[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20230612042559.375660-14-michael.roth@amd.com>
Date: Sun, 11 Jun 2023 23:25:21 -0500
From: Michael Roth <michael.roth@....com>
To: <kvm@...r.kernel.org>
CC: <linux-coco@...ts.linux.dev>, <linux-mm@...ck.org>,
<linux-crypto@...r.kernel.org>, <x86@...nel.org>,
<linux-kernel@...r.kernel.org>, <tglx@...utronix.de>,
<mingo@...hat.com>, <jroedel@...e.de>, <thomas.lendacky@....com>,
<hpa@...or.com>, <ardb@...nel.org>, <pbonzini@...hat.com>,
<seanjc@...gle.com>, <vkuznets@...hat.com>, <jmattson@...gle.com>,
<luto@...nel.org>, <dave.hansen@...ux.intel.com>, <slp@...hat.com>,
<pgonda@...gle.com>, <peterz@...radead.org>,
<srinivas.pandruvada@...ux.intel.com>, <rientjes@...gle.com>,
<dovmurik@...ux.ibm.com>, <tobin@....com>, <bp@...en8.de>,
<vbabka@...e.cz>, <kirill@...temov.name>, <ak@...ux.intel.com>,
<tony.luck@...el.com>, <marcorr@...gle.com>,
<sathyanarayanan.kuppuswamy@...ux.intel.com>,
<alpergun@...gle.com>, <dgilbert@...hat.com>, <jarkko@...nel.org>,
<ashish.kalra@....com>, <nikunj.dadhania@....com>,
<liam.merwick@...cle.com>, <zhi.a.wang@...el.com>,
Brijesh Singh <brijesh.singh@....com>,
Jarkko Sakkinen <jarkko.sakkinen@...fian.com>
Subject: [PATCH RFC v9 13/51] x86/fault: Handle RMP page faults for user addresses
From: Brijesh Singh <brijesh.singh@....com>
When SEV-SNP is enabled globally, a write from the host is subject to
checks performed by the hardware against the RMP table (APM2 15.36.10)
at the end of a page walk:
1. Assigned bit in the RMP table is not set (i.e page is shared).
2. Immutable bit in the RMP table is not set.
3. If the page table entry that gives the sPA indicates that the
target page size is a large page, then all RMP entries for the 4KB
constituting pages of the target must have the assigned bit 0.
Nothing constructive can come of an attempt by userspace to violate case
1) (which will result in writing garbage due to page encryption) or case
2) (userspace should not ever need or be allowed to write to a page that
the host has specifically needed to mark immutable).
Case 3) is dependent on the hypervisor. In case of KVM, due to how
shared/private pages are partitioned into separate memory pools via
restricted/guarded memory, there should never be a case where a page in
the private pool overlaps with a shared page: either it is a
hugepage-sized allocation and all the sub-pages are private, or it is a
single-page allocation, in which case it cannot overlap with anything
but itself.
Therefore, for all 3 cases, it is appropriate to simply kill the
userspace process if it ever generates an RMP #PF. Implement that logic
here.
Co-developed-by: Jarkko Sakkinen <jarkko.sakkinen@...fian.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@...fian.com>
Co-developed-by: Ashish Kalra <ashish.kalra@....com>
Signed-off-by: Ashish Kalra <ashish.kalra@....com>
Signed-off-by: Brijesh Singh <brijesh.singh@....com>
[mdr: drop all previous page-splitting logic since it is no longer
needed with restricted/guarded memory, update commit message
accordingly]
Signed-off-by: Michael Roth <michael.roth@....com>
---
arch/x86/mm/fault.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
index d46b9cf832b9..6465bff9d1ba 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -1329,6 +1329,13 @@ void do_user_addr_fault(struct pt_regs *regs,
if (error_code & X86_PF_INSTR)
flags |= FAULT_FLAG_INSTRUCTION;
+ if (error_code & X86_PF_RMP) {
+ pr_err("Unexpected RMP page fault for address 0x%lx, terminating process\n",
+ address);
+ do_sigbus(regs, error_code, address, VM_FAULT_SIGBUS);
+ return;
+ }
+
#ifdef CONFIG_X86_64
/*
* Faults in the vsyscall page might need emulation. The
--
2.25.1
Powered by blists - more mailing lists