| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Z0SbYzr20UQjptgC@google.com>
Date: Mon, 25 Nov 2024 07:44:35 -0800
From: Sean Christopherson <seanjc@...gle.com>
To: Dave Hansen <dave.hansen@...el.com>
Cc: Rick Edgecombe <rick.p.edgecombe@...el.com>, kvm@...r.kernel.org, pbonzini@...hat.com,
isaku.yamahata@...il.com, kai.huang@...el.com, linux-kernel@...r.kernel.org,
tony.lindgren@...ux.intel.com, xiaoyao.li@...el.com, yan.y.zhao@...el.com,
x86@...nel.org, adrian.hunter@...el.com,
Isaku Yamahata <isaku.yamahata@...el.com>, Binbin Wu <binbin.wu@...ux.intel.com>,
Yuan Yao <yuan.yao@...el.com>
Subject: Re: [RFC PATCH 1/6] x86/virt/tdx: Add SEAMCALL wrappers for TDX KeyID management
On Fri, Nov 22, 2024, Dave Hansen wrote:
> On 11/22/24 15:55, Sean Christopherson wrote:
> > On Fri, Nov 22, 2024, Dave Hansen wrote:
> > I don't know the full context, but working with "struct page" is a pain when every
> > user just wants the physical address. KVM SVM had a few cases where pointers were
> > tracked as "struct page", and it was generally unpleasant to read and work with.
>
> I'm not super convinced. page_to_phys(foo) is all it takes
I looked again at the KVM code that bugs me, and my complaints are with code that
needs both the physical address and the virtual address, i.e. that could/should
use a meaningful pointer to describe the underlying data structure since KVM does
directly access the memory.
But for TDX pages, that obviously doesn't apply, so I withdraw my objection about
using struct page.
> > I also don't like conflating the kernel's "struct page" with the architecture's
> > definition of a 4KiB page.
>
> That's fair, although it's pervasively conflated across our entire
> codebase. But 'struct page' is substantially better than a hpa_t,
> phys_addr_t or u64 that can store a full 64-bits of address. Those
> conflate a physical address with a physical page, which is *FAR* worse.
>
> >> You know that 'tdr' is not just some random physical address. It's a
> >> whole physical page. It's page-aligned. It was allocated, from the
> >> allocator. It doesn't point to special memory.
> >
> > Oh, but it does point to special memory. If it *didn't* point at special memory
> > that is completely opaque and untouchable, then KVM could use a struct overlay,
> > which would give contextual information and some amount of type safety. E.g.
> > an equivalent without TDX is "struct vmcs *".
> >
> > Rather than "struct page", what if we add an address_space (in the Sparse sense),
> > and a typedef for a TDX pages? Maybe __firmware? E.g.
> >
> > # define __firmware __attribute__((noderef, address_space(__firmware)))
> >
> > typedef u64 __firmware *tdx_page_t;
> >
> > That doesn't give as much compile-time safety, but in some ways it provides more
> > type safety since KVM (or whatever else cares) would need to make an explicit and
> > ugly cast to misuse the pointer.
>
> It's better than nothing. But I still vastly prefer to have a type that
> tells you that something is physically-allocated out of the buddy, RAM,
> and page-aligned.
>
> I'd be better to have:
>
> struct tdx_page {
> u64 page_phys_addr;
> };
>
> than depend on sparse, IMNHO.
>
> Do you run sparse every time you compile the kernel, btw? ;)
Nah, but the 0-day both does such a good job of detecting and reporting new warnings
that I'm generally comfortable relying on sparse for something like this. Though
as above, I'm ok with using "struct page" for the TDX pages.
Powered by blists - more mailing lists