| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 23 Nov 2022 02:55:26 +0000
From: Dexuan Cui <decui@...rosoft.com>
To: Dave Hansen <dave.hansen@...el.com>,
"ak@...ux.intel.com" <ak@...ux.intel.com>,
"arnd@...db.de" <arnd@...db.de>, "bp@...en8.de" <bp@...en8.de>,
"brijesh.singh@....com" <brijesh.singh@....com>,
"Williams, Dan J" <dan.j.williams@...el.com>,
"dave.hansen@...ux.intel.com" <dave.hansen@...ux.intel.com>,
Haiyang Zhang <haiyangz@...rosoft.com>,
"hpa@...or.com" <hpa@...or.com>,
"jane.chu@...cle.com" <jane.chu@...cle.com>,
"kirill.shutemov@...ux.intel.com" <kirill.shutemov@...ux.intel.com>,
KY Srinivasan <kys@...rosoft.com>,
"linux-arch@...r.kernel.org" <linux-arch@...r.kernel.org>,
"linux-hyperv@...r.kernel.org" <linux-hyperv@...r.kernel.org>,
"luto@...nel.org" <luto@...nel.org>,
"mingo@...hat.com" <mingo@...hat.com>,
"peterz@...radead.org" <peterz@...radead.org>,
"rostedt@...dmis.org" <rostedt@...dmis.org>,
"sathyanarayanan.kuppuswamy@...ux.intel.com"
<sathyanarayanan.kuppuswamy@...ux.intel.com>,
"seanjc@...gle.com" <seanjc@...gle.com>,
"tglx@...utronix.de" <tglx@...utronix.de>,
"tony.luck@...el.com" <tony.luck@...el.com>,
"wei.liu@...nel.org" <wei.liu@...nel.org>,
"x86@...nel.org" <x86@...nel.org>
CC: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH 2/6] x86/tdx: Retry TDVMCALL_MAP_GPA() when needed
> Sent: Monday, November 21, 2022 12:56 PM
> On 11/21/22 11:51, Dexuan Cui wrote:
> > +static bool tdx_map_gpa(phys_addr_t start, phys_addr_t end, bool enc)
> > +{
> > + u64 ret, r11;
>
> 'r11' needs a real, logical name.
OK, will use "map_fail_paddr" (as you implied below).
> > + while (1) {
> > + ret = _tdx_hypercall_output_r11(TDVMCALL_MAP_GPA, start,
> > + end - start, 0, 0, &r11);
> > + if (!ret)
> > + break;
> > +
> > + if (ret != TDVMCALL_STATUS_RETRY)
> > + break;
> > +
> > + /*
> > + * The guest must retry the operation for the pages in the
> > + * region starting at the GPA specified in R11. Make sure R11
> > + * contains a sane value.
> > + */
> > + if ((r11 & ~cc_mkdec(0)) < (start & ~cc_mkdec(0)) ||
> > + (r11 & ~cc_mkdec(0)) >= (end & ~cc_mkdec(0)))
> > + return false;
>
> This statement is, um, a wee bit ugly.
>
> First, it's not obvious at all why the address masking is necessary.
It turns out that the masking is completely unnecessary :-)
I incorrectly assumed that if the input 'start' has the bit 47, Hyper-V
always returns a physical address without bit 47. This is not the case.
I'll remove the masking code in v2.
> Second, it's utterly insane to do that mask to 'r11' twice. Third, it's
> silly do logically the same thing to start and end every time through
> the loop.
>
> This also seems to have built in the idea that cc_mkdec() *SETS* bits
> rather than clearing them. That's true for TDX today, but it's a
> horrible chunk of code to leave around because it'll confuse actual
> legitimate cc_enc/dec() users.
>
> The more I write about it, the more I dislike it.
>
> Why can't this just be:
>
> if ((map_fail_paddr < start) ||
> (map_fail_paddr >= end))
> return false;
>
> If the hypervisor returns some crazy address in r11 that isn't masked
> like the inputs, just fail.
Will use your example code in v2.
> > + start = r11;
> > +
> > + /* Set the shared (decrypted) bit. */
> > + if (!enc)
> > + start |= cc_mkdec(0);
>
> Why is only one side of this necessary? Shouldn't it need to be
> something like:
>
> if (enc)
> start = cc_mkenc(start);
> else
> start = cc_mkdec(start);
>
> ??
The code is unnecessary. Will remove it in v2.
Powered by blists - more mailing lists