[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID:
<SN6PR02MB41574C2859020B4FD2769703D41F2@SN6PR02MB4157.namprd02.prod.outlook.com>
Date: Fri, 3 May 2024 16:29:00 +0000
From: Michael Kelley <mhklinux@...look.com>
To: "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>, Thomas Gleixner
<tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, Borislav Petkov
<bp@...en8.de>, Dave Hansen <dave.hansen@...ux.intel.com>, "x86@...nel.org"
<x86@...nel.org>
CC: "Rafael J. Wysocki" <rafael@...nel.org>, Peter Zijlstra
<peterz@...radead.org>, Adrian Hunter <adrian.hunter@...el.com>, Kuppuswamy
Sathyanarayanan <sathyanarayanan.kuppuswamy@...ux.intel.com>, Elena Reshetova
<elena.reshetova@...el.com>, Jun Nakajima <jun.nakajima@...el.com>, Rick
Edgecombe <rick.p.edgecombe@...el.com>, Tom Lendacky
<thomas.lendacky@....com>, "Kalra, Ashish" <ashish.kalra@....com>, Sean
Christopherson <seanjc@...gle.com>, "Huang, Kai" <kai.huang@...el.com>,
Baoquan He <bhe@...hat.com>, "kexec@...ts.infradead.org"
<kexec@...ts.infradead.org>, "linux-coco@...ts.linux.dev"
<linux-coco@...ts.linux.dev>, "linux-kernel@...r.kernel.org"
<linux-kernel@...r.kernel.org>, Dave Hansen <dave.hansen@...el.com>, Tao Liu
<ltao@...hat.com>, "K. Y. Srinivasan" <kys@...rosoft.com>, Haiyang Zhang
<haiyangz@...rosoft.com>, Wei Liu <wei.liu@...nel.org>, Dexuan Cui
<decui@...rosoft.com>, "linux-hyperv@...r.kernel.org"
<linux-hyperv@...r.kernel.org>
Subject: RE: [PATCHv10 06/18] x86/mm: Make
x86_platform.guest.enc_status_change_*() return errno
From: Kirill A. Shutemov <kirill.shutemov@...ux.intel.com> Sent: Tuesday, April 9, 2024 4:30 AM
>
> TDX is going to have more than one reason to fail
> enc_status_change_prepare().
>
> Change the callback to return errno instead of assuming -EIO;
> enc_status_change_finish() changed too to keep the interface symmetric.
>
> Signed-off-by: Kirill A. Shutemov <kirill.shutemov@...ux.intel.com>
> Reviewed-by: Dave Hansen <dave.hansen@...el.com>
> Reviewed-by: Kai Huang <kai.huang@...el.com>
> Tested-by: Tao Liu <ltao@...hat.com>
> ---
> arch/x86/coco/tdx/tdx.c | 20 +++++++++++---------
> arch/x86/hyperv/ivm.c | 22 ++++++++++------------
> arch/x86/include/asm/x86_init.h | 4 ++--
> arch/x86/kernel/x86_init.c | 4 ++--
> arch/x86/mm/mem_encrypt_amd.c | 8 ++++----
> arch/x86/mm/pat/set_memory.c | 8 +++++---
> 6 files changed, 34 insertions(+), 32 deletions(-)
>
> diff --git a/arch/x86/coco/tdx/tdx.c b/arch/x86/coco/tdx/tdx.c
> index c1cb90369915..26fa47db5782 100644
> --- a/arch/x86/coco/tdx/tdx.c
> +++ b/arch/x86/coco/tdx/tdx.c
> @@ -798,28 +798,30 @@ static bool tdx_enc_status_changed(unsigned long vaddr, int numpages, bool enc)
> return true;
> }
>
> -static bool tdx_enc_status_change_prepare(unsigned long vaddr, int numpages,
> - bool enc)
> +static int tdx_enc_status_change_prepare(unsigned long vaddr, int numpages,
> + bool enc)
> {
> /*
> * Only handle shared->private conversion here.
> * See the comment in tdx_early_init().
> */
> - if (enc)
> - return tdx_enc_status_changed(vaddr, numpages, enc);
> - return true;
> + if (enc && !tdx_enc_status_changed(vaddr, numpages, enc))
> + return -EIO;
> +
> + return 0;
> }
>
> -static bool tdx_enc_status_change_finish(unsigned long vaddr, int numpages,
> +static int tdx_enc_status_change_finish(unsigned long vaddr, int numpages,
> bool enc)
> {
> /*
> * Only handle private->shared conversion here.
> * See the comment in tdx_early_init().
> */
> - if (!enc)
> - return tdx_enc_status_changed(vaddr, numpages, enc);
> - return true;
> + if (!enc && !tdx_enc_status_changed(vaddr, numpages, enc))
> + return -EIO;
> +
> + return 0;
> }
>
> void __init tdx_early_init(void)
> diff --git a/arch/x86/hyperv/ivm.c b/arch/x86/hyperv/ivm.c
> index 768d73de0d09..b4a851d27c7c 100644
> --- a/arch/x86/hyperv/ivm.c
> +++ b/arch/x86/hyperv/ivm.c
> @@ -523,9 +523,9 @@ static int hv_mark_gpa_visibility(u16 count, const u64 pfn[],
> * transition is complete, hv_vtom_set_host_visibility() marks the pages
> * as "present" again.
> */
> -static bool hv_vtom_clear_present(unsigned long kbuffer, int pagecount, bool enc)
> +static int hv_vtom_clear_present(unsigned long kbuffer, int pagecount, bool enc)
> {
> - return !set_memory_np(kbuffer, pagecount);
> + return set_memory_np(kbuffer, pagecount);
> }
>
> /*
> @@ -536,20 +536,19 @@ static bool hv_vtom_clear_present(unsigned long kbuffer, int pagecount, bool enc
> * with host. This function works as wrap of hv_mark_gpa_visibility()
> * with memory base and size.
> */
> -static bool hv_vtom_set_host_visibility(unsigned long kbuffer, int pagecount, bool enc)
> +static int hv_vtom_set_host_visibility(unsigned long kbuffer, int pagecount, bool enc)
> {
> enum hv_mem_host_visibility visibility = enc ?
> VMBUS_PAGE_NOT_VISIBLE : VMBUS_PAGE_VISIBLE_READ_WRITE;
> u64 *pfn_array;
> phys_addr_t paddr;
> + int i, pfn, err;
> void *vaddr;
> int ret = 0;
> - bool result = true;
> - int i, pfn;
>
> pfn_array = kmalloc(HV_HYP_PAGE_SIZE, GFP_KERNEL);
> if (!pfn_array) {
> - result = false;
> + ret = -ENOMEM;
> goto err_set_memory_p;
> }
>
> @@ -568,10 +567,8 @@ static bool hv_vtom_set_host_visibility(unsigned long kbuffer, int pagecount, bo
> if (pfn == HV_MAX_MODIFY_GPA_REP_COUNT || i == pagecount - 1) {
> ret = hv_mark_gpa_visibility(pfn, pfn_array,
> visibility);
> - if (ret) {
> - result = false;
> + if (ret)
> goto err_free_pfn_array;
> - }
> pfn = 0;
> }
> }
> @@ -586,10 +583,11 @@ static bool hv_vtom_set_host_visibility(unsigned long kbuffer, int pagecount, bo
> * order to avoid leaving the memory range in a "broken" state. Setting
> * the PRESENT bits shouldn't fail, but return an error if it does.
> */
> - if (set_memory_p(kbuffer, pagecount))
> - result = false;
> + err = set_memory_p(kbuffer, pagecount);
> + if (err && !ret)
> + ret = err;
>
> - return result;
> + return ret;
> }
>
> static bool hv_vtom_tlb_flush_required(bool private)
> diff --git a/arch/x86/include/asm/x86_init.h b/arch/x86/include/asm/x86_init.h
> index 6149eabe200f..28ac3cb9b987 100644
> --- a/arch/x86/include/asm/x86_init.h
> +++ b/arch/x86/include/asm/x86_init.h
> @@ -151,8 +151,8 @@ struct x86_init_acpi {
> * @enc_cache_flush_required Returns true if a cache flush is needed before changing page encryption status
> */
> struct x86_guest {
> - bool (*enc_status_change_prepare)(unsigned long vaddr, int npages, bool enc);
> - bool (*enc_status_change_finish)(unsigned long vaddr, int npages, bool enc);
> + int (*enc_status_change_prepare)(unsigned long vaddr, int npages, bool enc);
> + int (*enc_status_change_finish)(unsigned long vaddr, int npages, bool enc);
> bool (*enc_tlb_flush_required)(bool enc);
> bool (*enc_cache_flush_required)(void);
> };
> diff --git a/arch/x86/kernel/x86_init.c b/arch/x86/kernel/x86_init.c
> index d5dc5a92635a..a7143bb7dd93 100644
> --- a/arch/x86/kernel/x86_init.c
> +++ b/arch/x86/kernel/x86_init.c
> @@ -134,8 +134,8 @@ struct x86_cpuinit_ops x86_cpuinit = {
>
> static void default_nmi_init(void) { };
>
> -static bool enc_status_change_prepare_noop(unsigned long vaddr, int npages, bool enc) { return true; }
> -static bool enc_status_change_finish_noop(unsigned long vaddr, int npages, bool enc) { return true; }
> +static int enc_status_change_prepare_noop(unsigned long vaddr, int npages, bool enc) { return 0; }
> +static int enc_status_change_finish_noop(unsigned long vaddr, int npages, bool enc) { return 0; }
> static bool enc_tlb_flush_required_noop(bool enc) { return false; }
> static bool enc_cache_flush_required_noop(void) { return false; }
> static bool is_private_mmio_noop(u64 addr) {return false; }
> diff --git a/arch/x86/mm/mem_encrypt_amd.c b/arch/x86/mm/mem_encrypt_amd.c
> index 422602f6039b..e7b67519ddb5 100644
> --- a/arch/x86/mm/mem_encrypt_amd.c
> +++ b/arch/x86/mm/mem_encrypt_amd.c
> @@ -283,7 +283,7 @@ static void enc_dec_hypercall(unsigned long vaddr, unsigned long size, bool enc)
> #endif
> }
>
> -static bool amd_enc_status_change_prepare(unsigned long vaddr, int npages, bool enc)
> +static int amd_enc_status_change_prepare(unsigned long vaddr, int npages, bool enc)
> {
> /*
> * To maintain the security guarantees of SEV-SNP guests, make sure
> @@ -292,11 +292,11 @@ static bool amd_enc_status_change_prepare(unsigned long vaddr, int npages, bool
> if (cc_platform_has(CC_ATTR_GUEST_SEV_SNP) && !enc)
> snp_set_memory_shared(vaddr, npages);
>
> - return true;
> + return 0;
> }
>
> /* Return true unconditionally: return value doesn't matter for the SEV side */
> -static bool amd_enc_status_change_finish(unsigned long vaddr, int npages, bool enc)
> +static int amd_enc_status_change_finish(unsigned long vaddr, int npages, bool enc)
> {
> /*
> * After memory is mapped encrypted in the page table, validate it
> @@ -308,7 +308,7 @@ static bool amd_enc_status_change_finish(unsigned long vaddr, int npages, bool e
> if (!cc_platform_has(CC_ATTR_HOST_MEM_ENCRYPT))
> enc_dec_hypercall(vaddr, npages << PAGE_SHIFT, enc);
>
> - return true;
> + return 0;
> }
>
> static void __init __set_clr_pte_enc(pte_t *kpte, int level, bool enc)
> diff --git a/arch/x86/mm/pat/set_memory.c b/arch/x86/mm/pat/set_memory.c
> index 80c9037ffadf..e5b454036bf3 100644
> --- a/arch/x86/mm/pat/set_memory.c
> +++ b/arch/x86/mm/pat/set_memory.c
> @@ -2156,7 +2156,8 @@ static int __set_memory_enc_pgtable(unsigned long addr, int numpages, bool enc)
> cpa_flush(&cpa, x86_platform.guest.enc_cache_flush_required());
>
> /* Notify hypervisor that we are about to set/clr encryption attribute. */
> - if (!x86_platform.guest.enc_status_change_prepare(addr, numpages, enc))
> + ret = x86_platform.guest.enc_status_change_prepare(addr, numpages, enc);
> + if (ret)
> goto vmm_fail;
>
> ret = __change_page_attr_set_clr(&cpa, 1);
> @@ -2174,7 +2175,8 @@ static int __set_memory_enc_pgtable(unsigned long addr, int numpages, bool enc)
> return ret;
>
> /* Notify hypervisor that we have successfully set/clr encryption attribute. */
> - if (!x86_platform.guest.enc_status_change_finish(addr, numpages, enc))
> + ret = x86_platform.guest.enc_status_change_finish(addr, numpages, enc);
> + if (ret)
> goto vmm_fail;
>
> return 0;
> @@ -2183,7 +2185,7 @@ static int __set_memory_enc_pgtable(unsigned long addr, int numpages, bool enc)
> WARN_ONCE(1, "CPA VMM failure to convert memory (addr=%p, numpages=%d) to %s.\n",
> (void *)addr, numpages, enc ? "private" : "shared");
Nit: Now that there's an error code instead of just a boolean, it would be nice
to have this warning message include the error code. Some of the callers of
set_memory_decrypted()/encrypted() also output a message on failure that
includes the error code, in which case this message will be redundant. But
many callers do not.
>
> - return -EIO;
> + return ret;
> }
>
> static int __set_memory_enc_dec(unsigned long addr, int numpages, bool enc)
> --
> 2.43.0
>
My nit notwithstanding,
Reviewed-by: Michael Kelley <mhklinux@...look.com>
Powered by blists - more mailing lists