From: Binbin Wu <binbin.wu@linux.intel.com>
To: Sean Christopherson <seanjc@google.com>,
Paolo Bonzini <pbonzini@redhat.com>
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
Ira Weiny <ira.weiny@intel.com>, Kai Huang <kai.huang@intel.com>,
Michael Roth <michael.roth@amd.com>,
Yan Zhao <yan.y.zhao@intel.com>,
Vishal Annapurve <vannapurve@google.com>,
Rick Edgecombe <rick.p.edgecombe@intel.com>,
Ackerley Tng <ackerleytng@google.com>
Subject: Re: [RFC PATCH v2 01/18] KVM: TDX: Drop PROVE_MMU=y sanity check on to-be-populated mappings
Date: Fri, 29 Aug 2025 14:20:05 +0800 [thread overview]
Message-ID: <bf223bec-98f4-420f-a7fb-1056ea8725b4@linux.intel.com> (raw)
In-Reply-To: <20250829000618.351013-2-seanjc@google.com>
On 8/29/2025 8:06 AM, Sean Christopherson wrote:
> Drop TDX's sanity check that an S-EPT mapping isn't zapped between creating
^
should be M-EPT?
> said mapping and doing TDH.MEM.PAGE.ADD, as the check is simultaneously
> superfluous and incomplete. Per commit 2608f1057601 ("KVM: x86/tdp_mmu:
> Add a helper function to walk down the TDP MMU"), the justification for
> introducing kvm_tdp_mmu_gpa_is_mapped() was to check that the target gfn
> was pre-populated, with a link that points to this snippet:
>
> : > One small question:
> : >
> : > What if the memory region passed to KVM_TDX_INIT_MEM_REGION hasn't been pre-
> : > populated? If we want to make KVM_TDX_INIT_MEM_REGION work with these regions,
> : > then we still need to do the real map. Or we can make KVM_TDX_INIT_MEM_REGION
> : > return error when it finds the region hasn't been pre-populated?
> :
> : Return an error. I don't love the idea of bleeding so many TDX details into
> : userspace, but I'm pretty sure that ship sailed a long, long time ago.
>
> But that justification makes little sense for the final code, as simply
> doing TDH.MEM.PAGE.ADD without a paranoid sanity check will return an error
> if the S-EPT mapping is invalid (as evidenced by the code being guarded
> with CONFIG_KVM_PROVE_MMU=y).
I think this also needs to be updated.
As Yan mentioned in https://lore.kernel.org/lkml/aK6+TQ0r1j5j2PCx@yzhao56-desk.sh.intel.com/
TDH.MEM.PAGE.ADD would succeed without error, but error is still can be detected
via the value of nr_premapped in the end.
>
> The sanity check is also incomplete in the sense that mmu_lock is dropped
> between the check and TDH.MEM.PAGE.ADD, i.e. will only detect KVM bugs that
> zap SPTEs in a very specific window.
>
> Removing the sanity check will allow removing kvm_tdp_mmu_gpa_is_mapped(),
> which has no business being exposed to vendor code.
>
> Reviewed-by: Ira Weiny <ira.weiny@intel.com>
> Reviewed-by: Kai Huang <kai.huang@intel.com>
> Signed-off-by: Sean Christopherson <seanjc@google.com>
> ---
> arch/x86/kvm/vmx/tdx.c | 14 --------------
> 1 file changed, 14 deletions(-)
>
> diff --git a/arch/x86/kvm/vmx/tdx.c b/arch/x86/kvm/vmx/tdx.c
> index 6784aaaced87..71da245d160f 100644
> --- a/arch/x86/kvm/vmx/tdx.c
> +++ b/arch/x86/kvm/vmx/tdx.c
> @@ -3175,20 +3175,6 @@ static int tdx_gmem_post_populate(struct kvm *kvm, gfn_t gfn, kvm_pfn_t pfn,
> if (ret < 0)
> goto out;
>
> - /*
> - * The private mem cannot be zapped after kvm_tdp_map_page()
> - * because all paths are covered by slots_lock and the
> - * filemap invalidate lock. Check that they are indeed enough.
> - */
> - if (IS_ENABLED(CONFIG_KVM_PROVE_MMU)) {
> - scoped_guard(read_lock, &kvm->mmu_lock) {
> - if (KVM_BUG_ON(!kvm_tdp_mmu_gpa_is_mapped(vcpu, gpa), kvm)) {
> - ret = -EIO;
> - goto out;
> - }
> - }
> - }
> -
> ret = 0;
> err = tdh_mem_page_add(&kvm_tdx->td, gpa, pfn_to_page(pfn),
> src_page, &entry, &level_state);
next prev parent reply other threads:[~2025-08-29 6:20 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-29 0:06 [RFC PATCH v2 00/18] KVM: x86/mmu: TDX post-populate cleanups Sean Christopherson
2025-08-29 0:06 ` [RFC PATCH v2 01/18] KVM: TDX: Drop PROVE_MMU=y sanity check on to-be-populated mappings Sean Christopherson
2025-08-29 6:20 ` Binbin Wu [this message]
2025-08-29 0:06 ` [RFC PATCH v2 02/18] KVM: x86/mmu: Add dedicated API to map guest_memfd pfn into TDP MMU Sean Christopherson
2025-08-29 18:34 ` Edgecombe, Rick P
2025-08-29 20:27 ` Sean Christopherson
2025-08-29 0:06 ` [RFC PATCH v2 03/18] Revert "KVM: x86/tdp_mmu: Add a helper function to walk down the TDP MMU" Sean Christopherson
2025-08-29 19:00 ` Edgecombe, Rick P
2025-08-29 0:06 ` [RFC PATCH v2 04/18] KVM: x86/mmu: Rename kvm_tdp_map_page() to kvm_tdp_page_prefault() Sean Christopherson
2025-08-29 19:03 ` Edgecombe, Rick P
2025-08-29 0:06 ` [RFC PATCH v2 05/18] KVM: TDX: Drop superfluous page pinning in S-EPT management Sean Christopherson
2025-08-29 8:36 ` Binbin Wu
2025-08-29 19:53 ` Edgecombe, Rick P
2025-08-29 20:19 ` Sean Christopherson
2025-08-29 21:54 ` Edgecombe, Rick P
2025-08-29 22:02 ` Sean Christopherson
2025-08-29 22:17 ` Edgecombe, Rick P
2025-08-29 22:58 ` Sean Christopherson
2025-08-29 22:59 ` Edgecombe, Rick P
2025-09-01 1:25 ` Yan Zhao
2025-09-02 17:33 ` Sean Christopherson
2025-09-02 18:55 ` Edgecombe, Rick P
2025-09-04 8:45 ` Sean Christopherson
2025-08-29 0:06 ` [RFC PATCH v2 06/18] KVM: TDX: Return -EIO, not -EINVAL, on a KVM_BUG_ON() condition Sean Christopherson
2025-08-29 9:40 ` Binbin Wu
2025-08-29 16:58 ` Ira Weiny
2025-08-29 19:59 ` Edgecombe, Rick P
2025-08-29 0:06 ` [RFC PATCH v2 07/18] KVM: TDX: Fold tdx_sept_drop_private_spte() into tdx_sept_remove_private_spte() Sean Christopherson
2025-08-29 9:49 ` Binbin Wu
2025-08-29 0:06 ` [RFC PATCH v2 08/18] KVM: x86/mmu: Drop the return code from kvm_x86_ops.remove_external_spte() Sean Christopherson
2025-08-29 9:52 ` Binbin Wu
2025-08-29 0:06 ` [RFC PATCH v2 09/18] KVM: TDX: Avoid a double-KVM_BUG_ON() in tdx_sept_zap_private_spte() Sean Christopherson
2025-08-29 9:52 ` Binbin Wu
2025-08-29 0:06 ` [RFC PATCH v2 10/18] KVM: TDX: Use atomic64_dec_return() instead of a poor equivalent Sean Christopherson
2025-08-29 10:06 ` Binbin Wu
2025-08-29 0:06 ` [RFC PATCH v2 11/18] KVM: TDX: Fold tdx_mem_page_record_premap_cnt() into its sole caller Sean Christopherson
2025-09-02 22:46 ` Edgecombe, Rick P
2025-08-29 0:06 ` [RFC PATCH v2 12/18] KVM: TDX: Bug the VM if extended the initial measurement fails Sean Christopherson
2025-08-29 8:18 ` Yan Zhao
2025-08-29 18:16 ` Edgecombe, Rick P
2025-08-29 20:11 ` Sean Christopherson
2025-08-29 22:39 ` Edgecombe, Rick P
2025-08-29 23:15 ` Edgecombe, Rick P
2025-08-29 23:18 ` Sean Christopherson
2025-09-02 9:24 ` Yan Zhao
2025-09-02 17:04 ` Sean Christopherson
2025-09-03 0:18 ` Edgecombe, Rick P
2025-09-03 3:34 ` Yan Zhao
2025-09-03 9:19 ` Yan Zhao
2025-08-29 0:06 ` [RFC PATCH v2 13/18] KVM: TDX: ADD pages to the TD image while populating mirror EPT entries Sean Christopherson
2025-08-29 23:42 ` Edgecombe, Rick P
2025-09-02 17:09 ` Sean Christopherson
2025-08-29 0:06 ` [RFC PATCH v2 14/18] KVM: TDX: Fold tdx_sept_zap_private_spte() into tdx_sept_remove_private_spte() Sean Christopherson
2025-09-02 17:31 ` Edgecombe, Rick P
2025-08-29 0:06 ` [RFC PATCH v2 15/18] KVM: TDX: Combine KVM_BUG_ON + pr_tdx_error() into TDX_BUG_ON() Sean Christopherson
2025-08-29 9:03 ` Binbin Wu
2025-08-29 14:19 ` Sean Christopherson
2025-09-01 1:46 ` Binbin Wu
2025-09-02 18:55 ` Edgecombe, Rick P
2025-08-29 0:06 ` [RFC PATCH v2 16/18] KVM: TDX: Derive error argument names from the local variable names Sean Christopherson
2025-08-30 0:00 ` Edgecombe, Rick P
2025-08-29 0:06 ` [RFC PATCH v2 17/18] KVM: TDX: Assert that mmu_lock is held for write when removing S-EPT entries Sean Christopherson
2025-08-29 0:06 ` [RFC PATCH v2 18/18] KVM: TDX: Add macro to retry SEAMCALLs when forcing vCPUs out of guest Sean Christopherson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bf223bec-98f4-420f-a7fb-1056ea8725b4@linux.intel.com \
--to=binbin.wu@linux.intel.com \
--cc=ackerleytng@google.com \
--cc=ira.weiny@intel.com \
--cc=kai.huang@intel.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=michael.roth@amd.com \
--cc=pbonzini@redhat.com \
--cc=rick.p.edgecombe@intel.com \
--cc=seanjc@google.com \
--cc=vannapurve@google.com \
--cc=yan.y.zhao@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.