Re: [RFC Part1 PATCH 06/13] x86/compressed: rescinds and validate the memory used for the GHCB

From: Tom Lendacky
Date: Tue Apr 06 2021 - 15:42:51 EST

Next message: kernel test robot: "include/linux/fortify-string.h:27:30: warning: '__builtin_strncpy' output truncated before terminating nul copying 11 bytes from a string of the same length"
Previous message: Steve Rutherford: "Re: [PATCH v11 10/13] KVM: x86: Introduce new KVM_FEATURE_SEV_LIVE_MIGRATION feature & Custom MSR."
In reply to: Brijesh Singh: "Re: [RFC Part1 PATCH 06/13] x86/compressed: rescinds and validate the memory used for the GHCB"
Next in thread: Borislav Petkov: "Re: [RFC Part1 PATCH 06/13] x86/compressed: rescinds and validate the memory used for the GHCB"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 4/6/21 10:47 AM, Brijesh Singh wrote:
>
> On 4/6/21 5:33 AM, Borislav Petkov wrote:
>> On Wed, Mar 24, 2021 at 11:44:17AM -0500, Brijesh Singh wrote:
>>

...

>> *Any* and *all* page state changes which fail immediately terminate a
>> guest? Why?
>
>
> The hypervisor uses the RMPUPDATE instruction to add the pages in the
> RMP table. If RMPUPDATE fails, then it will be communicated to the
> guest. Now its up to guest on what it wants to do. I choose to terminate
> because guest can't resolve this step on its own. It needs help from the
> hypervisor and hypervisor has bailed on it. Depending on request type,
> the next step will either fail or we go into infinite loop. Lets
> consider an example:
>
> 1. Guest asked to add a page as a private in RMP table.
>
> 2. Hypervisor fail to add the page in the RMP table and return an error.
>
> 3. Guest ignored the error code and moved to the step to validate the page.
>
> 4. The page validation instruction expects that page must be added in
> the RMP table. In our case the page was not added in the RMP table. So
> it will cause #NPF (rmp violation).
>
> 5. On #NPF, hypervisor will try adding the page as private but it will
> fail (same as #2). This will keep repeating and guest will not make any
> progress.
>
> I choose to return "void" from page_state_change() because caller can't
> do anything with error code. Some of the failure may have security
> implication, terminate the guest as soon as we detect an error condition.
>
>
>> Then, how do we communicate this to the guest user what has happened?
>>
>> Can GHCB_SEV_ES_REASON_GENERAL_REQUEST be something special like
>>
>> GHCB_SEV_ES_REASON_PSC_FAILURE
>>
>> or so, so that users know what has happened?
>
>
> Current GHCB does not have special code for this. But I think Linux
> guest can define a special code which can be used to indicate the
> termination reason.
>
> Tom,
>
> Any other suggestion ?

The GHCB spec only defines the "0" reason code set. We could provide Linux
it's own reason code set with some more specific reason codes for
failures, if that is needed.

Thanks,
Tom

>
>
>>

Next message: kernel test robot: "include/linux/fortify-string.h:27:30: warning: '__builtin_strncpy' output truncated before terminating nul copying 11 bytes from a string of the same length"
Previous message: Steve Rutherford: "Re: [PATCH v11 10/13] KVM: x86: Introduce new KVM_FEATURE_SEV_LIVE_MIGRATION feature & Custom MSR."
In reply to: Brijesh Singh: "Re: [RFC Part1 PATCH 06/13] x86/compressed: rescinds and validate the memory used for the GHCB"
Next in thread: Borislav Petkov: "Re: [RFC Part1 PATCH 06/13] x86/compressed: rescinds and validate the memory used for the GHCB"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]