From: Dan Williams <dan.j.williams@intel.com>
To: Nikolay Borisov <nik.borisov@suse.com>,
Dan Williams <dan.j.williams@intel.com>,
<dave.hansen@linux.intel.com>
Cc: <kirill.shutemov@linux.intel.com>, <linux-coco@lists.linux.dev>,
<x86@kernel.org>, <linux-kernel@vger.kernel.org>,
<vannapurve@google.com>
Subject: Re: [RFC PATCH] /dev/mem: Disable /dev/mem under TDX guest
Date: Tue, 25 Mar 2025 14:16:53 -0400 [thread overview]
Message-ID: <67e2f315af42e_50a3294d4@dwillia2-mobl3.amr.corp.intel.com.notmuch> (raw)
In-Reply-To: <327a23d5-d5c4-4227-aafb-9d4ddd90289e@suse.com>
Nikolay Borisov wrote:
[..]
> > It seems unfortunate that the kernel is allowing conflicting mappings of
> > the same pfn. Is this not just a track_pfn_remap() bug report? In other
> > words, whatever established the conflicting private mapping failed to do
> > a memtype_reserve() with the encryption setting such that
> > track_pfn_remap() could find it and enforce a consistent mapping.
>
> I'm not an expert into this, but looking at the code it seems
> memtype_reserve deals with the memory type w.r.t PAT/MTRR i.e the
> cacheability of the memory, not whether the mapping is consistent w.r.t
> to other, arbitrary attributes.
Right, but the observation is that "something" decides to map that first
page of memory as private and then xlate_dev_mem_ptr() fails to maintain
consistent mapping.
So memtype_reserve() is indeed an awkward place to carry this
information and overkill for this particular bug.
However, something like the following is more appropriate than saying
/dev/mem is outright forbidden for guests.
diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c
index 38ff7791a9c7..4a7a5fc83039 100644
--- a/arch/x86/mm/ioremap.c
+++ b/arch/x86/mm/ioremap.c
@@ -122,6 +122,10 @@ static void __ioremap_check_other(resource_size_t addr, struct ioremap_desc *des
return;
}
+ /* Ensure BIOS data (see devmem_is_allowed()) is consistently mapped */
+ if (PHYS_PFN(addr) < 256)
+ desc->flags |= IORES_MAP_ENCRYPTED;
+
if (!IS_ENABLED(CONFIG_EFI))
return;
...because if the guest image wants to trust root why enforce piecemeal
lockdown semantics?
next prev parent reply other threads:[~2025-03-25 18:17 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-18 11:36 [RFC PATCH] /dev/mem: Disable /dev/mem under TDX guest Nikolay Borisov
2025-03-18 11:53 ` Juergen Gross
2025-03-18 11:56 ` Nikolay Borisov
2025-03-18 12:23 ` Kirill A. Shutemov
2025-03-18 12:53 ` Nikolay Borisov
2025-03-18 13:27 ` Kirill A. Shutemov
2025-03-18 14:21 ` Nikolay Borisov
2025-03-20 9:38 ` Kirill A. Shutemov
2025-03-18 14:48 ` Dave Hansen
2025-03-18 17:56 ` Nikolay Borisov
2025-03-18 19:06 ` Dan Williams
2025-03-24 9:59 ` Nikolay Borisov
2025-03-25 18:16 ` Dan Williams [this message]
2025-03-28 10:51 ` Nikolay Borisov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=67e2f315af42e_50a3294d4@dwillia2-mobl3.amr.corp.intel.com.notmuch \
--to=dan.j.williams@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=linux-coco@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=nik.borisov@suse.com \
--cc=vannapurve@google.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox