lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 25 May 2021 11:21:21 -0700
From:   "Kuppuswamy, Sathyanarayanan" 
        <sathyanarayanan.kuppuswamy@...ux.intel.com>
To:     Tom Lendacky <thomas.lendacky@....com>,
        Borislav Petkov <bp@...en8.de>
Cc:     Sean Christopherson <seanjc@...gle.com>,
        Dave Hansen <dave.hansen@...el.com>,
        Andi Kleen <ak@...ux.intel.com>,
        Peter Zijlstra <peterz@...radead.org>,
        Andy Lutomirski <luto@...nel.org>,
        Dan Williams <dan.j.williams@...el.com>,
        Tony Luck <tony.luck@...el.com>,
        Kirill Shutemov <kirill.shutemov@...ux.intel.com>,
        Kuppuswamy Sathyanarayanan <knsathya@...nel.org>,
        Raj Ashok <ashok.raj@...el.com>, linux-kernel@...r.kernel.org,
        Brijesh Singh <brijesh.singh@....com>
Subject: Re: [RFC v2 28/32] x86/tdx: Make pages shared in ioremap()

Hi,

On 5/21/21 2:14 PM, Tom Lendacky wrote:
> 
> 
> On 5/21/21 1:49 PM, Borislav Petkov wrote:
>> On Fri, May 21, 2021 at 11:19:15AM -0500, Tom Lendacky wrote:
>>> In arch/x86/mm/mem_encrypt.c, sme_early_init() (should have renamed that
>>> when SEV support was added), we do:
>>> 	if (sev_active())
>>> 		swiotlb_force = SWIOTLB_FORCE;
>>>
>>> TDX should be able to do a similar thing without having to touch
>>> arch/x86/kernel/pci-swiotlb.c.
>>>
>>> That would remove any confusion over SME being part of a
>>> protected_guest_has() call.
>>
>> Even better.
>>
>>> I kinda like the separate function, though.
>>
>> Only if you clean it up and get rid of the inverted logic and drop that
>> silly switch-case.
>>
>>> Except mem_encrypt_active() covers both SME and SEV, so
>>> protected_guest_has() would be confusing.
>>
>> I don't understand - the AMD-specific function amd_protected_guest_has()
>> would return sme_me_mask just like mem_encrypt_active() does and we can
>> get rid of latter.
>>
>> Or do you have a problem with the name protected_guest_has() containing
>> "guest" while we're talking about SME here?
> 
> The latter.
> 
>>
>> If so, feel free to suggest a better one - the name does not have to
>> have "guest" in it.
> 
> Let me see if I can come up with something that will make sense.
> 
> Thanks,
> Tom
> 
>>
>> Thx.
>>
>>

Following is the sample implementation. Please let me know your
comments.

     tdx: Introduce generic protected_guest abstraction

     Add a generic way to check if we run with an encrypted guest,
     without requiring x86 specific ifdefs. This can then be used in
     non architecture specific code.

     is_protected_guest() helper function can be implemented using
     arch specific CPU feature flags.

     protected_guest_has() is used to check for protected guest
     feature flags.

     Originally-by: Andi Kleen <ak@...ux.intel.com>
     Signed-off-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@...ux.intel.com>

diff --git a/arch/Kconfig b/arch/Kconfig
index ecfd3520b676..98c30312555b 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -956,6 +956,9 @@ config HAVE_ARCH_NVRAM_OPS
  config ISA_BUS_API
         def_bool ISA

+config ARCH_HAS_PROTECTED_GUEST
+       bool
+
  #
  # ABI hall of shame
  #
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index bc91c4aa7ce4..2f31613be965 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -879,6 +879,7 @@ config INTEL_TDX_GUEST
         select X86_X2APIC
         select SECURITY_LOCKDOWN_LSM
         select X86_MEM_ENCRYPT_COMMON
+       select ARCH_HAS_PROTECTED_GUEST
         help
           Provide support for running in a trusted domain on Intel processors
           equipped with Trusted Domain eXtenstions. TDX is a new Intel
diff --git a/arch/x86/include/asm/protected_guest.h b/arch/x86/include/asm/protected_guest.h
new file mode 100644
index 000000000000..b2838e58ce94
--- /dev/null
+++ b/arch/x86/include/asm/protected_guest.h
@@ -0,0 +1,24 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/* Copyright (C) 2020 Intel Corporation */
+#ifndef _ASM_PROTECTED_GUEST
+#define _ASM_PROTECTED_GUEST 1
+
+#include <asm/cpufeature.h>
+#include <asm/tdx.h>
+
+/* Only include through linux/protected_guest.h */
+
+static inline bool is_protected_guest(void)
+{
+       return boot_cpu_has(X86_FEATURE_TDX_GUEST);
+}
+
+static inline bool protected_guest_has(unsigned long flag)
+{
+       if (boot_cpu_has(X86_FEATURE_TDX_GUEST))
+               return tdx_protected_guest_has(flag);
+
+       return false;
+}
+
+#endif
diff --git a/arch/x86/include/asm/tdx.h b/arch/x86/include/asm/tdx.h
index 175cebb7bf94..d894111f49ea 100644
--- a/arch/x86/include/asm/tdx.h
+++ b/arch/x86/include/asm/tdx.h
@@ -147,6 +147,7 @@ do {                                                                        \
  extern phys_addr_t tdg_shared_mask(void);
  extern int tdx_hcall_gpa_intent(phys_addr_t gpa, int numpages,
                                 enum tdx_map_type map_type);
+bool tdx_protected_guest_has(unsigned long flag);

  #else // !CONFIG_INTEL_TDX_GUEST

@@ -167,6 +168,11 @@ static inline int tdx_hcall_gpa_intent(phys_addr_t gpa, int numpages,
  {
         return -ENODEV;
  }
+
+static inline bool tdx_protected_guest_has(unsigned long flag)
+{
+       return false;
+}
  #endif /* CONFIG_INTEL_TDX_GUEST */

  #ifdef CONFIG_INTEL_TDX_GUEST_KVM
diff --git a/arch/x86/kernel/tdx.c b/arch/x86/kernel/tdx.c
index c613c89d0d6a..cbb893412b43 100644
--- a/arch/x86/kernel/tdx.c
+++ b/arch/x86/kernel/tdx.c
@@ -11,6 +11,7 @@
  #include <linux/sched/signal.h> /* force_sig_fault() */
  #include <linux/swiotlb.h>
  #include <linux/security.h>
+#include <linux/protected_guest.h>

  #include <linux/cpu.h>

@@ -122,6 +123,23 @@ bool is_tdx_guest(void)
  }
  EXPORT_SYMBOL_GPL(is_tdx_guest);

+bool tdx_protected_guest_has(unsigned long flag)
+{
+       if (!is_tdx_guest())
+               return false;
+
+       switch (flag) {
+       case VM_MEM_ENCRYPT:
+       case VM_MEM_ENCRYPT_ACTIVE:
+       case VM_UNROLL_STRING_IO:
+       case VM_HOST_MEM_ENCRYPT:
+               return true;
+       }
+
+       return false;
+}
+EXPORT_SYMBOL_GPL(tdx_protected_guest_has);
+
  /* The highest bit of a guest physical address is the "sharing" bit */
  phys_addr_t tdg_shared_mask(void)
  {
diff --git a/include/linux/protected_guest.h b/include/linux/protected_guest.h
new file mode 100644
index 000000000000..f362eea39bd8
--- /dev/null
+++ b/include/linux/protected_guest.h
@@ -0,0 +1,23 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+#ifndef _LINUX_PROTECTED_GUEST_H
+#define _LINUX_PROTECTED_GUEST_H 1
+
+/* Protected Guest Feature Flags (leave 0-0xff for arch specific flags) */
+
+/* Support for guest encryption */
+#define VM_MEM_ENCRYPT                 0x100
+/* Encryption support is active */
+#define VM_MEM_ENCRYPT_ACTIVE          0x101
+/* Support for unrolled string IO */
+#define VM_UNROLL_STRING_IO            0x102
+/* Support for host memory encryption */
+#define VM_HOST_MEM_ENCRYPT            0x103
+
+#ifdef CONFIG_ARCH_HAS_PROTECTED_GUEST
+#include <asm/protected_guest.h>
+#else
+static inline bool is_protected_guest(void) { return false; }
+static inline bool protected_guest_has(unsigned long flag) { return false; }
+#endif
+
+#endif


-- 
Sathyanarayanan Kuppuswamy
Linux Kernel Developer

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ