public inbox for linux-kernel@vger.kernel.org
From: Peter Gonda <pgonda@google.com>
To: thomas.lendacky@amd.com
Cc: Peter Gonda <pgonda@google.com>, Borislav Petkov <bp@suse.de>,
	Michael Roth <michael.roth@amd.com>,
	Haowen Bai <baihaowen@meizu.com>,
	Yang Yingliang <yangyingliang@huawei.com>,
	Marc Orr <marcorr@google.com>,
	David Rientjes <rientjes@google.com>,
	Ashish Kalra <Ashish.Kalra@amd.com>,
	linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Subject: [PATCH V3 2/2] virt: sev: Allow for retrying SNP extended requests
Date: Thu, 27 Oct 2022 08:05:58 -0700
Message-ID: <20221027150558.722062-3-pgonda@google.com>
In-Reply-To: <20221027150558.722062-1-pgonda@google.com>

If an SNP Extended Request is placed without enough data pages the host
will return an error to the guest and tell it the number of required
data pages. If we place an extended request without enough data pages we
can retry the command portion of the request using an SNP Request. This
allows us to keep our command sequence numbers with the ASP in sync
while also supporting the SNP Extended Request's data size querying
capability. This happens inside of snp_issue_guest_request() to keep the
safety of the sequence numbers easy. Any failure of
snp_issue_guest_request() should result in no further use of the VMPCK due
to issues with the sequence number being the IV in the AES-GCM
communication channel. IV reuse, meaning sequence number reuse in this
driver, can result in the secure channel being compromised.

Signed-off-by: Peter Gonda <pgonda@google.com>
Cc: Borislav Petkov <bp@suse.de>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Michael Roth <michael.roth@amd.com>
Cc: Haowen Bai <baihaowen@meizu.com>
Cc: Yang Yingliang <yangyingliang@huawei.com>
Cc: Marc Orr <marcorr@google.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Ashish Kalra <Ashish.Kalra@amd.com>
Cc: linux-kernel@vger.kernel.org
Cc: kvm@vger.kernel.org
---
 arch/x86/include/asm/svm.h              |  6 ++++++
 arch/x86/kernel/sev.c                   | 28 ++++++++++++++++++++-----
 drivers/virt/coco/sev-guest/sev-guest.c |  2 +-
 3 files changed, 30 insertions(+), 6 deletions(-)

diff --git a/arch/x86/include/asm/svm.h b/arch/x86/include/asm/svm.h
index 0361626841bc..3886b8ea18ae 100644
--- a/arch/x86/include/asm/svm.h
+++ b/arch/x86/include/asm/svm.h
@@ -585,6 +585,12 @@ struct vmcb {
 				(unsigned long *)&ghcb->save.valid_bitmap);	\
 	}									\
 										\
+	static __always_inline void ghcb_clear_##field(const struct ghcb *ghcb) \
+	{									\
+		clear_bit(GHCB_BITMAP_IDX(field),				\
+			  (unsigned long *)&ghcb->save.valid_bitmap);		\
+	}									\
+										\
 	static __always_inline u64 ghcb_get_##field(struct ghcb *ghcb)		\
 	{									\
 		return ghcb->save.field;					\
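
Review bot: ghcb_clear_##field() is declared with "const struct ghcb *ghcb" but its body calls clear_bit() on ghcb->save.valid_bitmap, so the const is discarded by the (unsigned long *) cast and the prototype misleads callers about mutation. Drop the const so the signature matches ghcb_get_##field(struct ghcb *ghcb) just below and the compiler can flag a call made on a GHCB that really is read-only.
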
diff --git a/arch/x86/kernel/sev.c b/arch/x86/kernel/sev.c
index a428c62330d3..3f7e2105ef97 100644
--- a/arch/x86/kernel/sev.c
+++ b/arch/x86/kernel/sev.c
@@ -2213,12 +2213,30 @@ int snp_issue_guest_request(u64 exit_code, struct snp_req_data *input, unsigned
 		goto e_put;
 
 	if (ghcb->save.sw_exit_info_2) {
-		/* Number of expected pages are returned in RBX */
+		/* For a SNP Extended Request, if the request was placed with
+		 * insufficient data pages. The host will return the number of
+		 * pages required using RBX in the GHCB. We can than retry the
+		 * call as an SNP Request to fulfill the command without getting
+		 * the extended request data.
+		 */
 		if (exit_code == SVM_VMGEXIT_EXT_GUEST_REQUEST &&
-		    ghcb->save.sw_exit_info_2 == SNP_GUEST_REQ_INVALID_LEN)
-			input->data_npages = ghcb_get_rbx(ghcb);
-
-		*fw_err = ghcb->save.sw_exit_info_2;
+		    ghcb->save.sw_exit_info_2 == SNP_GUEST_REQ_INVALID_LEN) {
+			int npages = ghcb_get_rbx(ghcb);
+
+			ghcb_clear_rax(ghcb);
+			ghcb_clear_rbx(ghcb);
+
+			ret = sev_es_ghcb_hv_call(ghcb, &ctxt,
+						  SVM_VMGEXIT_GUEST_REQUEST,
+						  input->req_gpa,
+						  input->resp_gpa);
+			if (ret)
+				goto e_put;
+
+			input->data_npages = npages;
+			*fw_err = SNP_GUEST_REQ_INVALID_LEN;
+		} else
+			*fw_err = ghcb->save.sw_exit_info_2;
 
 		ret = -EIO;
 	}
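
Review bot: in the SNP_GUEST_REQ_INVALID_LEN branch the retried sev_es_ghcb_hv_call() is checked only through ret; ghcb->save.sw_exit_info_2 is never read again and *fw_err is then set unconditionally to SNP_GUEST_REQ_INVALID_LEN. If the retried SVM_VMGEXIT_GUEST_REQUEST reports its own error in sw_exit_info_2, that status is lost and the caller sees only the length error, so consider checking sw_exit_info_2 after the retry and propagating it. Separately, "int npages = ghcb_get_rbx(ghcb);" narrows a host-supplied u64 into a signed int before it is stored in input->data_npages; an unsigned type of the same width as data_npages avoids truncation or a negative value. Style: the block comment should open with a bare "/*" line, "than" should be "then", and the "} else" arm needs braces because the if arm has them.
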
diff --git a/drivers/virt/coco/sev-guest/sev-guest.c b/drivers/virt/coco/sev-guest/sev-guest.c
index 8c54ea84bc57..ede07c0ec0c3 100644
--- a/drivers/virt/coco/sev-guest/sev-guest.c
+++ b/drivers/virt/coco/sev-guest/sev-guest.c
@@ -496,7 +496,7 @@ static int get_ext_report(struct snp_guest_dev *snp_dev, struct snp_guest_reques
 	if (!resp)
 		return -ENOMEM;
 
-	snp_dev->input.data_npages = sizeof(*snp_dev->certs_data) >> PAGE_SHIFT;
+	snp_dev->input.data_npages = req_cert_len  >> PAGE_SHIFT;
 	ret = handle_guest_request(snp_dev, SVM_VMGEXIT_EXT_GUEST_REQUEST, arg->msg_version,
 				   SNP_MSG_REPORT_REQ, &req.data,
 				   sizeof(req.data), resp->data, resp_len, &arg->fw_err);
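
Review bot: "req_cert_len  >> PAGE_SHIFT" rounds down, so a req_cert_len that is not a multiple of PAGE_SIZE under-reports data_npages, and nothing in this hunk shows req_cert_len being bounded by sizeof(*snp_dev->certs_data), which the removed line used. Please confirm both checks happen earlier in get_ext_report(), or add them here. There is also a doubled space before ">>".
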
-- 
2.38.0.135.g90850a2211-goog



Thread overview: 7+ messages
2022-10-27 15:05 [PATCH V3 0/2] Fix security issue in SNP guest AES-GCM usage Peter Gonda
2022-10-27 15:05 ` [PATCH V3 1/2] virt: sev: Prevent IV reuse in SNP guest driver Peter Gonda
2022-10-27 18:06   ` Tom Lendacky
2022-10-27 20:10     ` Peter Gonda
2022-10-27 20:30       ` Peter Gonda
2022-10-27 15:05 ` Peter Gonda [this message]
2022-10-27 17:27   ` [PATCH V3 2/2] virt: sev: Allow for retrying SNP extended requests Dionna Amalie Glaze
