From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id BAB18C2BBCA for ; Fri, 28 Jun 2024 09:59:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender:List-Subscribe:List-Help :List-Post:List-Archive:List-Unsubscribe:List-Id:Content-Transfer-Encoding: Content-Type:In-Reply-To:From:References:Cc:To:Subject:MIME-Version:Date: Message-ID:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=uZK9Elf+LODvn+LR6JKKI2UL47pulfLMAh2XanQ1Et0=; b=2IEKG2Wgbyt+RR6wzhnHJ23+dZ wC0djRiZSw/Cwz30xN89VeBLjN5KMziEwDA5GL9X8lWWP+fTE6jbyb42S1Tmu9IGWW00QPn0qovfw AXWW4YaczYpiVDXpmyevAwI/xovP3EYOh+vnQTT2Wp4HhP31kSB9dGxdKgMKEAjQhVShwCPUNfpDK D9ktcmC8sBzI4Kia21JcWgjXchRpJxUURz0MhkeI9Ykyekho1ZeVXoJjeXwFYaOzexfI6dY5wnYpm wf1V2XiSNPsaxvhIKOdKy8f48kd73hg4TZTmHXyrqia3AzLnzw2onR06AVH4pvtXJjcMip4nYKbsK Q/IdI+Ww==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.97.1 #2 (Red Hat Linux)) id 1sN8OM-0000000DLmF-1z02; Fri, 28 Jun 2024 09:59:42 +0000 Received: from foss.arm.com ([217.140.110.172]) by bombadil.infradead.org with esmtp (Exim 4.97.1 #2 (Red Hat Linux)) id 1sN8OD-0000000DLkz-0YHp for linux-arm-kernel@lists.infradead.org; Fri, 28 Jun 2024 09:59:34 +0000 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id E4C1B106F; Fri, 28 Jun 2024 02:59:56 -0700 (PDT) Received: from [10.1.29.17] (e122027.cambridge.arm.com [10.1.29.17]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 571CF3F6A8; Fri, 28 Jun 2024 02:59:28 -0700 (PDT) Message-ID: <01b48dc0-8f69-435c-86c5-bc22ea148e3a@arm.com> Date: Fri, 28 Jun 2024 10:59:26 +0100 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH v3 12/14] arm64: realm: Support nonsecure ITS emulation shared To: Michael Kelley , "kvm@vger.kernel.org" , "kvmarm@lists.linux.dev" Cc: Catalin Marinas , Marc Zyngier , Will Deacon , James Morse , Oliver Upton , Suzuki K Poulose , Zenghui Yu , "linux-arm-kernel@lists.infradead.org" , "linux-kernel@vger.kernel.org" , Joey Gouly , Alexandru Elisei , Christoffer Dall , Fuad Tabba , "linux-coco@lists.linux.dev" , Ganapatrao Kulkarni References: <20240605093006.145492-1-steven.price@arm.com> <20240605093006.145492-13-steven.price@arm.com> From: Steven Price Content-Language: en-GB In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20240628_025933_312799_DDD9D0C2 X-CRM114-Status: GOOD ( 30.44 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On 17/06/2024 04:54, Michael Kelley wrote: > From: Steven Price Sent: Wednesday, June 5, 2024 2:30 AM >> >> Within a realm guest the ITS is emulated by the host. This means the >> allocations must have been made available to the host by a call to >> set_memory_decrypted(). Introduce an allocation function which performs >> this extra call. >> >> Co-developed-by: Suzuki K Poulose >> Signed-off-by: Suzuki K Poulose >> Signed-off-by: Steven Price >> --- >> Changes since v2: >> * Drop 'shared' from the new its_xxx function names as they are used >> for non-realm guests too. >> * Don't handle the NUMA_NO_NODE case specially - alloc_pages_node() >> should do the right thing. >> * Drop a pointless (void *) cast. >> --- >> drivers/irqchip/irq-gic-v3-its.c | 90 ++++++++++++++++++++++++-------- >> 1 file changed, 67 insertions(+), 23 deletions(-) >> >> diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c >> index 40ebf1726393..ca72f830f4cc 100644 >> --- a/drivers/irqchip/irq-gic-v3-its.c >> +++ b/drivers/irqchip/irq-gic-v3-its.c >> @@ -18,6 +18,7 @@ >> #include >> #include >> #include >> +#include >> #include >> #include >> #include >> @@ -27,6 +28,7 @@ >> #include >> #include >> #include >> +#include >> #include >> #include >> >> @@ -163,6 +165,7 @@ struct its_device { >> struct its_node *its; >> struct event_lpi_map event_map; >> void *itt; >> + u32 itt_order; >> u32 nr_ites; >> u32 device_id; >> bool shared; >> @@ -198,6 +201,30 @@ static DEFINE_IDA(its_vpeid_ida); >> #define gic_data_rdist_rd_base() (gic_data_rdist()->rd_base) >> #define gic_data_rdist_vlpi_base() (gic_data_rdist_rd_base() + SZ_128K) >> >> +static struct page *its_alloc_pages_node(int node, gfp_t gfp, >> + unsigned int order) >> +{ >> + struct page *page; >> + >> + page = alloc_pages_node(node, gfp, order); >> + >> + if (page) >> + set_memory_decrypted((unsigned long)page_address(page), >> + 1 << order); > > There's been considerable discussion on the x86 side about > what to do when set_memory_decrypted() or set_memory_encrypted() > fails. The conclusions are: > > 1) set_memory_decrypted()/encrypted() *could* fail due to a > compromised/malicious host, due to a bug somewhere in the > software stack, or due to resource constraints (x86 might need to > split a large page mapping, and need to allocate additional page > table pages, which could fail). > > 2) The guest memory that was the target of such a failed call could > be left in an indeterminate state that the guest could not reliably > undo or correct. The guest's view of the page's decrypted/encrypted > state might not match the host's view. Therefore, any such guest > memory must be leaked rather than being used or put back on the > free list. > > 3) After some discussion, we decided not to panic in such a case. > Instead, set_memory_decrypted()/encrypted() generates a WARN, > as well as returns a failure result. The most security conscious > users could set panic_on_warn=1 in their VMs, and thereby stop > further operation if there any indication that the transition between > encrypted and decrypt is suspect. The caller of these functions > also can take explicit action in the case of a failure. > > It seems like the same guidelines should apply here. On the x86 > side we've also cleaned up cases where the return value isn't > checked, like here and the use of set_memory_encrypted() below. Very good points - this code was lacking error handling. I think you are also right that the correct situation when set_memory_{en,de}crypted() fails is to WARN() and leak the page. It's something that shouldn't happen with a well behaving host and it's unclear how to safely recover the page - so leaking the page is the safest result. And the WARN() approach gives the user the option as to whether this is fatal via panic_on_warn. Thanks, Steve