| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aKOXmlCkk900zyVY@google.com>
Date: Mon, 18 Aug 2025 14:14:02 -0700
From: Sean Christopherson <seanjc@...gle.com>
To: Ashish Kalra <Ashish.Kalra@....com>
Cc: tglx@...utronix.de, mingo@...hat.com, bp@...en8.de,
dave.hansen@...ux.intel.com, x86@...nel.org, hpa@...or.com,
pbonzini@...hat.com, thomas.lendacky@....com, herbert@...dor.apana.org.au,
nikunj@....com, davem@...emloft.net, aik@....com, ardb@...nel.org,
michael.roth@....com, Neeraj.Upadhyay@....com, linux-kernel@...r.kernel.org,
kvm@...r.kernel.org, linux-crypto@...r.kernel.org
Subject: Re: [RESEND PATCH v2 1/3] x86/sev: Add new quiet parameter to
snp_leak_pages() API
On Mon, Aug 18, 2025, Ashish Kalra wrote:
> diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
> index 2fbdebf79fbb..a7db96a5f56d 100644
> --- a/arch/x86/kvm/svm/sev.c
> +++ b/arch/x86/kvm/svm/sev.c
> @@ -271,7 +271,7 @@ static void sev_decommission(unsigned int handle)
> static int kvm_rmp_make_shared(struct kvm *kvm, u64 pfn, enum pg_level level)
> {
> if (KVM_BUG_ON(rmp_make_shared(pfn, level), kvm)) {
> - snp_leak_pages(pfn, page_level_size(level) >> PAGE_SHIFT);
> + snp_leak_pages(pfn, page_level_size(level) >> PAGE_SHIFT, false);
> return -EIO;
> }
>
> @@ -300,7 +300,7 @@ static int snp_page_reclaim(struct kvm *kvm, u64 pfn)
> data.paddr = __sme_set(pfn << PAGE_SHIFT);
> rc = sev_do_cmd(SEV_CMD_SNP_PAGE_RECLAIM, &data, &fw_err);
> if (KVM_BUG(rc, kvm, "Failed to reclaim PFN %llx, rc %d fw_err %d", pfn, rc, fw_err)) {
> - snp_leak_pages(pfn, 1);
> + snp_leak_pages(pfn, 1, false);
Open coded true/false literals are ugly, e.g. now I have to go look at the
declaration (or even definition) of snp_leak_pages() to understand what %false
controls.
Assuming "don't dump the RMP entry" is the rare case, then craft the APIs to
reflect that, i.e. make snp_leak_pages() a wrapper for the common case. As a
bonus, you don't need to churn any extra code either.
void __snp_leak_pages(u64 pfn, unsigned int npages, bool dump_rmp);
static inline void snp_leak_pages(u64 pfn, unsigned int npages)
{
__snp_leak_pages(pfn, npages, true);
}
> return -EIO;
> }
>
> diff --git a/arch/x86/virt/svm/sev.c b/arch/x86/virt/svm/sev.c
> index 942372e69b4d..d75659859a07 100644
> --- a/arch/x86/virt/svm/sev.c
> +++ b/arch/x86/virt/svm/sev.c
> @@ -1029,7 +1029,7 @@ int rmp_make_shared(u64 pfn, enum pg_level level)
> }
> EXPORT_SYMBOL_GPL(rmp_make_shared);
>
> -void snp_leak_pages(u64 pfn, unsigned int npages)
> +void snp_leak_pages(u64 pfn, unsigned int npages, bool quiet)
> {
> struct page *page = pfn_to_page(pfn);
>
> @@ -1052,7 +1052,8 @@ void snp_leak_pages(u64 pfn, unsigned int npages)
> (PageHead(page) && compound_nr(page) <= npages))
> list_add_tail(&page->buddy_list, &snp_leaked_pages_list);
>
> - dump_rmpentry(pfn);
> + if (!quiet)
The polarity is arbitrarily odd, and "quiet" is annoyingly ambiguous and arguably
misleading, e.g. one could expect "quiet=true" to suppress the pr_warn() too, but
it does not.
pr_warn("Leaking PFN range 0x%llx-0x%llx\n", pfn, pfn + npages)
If you call it "bool dump_rmp" then it's more precise, self-explanatory, and
doesn't need to be inverted.
> + dump_rmpentry(pfn);
> snp_nr_leaked_pages++;
> pfn++;
> page++;
> diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
> index 4f000dc2e639..203a43a2df63 100644
> --- a/drivers/crypto/ccp/sev-dev.c
> +++ b/drivers/crypto/ccp/sev-dev.c
> @@ -408,7 +408,7 @@ static int snp_reclaim_pages(unsigned long paddr, unsigned int npages, bool lock
> * If there was a failure reclaiming the page then it is no longer safe
> * to release it back to the system; leak it instead.
> */
> - snp_leak_pages(__phys_to_pfn(paddr), npages - i);
> + snp_leak_pages(__phys_to_pfn(paddr), npages - i, false);
> return ret;
> }
>
> --
> 2.34.1
>
Powered by blists - more mailing lists