Re: [Patch v3 05/14] x86/mm: Handle decryption/re-encryption of bss_decrypted consistently

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: "Michael Kelley (LINUX)" <mikelley@xxxxxxxxxxxxx>
Subject: Re: [Patch v3 05/14] x86/mm: Handle decryption/re-encryption of bss_decrypted consistently
From: Borislav Petkov <bp@xxxxxxxxx>
Date: Mon, 28 Nov 2022 11:50:45 +0100
Cc: Sathyanarayanan Kuppuswamy <sathyanarayanan.kuppuswamy@xxxxxxxxxxxxxxx>, "hpa@xxxxxxxxx" <hpa@xxxxxxxxx>, KY Srinivasan <kys@xxxxxxxxxxxxx>, Haiyang Zhang <haiyangz@xxxxxxxxxxxxx>, "wei.liu@xxxxxxxxxx" <wei.liu@xxxxxxxxxx>, Dexuan Cui <decui@xxxxxxxxxxxxx>, "luto@xxxxxxxxxx" <luto@xxxxxxxxxx>, "peterz@xxxxxxxxxxxxx" <peterz@xxxxxxxxxxxxx>, "davem@xxxxxxxxxxxxx" <davem@xxxxxxxxxxxxx>, "edumazet@xxxxxxxxxx" <edumazet@xxxxxxxxxx>, "kuba@xxxxxxxxxx" <kuba@xxxxxxxxxx>, "pabeni@xxxxxxxxxx" <pabeni@xxxxxxxxxx>, "lpieralisi@xxxxxxxxxx" <lpieralisi@xxxxxxxxxx>, "robh@xxxxxxxxxx" <robh@xxxxxxxxxx>, "kw@xxxxxxxxx" <kw@xxxxxxxxx>, "bhelgaas@xxxxxxxxxx" <bhelgaas@xxxxxxxxxx>, "arnd@xxxxxxxx" <arnd@xxxxxxxx>, "hch@xxxxxxxxxxxxx" <hch@xxxxxxxxxxxxx>, "m.szyprowski@xxxxxxxxxxx" <m.szyprowski@xxxxxxxxxxx>, "robin.murphy@xxxxxxx" <robin.murphy@xxxxxxx>, "thomas.lendacky@xxxxxxx" <thomas.lendacky@xxxxxxx>, "brijesh.singh@xxxxxxx" <brijesh.singh@xxxxxxx>, "tglx@xxxxxxxxxxxxx" <tglx@xxxxxxxxxxxxx>, "mingo@xxxxxxxxxx" <mingo@xxxxxxxxxx>, "dave.hansen@xxxxxxxxxxxxxxx" <dave.hansen@xxxxxxxxxxxxxxx>, Tianyu Lan <Tianyu.Lan@xxxxxxxxxxxxx>, "kirill.shutemov@xxxxxxxxxxxxxxx" <kirill.shutemov@xxxxxxxxxxxxxxx>, "ak@xxxxxxxxxxxxxxx" <ak@xxxxxxxxxxxxxxx>, "isaku.yamahata@xxxxxxxxx" <isaku.yamahata@xxxxxxxxx>, "Williams, Dan J" <dan.j.williams@xxxxxxxxx>, "jane.chu@xxxxxxxxxx" <jane.chu@xxxxxxxxxx>, "seanjc@xxxxxxxxxx" <seanjc@xxxxxxxxxx>, "tony.luck@xxxxxxxxx" <tony.luck@xxxxxxxxx>, "x86@xxxxxxxxxx" <x86@xxxxxxxxxx>, "linux-kernel@xxxxxxxxxxxxxxx" <linux-kernel@xxxxxxxxxxxxxxx>, "linux-hyperv@xxxxxxxxxxxxxxx" <linux-hyperv@xxxxxxxxxxxxxxx>, "netdev@xxxxxxxxxxxxxxx" <netdev@xxxxxxxxxxxxxxx>, "linux-pci@xxxxxxxxxxxxxxx" <linux-pci@xxxxxxxxxxxxxxx>, "linux-arch@xxxxxxxxxxxxxxx" <linux-arch@xxxxxxxxxxxxxxx>, "iommu@xxxxxxxxxxxxxxx" <iommu@xxxxxxxxxxxxxxx>
In-reply-to: <BYAPR21MB168873879B0EEF71DED3D460D70D9@BYAPR21MB1688.namprd21.prod.outlook.com>
References: <1668624097-14884-1-git-send-email-mikelley@microsoft.com> <1668624097-14884-6-git-send-email-mikelley@microsoft.com> <01d7c7cc-bd4e-ee9b-f5b2-73ea367e602f@linux.intel.com> <BYAPR21MB1688A31ED795ED1B5ACB6D26D7099@BYAPR21MB1688.namprd21.prod.outlook.com> <Y3uNj0z26EjkHeCn@zn.tnic> <6b5129cf-6986-bbb1-7e60-37849fc383fc@linux.intel.com> <BYAPR21MB168873879B0EEF71DED3D460D70D9@BYAPR21MB1688.namprd21.prod.outlook.com>

On Tue, Nov 22, 2022 at 05:59:04PM +0000, Michael Kelley (LINUX) wrote:
> Right.  But here's my point:  With current code and an image built with
> CONFIG_AMD_MEM_ENCRYPT=y and running as a TDX guest,
> sme_postprocess_startup() will not decrypt the bss_decrypted section.
> Then later mem_encrypt_free_decrypted_mem() will run, see that
> CC_ATTR_MEM_ENCRYPT is true, and try to re-encrypt the memory.
> In other words, a TDX guest would break in the same way as a Hyper-V
> vTOM guest would break.  This patch fixes the problem for both cases.

I guess making the check more concrete by checking sme_me_mask directly
along with a comment makes sense.

We need to be very careful here not to fragment the code too much for
all the different guest types.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

References:
- [Patch v3 00/14] Add PCI pass-thru support to Hyper-V Confidential VMs
  - From: Michael Kelley
- [Patch v3 05/14] x86/mm: Handle decryption/re-encryption of bss_decrypted consistently
  - From: Michael Kelley
- Re: [Patch v3 05/14] x86/mm: Handle decryption/re-encryption of bss_decrypted consistently
  - From: Sathyanarayanan Kuppuswamy
- RE: [Patch v3 05/14] x86/mm: Handle decryption/re-encryption of bss_decrypted consistently
  - From: Michael Kelley (LINUX)
- Re: [Patch v3 05/14] x86/mm: Handle decryption/re-encryption of bss_decrypted consistently
  - From: Borislav Petkov
- Re: [Patch v3 05/14] x86/mm: Handle decryption/re-encryption of bss_decrypted consistently
  - From: Sathyanarayanan Kuppuswamy
- RE: [Patch v3 05/14] x86/mm: Handle decryption/re-encryption of bss_decrypted consistently
  - From: Michael Kelley (LINUX)

Prev by Date: Re: [PATCH V2 3/3] SH: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK
Next by Date: Re: [Patch v3 05/14] x86/mm: Handle decryption/re-encryption of bss_decrypted consistently
Previous by thread: RE: [Patch v3 05/14] x86/mm: Handle decryption/re-encryption of bss_decrypted consistently
Next by thread: RE: [Patch v3 05/14] x86/mm: Handle decryption/re-encryption of bss_decrypted consistently
Index(es):
- Date
- Thread

[Index of Archives] [Linux Kernel] [Kernel Newbies] [x86 Platform Driver] [Netdev] [Linux Wireless] [Netfilter] [Bugtraq] [Linux Filesystems] [Yosemite Discussion] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Samba] [Device Mapper]