Re: [PATCH] x86/mm/cpa: Warn if set_memory_XXcrypted() fails

From: Kuppuswamy Sathyanarayanan
Date: Wed Oct 25 2023 - 14:10:35 EST

Next message: Bart Van Assche: "Re: [PATCH v1 1/1] ufs: core: Add host quirk QUIRK_MCQ_EXPAND_QUEUE_SLOT"
Previous message: Florian Fainelli: "Re: [PATCH 0/5] MIPS: Fix kernel in XKPHYS"
In reply to: Tom Lendacky: "Re: [PATCH] x86/mm/cpa: Warn if set_memory_XXcrypted() fails"
Next in thread: Edgecombe, Rick P: "Re: [PATCH] x86/mm/cpa: Warn if set_memory_XXcrypted() fails"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 10/24/2023 4:48 PM, Rick Edgecombe wrote:
> On TDX it is possible for the untrusted host to cause
> set_memory_encrypted() or set_memory_decrypted() to fail such that an
> error is returned and the resulting memory is shared. Callers need to take
> care to handle these errors to avoid returning decrypted (shared) memory to
> the page allocator, which could lead to functional or security issues.
>
> Such errors may herald future system instability, but are temporarily
> survivable with proper handling in the caller. The kernel traditionally
> makes every effort to keep running, but it is expected that some coco
> guests may prefer to play it safe security-wise, and panic in this case.
> To accommodate both cases, warn when the arch breakouts for converting
> memory at the VMM layer return an error to CPA. Security focused users
> can rely on panic_on_warn to defend against bugs in the callers.
>
> Since the arch breakouts host the logic for handling coco implementation
> specific errors, an error returned from them means that the set_memory()
> call is out of options for handling the error internally. Make this the
> condition to warn about.
>
> It is possible that very rarely these functions could fail due to guest
> memory pressure (in the case of failing to allocate a huge page when
> splitting a page table). Don't warn in this case because it is a lot less
> likely to indicate an attack by the host and it is not clear which
> set_memory() calls should get the same treatment. That corner should be
> addressed by future work that considers the more general problem and not
> just papers over a single set_memory() variant.
>
> Suggested-by: Michael Kelley (LINUX) <mikelley@xxxxxxxxxxxxx>
> Signed-off-by: Rick Edgecombe <rick.p.edgecombe@xxxxxxxxx>
> ---

Looks good to me.

Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@xxxxxxxxxxxxxxx>

> This is a followup to the "Handle set_memory_XXcrypted() errors"
> series[0].
>
> Previously[1] I attempted to create a useful helper to both simplify the
> callers and provide an official example of how to handle conversion
> errors. Dave pointed out that there wasn't actually any code savings in
> the callers using it. It also required a whole additional patch to make
> set_memory_XXcrypted() more robust.
>
> I tried to create some more sensible helper, but in the end gave up. My
> current plan is to just add a warning for VMM failures around this. And
> then shortly after, pursue open coded fixes for the callers that are
> problems for TDX. There are some SEV and SME specifics callers, that I am
> not sure on. But I'm under the impression that as long as that side
> terminates the guest on error, they should be harmless.
>
> [0] https://lore.kernel.org/lkml/20231017202505.340906-1-rick.p.edgecombe@xxxxxxxxx/
> [1] https://lore.kernel.org/lkml/20231017202505.340906-2-rick.p.edgecombe@xxxxxxxxx/
> ---
> arch/x86/mm/pat/set_memory.c | 18 +++++++++++++-----
> 1 file changed, 13 insertions(+), 5 deletions(-)
>
> diff --git a/arch/x86/mm/pat/set_memory.c b/arch/x86/mm/pat/set_memory.c
> index bda9f129835e..dade281f449b 100644
> --- a/arch/x86/mm/pat/set_memory.c
> +++ b/arch/x86/mm/pat/set_memory.c
> @@ -2153,7 +2153,7 @@ static int __set_memory_enc_pgtable(unsigned long addr, int numpages, bool enc)
>
> /* Notify hypervisor that we are about to set/clr encryption attribute. */
> if (!x86_platform.guest.enc_status_change_prepare(addr, numpages, enc))
> - return -EIO;
> + goto vmm_fail;
>
> ret = __change_page_attr_set_clr(&cpa, 1);
>
> @@ -2167,12 +2167,20 @@ static int __set_memory_enc_pgtable(unsigned long addr, int numpages, bool enc)
> cpa_flush(&cpa, 0);
>
> /* Notify hypervisor that we have successfully set/clr encryption attribute. */
> - if (!ret) {
> - if (!x86_platform.guest.enc_status_change_finish(addr, numpages, enc))
> - ret = -EIO;
> - }
> + if (ret)
> + goto out;

IMO, you can avoid "out" label with (!ret && !x86_platform....) check. But it is upto
you.

>
> + if (!x86_platform.guest.enc_status_change_finish(addr, numpages, enc))
> + goto vmm_fail;
> +
> +out:
> return ret;
> +
> +vmm_fail:
> + WARN_ONCE(1, "CPA VMM failure to convert memory (addr=%p, numpages=%d) to %s.\n",
> + (void *)addr, numpages, enc ? "private" : "shared");
> +
> + return -EIO;
> }
>
> static int __set_memory_enc_dec(unsigned long addr, int numpages, bool enc)

--
Sathyanarayanan Kuppuswamy
Linux Kernel Developer

Next message: Bart Van Assche: "Re: [PATCH v1 1/1] ufs: core: Add host quirk QUIRK_MCQ_EXPAND_QUEUE_SLOT"
Previous message: Florian Fainelli: "Re: [PATCH 0/5] MIPS: Fix kernel in XKPHYS"
In reply to: Tom Lendacky: "Re: [PATCH] x86/mm/cpa: Warn if set_memory_XXcrypted() fails"
Next in thread: Edgecombe, Rick P: "Re: [PATCH] x86/mm/cpa: Warn if set_memory_XXcrypted() fails"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]