Re: [PATCH v5 06/14] x86/ioremap: Support hypervisor specified range to map as encrypted
From: Sean Christopherson
Date: Wed Feb 22 2023 - 20:21:45 EST
On Thu, Feb 23, 2023, Borislav Petkov wrote:
> On Wed, Feb 22, 2023 at 02:54:47PM -0800, Sean Christopherson wrote:
> > Why? I genuinely don't understand the motivation for bundling all of this stuff
> > under a single "feature".
>
> It is called "sanity".
>
> See here:
>
> https://lore.kernel.org/r/Y%2B5immKTXCsjSysx@xxxxxxx
>
> We support SEV, SEV-ES, SEV-SNP, TDX, HyperV... guests and whatever's
> coming down the pipe. And all that goes into arch/x86/ kernel proper
> code.
>
> The CC_ATTR stuff is clean-ish in the sense that we have separation by
> confidential computing platform - AMD's and Intel's. Hyper-V comes along
> and wants to define a different subset of that. And that's only the
> SEV-SNP side - there's a TDX patchset too.
>
> And then some other hypervisor will come along and say, but but, I wanna
> have X and Y and a pink pony too.
>
> Oh, and there's this other fun with MTRRs where each HV decides to do
> whatever it wants.
The MTRR mess isn't unique to coco guests, e.g. KVM explicitly "supports" VMMs
hiding MTTRs from the guest by defaulting to WB if MTTRs aren't exposed to the
guest. Why on earth Hyper-V suddenly needs to enlighten the guest is beyond me,
but whatever the reason, it's not unique to coco VMs.
> So, we have a zoo brewing on the horizon already!
>
> If there's no clean definition of what each guest is and requires and
> that stuff isn't documented properly and if depending on which "feature"
> I need to check, I need to call a different function or query
> a different variable, then it won't go anywhere as far as guest support
> goes.
>
> The cc_platform_has() thing gives us a relatively clean way to abstract
> all those differences away and keep the code sane-ish.
For features that are inherent to the platform, I agree, or at least I don't hate
the interface. But defining a platform to have specific devices runs counter to
pretty much the entire x86 ecosystem. At some point, there _will_ be more devices
in private memory than just IO-APIC and TPM, and conversely there will be "platforms"
that support a trusted TPM but not a trusted IO-APIC, and probably even vice versa.
All I'm advocating is that for determining whether or not a device should be mapped
private vs. shared, provide an API so that the hypervisor-specific enlightened code
can manage that insanity without polluting common code. If we are ever fortunate
enough to have common enumeration, e.g. through ACPI or something, the enlightened
code can simply reroute to the common code. This is a well established pattern for
many paravirt features, I don't see why it wouldn't work here.