Re: [RFC v2-fix 1/1] x86/tdx: Handle in-kernel MMIO

[Andi Kleen]

On 5/18/2021 8:00 AM, Dave Hansen wrote:
> On 5/17/21 5:48 PM, Kuppuswamy Sathyanarayanan wrote:
> > From: "Kirill A. Shutemov" <kirill.shutemov@xxxxxxxxxxxxxxx>
> >
> > In traditional VMs, MMIO tends to be implemented by giving a
> > guest access to a mapping which will cause a VMEXIT on access.
> > That's not possible in TDX guest.
> Why is it not possible?

For once the TDX module doesn't support uncached mappings (IgnorePAT is 
always 1)




> > For now we only handle a subset of instructions that the kernel
> > uses for MMIO operations. User-space access triggers SIGBUS.
> How do you know which instructions the kernel uses?

They're all in MMIO macros.


>   How do you know
> that the compiler won't change them?

The macros try hard to prevent that because it would likely break real 
MMIO too.

Besides it works for others, like AMD-SEV today and of course all the 
hypervisors that do the same.




> That sounds like something objective we can measure.  Does this cost 1
> byte of extra text per readl/writel?  10?  100?

Alternatives are at least a pointer, but also the extra alternative 
code. It's definitely more than 10, I would guess 40+



> I thought there were more than a few ways that userspace could get
> access to MMIO mappings.

Yes and they will all fault in TDX guests.


> > +	if (user_mode(regs)) {
> > +		pr_err("Unexpected user-mode MMIO access.\n");
> > +		force_sig_fault(SIGBUS, BUS_ADRERR, (void __user *) ve->gla);
> 						       extra space ^
>
> Is a non-ratelimited pr_err() appropriate here?  I guess there shouldn't
> be any MMIO passthrough to userspace on these systems.
Yes rate limiting makes sense.