lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <ZZSqkm5WNEUuuA_h@google.com>
Date: Tue, 2 Jan 2024 16:30:10 -0800
From: Sean Christopherson <seanjc@...gle.com>
To: Ashish Kalra <Ashish.Kalra@....com>
Cc: pbonzini@...hat.com, tglx@...utronix.de, mingo@...hat.com, bp@...en8.de, 
	dave.hansen@...ux.intel.com, x86@...nel.org, hpa@...or.com, 
	thomas.lendacky@....com, kvm@...r.kernel.org, linux-kernel@...r.kernel.org, 
	joro@...tes.org
Subject: Re: [PATCH] x86/sev: Add support for allowing zero SEV ASIDs.

On Tue, Jan 02, 2024, Ashish Kalra wrote:
> @@ -2172,8 +2176,10 @@ void sev_vm_destroy(struct kvm *kvm)
>  
>  void __init sev_set_cpu_caps(void)
>  {
> -	if (!sev_enabled)
> +	if (!sev_guests_enabled) {

Ugh, what a mess.  The module param will show sev_enabled=false, but the caps
and CPUID will show SEV=true.

And this is doubly silly because "sev_enabled" is never actually checked, e.g.
if misc cgroup support is disabled, KVM_SEV_INIT will try to reclaim ASIDs and
eventually fail with -EBUSY, which is super confusing to users.

The other weirdness is that KVM can cause sev_enabled=false && sev_es_enabled=true,
but if *userspace* sets sev_enabled=false then sev_es_enabled is also forced off.

In other words, the least awful option seems to be to keep sev_enabled true :-(

>  		kvm_cpu_cap_clear(X86_FEATURE_SEV);
> +		return;

This is blatantly wrong, as it can result in KVM advertising SEV-ES if SEV is
disabled by the user.

> +	}
>  	if (!sev_es_enabled)
>  		kvm_cpu_cap_clear(X86_FEATURE_SEV_ES);
>  }
> @@ -2229,9 +2235,11 @@ void __init sev_hardware_setup(void)
>  		goto out;
>  	}
>  
> -	sev_asid_count = max_sev_asid - min_sev_asid + 1;
> -	WARN_ON_ONCE(misc_cg_set_capacity(MISC_CG_RES_SEV, sev_asid_count));
> -	sev_supported = true;
> +	if (min_sev_asid <= max_sev_asid) {
> +		sev_asid_count = max_sev_asid - min_sev_asid + 1;
> +		WARN_ON_ONCE(misc_cg_set_capacity(MISC_CG_RES_SEV, sev_asid_count));
> +		sev_supported = true;
> +	}
>  
>  	/* SEV-ES support requested? */
>  	if (!sev_es_enabled)
> @@ -2262,7 +2270,8 @@ void __init sev_hardware_setup(void)
>  	if (boot_cpu_has(X86_FEATURE_SEV))
>  		pr_info("SEV %s (ASIDs %u - %u)\n",
>  			sev_supported ? "enabled" : "disabled",
> -			min_sev_asid, max_sev_asid);
> +			sev_supported ? min_sev_asid : 0,
> +			sev_supported ? max_sev_asid : 0);

I honestly think we should print the "garbage" values.  The whole point of
printing the min/max SEV ASIDs was to help users understand why SEV is disabled,
i.e. printing zeroes is counterproductive.

>  	if (boot_cpu_has(X86_FEATURE_SEV_ES))
>  		pr_info("SEV-ES %s (ASIDs %u - %u)\n",
>  			sev_es_supported ? "enabled" : "disabled",

It's all a bit gross, but I think we want something like this (I'm definitely
open to suggestions though):

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index d0c580607f00..bfac6d17462a 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -143,8 +143,20 @@ static void sev_misc_cg_uncharge(struct kvm_sev_info *sev)
 
 static int sev_asid_new(struct kvm_sev_info *sev)
 {
-       int asid, min_asid, max_asid, ret;
+       /*
+        * SEV-enabled guests must use asid from min_sev_asid to max_sev_asid.
+        * SEV-ES-enabled guest can use from 1 to min_sev_asid - 1.  Note, the
+        * min ASID can end up larger than the max if basic SEV support is
+        * effectively disabled by disallowing use of ASIDs for SEV guests.
+        */
+       unsigned int min_asid = sev->es_active ? 1 : min_sev_asid;
+       unsigned int max_asid = sev->es_active ? min_sev_asid - 1 : max_sev_asid;
+       unsigned int asid;
        bool retry = true;
+       int ret;
+
+       if (min_asid > max_asid)
+               return -ENOTTY;
 
        WARN_ON(sev->misc_cg);
        sev->misc_cg = get_current_misc_cg();
@@ -157,12 +169,6 @@ static int sev_asid_new(struct kvm_sev_info *sev)
 
        mutex_lock(&sev_bitmap_lock);
 
-       /*
-        * SEV-enabled guests must use asid from min_sev_asid to max_sev_asid.
-        * SEV-ES-enabled guest can use from 1 to min_sev_asid - 1.
-        */
-       min_asid = sev->es_active ? 1 : min_sev_asid;
-       max_asid = sev->es_active ? min_sev_asid - 1 : max_sev_asid;
 again:
        asid = find_next_zero_bit(sev_asid_bitmap, max_asid + 1, min_asid);
        if (asid > max_asid) {
@@ -2232,8 +2238,10 @@ void __init sev_hardware_setup(void)
                goto out;
        }
 
-       sev_asid_count = max_sev_asid - min_sev_asid + 1;
-       WARN_ON_ONCE(misc_cg_set_capacity(MISC_CG_RES_SEV, sev_asid_count));
+       if (min_sev_asid <= max_sev_asid) {
+               sev_asid_count = max_sev_asid - min_sev_asid + 1;
+               WARN_ON_ONCE(misc_cg_set_capacity(MISC_CG_RES_SEV, sev_asid_count));
+       }
        sev_supported = true;
 
        /* SEV-ES support requested? */
@@ -2264,8 +2272,9 @@ void __init sev_hardware_setup(void)
 out:
        if (boot_cpu_has(X86_FEATURE_SEV))
                pr_info("SEV %s (ASIDs %u - %u)\n",
-                       sev_supported ? "enabled" : "disabled",
-                       min_sev_asid, max_sev_asid);
+                       sev_supported ? (min_sev_asid <= max_sev_asid ? "enabled" : "unusable") : "disabled",
+                       sev_supported ? min_sev_asid : 0,
+                       sev_supported ? max_sev_asid : 0);
        if (boot_cpu_has(X86_FEATURE_SEV_ES))
                pr_info("SEV-ES %s (ASIDs %u - %u)\n",
                        sev_es_supported ? "enabled" : "disabled",

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ