Re: [RFC v2-fix 1/1] x86/traps: Add #VE support for TDX guest

From: Kuppuswamy, Sathyanarayanan
Date: Fri May 21 2021 - 14:45:44 EST

Next message: Josh Poimboeuf: "Re: [RFC PATCH v4 1/2] arm64: Introduce stack trace reliability checks in the unwinder"
Previous message: Greg Kroah-Hartman: "[PATCH] debugfs: remove return value of debugfs_create_bool()"
In reply to: Dan Williams: "Re: [RFC v2-fix 1/1] x86/traps: Add #VE support for TDX guest"
Next in thread: Dave Hansen: "Re: [RFC v2-fix 1/1] x86/traps: Add #VE support for TDX guest"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Dave,

On 5/17/21 5:09 PM, Kuppuswamy Sathyanarayanan wrote:

From: "Kirill A. Shutemov"<kirill.shutemov@xxxxxxxxxxxxxxx>

Virtualization Exceptions (#VE) are delivered to TDX guests due to
specific guest actions which may happen in either user space or the kernel:

* Specific instructions (WBINVD, for example)
* Specific MSR accesses
* Specific CPUID leaf accesses
* Access to TD-shared memory, which includes MMIO

In the settings that Linux will run in, virtual exceptions are never
generated on accesses to normal, TD-private memory that has been
accepted.

The entry paths do not access TD-shared memory, MMIO regions or use
those specific MSRs, instructions, CPUID leaves that might generate #VE.
In addition, all interrupts including NMIs are blocked by the hardware
starting with #VE delivery until TDGETVEINFO is called. This eliminates
the chance of a #VE during the syscall gap or paranoid entry paths and
simplifies #VE handling.

After TDGETVEINFO #VE could happen in theory (e.g. through an NMI),
although we don't expect it to happen because we don't expect NMIs to
trigger #VEs. Another case where they could happen is if the #VE
exception panics, but in this case there are no guarantees on anything
anyways.

If a guest kernel action which would normally cause a #VE occurs in the
interrupt-disabled region before TDGETVEINFO, a #DF is delivered to the
guest which will result in an oops (and should eventually be a panic, as
we would like to set panic_on_oops to 1 for TDX guests).

Add basic infrastructure to handle any #VE which occurs in the kernel or
userspace. Later patches will add handling for specific #VE scenarios.

Convert unhandled #VE's (everything, until later in this series) so that
they appear just like a #GP by calling ve_raise_fault() directly.
ve_raise_fault() is similar to #GP handler and is responsible for
sending SIGSEGV to userspace and cpu die and notifying debuggers and
other die chain users.

Co-developed-by: Sean Christopherson<sean.j.christopherson@xxxxxxxxx>
Signed-off-by: Sean Christopherson<sean.j.christopherson@xxxxxxxxx>
Signed-off-by: Kirill A. Shutemov<kirill.shutemov@xxxxxxxxxxxxxxx>
Reviewed-by: Andi Kleen<ak@xxxxxxxxxxxxxxx>
Signed-off-by: Kuppuswamy Sathyanarayanan<sathyanarayanan.kuppuswamy@xxxxxxxxxxxxxxx>
---

You have any other comments on this patch? If not, can you reply with your
Reviewed-by tag?

--
Sathyanarayanan Kuppuswamy
Linux Kernel Developer

Next message: Josh Poimboeuf: "Re: [RFC PATCH v4 1/2] arm64: Introduce stack trace reliability checks in the unwinder"
Previous message: Greg Kroah-Hartman: "[PATCH] debugfs: remove return value of debugfs_create_bool()"
In reply to: Dan Williams: "Re: [RFC v2-fix 1/1] x86/traps: Add #VE support for TDX guest"
Next in thread: Dave Hansen: "Re: [RFC v2-fix 1/1] x86/traps: Add #VE support for TDX guest"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]