From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Michael S. Tsirkin" Subject: Re: [PATCH v5 16/16] x86/tdx: Add cmdline option to force use of ioremap_host_shared Date: Fri, 15 Oct 2021 02:57:16 -0400 Message-ID: <20211015024923-mutt-send-email-mst@kernel.org> References: <20211009070132-mutt-send-email-mst@kernel.org> <8c906de6-5efa-b87a-c800-6f07b98339d0@linux.intel.com> <20211011075945-mutt-send-email-mst@kernel.org> <9d0ac556-6a06-0f2e-c4ff-0c3ce742a382@linux.intel.com> <20211011142330-mutt-send-email-mst@kernel.org> <4fe8d60a-2522-f111-995c-dcbefd0d5e31@linux.intel.com> <20211012165705-mutt-send-email-mst@kernel.org> <20211012171846-mutt-send-email-mst@kernel.org> Mime-Version: 1.0 Return-path: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1634281047; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=XrPIV2fprNlCi1MFN3D9uad/uIU7Ev00FM5PU9k9D8g=; b=Qgf3GGlyDPnKnoFaLjOTrOZm7VTVos1S2qv4K1YAPtP16vSr5ZcPliY+Erzkw/LFbGJyMM O0o10K9RxcMAy0BxIwkOOR/2NtqjFsGvegTxHuARb95ZSuQ+QtuAb4u3sFrYAv4gbG/vIQ odEEJSY/4+Xac8edmRAcoM9xlwdtz+g= Content-Disposition: inline In-Reply-To: List-ID: Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: Andi Kleen Cc: Kuppuswamy Sathyanarayanan , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Peter Zijlstra , Andy Lutomirski , Bjorn Helgaas , Richard Henderson , Thomas Bogendoerfer , James E J Bottomley , Helge Deller , "David S . Miller" , Arnd Bergmann , Jonathan Corbet , Paolo Bonzini , David Hildenbrand , Andrea Arcangeli , Josh Poimboeuf , Peter H Anvin On Thu, Oct 14, 2021 at 10:50:59PM -0700, Andi Kleen wrote: > > > I thought you basically create an OperationRegion of SystemMemory type, > > and off you go. Maybe the OSPM in Linux is clever and protects > > some memory, I wouldn't know. > > > I investigated this now, and it looks like acpi is using ioremap_cache(). We > can hook into that and force non sharing. It's probably safe to assume that > this is not used on real IO devices. > > I think there are still some other BIOS mappings that use just plain > ioremap() though. > > > -Andi Hmm don't you mean the reverse? If you make ioremap shared then OS is protected from malicious ACPI? If you don't make it shared then malicious ACPI can poke at arbitrary OS memory. Looks like making ioremap non shared by default is actually less safe than shared. Interesting. For BIOS I suspect there's no way around it, it needs to be audited since it's executable. -- MST From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 14C87C433F5 for ; Fri, 15 Oct 2021 06:57:30 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id E8462611BD for ; Fri, 15 Oct 2021 06:57:29 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235801AbhJOG7f (ORCPT ); Fri, 15 Oct 2021 02:59:35 -0400 Received: from us-smtp-delivery-124.mimecast.com ([216.205.24.124]:22155 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235796AbhJOG7e (ORCPT ); Fri, 15 Oct 2021 02:59:34 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1634281048; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=XrPIV2fprNlCi1MFN3D9uad/uIU7Ev00FM5PU9k9D8g=; b=GwGEbBaFXzzU9REDj1BMs3OjLs1HY0aJfHc/a+BJs6vuO0yix4OQclcAkiHiv1kYUhz722 xAFnGbVhG5my5OxhrPr3N3g1lTb8X+zidtpCKY67Q5trfQw/4cSbUyo/+jWUMFt9aJnieF CKM+HW1fLTN7z2tsVptUIFJFqhBauno= Received: from mail-ed1-f70.google.com (mail-ed1-f70.google.com [209.85.208.70]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-187-g_a5Qgx3PwKStO2Oaqhd0Q-1; Fri, 15 Oct 2021 02:57:26 -0400 X-MC-Unique: g_a5Qgx3PwKStO2Oaqhd0Q-1 Received: by mail-ed1-f70.google.com with SMTP id cy14-20020a0564021c8e00b003db8c9a6e30so7379404edb.1 for ; Thu, 14 Oct 2021 23:57:26 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=XrPIV2fprNlCi1MFN3D9uad/uIU7Ev00FM5PU9k9D8g=; b=atyzy3CinY9W4Nozfq4oqQ4W80bxjWcKmFfuQ2Vels4xRcNlj1ZV/pKiuIBzLuh1na 4CkuN961YX7JYoOodF8a9D/34oJTBJnp6iJN14zHCVnoJwE+VhaLDJtOpTZsymKvOa7n j21SXmCF2WCWHlXTYh5lE4nPPkH6bjBBzKR1SsFLXY0iGQm11yRVkG9kOrnoQDSzxbKT vv+eK68LIwMzA/AT+RvBPQfvDPoQZP6XGIqwjm3ngIjxyS9zt5Er/EjHz/2rfe1y1upv GwnFkUQAuYuqapT+Sa98asVsLxb29Ltk9yGVtVKKOHcqQNvWxrU2BkGhbeSHi7+/vG4y zbyw== X-Gm-Message-State: AOAM533zxtLkeFOOGnmu5EBRr9PQq2NGjXT/M0IFO5YdTGKM02+dtDtP 1MMFEcpfT9FWb6T5LS2cCrVL3c4TqN9aDDSJS/c26hO3/Pc454QEaUYOx0Rno7UahyumrNw511V KYP2WP8O6WKCzP4p3H+NoxA== X-Received: by 2002:a05:6402:447:: with SMTP id p7mr15322737edw.261.1634281045395; Thu, 14 Oct 2021 23:57:25 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw3wsrR7axiFHmfph2bLnxYqxO8ciYC1BIDrnzojSmvwa6tk0pkkVI5pGdF1DtDsbmx8LCmYQ== X-Received: by 2002:a05:6402:447:: with SMTP id p7mr15322726edw.261.1634281045218; Thu, 14 Oct 2021 23:57:25 -0700 (PDT) Received: from redhat.com ([2.55.1.196]) by smtp.gmail.com with ESMTPSA id e11sm4094212edl.70.2021.10.14.23.57.18 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 14 Oct 2021 23:57:24 -0700 (PDT) Date: Fri, 15 Oct 2021 02:57:16 -0400 From: "Michael S. Tsirkin" To: Andi Kleen Cc: Kuppuswamy Sathyanarayanan , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Peter Zijlstra , Andy Lutomirski , Bjorn Helgaas , Richard Henderson , Thomas Bogendoerfer , James E J Bottomley , Helge Deller , "David S . Miller" , Arnd Bergmann , Jonathan Corbet , Paolo Bonzini , David Hildenbrand , Andrea Arcangeli , Josh Poimboeuf , Peter H Anvin , Dave Hansen , Tony Luck , Dan Williams , Kirill Shutemov , Sean Christopherson , Kuppuswamy Sathyanarayanan , x86@kernel.org, linux-kernel@vger.kernel.org, linux-pci@vger.kernel.org, linux-alpha@vger.kernel.org, linux-mips@vger.kernel.org, linux-parisc@vger.kernel.org, sparclinux@vger.kernel.org, linux-arch@vger.kernel.org, linux-doc@vger.kernel.org, virtualization@lists.linux-foundation.org Subject: Re: [PATCH v5 16/16] x86/tdx: Add cmdline option to force use of ioremap_host_shared Message-ID: <20211015024923-mutt-send-email-mst@kernel.org> References: <20211009070132-mutt-send-email-mst@kernel.org> <8c906de6-5efa-b87a-c800-6f07b98339d0@linux.intel.com> <20211011075945-mutt-send-email-mst@kernel.org> <9d0ac556-6a06-0f2e-c4ff-0c3ce742a382@linux.intel.com> <20211011142330-mutt-send-email-mst@kernel.org> <4fe8d60a-2522-f111-995c-dcbefd0d5e31@linux.intel.com> <20211012165705-mutt-send-email-mst@kernel.org> <20211012171846-mutt-send-email-mst@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-arch@vger.kernel.org On Thu, Oct 14, 2021 at 10:50:59PM -0700, Andi Kleen wrote: > > > I thought you basically create an OperationRegion of SystemMemory type, > > and off you go. Maybe the OSPM in Linux is clever and protects > > some memory, I wouldn't know. > > > I investigated this now, and it looks like acpi is using ioremap_cache(). We > can hook into that and force non sharing. It's probably safe to assume that > this is not used on real IO devices. > > I think there are still some other BIOS mappings that use just plain > ioremap() though. > > > -Andi Hmm don't you mean the reverse? If you make ioremap shared then OS is protected from malicious ACPI? If you don't make it shared then malicious ACPI can poke at arbitrary OS memory. Looks like making ioremap non shared by default is actually less safe than shared. Interesting. For BIOS I suspect there's no way around it, it needs to be audited since it's executable. -- MST From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id C41E4C433EF for ; Fri, 15 Oct 2021 06:57:33 +0000 (UTC) Received: from smtp2.osuosl.org (smtp2.osuosl.org [140.211.166.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 679CF6108B for ; Fri, 15 Oct 2021 06:57:33 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 679CF6108B Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=redhat.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=lists.linux-foundation.org Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id 1E2D3401AF; Fri, 15 Oct 2021 06:57:33 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MOaZPIC-yDZX; Fri, 15 Oct 2021 06:57:32 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56]) by smtp2.osuosl.org (Postfix) with ESMTPS id 9785840012; Fri, 15 Oct 2021 06:57:31 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id 68ECBC000F; Fri, 15 Oct 2021 06:57:31 +0000 (UTC) Received: from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136]) by lists.linuxfoundation.org (Postfix) with ESMTP id F31FCC000D for ; Fri, 15 Oct 2021 06:57:29 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id C5980606D4 for ; Fri, 15 Oct 2021 06:57:29 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Authentication-Results: smtp3.osuosl.org (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jLfcbDdVwRsB for ; Fri, 15 Oct 2021 06:57:29 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by smtp3.osuosl.org (Postfix) with ESMTPS id 1610660670 for ; Fri, 15 Oct 2021 06:57:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1634281047; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=XrPIV2fprNlCi1MFN3D9uad/uIU7Ev00FM5PU9k9D8g=; b=Qgf3GGlyDPnKnoFaLjOTrOZm7VTVos1S2qv4K1YAPtP16vSr5ZcPliY+Erzkw/LFbGJyMM O0o10K9RxcMAy0BxIwkOOR/2NtqjFsGvegTxHuARb95ZSuQ+QtuAb4u3sFrYAv4gbG/vIQ odEEJSY/4+Xac8edmRAcoM9xlwdtz+g= Received: from mail-ed1-f70.google.com (mail-ed1-f70.google.com [209.85.208.70]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-460-y9KpwBOZOuG0neQ8W6DxeA-1; Fri, 15 Oct 2021 02:57:26 -0400 X-MC-Unique: y9KpwBOZOuG0neQ8W6DxeA-1 Received: by mail-ed1-f70.google.com with SMTP id l22-20020aa7c316000000b003dbbced0731so7374157edq.6 for ; Thu, 14 Oct 2021 23:57:26 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=XrPIV2fprNlCi1MFN3D9uad/uIU7Ev00FM5PU9k9D8g=; b=5XVSB0hZZKLbvLvJ/o/XukBiTRvO3qypwdexiUfM0/5GbLPeGSels9vc29T8yxWqC9 zBqDX31hZqo3sZaankfkSpa8G1j+lK2++8+CLeQpRuc8NNSn1po0oAL3/kol4e5liVys 0/JyVn0SFub604jsysogHkQKGDnhVmopxLVo6raXc5RXYI6v/bcSsHeTCkFKkxjf4W9h oqsdv/qi3WXBDwRLtTAxQWQNEkxIIVJ1fqw/5B9MwVY1H75DDjgRyoQu3/C6qppa25TS yCzK3Q3QKdpC/Y49RrsdmAQLfNGnxNMN2UrILdIcwnCuujlxB7BvyiaQFVLCkZPy3r5C bEBQ== X-Gm-Message-State: AOAM532VhZDnNVhg50IokXl9iJQClzefBb5+Uagl2/PSbIVnCr69fVxT GsJrBuViCzd3iop+IJKaMz3LCcd2OxsJoQM39OR462Gm5uRZby6ETne7+QP22Pexu2XpCYeKOQ8 DPrmA+8HwGF8brw5+hikKPfdNO3/8P+FIVOOgXm+8lw== X-Received: by 2002:a05:6402:447:: with SMTP id p7mr15322745edw.261.1634281045396; Thu, 14 Oct 2021 23:57:25 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw3wsrR7axiFHmfph2bLnxYqxO8ciYC1BIDrnzojSmvwa6tk0pkkVI5pGdF1DtDsbmx8LCmYQ== X-Received: by 2002:a05:6402:447:: with SMTP id p7mr15322726edw.261.1634281045218; Thu, 14 Oct 2021 23:57:25 -0700 (PDT) Received: from redhat.com ([2.55.1.196]) by smtp.gmail.com with ESMTPSA id e11sm4094212edl.70.2021.10.14.23.57.18 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 14 Oct 2021 23:57:24 -0700 (PDT) Date: Fri, 15 Oct 2021 02:57:16 -0400 From: "Michael S. Tsirkin" To: Andi Kleen Subject: Re: [PATCH v5 16/16] x86/tdx: Add cmdline option to force use of ioremap_host_shared Message-ID: <20211015024923-mutt-send-email-mst@kernel.org> References: <20211009070132-mutt-send-email-mst@kernel.org> <8c906de6-5efa-b87a-c800-6f07b98339d0@linux.intel.com> <20211011075945-mutt-send-email-mst@kernel.org> <9d0ac556-6a06-0f2e-c4ff-0c3ce742a382@linux.intel.com> <20211011142330-mutt-send-email-mst@kernel.org> <4fe8d60a-2522-f111-995c-dcbefd0d5e31@linux.intel.com> <20211012165705-mutt-send-email-mst@kernel.org> <20211012171846-mutt-send-email-mst@kernel.org> MIME-Version: 1.0 In-Reply-To: Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=mst@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Disposition: inline Cc: Kuppuswamy Sathyanarayanan , Kuppuswamy Sathyanarayanan , Peter Zijlstra , linux-pci@vger.kernel.org, linux-mips@vger.kernel.org, James E J Bottomley , Dave Hansen , Peter H Anvin , sparclinux@vger.kernel.org, Thomas Gleixner , Andrea Arcangeli , Jonathan Corbet , Helge Deller , x86@kernel.org, Ingo Molnar , linux-arch@vger.kernel.org, Arnd Bergmann , Tony Luck , Borislav Petkov , Andy Lutomirski , Josh Poimboeuf , Bjorn Helgaas , Dan Williams , virtualization@lists.linux-foundation.org, Richard Henderson , Thomas Bogendoerfer , linux-parisc@vger.kernel.org, Sean Christopherson , linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-alpha@vger.kernel.org, Paolo Bonzini , "David S . Miller" , Kirill Shutemov X-BeenThere: virtualization@lists.linux-foundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Linux virtualization List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: virtualization-bounces@lists.linux-foundation.org Sender: "Virtualization" On Thu, Oct 14, 2021 at 10:50:59PM -0700, Andi Kleen wrote: > > > I thought you basically create an OperationRegion of SystemMemory type, > > and off you go. Maybe the OSPM in Linux is clever and protects > > some memory, I wouldn't know. > > > I investigated this now, and it looks like acpi is using ioremap_cache(). We > can hook into that and force non sharing. It's probably safe to assume that > this is not used on real IO devices. > > I think there are still some other BIOS mappings that use just plain > ioremap() though. > > > -Andi Hmm don't you mean the reverse? If you make ioremap shared then OS is protected from malicious ACPI? If you don't make it shared then malicious ACPI can poke at arbitrary OS memory. Looks like making ioremap non shared by default is actually less safe than shared. Interesting. For BIOS I suspect there's no way around it, it needs to be audited since it's executable. -- MST _______________________________________________ Virtualization mailing list Virtualization@lists.linux-foundation.org https://lists.linuxfoundation.org/mailman/listinfo/virtualization