From: Sean Christopherson <seanjc@google.com>
To: Shirong Hao <shirong@linux.alibaba.com>
Cc: pbonzini@redhat.com, vkuznets@redhat.com, wanpengli@tencent.com,
jmattson@google.com, joro@8bytes.org, tglx@linutronix.de,
mingo@redhat.co, bp@alien8.de, dave.hansen@linux.intel.com,
x86@kernel.org, hpa@zytor.com, brijesh.singh@amd.com,
thomas.lendacky@amd.com, john.allen@amd.com,
herbert@gondor.apana.org.au, davem@davemloft.net,
srutherford@google.com, ashish.kalra@amd.com, natet@google.com,
kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-crypto@vger.kernel.org, zhang.jia@linux.alibaba.com
Subject: Re: [PATCH 1/3] KVM: X86: Introduce KVM_HC_VM_HANDLE hypercall
Date: Tue, 11 Jan 2022 01:05:32 +0000 [thread overview]
Message-ID: <YdzX3AXqqbwYBRej@google.com> (raw)
In-Reply-To: <20220110060445.549800-2-shirong@linux.alibaba.com>
On Mon, Jan 10, 2022, Shirong Hao wrote:
> This hypercall is used by the SEV guest to get the firmware handle.
This is completely insufficient to justify why KVM is providing host information
to the guest, let alone why KVM is providing that information to guest _userspace_.
> +static int sev_vm_handle(struct kvm *kvm)
> +{
> + struct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info;
> +
> + if (!sev_guest(kvm))
> + return -ENOTTY;
> +
> + return sev->handle;
> +}
> +
> static struct kvm_x86_ops svm_x86_ops __initdata = {
> .name = "kvm_amd",
>
...
> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> index 0cf1082455df..24acf0f2a539 100644
> --- a/arch/x86/kvm/x86.c
> +++ b/arch/x86/kvm/x86.c
> @@ -8906,7 +8906,7 @@ int kvm_emulate_hypercall(struct kvm_vcpu *vcpu)
> a3 &= 0xFFFFFFFF;
> }
>
> - if (static_call(kvm_x86_get_cpl)(vcpu) != 0) {
> + if (static_call(kvm_x86_get_cpl)(vcpu) != 0 && nr != KVM_HC_VM_HANDLE) {
> ret = -KVM_EPERM;
> goto out;
> }
next prev parent reply other threads:[~2022-01-11 1:05 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-10 6:04 [PATCH 0/3] Allow guest to query AMD SEV(-ES) runtime attestation evidence Shirong Hao
2022-01-10 6:04 ` [PATCH 1/3] KVM: X86: Introduce KVM_HC_VM_HANDLE hypercall Shirong Hao
2022-01-11 1:05 ` Sean Christopherson [this message]
2022-01-10 6:04 ` [PATCH 2/3] KVM/SVM: move the implementation of sev_get_attestation_report to ccp driver Shirong Hao
2022-01-10 6:04 ` [PATCH 3/3] crypto: ccp: Implement SEV_GET_REPORT ioctl command Shirong Hao
2022-01-10 16:35 ` [PATCH 0/3] Allow guest to query AMD SEV(-ES) runtime attestation evidence Brijesh Singh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YdzX3AXqqbwYBRej@google.com \
--to=seanjc@google.com \
--cc=ashish.kalra@amd.com \
--cc=bp@alien8.de \
--cc=brijesh.singh@amd.com \
--cc=dave.hansen@linux.intel.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=hpa@zytor.com \
--cc=jmattson@google.com \
--cc=john.allen@amd.com \
--cc=joro@8bytes.org \
--cc=kvm@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.co \
--cc=natet@google.com \
--cc=pbonzini@redhat.com \
--cc=shirong@linux.alibaba.com \
--cc=srutherford@google.com \
--cc=tglx@linutronix.de \
--cc=thomas.lendacky@amd.com \
--cc=vkuznets@redhat.com \
--cc=wanpengli@tencent.com \
--cc=x86@kernel.org \
--cc=zhang.jia@linux.alibaba.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).