public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed
From: Sean Christopherson <seanjc@google.com>
To: Tom Lendacky <thomas.lendacky@amd.com>
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
	x86@kernel.org, Paolo Bonzini <pbonzini@redhat.com>,
	Jim Mattson <jmattson@google.com>, Joerg Roedel <joro@8bytes.org>,
	Vitaly Kuznetsov <vkuznets@redhat.com>,
	Wanpeng Li <wanpengli@tencent.com>,
	Borislav Petkov <bp@alien8.de>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Ingo Molnar <mingo@redhat.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	"H. Peter Anvin" <hpa@zytor.com>,
	Brijesh Singh <brijesh.singh@amd.com>
Subject: Re: [PATCH] KVM: SVM: Do not terminate SEV-ES guests on GHCB validation failure
Date: Fri, 3 Dec 2021 19:22:31 +0000	[thread overview]
Message-ID: <Yapud4DmBwvNHXBi@google.com> (raw)
In-Reply-To: <9ac5cf9c-0afb-86d1-1ef2-b3a7138010f2@amd.com>

On Fri, Dec 03, 2021, Tom Lendacky wrote:
> On 12/3/21 10:39 AM, Sean Christopherson wrote:
> > On Thu, Dec 02, 2021, Tom Lendacky wrote:
> > > +			goto e_scratch;
> > >   		if (kvm_read_guest(svm->vcpu.kvm, scratch_gpa_beg, scratch_va, len)) {
> > >   			/* Unable to copy scratch area from guest */
> > >   			pr_err("vmgexit: kvm_read_guest for scratch area failed\n");
> > >   			kvfree(scratch_va);
> > > -			return -EFAULT;
> > > +			goto e_scratch;
> > 
> > Same here, failure to read guest memory is a userspace issue and needs to be
> > reported to userspace.
> 
> But it could be a guest issue as well...  whichever is preferred is ok by me.

Arguably, any guest issue is a violation of the guest's contract with userspace,
and thus userspace needs to decide how to proceed.  E.g. userspace defines what
is RAM vs. MMIO and communicates that directly to the guest, KVM is not involved
in deciding what is/isn't RAM nor in communicating that information to the guest.
If the scratch GPA doesn't resolve to a memslot, then the guest is not honoring
the memory configuration as defined by userspace.

And if userspace unmaps an hva for whatever reason, then exiting to userspace
with -EFAULT is absolutely the right thing to do.  KVM's ABI currently sucks and
doesn't provide enough information to act on the -EFAULT, but I really want to
change that as there are multiple use cases, e.g. uffd and virtiofs truncation,
that shouldn't require any work in KVM beyond returning -EFAULT with a small
amount of metadata.

KVM could define its ABI such that failure to access the scratch area is reflected
into the guest, i.e. establish a contract with userspace, but IMO that's undesirable
as it limits KVM's options in the future, e.g. IIRC, in the potential uffd case any
failure on a uaccess needs to kick out to userspace.  KVM does have several cases
where it reflects these errors into the guest, e.g. kvm_pv_clock_pairing() and
Hyper-V emulation, but I would prefer we change those instead of adding more code
that assumes any memory failure is the guest's fault.

  reply	other threads:[~2021-12-03 19:22 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-12-02 18:52 [PATCH] KVM: SVM: Do not terminate SEV-ES guests on GHCB validation failure Tom Lendacky
2021-12-02 19:19 ` Paolo Bonzini
2021-12-02 19:39   ` Tom Lendacky
2021-12-02 19:39     ` Paolo Bonzini
2021-12-03 16:39 ` Sean Christopherson
2021-12-03 18:59   ` Tom Lendacky
2021-12-03 19:22     ` Sean Christopherson [this message]
2021-12-03 22:46     ` Tom Lendacky
2021-12-04  5:14     ` Marc Orr
  -- strict thread matches above, loose matches on Subject: below --
2021-05-14 19:22 Tom Lendacky
2021-05-14 23:06 ` Peter Gonda
2021-05-17 15:08   ` Tom Lendacky
2021-05-20 19:16     ` Sean Christopherson
2021-05-20 19:27       ` Sean Christopherson
2021-05-20 20:22         ` Sean Christopherson
2021-05-20 21:04           ` Tom Lendacky
2021-05-20 20:57       ` Tom Lendacky
2021-05-27 17:22         ` Sean Christopherson
2021-07-21 12:32           ` Vitaly Kuznetsov
2021-07-21 20:09             ` Sean Christopherson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Yapud4DmBwvNHXBi@google.com \
    --to=seanjc@google.com \
    --cc=bp@alien8.de \
    --cc=brijesh.singh@amd.com \
    --cc=dave.hansen@linux.intel.com \
    --cc=hpa@zytor.com \
    --cc=jmattson@google.com \
    --cc=joro@8bytes.org \
    --cc=kvm@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mingo@redhat.com \
    --cc=pbonzini@redhat.com \
    --cc=tglx@linutronix.de \
    --cc=thomas.lendacky@amd.com \
    --cc=vkuznets@redhat.com \
    --cc=wanpengli@tencent.com \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox