Linux Confidential Computing Development
From: Jason Gunthorpe <jgg@ziepe.ca>
To: Michael Kelley <mhklinux@outlook.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>,
	Christoph Hellwig <hch@infradead.org>,
	Kameron Carr <kameroncarr@linux.microsoft.com>,
	"akpm@linux-foundation.org" <akpm@linux-foundation.org>,
	"urezki@gmail.com" <urezki@gmail.com>,
	"linux-mm@kvack.org" <linux-mm@kvack.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"rppt@kernel.org" <rppt@kernel.org>,
	"linux-coco@lists.linux.dev" <linux-coco@lists.linux.dev>,
	Suzuki K Poulose <Suzuki.Poulose@arm.com>
Subject: Re: [RFC PATCH] mm/vmalloc: add vmalloc_decrypted() and vzalloc_decrypted()
Date: Mon, 15 Jun 2026 09:09:38 -0300
Message-ID: <20260615120938.GR1066031@ziepe.ca>
In-Reply-To: <SN6PR02MB4157EC032AD55D182FBC1318D4182@SN6PR02MB4157.namprd02.prod.outlook.com>

On Fri, Jun 12, 2026 at 07:06:00PM +0000, Michael Kelley wrote:

> > I thought arches are either preserving the memory content or zeroing
> > it, you are saying some arch leaves it as garbage? I'd argue that's an
> > arch bug and they should clear it in their path.
> 
> AMD SEV-SNP leaves the memory contents as garbage after an encryption
> or decryption state change. On the flip side, my understanding has been
> that TDX zeroes the memory (or at least has an option to do so) after
> such a state change, though a couple of AI chats say TDX also leaves
> garbage. To be sure, I'd have to run an experiment to check in a TDX
> guest on Hyper-V.

So there are many bugs then if the pre-zero is lost and you have to
zero it again. Even swiotlb doesn't reliably zero its pools in the
right order under these rules, though alloc coherent does get it
right at least.

IMHO this is too sketchy to be usable and optimizing for AMD is not
the right call, IMHO.

> > Otherwise this sharp edge is not documented and we have many other
> > places getting it wrong, eg system_heap_allocate() doesn't re-zero the
> > memory after decrypting it.
> 
> In the Hyper-V code that uses set_memory_decrypted()/encrypted(),
> there's always an explicit call to set the memory to zero afterwards.

Good for it, maybe next time improve the APIs :(

Even more compelling that hyper-v should be using the dma api..

Jason
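
The ordering problem discussed in this message, as an added user-space model (not code from the thread or from the kernel). model_set_decrypted(), enum convert_policy and shared_page_is_zeroed() are hypothetical names, and the three conversion behaviours (preserve, zero, scramble) and the scramble pattern are assumptions built from the thread's description:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SZ 4096
/* Assumed models of what a private->shared conversion does to page contents. */
enum convert_policy { CONVERT_PRESERVES, CONVERT_ZEROES, CONVERT_SCRAMBLES };

/* User-space stand-in for set_memory_decrypted(); not the kernel function. */
static void model_set_decrypted(uint8_t *page, enum convert_policy p)
{
    if (p == CONVERT_ZEROES)
        memset(page, 0, PAGE_SZ);
    else if (p == CONVERT_SCRAMBLES)
        for (size_t i = 0; i < PAGE_SZ; i++)   /* constructed garbage pattern */
            page[i] ^= (uint8_t)(0xA5 + i * 31);
}

/* zero_after == 0: zero, then convert (relies on contents surviving).
 * zero_after == 1: convert, then zero explicitly.
 * Returns 1 if the page the caller gets is all zero, 0 if not, -1 on ENOMEM. */
static int shared_page_is_zeroed(enum convert_policy p, int zero_after)
{
    uint8_t *page = calloc(1, PAGE_SZ);        /* the "pre-zero" */
    int zeroed = 1;

    if (!page)
        return -1;
    model_set_decrypted(page, p);
    if (zero_after)
        memset(page, 0, PAGE_SZ);
    for (size_t i = 0; i < PAGE_SZ; i++)
        if (page[i])
            zeroed = 0;
    free(page);
    return zeroed;
}

int main(void)
{
    static const char *name[] = { "preserve", "zero", "scramble" };

    for (int p = CONVERT_PRESERVES; p <= CONVERT_SCRAMBLES; p++)
        printf("%-8s zero-then-convert=%d convert-then-zero=%d\n", name[p],
               shared_page_is_zeroed((enum convert_policy)p, 0),
               shared_page_is_zeroed((enum convert_policy)p, 1));
    return 0;
}
```

Only the convert-then-zero ordering returns a zeroed page under all three modelled behaviours.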
