, due to how
> shared/private pages are partitioned into separate memory pools via
> restricted/guarded memory, there should never be a case where a page in
> the private pool overlaps with a shared page: either it is a
> hugepage-sized allocation and all the sub-pages are private, or it is a
> single-page allocation, in which case it cannot overlap with anything
> but itself.
>
> Therefore, for all 3 cases, it is appropriate to simply kill the
> userspace process if it ever generates an RMP #PF. Implement that logic
> here.
...
> + if (error_code & X86_PF_RMP) {
> + pr_err("Unexpected RMP page fault for address 0x%lx, terminating process\n",
> + address);
> + do_sigbus(regs, error_code, address, VM_FAULT_SIGBUS);
> + return;
> + }
> +

This is special-snowflake code. You're making the argument that an RMP
fault is a special snowflake and needs special handling.

Why should an RMP violation be any different than, say a write to a
read-only page (that also ends in signal delivery)?

I kinda dislike the entire changelog here. I really don't know what
point it's making or what it is arguing.
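
Review bot: The pr_err() inside the `if (error_code & X86_PF_RMP)` branch is unconditional and not rate-limited, while the changelog says this branch is reached by a userspace write, so a process that keeps faulting (or is restarted in a loop) can fill the kernel log at will. Consider pr_err_ratelimited(), or dropping the message and relying on the SIGBUS itself. The branch also has no comment saying why an RMP fault on a user address is treated as unrecoverable rather than going through the normal fault path; the three cases from the changelog belong in a short comment above the check so the reasoning survives next to the code.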