Re: [PATCH kernel] KVM: SVM: Fix SVM_VMGEXIT_EXT_GUEST_REQUEST to follow the rest of API

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello Alexey,

On 2/6/2023 7:24 PM, Alexey Kardashevskiy wrote:


On 07/02/2023 08:57, Kalra, Ashish wrote:
On 2/5/2023 9:13 PM, Alexey Kardashevskiy wrote:
When SVM VM is up, KVM uses sev_issue_cmd_external_user() with an open
/dev/sev fd which ensures that the SVM initialization was done correctly. The only helper not following the scheme is snp_guest_ext_guest_request()
which bypasses the fd check.

Change the SEV API to require passing a file.

Handle errors with care in the SNP Extended Guest Request handler
(snp_handle_ext_guest_request()) as there are actually 3 types of errors:
- @rc: return code SEV device's sev_issue_cmd() which is int==int32;
- @err: a psp return code in sev_issue_cmd(), also int==int32 (probably
a mistake but kvm_sev_cmd::error uses __u32 for some time now);
- (added by this) @exitcode: GHCB's exit code sw_exit_info_2, uint64.

Use the right types, remove cast to int* and return ENOSPC from SEV
device for converting it to the GHCB's exit code
SNP_GUEST_REQ_INVALID_LEN==BIT(32).

Fixes: 17f1d0c995ac ("KVM: SVM: Provide support for SNP_GUEST_REQUEST NAE event")
While at this, preserve the original error in snp_cleanup_guest_buf().

Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxx>
---

This can easily be squashed into what it fixes.

The patch is made for
https://github.com/AMDESE/linux/commits/upmv10-host-snp-v7-rfc
---
  include/linux/psp-sev.h      | 62 +++++++++++---------
  arch/x86/kvm/svm/sev.c       | 50 +++++++++++-----
  drivers/crypto/ccp/sev-dev.c | 11 ++--
  3 files changed, 73 insertions(+), 50 deletions(-)

diff --git a/include/linux/psp-sev.h b/include/linux/psp-sev.h
index 970a9de0ed20..466b1a6e7d7b 100644
--- a/include/linux/psp-sev.h
+++ b/include/linux/psp-sev.h
@@ -848,6 +848,36 @@ int sev_platform_status(struct sev_user_data_status *status, int *error);
  int sev_issue_cmd_external_user(struct file *filep, unsigned int id,
                  void *data, int *error);
+/**
+ * sev_issue_cmd_external_user_cert - issue SEV command by other driver with a file + * handle and return certificates set onto SEV device via SNP_SET_EXT_CONFIG;
+ * intended for use by the SNP extended guest request command defined
+ * in the GHCB specification.
+ *
+ * @filep - SEV device file pointer
+ * @cmd - command to issue
+ * @data - command buffer
+ * @vaddr: address where the certificate blob need to be copied.
+ * @npages: number of pages for the certificate blob.
+ *    If the specified page count is less than the certificate blob size, then the
+ *    required page count is returned with ENOSPC error code.
+ *    If the specified page count is more than the certificate blob size, then + *    page count is updated to reflect the amount of valid data copied in the
+ *    vaddr.
+ *
+ * @error: SEV command return code
+ *
+ * Returns:
+ * 0 if the sev successfully processed the command
+ * -%ENODEV    if the sev device is not available
+ * -%ENOTSUPP  if the sev does not support SEV
+ * -%ETIMEDOUT if the sev command timed out
+ * -%EIO       if the sev returned a non-zero return code
+ * -%ENOSPC    if the specified page count is too small
+ */
+int sev_issue_cmd_external_user_cert(struct file *filep, unsigned int cmd, void *data, +                     unsigned long vaddr, unsigned long *npages, int *error);
+
  /**
   * sev_guest_deactivate - perform SEV DEACTIVATE command
   *
@@ -945,32 +975,6 @@ void snp_free_firmware_page(void *addr);
   */
  void snp_mark_pages_offline(unsigned long pfn, unsigned int npages);
-/**
- * snp_guest_ext_guest_request - perform the SNP extended guest request command
- *  defined in the GHCB specification.
- *
- * @data: the input guest request structure
- * @vaddr: address where the certificate blob need to be copied.
- * @npages: number of pages for the certificate blob.
- *    If the specified page count is less than the certificate blob size, then the - *    required page count is returned with error code defined in the GHCB spec. - *    If the specified page count is more than the certificate blob size, then - *    page count is updated to reflect the amount of valid data copied in the
- *    vaddr.
- *
- * @sev_ret: sev command return code
- *
- * Returns:
- * 0 if the sev successfully processed the command
- * -%ENODEV    if the sev device is not available
- * -%ENOTSUPP  if the sev does not support SEV
- * -%ETIMEDOUT if the sev command timed out
- * -%EIO       if the sev returned a non-zero return code
- */
-int snp_guest_ext_guest_request(struct sev_data_snp_guest_request *data,
-                unsigned long vaddr, unsigned long *npages,
-                unsigned long *error);
-
  #else    /* !CONFIG_CRYPTO_DEV_SP_PSP */
  static inline int
@@ -1013,9 +1017,9 @@ static inline void *snp_alloc_firmware_page(gfp_t mask)
  static inline void snp_free_firmware_page(void *addr) { }
-static inline int snp_guest_ext_guest_request(struct sev_data_snp_guest_request *data,
-                          unsigned long vaddr, unsigned long *n,
-                          unsigned long *error)
+static inline int sev_issue_cmd_external_user_cert(struct file *filep, unsigned int cmd,
+                           void *data, unsigned long vaddr,
+                           unsigned long *npages, int *error)
  {
      return -ENODEV;
  }
diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index d0e58cffd1ed..b268c35efab4 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -394,6 +394,23 @@ static int sev_issue_cmd(struct kvm *kvm, int id, void *data, int *error)
      return __sev_issue_cmd(sev->fd, id, data, error);
  }
+static int sev_issue_cmd_cert(struct kvm *kvm, int id, void *data,
+                  unsigned long vaddr, unsigned long *npages, int *error)
+{
+    struct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info;
+    struct fd f;
+    int ret;
+
+    f = fdget(sev->fd);
+    if (!f.file)
+        return -EBADF;
+
+    ret = sev_issue_cmd_external_user_cert(f.file, id, data, vaddr, npages, error);
+
+    fdput(f);
+    return ret;
+}
+
  static int sev_launch_start(struct kvm *kvm, struct kvm_sev_cmd *argp)
  {
      struct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info;
@@ -3587,11 +3604,11 @@ static void snp_cleanup_guest_buf(struct sev_data_snp_guest_request *data, unsig
      int ret;
      ret = snp_page_reclaim(pfn);
-    if (ret)
+    if (ret && (*rc == SEV_RET_SUCCESS))
          *rc = SEV_RET_INVALID_ADDRESS;
      ret = rmp_make_shared(pfn, PG_LEVEL_4K);
-    if (ret)
+    if (ret && (*rc == SEV_RET_SUCCESS))
          *rc = SEV_RET_INVALID_ADDRESS;
  }

I believe we need to fix this as per the GHCB specifications.

As per GHCB 2.0 specifications:

SW_EXITINFO2
...
State from Hypervisor: Upper
32-bits (63:32) will contain the
return code from the hypervisor.
Lower 32-bits (31:0) will contain
the return code from the firmware
call (0 = success)

So i believe the FW error code (which is the FW error code from SNP_GUEST_REQUEST or *rc here) should be contained in the lower 32-bits and the error code being returned back due to response buffer pages reclaim failure and/or failure to transisition these pages back to shared state is basically hypervisor (error) return code and that should be returned in the upper 32-bit of the exitinfo.

There is work in progress to check conformance of SNP v7 patches to GHCB 2.0 specifications, so probably this fix can be included as part of those patches.

Yes, please :)


Yes, will address this in the GHCB specs conformance patch-set for SNP as per the following revisions of the GHCB specs:

The SNP Guest Request and SNP Extended Guest Request have been updated to expand on the use of the SW_EXITINFO2 return value to better allow for the hypervisor to return error codes.



@@ -3638,8 +3655,9 @@ static void snp_handle_ext_guest_request(struct vcpu_svm *svm, gpa_t req_gpa, gp
      struct kvm *kvm = vcpu->kvm;
      unsigned long data_npages;
      struct kvm_sev_info *sev;
-    unsigned long rc, err;

This needs to be looked at more carefully. The SEV firmware status code is defined as 32-bit, but is being handled as unsigned long in the KVM/SNP code and as int in the CCP driver. So this needs to be fixed consistently across,

Ultimately it should be explicit u32 in SEV and u64 in GHCB because PSP and GHCB are binary interfaces and the sizes should be explicit. Error codes between KVM and CCP can be anything (unsigned long, u64) as it is the same binary.


Again, as lower 32-bits (31:0) of SW_EXITINFO2 is supposed to be set
to the return code from the firmware, so this should also be u32 in GHCB and same in KVM/SNP code.

 > snp_setup_guest_buf() return value will need to be
fixed accordingly.

+    unsigned long exitcode;
      u64 data_gpa;
+    int err, rc;
      if (!sev_snp_guest(vcpu->kvm)) {
          rc = SEV_RET_INVALID_GUEST;
@@ -3669,17 +3687,16 @@ static void snp_handle_ext_guest_request(struct vcpu_svm *svm, gpa_t req_gpa, gp
       */
      if (sev->snp_certs_len) {
          if ((data_npages << PAGE_SHIFT) < sev->snp_certs_len) {
-            rc = -EINVAL;
-            err = SNP_GUEST_REQ_INVALID_LEN;
+            rc = -ENOSPC;

Why do we need to introduce ENOSPC error code?

To distinguish it from other errors and return SNP_GUEST_REQ_INVALID_LEN when needed (the commit log mentions this).


If we continue to use SNP_GUEST_REQ_INVALID_LEN we don't need to map ENOSPC to SNP_GUEST_REQ_INVALID_LEN below. And the CCP driver can return SNP_GUEST_REQ_INVALID_LEN as earlier via the fw_err parameter.

imho this is a bad idea.

SNP_GUEST_REQ_INVALID_LEN is defined in the GHCB spec and GHCB is between KVM and VM, /dev/sev is neither GHCB nor KVM. err here is for the firmware errors but SNP_GUEST_REQ_INVALID_LEN is not from the firmware and for not-from-the-firmware-errors we already have "return rc" so lets just use that. Also err is 32bit across the place, in things like sev_issue_cmd() and then there is this ugly cast to int*. Thanks,


Ok, that does make sense.

Thanks,
Ashish



[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]
  Powered by Linux