On 7/20/2021 2:11 AM, Joerg Roedel wrote:
I am not sure how it is implemented in TDX hardware, but for SNP the
guest _must_ _not_ double-validate or even double-invalidate memory.
In TDX it just zeroes the data. If you can tolerate zeroing it's fine.
Of course for most data that's not tolerable, but for kexec (minus
kernel itself) it is.
What I sent here is actually v2 of my proposal, v1 had a much more lazy
approach like you are proposing here. But as I learned what can happen
is this:
* Hypervisor maps GPA X to HPA A
* Guest validates GPA X
Hardware enforces that HPA A always maps to GPA X
* Hypervisor remaps GPA X to HPA B
* Guest lazily re-validates GPA X
Hardware enforces that HPA B always maps to GPA X
The situation we have now is that host pages A and B are validated for
the same guest page, and the hypervisor can switch between them at will,
without the guest being able to notice it.
I don't believe that's possible on TDX
This can open various attack vectors from the hypervisor towards the
guest, like tricking the guest into a code-path where it accidentially
reveals its secrets.
Well things would certainly easier if you had a purge interface then.
But for the kexec crash case it would be just attacks against the crash
dump, which I assume are not a real security concern. The crash kexec
mostly runs in its own memory, which doesn't need this, or is small
enough that it can be fully pre-accepted. And for the previous memory
view probably these issues are acceptable.
That leaves the non crash kexec case, but perhaps it is acceptable to
just restart the guest in such a case instead of creating complicated
and fragile new interfaces.
If the device filter is active it won't.
We are not going to pohibit dma_alloc_coherent() in SNP guests just
because we are too lazy to implement memory re-validation.
dma_alloc_coherent is of course allowed, just not freeing. Or rather if
you free you would need a pool to recycle there.
If you have anything that free coherent dma frequently the performance
would be terrible so you should probably avoid that at all costs anyways.
But since pretty much all the current IO models rely on a small number
of static bounce buffers that's not a problem.
-Andi