[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <YYqwT1fGxBQQmFvY@google.com>
Date: Tue, 9 Nov 2021 17:30:55 +0000
From: Sean Christopherson <seanjc@...gle.com>
To: Peter Gonda <pgonda@...gle.com>
Cc: Thomas.Lendacky@....com, Marc Orr <marcorr@...gle.com>,
David Rientjes <rientjes@...gle.com>,
Brijesh Singh <brijesh.singh@....com>,
Joerg Roedel <jroedel@...e.de>,
Herbert Xu <herbert@...dor.apana.org.au>,
John Allen <john.allen@....com>,
"David S. Miller" <davem@...emloft.net>,
Paolo Bonzini <pbonzini@...hat.com>,
linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH V3 2/4] crypto: ccp - Move SEV_INIT retry for corrupted
data
On Tue, Nov 09, 2021, Peter Gonda wrote:
> On Tue, Nov 9, 2021 at 9:31 AM Sean Christopherson <seanjc@...gle.com> wrote:
> >
> > On Tue, Nov 02, 2021, Peter Gonda wrote:
> > > This change moves the data corrupted retry of SEV_INIT into the
> >
> > Use imperative mood.
>
> Will do for next revision
>
> >
> > > __sev_platform_init_locked() function. This is for upcoming INIT_EX
> > > support as well as helping direct callers of
> > > __sev_platform_init_locked() which currently do not support the
> > > retry.
> > >
> > > Signed-off-by: Peter Gonda <pgonda@...gle.com>
> > > Reviewed-by: Marc Orr <marcorr@...gle.com>
> > > Acked-by: David Rientjes <rientjes@...gle.com>
> > > Acked-by: Tom Lendacky <thomas.lendacky@....com>
> > > Cc: Tom Lendacky <thomas.lendacky@....com>
> > > Cc: Brijesh Singh <brijesh.singh@....com>
> > > Cc: Marc Orr <marcorr@...gle.com>
> > > Cc: Joerg Roedel <jroedel@...e.de>
> > > Cc: Herbert Xu <herbert@...dor.apana.org.au>
> > > Cc: David Rientjes <rientjes@...gle.com>
> > > Cc: John Allen <john.allen@....com>
> > > Cc: "David S. Miller" <davem@...emloft.net>
> > > Cc: Paolo Bonzini <pbonzini@...hat.com>
> > > Cc: linux-crypto@...r.kernel.org
> > > Cc: linux-kernel@...r.kernel.org
> > > ---
> > > drivers/crypto/ccp/sev-dev.c | 24 ++++++++++++------------
> > > 1 file changed, 12 insertions(+), 12 deletions(-)
> > >
> > > diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
> > > index ec89a82ba267..e4bc833949a0 100644
> > > --- a/drivers/crypto/ccp/sev-dev.c
> > > +++ b/drivers/crypto/ccp/sev-dev.c
> > > @@ -267,6 +267,18 @@ static int __sev_platform_init_locked(int *error)
> > > }
> > >
> > > rc = __sev_do_cmd_locked(SEV_CMD_INIT, &data, error);
> > > + if (rc && *error == SEV_RET_SECURE_DATA_INVALID) {
> >
> > There are no guarantees that @error is non-NULL as this is reachable via an
> > exported function, sev_platform_init(). Which ties in with my complaints in the
> > previous patch that the API is a bit of a mess.
>
> That seems like a bug from the caller right? Is it typical that we
> sanity-check the caller in these instances?
sev-dev.c needs to make up its mind. __sev_do_cmd_locked() very clearly allows
a NULL @error, ergo all of the wrappers for sev_do_cmd() support a NULL @error.
> For example the same comment could be made here:
> https://elixir.bootlin.com/linux/latest/source/drivers/crypto/ccp/sev-dev.c#L336
>
> ```
> static int sev_get_platform_state(int *state, int *error)
> {
> struct sev_user_data_status data;
> int rc;
>
> rc = __sev_do_cmd_locked(SEV_CMD_PLATFORM_STATUS, &data, error);
> if (rc)
> return rc;
>
> *state = data.state; <--- State could be null.
No, because this is an internal helper and all call sites can be easily audited.
> return rc;
> }
> ```
>
> Example outside of this driver:
> https://elixir.bootlin.com/linux/v5.15.1/source/arch/x86/kvm/x86.c#L468
>
> ```
> int kvm_set_apic_base(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
> {
> enum lapic_mode old_mode = kvm_get_apic_mode(vcpu);
> enum lapic_mode new_mode = kvm_apic_mode(msr_info->data); <---
> msr_info could be null here
> u64 reserved_bits = kvm_vcpu_reserved_gpa_bits_raw(vcpu) | 0x2ff |
> (guest_cpuid_has(vcpu, X86_FEATURE_X2APIC) ? 0 : X2APIC_ENABLE);
>
> if ((msr_info->data & reserved_bits) != 0 || new_mode == LAPIC_MODE_INVALID)
> return 1;
> if (!msr_info->host_initiated) {
> if (old_mode == LAPIC_MODE_X2APIC && new_mode == LAPIC_MODE_XAPIC)
> return 1;
> if (old_mode == LAPIC_MODE_DISABLED && new_mode == LAPIC_MODE_X2APIC)
> return 1;
> }
>
> kvm_lapic_set_base(vcpu, msr_info->data);
> kvm_recalculate_apic_map(vcpu->kvm);
> return 0;
> }
> EXPORT_SYMBOL_GPL(kvm_set_apic_base);
> ```
The difference is that KVM has consistent expecations for a set of functions,
whereas sev-dev.c does not. Yes, KVM will explode if @msr_info is NULL, and
there are undoubtedly a bajillion flows in the kernel that would do the same,
but unlike the functions declared in include/linux/psp-sev.h() the requirements
on the caller are fairly obvious. E.g. why should this be illegal from a caller's
perspective?
sev_platform_init(NULL);
sev_platform_status(&status, NULL);
Powered by blists - more mailing lists