Re: [PATCH 1/2] KVM: TDX: Handle TDG.VP.VMCALL<GetQuote>

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: "Huang, Kai" <kai.huang@intel.com>
To: "kvm@vger.kernel.org" <kvm@vger.kernel.org>,
	"pbonzini@redhat.com" <pbonzini@redhat.com>,
	"seanjc@google.com" <seanjc@google.com>,
	"binbin.wu@linux.intel.com" <binbin.wu@linux.intel.com>
Cc: "mikko.ylinen@linux.intel.com" <mikko.ylinen@linux.intel.com>,
	"Edgecombe, Rick P" <rick.p.edgecombe@intel.com>,
	"Gao, Chao" <chao.gao@intel.com>,
	"Li, Xiaoyao" <xiaoyao.li@intel.com>,
	"Chatre, Reinette" <reinette.chatre@intel.com>,
	"Hunter, Adrian" <adrian.hunter@intel.com>,
	"Lindgren, Tony" <tony.lindgren@intel.com>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"Zhao, Yan Y" <yan.y.zhao@intel.com>,
	"Yamahata, Isaku" <isaku.yamahata@intel.com>
Subject: Re: [PATCH 1/2] KVM: TDX: Handle TDG.VP.VMCALL<GetQuote>
Date: Wed, 2 Apr 2025 22:05:58 +0000	[thread overview]
Message-ID: <46d208b59038b5e4dce3122d7efe85f9106dae32.camel@intel.com> (raw)
In-Reply-To: <c96f2ed1-1c7f-4b61-85ff-902e08c61fbc@linux.intel.com>

On Wed, 2025-04-02 at 21:16 +0800, Binbin Wu wrote:
> > > > +static int tdx_get_quote(struct kvm_vcpu *vcpu)
> > > > +{
> > > > +    struct vcpu_tdx *tdx = to_tdx(vcpu);
> > > > +
> > > > +    u64 gpa = tdx->vp_enter_args.r12;
> > > > +    u64 size = tdx->vp_enter_args.r13;
> > > > +
> > > > +    /* The buffer must be shared memory. */
> > > > +    if (vt_is_tdx_private_gpa(vcpu->kvm, gpa) || size == 0) {
> > > > +        tdvmcall_set_return_code(vcpu, TDVMCALL_STATUS_INVALID_OPERAND);
> > > > +        return 1;
> > > > +    }
> > > It is a little bit confusing about the shared buffer check here.  There are two
> > > perspectives here:
> > > 
> > > 1) the buffer has already been converted to shared, i.e., the attributes are
> > > stored in the Xarray.
> > > 2) the GPA passed in the GetQuote must have the shared bit set.
> > > 
> > > The key is we need 1) here.  From the spec, we need the 2) as well because it
> > > *seems* that the spec requires GetQuote to provide the GPA with shared bit set,
> > > as it says "Shared GPA as input".
> > > 
> > > The above check only does 2).  I think we need to check 1) as well, because once
> > > you forward this GetQuote to userspace, userspace is able to access it freely.
> > 
> > Right.
> > 
> > Another discussion is whether KVM should skip the sanity checks for GetQuote
> > and let the userspace take the job.
> > Considering checking the buffer is shared memory or not, KVM seems to be a
> > better place.
> A second thought. If the userspace could do the shared memory check, the
> whole sanity checks can be done in userspace to keep KVM as small as possible.

I am not sure depending on userspace to check is a good idea while KVM can just
do it, e.g., the userspace may forget to do the check.  It's consistent with
other "userspace input checks" as well.

Another argument is there are multiple VMMs out there and they all will need to
do such check if KVM doesn't do it.

next prev parent reply	other threads:[~2025-04-02 22:06 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-04-02  0:15 [PATCH 0/2] TDX attestation support Binbin Wu
2025-04-02  0:15 ` [PATCH 1/2] KVM: TDX: Handle TDG.VP.VMCALL<GetQuote> Binbin Wu
2025-04-02  0:53   ` Huang, Kai
2025-04-02  8:58     ` Huang, Kai
2025-04-02 12:53     ` Binbin Wu
2025-04-02 13:16       ` Binbin Wu
2025-04-02 22:05         ` Huang, Kai [this message]
2025-04-02 22:00       ` Huang, Kai
2025-04-08  2:35         ` Binbin Wu
2025-04-09 13:49       ` Sean Christopherson
2025-04-10  0:06         ` Binbin Wu
2025-04-10  0:15         ` Huang, Kai
2025-04-02 22:19   ` Huang, Kai
2025-04-07  1:00     ` Binbin Wu
2025-04-15  1:49   ` Xiaoyao Li
2025-04-15  1:51     ` Edgecombe, Rick P
2025-04-15  1:55       ` Binbin Wu
2025-04-02  0:15 ` [PATCH 2/2] KVM: TDX: Handle TDG.VP.VMCALL<SetupEventNotifyInterrupt> Binbin Wu
2025-04-02  0:20 ` [PATCH 0/2] TDX attestation support Edgecombe, Rick P
2025-04-11  1:42   ` Binbin Wu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=46d208b59038b5e4dce3122d7efe85f9106dae32.camel@intel.com \
    --to=kai.huang@intel.com \
    --cc=adrian.hunter@intel.com \
    --cc=binbin.wu@linux.intel.com \
    --cc=chao.gao@intel.com \
    --cc=isaku.yamahata@intel.com \
    --cc=kvm@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mikko.ylinen@linux.intel.com \
    --cc=pbonzini@redhat.com \
    --cc=reinette.chatre@intel.com \
    --cc=rick.p.edgecombe@intel.com \
    --cc=seanjc@google.com \
    --cc=tony.lindgren@intel.com \
    --cc=xiaoyao.li@intel.com \
    --cc=yan.y.zhao@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox