Re: [PATCH v5 10/10] KVM: selftests: Test disabling NX hugepages on a VM

[Sean Christopherson <seanjc@google.com>]

On Wed, Apr 13, 2022, Ben Gardon wrote:
> diff --git a/tools/testing/selftests/kvm/x86_64/nx_huge_pages_test.c b/tools/testing/selftests/kvm/x86_64/nx_huge_pages_test.c
> index 7f80e48781fd..21c31e1d567e 100644
> --- a/tools/testing/selftests/kvm/x86_64/nx_huge_pages_test.c
> +++ b/tools/testing/selftests/kvm/x86_64/nx_huge_pages_test.c
> @@ -13,6 +13,8 @@
>  #include <fcntl.h>
>  #include <stdint.h>
>  #include <time.h>
> +#include <linux/reboot.h>
> +#include <sys/syscall.h>
>  
>  #include <test_util.h>
>  #include "kvm_util.h"
> @@ -80,13 +82,45 @@ static void check_split_count(struct kvm_vm *vm, int expected_splits)
>  		    expected_splits, actual_splits);
>  }
>  
> -int main(int argc, char **argv)
> +void run_test(bool disable_nx)

Probably worth naming this disable_nx_workaround or disable_nx_mitigation, it's
quite easy to think this means "disable EFER.NX".

>  {
>  	struct kvm_vm *vm;
>  	struct timespec ts;
> +	uint64_t pages;
>  	void *hva;
> -
> -	vm = vm_create_default(0, 0, guest_code);
> +	int r;
> +
> +	pages = vm_pages_needed(VM_MODE_DEFAULT, 1, DEFAULT_GUEST_PHY_PAGES,
> +				0, 0);
> +	vm = vm_create_without_vcpus(VM_MODE_DEFAULT, pages);
> +
> +	if (disable_nx) {
> +		kvm_check_cap(KVM_CAP_VM_DISABLE_NX_HUGE_PAGES);
> +
> +		/*
> +		 * Check if this process has the reboot permissions needed to
> +		 * disable NX huge pages on a VM.
> +		 *
> +		 * The reboot call below will never have any effect because
> +		 * the magic values are not set correctly, however the
> +		 * permission check is done before the magic value check.
> +		 */
> +		r = syscall(SYS_reboot, 0, 0, 0, NULL);
> +		if (r && errno == EPERM) {
> +			r = vm_disable_nx_huge_pages(vm);
> +			TEST_ASSERT(r == EPERM,
> +				    "This process should not have permission to disable NX huge pages");

First off, huge kudos for negative testing!  But, it's going to provide poor coverage
if we teach everyone to use the runner script, because that'll likely require root on
most hosts, e.g. to futz with the module param.

Aha!  Idea.  And it should eliminate the SYS_reboot shenanigans, which while hilarious,
are mildy scary.

In the runner script, wrap all the modification of sysfs knobs with sudo, and then
(again with sudo) do:

	setcap cap_sys_boot+ep path/to/nx_huge_pages_test
	path/to/nx_huge_pages_test MAGIC_NUMBER -b

where "-b" means "has CAP_SYS_BOOT".  And then 

	setcap cap_sys_boot-ep path/to/nx_huge_pages_test
	path/to/nx_huge_pages_test MAGIC_NUMBER

Hmm, and I guess if the script is run as root, just skip the second invocation.

> +			return;
> +		}
> +
> +		TEST_ASSERT(r && errno == EINVAL,
> +			    "Reboot syscall should fail with -EINVAL");
> +
> +		r = vm_disable_nx_huge_pages(vm);
> +		TEST_ASSERT(!r, "Disabling NX huge pages should succeed if process has reboot permissions");
> +	}
> +
> +	vm_vcpu_add_default(vm, 0, guest_code);
>  
>  	vm_userspace_mem_region_add(vm, VM_MEM_SRC_ANONYMOUS_HUGETLB,
>  				    HPAGE_GPA, HPAGE_SLOT,
> @@ -121,21 +155,21 @@ int main(int argc, char **argv)
>  	 * to be remapped at 4k.
>  	 */
>  	vcpu_run(vm, 0);
> -	check_2m_page_count(vm, 1);
> -	check_split_count(vm, 1);
> +	check_2m_page_count(vm, disable_nx ? 2 : 1);
> +	check_split_count(vm, disable_nx ? 0 : 1);

Can you update the comments to explain why these magic number of pages are
expected for NX enabled/disabled?  As Jim has pointed out, just because KVM and
selftests might agree that 1==2, doesn't mean that their math is correct :-)