public inbox for kvm@vger.kernel.org
From: Claudio Imbrenda <imbrenda@linux.ibm.com>
To: Janosch Frank <frankja@linux.ibm.com>
Cc: kvm390 mailing list <kvm390-list@tuxmaker.boeblingen.de.ibm.com>,
	kvm@vger.kernel.org, linux-s390@vger.kernel.org,
	thuth@redhat.com, seiden@linux.ibm.com, nrb@linux.ibm.com,
	scgl@linux.ibm.com
Subject: Re: [kvm-unit-tests PATCH v2 1/8] s390x: uv-host: Add access checks for donated memory
Date: Thu, 7 Jul 2022 11:19:12 +0200
Message-ID: <20220707111912.51ecc0f2@p-imbrenda>
In-Reply-To: <f471d1a8-54b7-b858-1324-c62d0d20623c@linux.ibm.com>

On Thu, 7 Jul 2022 10:16:44 +0200
Janosch Frank <frankja@linux.ibm.com> wrote:

> On 7/6/22 18:33, Claudio Imbrenda wrote:
> > On Wed,  6 Jul 2022 06:40:17 +0000
> > Janosch Frank <frankja@linux.ibm.com> wrote:
> >   
> >> Let's check if the UV really protected all the memory we donated.
> >>
> >> Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
> >> ---
> >>   s390x/uv-host.c | 29 +++++++++++++++++++++++++++++
> >>   1 file changed, 29 insertions(+)
> >>
> >> diff --git a/s390x/uv-host.c b/s390x/uv-host.c
> >> index a1a6d120..983cb4a1 100644
> >> --- a/s390x/uv-host.c
> >> +++ b/s390x/uv-host.c
> >> @@ -43,6 +43,24 @@ static void cpu_loop(void)
> >>   	for (;;) {}
> >>   }
> >>   
> >> +/*
> >> + * Checks if a memory area is protected as secure memory.
> >> + * Will return true if all pages are protected, false otherwise.
> >> + */
> >> +static bool access_check_3d(uint64_t *access_ptr, uint64_t len)
> >> +{
> >> +	while (len) {
> >> +		expect_pgm_int();
> >> +		*access_ptr += 42;  
> > 
> > I'm surprised this works, you will get an (expected) exception when
> > reading from the pointer, and then you should get another one (at this
> > point unexpected) when writing
> >   
> 
> Let me introduce you to "AGSI" add grand storage immediate.

wow, of course there is an instruction for that :D

> But I get your point, inline assembly would make this much more explicit.

actually, I think you should separately check for read and write access.

something like 

expect_pgm_int();
READ_ONCE(*access_ptr);
...

expect_pgm_int();
WRITE_ONCE(*access_ptr, 42);

to really make sure both read and write access are blocked

> 
> >> +		if (clear_pgm_int() != PGM_INT_CODE_SECURE_STOR_ACCESS)
> >> +			return false;
> >> +		access_ptr += PAGE_SIZE / sizeof(access_ptr);
> >> +		len -= PAGE_SIZE;
> >> +	}
> >> +
> >> +	return true;
> >> +}
> >> +
> >>   static struct cmd_list cmds[] = {
> >>   	{ "init", UVC_CMD_INIT_UV, sizeof(struct uv_cb_init), BIT_UVC_CMD_INIT_UV },
> >>   	{ "create conf", UVC_CMD_CREATE_SEC_CONF, sizeof(struct uv_cb_cgc), BIT_UVC_CMD_CREATE_SEC_CONF },
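
Review bot: in access_check_3d() the stride "access_ptr += PAGE_SIZE / sizeof(access_ptr);" divides by the size of the pointer, not of the uint64_t it points to; the two are equal on a 64-bit target, but sizeof(*access_ptr) states the intent. The "while (len)" loop with "len -= PAGE_SIZE" also wraps the unsigned len if it is not a multiple of PAGE_SIZE, so it would be worth asserting page alignment of len on entry or rounding it up before the loop.
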
> >> @@ -194,6 +212,10 @@ static void test_cpu_create(void)
> >>   	report(rc == 0 && uvcb_csc.header.rc == UVC_RC_EXECUTED &&
> >>   	       uvcb_csc.cpu_handle, "success");
> >>   
> >> +	rc = access_check_3d((uint64_t *)uvcb_csc.stor_origin,
> >> +			     uvcb_qui.cpu_stor_len);
> >> +	report(rc, "Storage protection");
> >> +
> >>   	tmp = uvcb_csc.stor_origin;
> >>   	uvcb_csc.stor_origin = (unsigned long)memalign(PAGE_SIZE, uvcb_qui.cpu_stor_len);
> >>   	rc = uv_call(0, (uint64_t)&uvcb_csc);
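
Review bot: in test_cpu_create() the access check runs unconditionally after the "success" report, so when the create call has failed it probes ordinary memory, adds 42 to the first page and logs a second failure; consider running access_check_3d() only if the call succeeded. The bool result is also stored in rc, which holds the uv_call() return code on the neighbouring lines; passing the call directly to report() would avoid that reuse.
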
> >> @@ -292,6 +314,13 @@ static void test_config_create(void)
> >>   	rc = uv_call(0, (uint64_t)&uvcb_cgc);
> >>   	report(rc == 0 && uvcb_cgc.header.rc == UVC_RC_EXECUTED, "successful");
> >>   
> >> +	rc = access_check_3d((uint64_t *)uvcb_cgc.conf_var_stor_origin, vsize);
> >> +	report(rc, "Base storage protection");
> >> +
> >> +	rc = access_check_3d((uint64_t *)uvcb_cgc.conf_base_stor_origin,
> >> +			     uvcb_qui.conf_base_phys_stor_len);
> >> +	report(rc, "Variable storage protection");
> >> +
> >>   	uvcb_cgc.header.rc = 0;
> >>   	uvcb_cgc.header.rrc = 0;
> >>   	tmp = uvcb_cgc.guest_handle;  
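
Review bot: in test_config_create() the two report labels look swapped: the check on uvcb_cgc.conf_var_stor_origin is reported as "Base storage protection" and the check on uvcb_cgc.conf_base_stor_origin as "Variable storage protection". Swapping the strings would make a failure point at the right donated area.
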
> >   
> 
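
An added example, not part of this thread or of kvm-unit-tests: a Linux user-space analogue of the point in the reply about checking read and write separately. It assumes mmap() page protections and SIGSEGV/SIGBUS as stand-ins for s390x secure storage and program interrupts; all function names are hypothetical. On a read-only page the combined "+= 42" probe reports the page as protected, while the split read and write probes do not.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdbool.h>
#include <stdint.h>
#include <sys/mman.h>
#include <unistd.h>

enum probe { PROBE_READ, PROBE_WRITE, PROBE_RMW };
static sigjmp_buf fault_env;

static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Perform one access; return true if it raised SIGSEGV/SIGBUS (was blocked). */
static bool access_faults(volatile uint64_t *p, enum probe kind)
{
	struct sigaction sa = { .sa_handler = on_fault }, old_segv, old_bus;
	volatile bool faulted = true;

	sigemptyset(&sa.sa_mask);
	sigaction(SIGSEGV, &sa, &old_segv);
	sigaction(SIGBUS, &sa, &old_bus);
	if (sigsetjmp(fault_env, 1) == 0) {
		if (kind == PROBE_READ) { uint64_t v = *p; (void)v; }
		else if (kind == PROBE_WRITE) *p = 42;
		else *p += 42;	/* the combined form from the quoted patch */
		faulted = false;
	}
	sigaction(SIGSEGV, &old_segv, NULL);
	sigaction(SIGBUS, &old_bus, NULL);
	return faulted;
}

/* Map one page with `prot`, run the chosen check, unmap. Returns "protected?". */
static bool page_protected(int prot, bool split)
{
	long sz = sysconf(_SC_PAGESIZE);
	uint64_t *p = mmap(NULL, sz, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	bool ok;

	if (p == MAP_FAILED)
		return false;
	ok = split ? access_faults(p, PROBE_READ) && access_faults(p, PROBE_WRITE)
		   : access_faults(p, PROBE_RMW);
	munmap(p, sz);
	return ok;
}

int main(void)
{
	/* Exit 0 when the read-only page fools the combined check but not the split one. */
	return !(page_protected(PROT_READ, false) && !page_protected(PROT_READ, true));
}
```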

