From: "Kirill A. Shutemov" <kirill@shutemov.name>
To: Andy Lutomirski <luto@kernel.org>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
Borislav Petkov <bp@alien8.de>,
Sean Christopherson <seanjc@google.com>,
Andrew Morton <akpm@linux-foundation.org>,
Joerg Roedel <jroedel@suse.de>, Ard Biesheuvel <ardb@kernel.org>,
Andi Kleen <ak@linux.intel.com>,
Sathyanarayanan Kuppuswamy
<sathyanarayanan.kuppuswamy@linux.intel.com>,
David Rientjes <rientjes@google.com>,
Vlastimil Babka <vbabka@suse.cz>,
Tom Lendacky <thomas.lendacky@amd.com>,
Thomas Gleixner <tglx@linutronix.de>,
"Peter Zijlstra (Intel)" <peterz@infradead.org>,
Paolo Bonzini <pbonzini@redhat.com>,
Ingo Molnar <mingo@redhat.com>,
Varad Gautam <varad.gautam@suse.com>,
Dario Faggioli <dfaggioli@suse.com>,
Dave Hansen <dave.hansen@intel.com>,
Mike Rapoport <rppt@kernel.org>,
David Hildenbrand <david@redhat.com>,
Marcelo Henrique Cerri <marcelo.cerri@canonical.com>,
tim.gardner@canonical.com, khalid.elmously@canonical.com,
philip.cox@canonical.com,
the arch/x86 maintainers <x86@kernel.org>,
linux-mm@kvack.org, linux-coco@lists.linux.dev,
linux-efi@vger.kernel.org,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [PATCHv7 10/14] x86/mm: Avoid load_unaligned_zeropad() stepping into unaccepted memory
Date: Sun, 14 Aug 2022 00:02:15 +0300 [thread overview]
Message-ID: <20220813210215.ti7f2vqdg6olthjv@box.shutemov.name> (raw)
In-Reply-To: <453fb432-ac13-4819-8395-95561bca948b@www.fastmail.com>
On Sat, Aug 13, 2022 at 09:03:13AM -0700, Andy Lutomirski wrote:
>
>
> On Tue, Aug 9, 2022, at 4:38 AM, Kirill A. Shutemov wrote:
> > On Tue, Jul 26, 2022 at 01:17:13PM -0700, Andy Lutomirski wrote:
> >>
> >>
> >> On Tue, Jun 14, 2022, at 5:02 AM, Kirill A. Shutemov wrote:
> >> > load_unaligned_zeropad() can lead to unwanted loads across page boundaries.
> >> > The unwanted loads are typically harmless. But, they might be made to
> >> > totally unrelated or even unmapped memory. load_unaligned_zeropad()
> >> > relies on exception fixup (#PF, #GP and now #VE) to recover from these
> >> > unwanted loads.
> >> >
> >> > But, this approach does not work for unaccepted memory. For TDX, a load
> >> > from unaccepted memory will not lead to a recoverable exception within
> >> > the guest. The guest will exit to the VMM where the only recourse is to
> >> > terminate the guest.
> >>
> >> Why is unaccepted memory marked present in the direct map in the first place?
> >>
> >> Having kernel code assume that every valid address is followed by
> >> several bytes of memory that may be read without side effects other than
> >> #PF also seems like a mistake, but I probably won’t win that fight. But
> >> sticking guard pages in front of definitely-not-logically present pages
> >> seems silly to me. Let’s just not map it.
> >
> > It would mean no 1G pages in direct mapping for TDX as we accept 2M a
> > time.
As of now, we don't have a way to recover direct mapping from
fragmentation. So once we split 1G to 2M it stays this way.
> >> (What if MMIO memory is mapped next to regular memory? Doing random
> >> unaligned reads that cross into MMIO seems unwise.)
> >
> > MMIO is shared, not unaccpted private. We already handle the situation.
> > See 1e7769653b06 ("x86/tdx: Handle load_unaligned_zeropad() page-cross to
> > a shared page").
> >
>
> I don’t mean in a confidential guest — I mean generally. This whole
> model of “overrun the buffer — no big deal” is just fragile.
If you want to remove load_unaligned_zeropad(), I would not object. It can
make life easier.
I presumed that optimization it brings has measuarable benefit (otherwise,
why bother).
--
Kiryl Shutsemau / Kirill A. Shutemov
next prev parent reply other threads:[~2022-08-13 20:59 UTC|newest]
Thread overview: 139+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-14 12:02 [PATCHv7 00/14] mm, x86/cc: Implement support for unaccepted memory Kirill A. Shutemov
2022-06-14 12:02 ` [PATCHv7 01/14] x86/boot: Centralize __pa()/__va() definitions Kirill A. Shutemov
2022-06-23 17:37 ` Dave Hansen
2022-06-14 12:02 ` [PATCHv7 02/14] mm: Add support for unaccepted memory Kirill A. Shutemov
2022-06-14 12:57 ` Gupta, Pankaj
2022-06-17 19:28 ` Tom Lendacky
2022-06-17 20:53 ` Tom Lendacky
2022-07-21 15:14 ` Borislav Petkov
2022-07-21 15:49 ` Dave Hansen
2022-07-22 19:18 ` Borislav Petkov
2022-07-22 19:30 ` Dave Hansen
2022-07-25 12:23 ` Borislav Petkov
2022-07-25 12:38 ` David Hildenbrand
2022-07-25 12:53 ` Borislav Petkov
2022-07-26 14:30 ` David Hildenbrand
2022-07-25 13:00 ` Mike Rapoport
2022-07-25 13:05 ` Borislav Petkov
2022-08-05 11:49 ` Vlastimil Babka
2022-08-05 12:09 ` David Hildenbrand
2022-08-05 13:38 ` Vlastimil Babka
2022-08-05 14:22 ` David Hildenbrand
2022-08-05 14:53 ` Dave Hansen
2022-08-05 14:41 ` Dave Hansen
2022-08-05 18:17 ` Vlastimil Babka
2022-08-08 15:55 ` Dave Hansen
2022-08-10 14:19 ` Mel Gorman
2022-08-15 21:08 ` Dionna Amalie Glaze
2022-08-15 22:02 ` Tom Lendacky
2022-08-29 16:02 ` Dionna Amalie Glaze
2022-08-29 16:19 ` Dave Hansen
2022-09-06 17:50 ` Dionna Amalie Glaze
2022-09-08 12:11 ` Mike Rapoport
2022-09-08 16:23 ` Dionna Amalie Glaze
2022-09-08 19:28 ` Mike Rapoport
2022-09-22 14:31 ` Tom Lendacky
2022-09-24 1:03 ` Kirill A. Shutemov
2022-09-24 9:36 ` Mike Rapoport
2022-09-26 12:10 ` Kirill A. Shutemov
2022-09-26 13:38 ` Tom Lendacky
2022-09-26 15:42 ` Kirill A. Shutemov
2022-09-26 15:42 ` Tom Lendacky
2022-06-14 12:02 ` [PATCHv7 03/14] mm: Report unaccepted memory in meminfo Kirill A. Shutemov
2022-07-26 14:33 ` David Hildenbrand
2022-06-14 12:02 ` [PATCHv7 04/14] efi/x86: Get full memory map in allocate_e820() Kirill A. Shutemov
2022-07-25 13:02 ` Borislav Petkov
2022-06-14 12:02 ` [PATCHv7 05/14] x86/boot: Add infrastructure required for unaccepted memory support Kirill A. Shutemov
2022-06-15 10:19 ` Peter Zijlstra
2022-06-15 15:05 ` Kirill A. Shutemov
2022-07-17 17:16 ` Borislav Petkov
2022-07-25 21:33 ` Borislav Petkov
2022-06-14 12:02 ` [PATCHv7 06/14] efi/x86: Implement support for unaccepted memory Kirill A. Shutemov
2022-06-22 19:58 ` Dave Hansen
2022-07-26 8:35 ` Borislav Petkov
2022-06-14 12:02 ` [PATCHv7 07/14] x86/boot/compressed: Handle " Kirill A. Shutemov
2022-06-14 12:02 ` [PATCHv7 08/14] x86/mm: Reserve unaccepted memory bitmap Kirill A. Shutemov
2022-07-26 9:07 ` Borislav Petkov
2022-11-30 1:28 ` Kirill A. Shutemov
2022-12-01 9:37 ` Mike Rapoport
2022-12-01 13:47 ` Kirill A. Shutemov
2022-06-14 12:02 ` [PATCHv7 09/14] x86/mm: Provide helpers for unaccepted memory Kirill A. Shutemov
2022-06-14 12:02 ` [PATCHv7 10/14] x86/mm: Avoid load_unaligned_zeropad() stepping into " Kirill A. Shutemov
2022-06-23 17:19 ` Dave Hansen
2022-07-26 10:21 ` Borislav Petkov
2022-08-02 23:46 ` Dave Hansen
2022-08-03 14:02 ` Dave Hansen
2022-08-11 11:26 ` Borislav Petkov
2022-08-13 16:11 ` Andy Lutomirski
2022-08-13 21:13 ` Kirill A. Shutemov
2022-08-13 16:04 ` Andy Lutomirski
2022-08-13 20:58 ` Kirill A. Shutemov
2022-07-26 17:25 ` Borislav Petkov
2022-07-26 17:46 ` Dave Hansen
2022-07-26 20:17 ` Andy Lutomirski
2022-08-09 11:38 ` Kirill A. Shutemov
2022-08-13 16:03 ` Andy Lutomirski
2022-08-13 21:02 ` Kirill A. Shutemov [this message]
2022-06-14 12:02 ` [PATCHv7 11/14] x86: Disable kexec if system has " Kirill A. Shutemov
2022-06-23 17:23 ` Dave Hansen
2022-06-23 21:48 ` Eric W. Biederman
2022-06-24 2:00 ` Kirill A. Shutemov
2022-06-28 23:51 ` Kirill A. Shutemov
2022-06-29 0:10 ` Dave Hansen
2022-06-29 0:59 ` Kirill A. Shutemov
2022-07-04 7:18 ` Dave Young
2022-06-14 12:02 ` [PATCHv7 12/14] x86/tdx: Make _tdx_hypercall() and __tdx_module_call() available in boot stub Kirill A. Shutemov
2022-06-23 17:25 ` Dave Hansen
2022-06-14 12:02 ` [PATCHv7 13/14] x86/tdx: Refactor try_accept_one() Kirill A. Shutemov
2022-06-23 17:31 ` Dave Hansen
2022-07-26 10:58 ` Borislav Petkov
2022-06-14 12:02 ` [PATCHv7 14/14] x86/tdx: Add unaccepted memory support Kirill A. Shutemov
2022-06-24 16:22 ` Dave Hansen
2022-06-27 10:42 ` Kirill A. Shutemov
2022-07-26 14:51 ` Borislav Petkov
2022-08-09 11:45 ` Kirill A. Shutemov
2022-08-10 10:27 ` Borislav Petkov
2022-06-24 16:37 ` [PATCHv7 00/14] mm, x86/cc: Implement support for unaccepted memory Peter Gonda
2022-06-24 16:57 ` Dave Hansen
2022-06-24 17:06 ` Marc Orr
2022-06-24 17:09 ` Dave Hansen
2022-06-24 17:15 ` Peter Gonda
2022-06-24 17:19 ` Marc Orr
2022-06-24 17:21 ` Peter Gonda
2022-06-24 17:47 ` Dave Hansen
2022-06-24 18:10 ` Peter Gonda
2022-06-24 18:13 ` Dave Hansen
2022-06-24 17:40 ` Michael Roth
2022-06-24 17:58 ` Michael Roth
2022-06-24 18:05 ` Peter Gonda
2022-06-27 11:30 ` Kirill A. Shutemov
2022-06-27 11:54 ` Ard Biesheuvel
2022-06-27 12:22 ` Kirill A. Shutemov
2022-06-27 16:17 ` Peter Gonda
2022-06-27 16:33 ` Ard Biesheuvel
2022-06-27 22:38 ` Kirill A. Shutemov
2022-06-28 17:17 ` Ard Biesheuvel
2022-07-18 17:21 ` Kirill A. Shutemov
2022-07-18 23:32 ` Dionna Amalie Glaze
2022-07-19 0:31 ` Dionna Amalie Glaze
2022-07-19 18:29 ` Dionna Amalie Glaze
2022-07-19 19:13 ` Borislav Petkov
2022-07-19 20:45 ` Ard Biesheuvel
2022-07-19 21:23 ` Borislav Petkov
2022-07-19 21:35 ` Dave Hansen
2022-07-19 21:50 ` Borislav Petkov
2022-07-19 22:01 ` Kirill A. Shutemov
2022-07-19 22:02 ` Dave Hansen
2022-07-19 22:08 ` Tom Lendacky
2022-07-20 0:26 ` Marc Orr
2022-07-20 5:44 ` Borislav Petkov
2022-07-20 17:03 ` Marc Orr
2022-07-22 15:07 ` Borislav Petkov
2022-07-21 17:12 ` Dave Hansen
2022-07-23 11:14 ` Ard Biesheuvel
2022-07-28 22:01 ` Dionna Amalie Glaze
2022-08-09 11:14 ` Kirill A. Shutemov
2022-08-09 11:36 ` Ard Biesheuvel
2022-08-09 11:54 ` Kirill A. Shutemov
2022-08-09 21:09 ` Dionna Amalie Glaze
2022-07-19 2:48 ` Yao, Jiewen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220813210215.ti7f2vqdg6olthjv@box.shutemov.name \
--to=kirill@shutemov.name \
--cc=ak@linux.intel.com \
--cc=akpm@linux-foundation.org \
--cc=ardb@kernel.org \
--cc=bp@alien8.de \
--cc=dave.hansen@intel.com \
--cc=david@redhat.com \
--cc=dfaggioli@suse.com \
--cc=jroedel@suse.de \
--cc=khalid.elmously@canonical.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=linux-coco@lists.linux.dev \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@kernel.org \
--cc=marcelo.cerri@canonical.com \
--cc=mingo@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peterz@infradead.org \
--cc=philip.cox@canonical.com \
--cc=rientjes@google.com \
--cc=rppt@kernel.org \
--cc=sathyanarayanan.kuppuswamy@linux.intel.com \
--cc=seanjc@google.com \
--cc=tglx@linutronix.de \
--cc=thomas.lendacky@amd.com \
--cc=tim.gardner@canonical.com \
--cc=varad.gautam@suse.com \
--cc=vbabka@suse.cz \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).