[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Zn2qSl2zAjCKAgSi@google.com>
Date: Thu, 27 Jun 2024 11:07:06 -0700
From: Sean Christopherson <seanjc@...gle.com>
To: Tom Lendacky <thomas.lendacky@....com>
Cc: Michael Roth <michael.roth@....com>, kvm@...r.kernel.org, linux-coco@...ts.linux.dev,
linux-kernel@...r.kernel.org, x86@...nel.org, pbonzini@...hat.com,
jroedel@...e.de, pgonda@...gle.com, ashish.kalra@....com, bp@...en8.de,
pankaj.gupta@....com, liam.merwick@...cle.com,
Brijesh Singh <brijesh.singh@....com>, Alexey Kardashevskiy <aik@....com>
Subject: Re: [PATCH v1 1/5] KVM: SEV: Provide support for SNP_GUEST_REQUEST
NAE event
On Thu, Jun 27, 2024, Tom Lendacky wrote:
> On 6/27/24 10:35, Sean Christopherson wrote:
> >> The page states are documented in the SNP API (Chapter 5, Page
> >> Management):
> >
> > Heh, but then that section says:
> >
> > Pages in the Firmware state are owned by the firmware. Because the RMP.Immutable
> > ^^^^^^^^^^^^^^^^^^^^^^^^^
> > bit is set, the hypervisor cannot write to Firmware pages nor alter the RMP entry
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > with the RMPUPDATE instruction.
> >
> > which to me very clearly suggests that the RMP.Immutable bit is what makes the
> > page read-only.
> >
> > Can you ask^Wbribe someone to add a "Table 11. Page State Properties" or something?
> > E.g. to explicitly list out the read vs. write protections and the state of the
> > page's data (encrypted, integrity-protected, zeroed?, etc). I've read through
> > all of "5.2 Page States" and genuinely have no clue as to what protections most
> > of the states have.
>
> I'll get with the document owner and provide that feedback and see what we
> can do to remove some of the ambiguity and improve upon it.
Thanks!
> > Ah, never mind, I found "Table 15-39. RMP Memory Access Checks" in the APM. FWIW,
> > that somewhat contradicts this blurb from the SNP ABI spec:
> >
> > The content of a Context page is encrypted and integrity protected so that the
> > hypervisor cannot read or write to it.
> >
> > I also find that statement confusing. IIUC, the fact that the Context page is
> > encrypted and integrity protected doesn't actually have anything to do with the
> > host's ability to access the data. The host _can_ read the data, but it will get
> > ciphertext. But the host can't write the data because the page isn't HV-owned.
> >
> > Actually, isn't the intregrity protected part wrong? I thought one of the benefits
>
> The RMP protection is what helps provide the integrity protection. So if a
> hypervisor tries to write to a non-hypervisor owned page, it will generate
> an RMP #PF. If the page can't be RMPUPDATEd (the immutable bit is set for
> the page in the RMP), then the page can't be written to by the hypervisor.
My confusion (ok, maybe it's more annoyance than true confusion) is that that
applies to _all_ non-hypervisor pages, not just Context pages. Reading things
from a "the exception proves the rule" viewpoint, stating that Context pages are
encrypted and integrity protected strongly suggests that all other pages are NOT
encrypted and NOT integrity protected.
Powered by blists - more mailing lists