From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
To: Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
x86@kernel.org
Cc: "Rafael J. Wysocki" <rafael@kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
Adrian Hunter <adrian.hunter@intel.com>,
Kuppuswamy Sathyanarayanan
<sathyanarayanan.kuppuswamy@linux.intel.com>,
Elena Reshetova <elena.reshetova@intel.com>,
Jun Nakajima <jun.nakajima@intel.com>,
Rick Edgecombe <rick.p.edgecombe@intel.com>,
Tom Lendacky <thomas.lendacky@amd.com>,
"Kalra, Ashish" <ashish.kalra@amd.com>,
Sean Christopherson <seanjc@google.com>,
"Huang, Kai" <kai.huang@intel.com>,
Ard Biesheuvel <ardb@kernel.org>, Baoquan He <bhe@redhat.com>,
"H. Peter Anvin" <hpa@zytor.com>,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
"K. Y. Srinivasan" <kys@microsoft.com>,
Haiyang Zhang <haiyangz@microsoft.com>,
kexec@lists.infradead.org, linux-hyperv@vger.kernel.org,
linux-acpi@vger.kernel.org, linux-coco@lists.linux.dev,
linux-kernel@vger.kernel.org,
Nikolay Borisov <nik.borisov@suse.com>, Tao Liu <ltao@redhat.com>
Subject: [PATCHv12 10/19] x86/mm: Add callbacks to prepare encrypted memory for kexec
Date: Fri, 14 Jun 2024 12:58:55 +0300 [thread overview]
Message-ID: <20240614095904.1345461-11-kirill.shutemov@linux.intel.com> (raw)
In-Reply-To: <20240614095904.1345461-1-kirill.shutemov@linux.intel.com>
AMD SEV and Intel TDX guests allocate shared buffers for performing I/O.
This is done by allocating pages normally from the buddy allocator and
then converting them to shared using set_memory_decrypted().
On kexec, the second kernel is unaware of which memory has been
converted in this manner. It only sees E820_TYPE_RAM. Accessing shared
memory as private is fatal.
Therefore, the memory state must be reset to its original state before
starting the new kernel with kexec.
The process of converting shared memory back to private occurs in two
steps:
- enc_kexec_begin() stops new conversions.
- enc_kexec_finish() unshares all existing shared memory, reverting it
back to private.
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
Reviewed-by: Kai Huang <kai.huang@intel.com>
Tested-by: Tao Liu <ltao@redhat.com>
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
---
arch/x86/include/asm/x86_init.h | 10 ++++++++++
arch/x86/kernel/crash.c | 12 ++++++++++++
arch/x86/kernel/reboot.c | 12 ++++++++++++
arch/x86/kernel/x86_init.c | 4 ++++
4 files changed, 38 insertions(+)
diff --git a/arch/x86/include/asm/x86_init.h b/arch/x86/include/asm/x86_init.h
index 28ac3cb9b987..213cf5379a5a 100644
--- a/arch/x86/include/asm/x86_init.h
+++ b/arch/x86/include/asm/x86_init.h
@@ -149,12 +149,22 @@ struct x86_init_acpi {
* @enc_status_change_finish Notify HV after the encryption status of a range is changed
* @enc_tlb_flush_required Returns true if a TLB flush is needed before changing page encryption status
* @enc_cache_flush_required Returns true if a cache flush is needed before changing page encryption status
+ * @enc_kexec_begin Begin the two-step process of converting shared memory back
+ * to private. It stops the new conversions from being started
+ * and waits in-flight conversions to finish, if possible.
+ * @enc_kexec_finish Finish the two-step process of converting shared memory to
+ * private. All memory is private after the call when
+ * the function returns.
+ * It is called on only one CPU while the others are shut down
+ * and with interrupts disabled.
*/
struct x86_guest {
int (*enc_status_change_prepare)(unsigned long vaddr, int npages, bool enc);
int (*enc_status_change_finish)(unsigned long vaddr, int npages, bool enc);
bool (*enc_tlb_flush_required)(bool enc);
bool (*enc_cache_flush_required)(void);
+ void (*enc_kexec_begin)(void);
+ void (*enc_kexec_finish)(void);
};
/**
diff --git a/arch/x86/kernel/crash.c b/arch/x86/kernel/crash.c
index f06501445cd9..340af8155658 100644
--- a/arch/x86/kernel/crash.c
+++ b/arch/x86/kernel/crash.c
@@ -128,6 +128,18 @@ void native_machine_crash_shutdown(struct pt_regs *regs)
#ifdef CONFIG_HPET_TIMER
hpet_disable();
#endif
+
+ /*
+ * Non-crash kexec calls enc_kexec_begin() while scheduling is still
+ * active. This allows the callback to wait until all in-flight
+ * shared<->private conversions are complete. In a crash scenario,
+ * enc_kexec_begin() gets called after all but one CPU have been shut
+ * down and interrupts have been disabled. This allows the callback to
+ * detect a race with the conversion and report it.
+ */
+ x86_platform.guest.enc_kexec_begin();
+ x86_platform.guest.enc_kexec_finish();
+
crash_save_cpu(regs, safe_smp_processor_id());
}
diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c
index f3130f762784..bb7a44af7efd 100644
--- a/arch/x86/kernel/reboot.c
+++ b/arch/x86/kernel/reboot.c
@@ -12,6 +12,7 @@
#include <linux/delay.h>
#include <linux/objtool.h>
#include <linux/pgtable.h>
+#include <linux/kexec.h>
#include <acpi/reboot.h>
#include <asm/io.h>
#include <asm/apic.h>
@@ -716,6 +717,14 @@ static void native_machine_emergency_restart(void)
void native_machine_shutdown(void)
{
+ /*
+ * Call enc_kexec_begin() while all CPUs are still active and
+ * interrupts are enabled. This will allow all in-flight memory
+ * conversions to finish cleanly.
+ */
+ if (kexec_in_progress)
+ x86_platform.guest.enc_kexec_begin();
+
/* Stop the cpus and apics */
#ifdef CONFIG_X86_IO_APIC
/*
@@ -752,6 +761,9 @@ void native_machine_shutdown(void)
#ifdef CONFIG_X86_64
x86_platform.iommu_shutdown();
#endif
+
+ if (kexec_in_progress)
+ x86_platform.guest.enc_kexec_finish();
}
static void __machine_emergency_restart(int emergency)
diff --git a/arch/x86/kernel/x86_init.c b/arch/x86/kernel/x86_init.c
index a7143bb7dd93..82b128d3f309 100644
--- a/arch/x86/kernel/x86_init.c
+++ b/arch/x86/kernel/x86_init.c
@@ -138,6 +138,8 @@ static int enc_status_change_prepare_noop(unsigned long vaddr, int npages, bool
static int enc_status_change_finish_noop(unsigned long vaddr, int npages, bool enc) { return 0; }
static bool enc_tlb_flush_required_noop(bool enc) { return false; }
static bool enc_cache_flush_required_noop(void) { return false; }
+static void enc_kexec_begin_noop(void) {}
+static void enc_kexec_finish_noop(void) {}
static bool is_private_mmio_noop(u64 addr) {return false; }
struct x86_platform_ops x86_platform __ro_after_init = {
@@ -161,6 +163,8 @@ struct x86_platform_ops x86_platform __ro_after_init = {
.enc_status_change_finish = enc_status_change_finish_noop,
.enc_tlb_flush_required = enc_tlb_flush_required_noop,
.enc_cache_flush_required = enc_cache_flush_required_noop,
+ .enc_kexec_begin = enc_kexec_begin_noop,
+ .enc_kexec_finish = enc_kexec_finish_noop,
},
};
--
2.43.0
next prev parent reply other threads:[~2024-06-14 9:59 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-14 9:58 [PATCHv12 00/19] x86/tdx: Add kexec support Kirill A. Shutemov
2024-06-14 9:58 ` [PATCHv12 01/19] x86/acpi: Extract ACPI MADT wakeup code into a separate file Kirill A. Shutemov
2024-06-14 9:58 ` [PATCHv12 02/19] x86/apic: Mark acpi_mp_wake_* variables as __ro_after_init Kirill A. Shutemov
2024-06-14 9:58 ` [PATCHv12 03/19] cpu/hotplug: Add support for declaring CPU offlining not supported Kirill A. Shutemov
2024-06-14 9:58 ` [PATCHv12 04/19] cpu/hotplug, x86/acpi: Disable CPU offlining for ACPI MADT wakeup Kirill A. Shutemov
2024-06-14 9:58 ` [PATCHv12 05/19] x86/relocate_kernel: Use named labels for less confusion Kirill A. Shutemov
2024-06-14 9:58 ` [PATCHv12 06/19] x86/kexec: Keep CR4.MCE set during kexec for TDX guest Kirill A. Shutemov
2024-06-14 9:58 ` [PATCHv12 07/19] x86/mm: Make x86_platform.guest.enc_status_change_*() return errno Kirill A. Shutemov
2024-06-14 9:58 ` [PATCHv12 08/19] x86/mm: Return correct level from lookup_address() if pte is none Kirill A. Shutemov
2024-06-14 9:58 ` [PATCHv12 09/19] x86/tdx: Account shared memory Kirill A. Shutemov
2024-06-14 9:58 ` Kirill A. Shutemov [this message]
2024-06-14 9:58 ` [PATCHv12 11/19] x86/tdx: Convert shared memory back to private on kexec Kirill A. Shutemov
2024-06-14 9:58 ` [PATCHv12 12/19] x86/mm: Make e820__end_ram_pfn() cover E820_TYPE_ACPI ranges Kirill A. Shutemov
2024-06-14 9:58 ` [PATCHv12 13/19] x86/mm: Do not zap page table entries mapping unaccepted memory table during kdump Kirill A. Shutemov
2024-06-14 9:58 ` [PATCHv12 14/19] x86/acpi: Rename fields in acpi_madt_multiproc_wakeup structure Kirill A. Shutemov
2024-06-14 9:59 ` [PATCHv12 15/19] x86/acpi: Do not attempt to bring up secondary CPUs in kexec case Kirill A. Shutemov
2024-06-14 9:59 ` [PATCHv12 16/19] x86/smp: Add smp_ops.stop_this_cpu() callback Kirill A. Shutemov
2024-06-14 9:59 ` [PATCHv12 17/19] x86/mm: Introduce kernel_ident_mapping_free() Kirill A. Shutemov
2024-06-14 9:59 ` [PATCHv12 18/19] x86/acpi: Add support for CPU offlining for ACPI MADT wakeup method Kirill A. Shutemov
2024-06-14 9:59 ` [PATCHv12 19/19] ACPI: tables: Print MULTIPROC_WAKEUP when MADT is parsed Kirill A. Shutemov
2024-06-17 21:13 ` [PATCH v8 0/2] x86/snp: Add kexec support Ashish Kalra
2024-06-17 21:15 ` [PATCH v8 1/2] x86/boot/compressed: Skip Video Memory access in Decompressor for SEV-ES/SNP Ashish Kalra
2024-06-19 10:22 ` Borislav Petkov
2024-06-17 21:15 ` [PATCH v8 2/2] x86/snp: Convert shared memory back to private on kexec Ashish Kalra
2024-06-20 22:22 ` [PATCH v9 0/3] x86/snp: Add kexec support Ashish Kalra
2024-06-20 22:23 ` [PATCH v9 1/3] x86/sev: Move SEV compilation units Ashish Kalra
2024-06-20 22:23 ` [PATCH v9 2/3] x86/boot: Skip video memory access in the decompressor for SEV-ES/SNP Ashish Kalra
2024-06-24 15:03 ` Tom Lendacky
2024-06-20 22:23 ` [PATCH v9 3/3] x86/snp: Convert shared memory back to private on kexec Ashish Kalra
2024-06-24 15:18 ` Tom Lendacky
2024-06-24 18:26 ` Borislav Petkov
2024-06-24 20:57 ` Kalra, Ashish
2024-06-25 3:59 ` Borislav Petkov
2024-06-28 4:27 ` Kalra, Ashish
2024-06-28 14:01 ` Tom Lendacky
2024-06-28 19:14 ` Kalra, Ashish
2024-06-28 20:33 ` Kalra, Ashish
2024-06-24 18:21 ` [PATCH v10 0/2] x86/snp: Add kexec support Ashish Kalra
2024-06-24 18:21 ` [PATCH v10 1/2] x86/boot: Skip video memory access in the decompressor for SEV-ES/SNP Ashish Kalra
2024-06-24 18:22 ` [PATCH v10 2/2] Subject: [PATCH v9 3/3] x86/snp: Convert shared memory back to private on kexec Ashish Kalra
2024-07-02 19:56 ` [PATCH v11 0/3] x86/snp: Add kexec support Ashish Kalra
2024-07-02 19:57 ` [PATCH v11 1/3] x86/boot: Skip video memory access in the decompressor for SEV-ES/SNP Ashish Kalra
2024-07-02 19:57 ` [PATCH v11 2/3] x86/mm: refactor __set_clr_pte_enc() Ashish Kalra
2024-07-05 14:26 ` Borislav Petkov
2024-07-02 19:58 ` [PATCH v11 3/3] x86/snp: Convert shared memory back to private on kexec Ashish Kalra
2024-07-05 14:28 ` Borislav Petkov
2024-07-05 14:29 ` Borislav Petkov
2024-07-10 20:12 ` Kalra, Ashish
2024-07-30 19:20 ` [PATCH v12 0/3] x86/snp: Add kexec support Ashish Kalra
2024-07-30 19:21 ` [PATCH v12 1/3] x86/boot: Skip video memory access in the decompressor for SEV-ES/SNP Ashish Kalra
2024-07-30 19:21 ` [PATCH v12 2/3] x86/mm: refactor __set_clr_pte_enc() Ashish Kalra
2024-07-30 19:22 ` [PATCH v12 3/3] x86/snp: Convert shared memory back to private on kexec Ashish Kalra
2024-08-01 19:14 ` [PATCH v13 0/3] x86/snp: Add kexec support Ashish Kalra
2024-08-01 19:14 ` [PATCH v13 1/3] x86/boot: Skip video memory access in the decompressor for SEV-ES/SNP Ashish Kalra
2024-08-01 19:14 ` [PATCH v13 2/3] x86/mm: refactor __set_clr_pte_enc() Ashish Kalra
2024-10-28 16:15 ` Tom Lendacky
2024-08-01 19:14 ` [PATCH v13 3/3] x86/snp: Convert shared memory back to private on kexec Ashish Kalra
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240614095904.1345461-11-kirill.shutemov@linux.intel.com \
--to=kirill.shutemov@linux.intel.com \
--cc=adrian.hunter@intel.com \
--cc=ardb@kernel.org \
--cc=ashish.kalra@amd.com \
--cc=bhe@redhat.com \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=elena.reshetova@intel.com \
--cc=haiyangz@microsoft.com \
--cc=hpa@zytor.com \
--cc=jun.nakajima@intel.com \
--cc=kai.huang@intel.com \
--cc=kexec@lists.infradead.org \
--cc=kys@microsoft.com \
--cc=linux-acpi@vger.kernel.org \
--cc=linux-coco@lists.linux.dev \
--cc=linux-hyperv@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=ltao@redhat.com \
--cc=mingo@redhat.com \
--cc=nik.borisov@suse.com \
--cc=peterz@infradead.org \
--cc=rafael@kernel.org \
--cc=rick.p.edgecombe@intel.com \
--cc=sathyanarayanan.kuppuswamy@linux.intel.com \
--cc=seanjc@google.com \
--cc=tglx@linutronix.de \
--cc=thomas.lendacky@amd.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).