| Message ID | 20220725130859.48740-1-frankja@linux.ibm.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [kvm-unit-tests,v3] s390x: uv-host: Add access checks for donated memory | expand |
Quoting Janosch Frank (2022-07-25 15:08:59) > Let's check if the UV really protected all the memory we donated. > > Signed-off-by: Janosch Frank <frankja@linux.ibm.com> Reviewed-by: Nico Boehr <nrb@linux.ibm.com>
On Mon, 25 Jul 2022 13:08:59 +0000 Janosch Frank <frankja@linux.ibm.com> wrote: > Let's check if the UV really protected all the memory we donated. > > Signed-off-by: Janosch Frank <frankja@linux.ibm.com> > --- > s390x/uv-host.c | 37 +++++++++++++++++++++++++++++++++++++ > 1 file changed, 37 insertions(+) > > diff --git a/s390x/uv-host.c b/s390x/uv-host.c > index dfcebe10..ba6c9008 100644 > --- a/s390x/uv-host.c > +++ b/s390x/uv-host.c > @@ -45,6 +45,32 @@ static void cpu_loop(void) > for (;;) {} > } > > +/* > + * Checks if a memory area is protected as secure memory. > + * Will return true if all pages are protected, false otherwise. > + */ > +static bool access_check_3d(uint64_t *access_ptr, uint64_t len) > +{ > + assert(!(len & ~PAGE_MASK)); > + assert(!((uint64_t)access_ptr & ~PAGE_MASK)); > + > + while (len) { > + expect_pgm_int(); > + READ_ONCE(*access_ptr); > + if (clear_pgm_int() != PGM_INT_CODE_SECURE_STOR_ACCESS) > + return false; > + expect_pgm_int(); > + WRITE_ONCE(*access_ptr, 42); > + if (clear_pgm_int() != PGM_INT_CODE_SECURE_STOR_ACCESS) > + return false; > + > + access_ptr += PAGE_SIZE / sizeof(access_ptr); this looks ugly, although in principle the correct way to handle a pointer. In this specific case it's techically wrong though (you actually want sizeof(*access_ptr) ) what about making access_ptr a char*? then you can do just access_ptr += PAGE_SIZE; and you can keep the READ_ONCE and WRITE_ONCE as they are > + len -= PAGE_SIZE; > + } > + > + return true; > +} > + > static struct cmd_list cmds[] = { > { "init", UVC_CMD_INIT_UV, sizeof(struct uv_cb_init), BIT_UVC_CMD_INIT_UV }, > { "create conf", UVC_CMD_CREATE_SEC_CONF, sizeof(struct uv_cb_cgc), BIT_UVC_CMD_CREATE_SEC_CONF }, > @@ -332,6 +358,10 @@ static void test_cpu_create(void) > report(rc == 0 && uvcb_csc.header.rc == UVC_RC_EXECUTED && > uvcb_csc.cpu_handle, "success"); > > + rc = access_check_3d((uint64_t *)uvcb_csc.stor_origin, > + uvcb_qui.cpu_stor_len); > + report(rc, "Storage protection"); > + > tmp = uvcb_csc.stor_origin; > uvcb_csc.stor_origin = (unsigned long)memalign(PAGE_SIZE, uvcb_qui.cpu_stor_len); > rc = uv_call(0, (uint64_t)&uvcb_csc); > @@ -430,6 +460,13 @@ static void test_config_create(void) > rc = uv_call(0, (uint64_t)&uvcb_cgc); > report(rc == 0 && uvcb_cgc.header.rc == UVC_RC_EXECUTED, "successful"); > > + rc = access_check_3d((uint64_t *)uvcb_cgc.conf_var_stor_origin, vsize); > + report(rc, "Base storage protection"); > + > + rc = access_check_3d((uint64_t *)uvcb_cgc.conf_base_stor_origin, > + uvcb_qui.conf_base_phys_stor_len); > + report(rc, "Variable storage protection"); > + > uvcb_cgc.header.rc = 0; > uvcb_cgc.header.rrc = 0; > tmp = uvcb_cgc.guest_handle;
On 8/3/22 11:46, Claudio Imbrenda wrote: > On Mon, 25 Jul 2022 13:08:59 +0000 > Janosch Frank <frankja@linux.ibm.com> wrote: > >> Let's check if the UV really protected all the memory we donated. >> >> Signed-off-by: Janosch Frank <frankja@linux.ibm.com> >> --- >> s390x/uv-host.c | 37 +++++++++++++++++++++++++++++++++++++ >> 1 file changed, 37 insertions(+) >> >> diff --git a/s390x/uv-host.c b/s390x/uv-host.c >> index dfcebe10..ba6c9008 100644 >> --- a/s390x/uv-host.c >> +++ b/s390x/uv-host.c >> @@ -45,6 +45,32 @@ static void cpu_loop(void) >> for (;;) {} >> } >> >> +/* >> + * Checks if a memory area is protected as secure memory. >> + * Will return true if all pages are protected, false otherwise. >> + */ >> +static bool access_check_3d(uint64_t *access_ptr, uint64_t len) >> +{ >> + assert(!(len & ~PAGE_MASK)); >> + assert(!((uint64_t)access_ptr & ~PAGE_MASK)); >> + >> + while (len) { >> + expect_pgm_int(); >> + READ_ONCE(*access_ptr); >> + if (clear_pgm_int() != PGM_INT_CODE_SECURE_STOR_ACCESS) >> + return false; >> + expect_pgm_int(); >> + WRITE_ONCE(*access_ptr, 42); >> + if (clear_pgm_int() != PGM_INT_CODE_SECURE_STOR_ACCESS) >> + return false; >> + >> + access_ptr += PAGE_SIZE / sizeof(access_ptr); > > this looks ugly, although in principle the correct way to handle a > pointer. In this specific case it's techically wrong though (you > actually want sizeof(*access_ptr) ) > > what about making access_ptr a char*? > > then you can do just > > access_ptr += PAGE_SIZE; > > and you can keep the READ_ONCE and WRITE_ONCE as they are Sure > >> + len -= PAGE_SIZE; >> + } >> + >> + return true; >> +} >> + >> static struct cmd_list cmds[] = { >> { "init", UVC_CMD_INIT_UV, sizeof(struct uv_cb_init), BIT_UVC_CMD_INIT_UV }, >> { "create conf", UVC_CMD_CREATE_SEC_CONF, sizeof(struct uv_cb_cgc), BIT_UVC_CMD_CREATE_SEC_CONF }, >> @@ -332,6 +358,10 @@ static void test_cpu_create(void) >> report(rc == 0 && uvcb_csc.header.rc == UVC_RC_EXECUTED && >> uvcb_csc.cpu_handle, "success"); >> >> + rc = access_check_3d((uint64_t *)uvcb_csc.stor_origin, >> + uvcb_qui.cpu_stor_len); >> + report(rc, "Storage protection"); >> + >> tmp = uvcb_csc.stor_origin; >> uvcb_csc.stor_origin = (unsigned long)memalign(PAGE_SIZE, uvcb_qui.cpu_stor_len); >> rc = uv_call(0, (uint64_t)&uvcb_csc); >> @@ -430,6 +460,13 @@ static void test_config_create(void) >> rc = uv_call(0, (uint64_t)&uvcb_cgc); >> report(rc == 0 && uvcb_cgc.header.rc == UVC_RC_EXECUTED, "successful"); >> >> + rc = access_check_3d((uint64_t *)uvcb_cgc.conf_var_stor_origin, vsize); >> + report(rc, "Base storage protection"); >> + >> + rc = access_check_3d((uint64_t *)uvcb_cgc.conf_base_stor_origin, >> + uvcb_qui.conf_base_phys_stor_len); >> + report(rc, "Variable storage protection"); >> + >> uvcb_cgc.header.rc = 0; >> uvcb_cgc.header.rrc = 0; >> tmp = uvcb_cgc.guest_handle; >
diff --git a/s390x/uv-host.c b/s390x/uv-host.c index dfcebe10..ba6c9008 100644 --- a/s390x/uv-host.c +++ b/s390x/uv-host.c @@ -45,6 +45,32 @@ static void cpu_loop(void) for (;;) {} } +/* + * Checks if a memory area is protected as secure memory. + * Will return true if all pages are protected, false otherwise. + */ +static bool access_check_3d(uint64_t *access_ptr, uint64_t len) +{ + assert(!(len & ~PAGE_MASK)); + assert(!((uint64_t)access_ptr & ~PAGE_MASK)); + + while (len) { + expect_pgm_int(); + READ_ONCE(*access_ptr); + if (clear_pgm_int() != PGM_INT_CODE_SECURE_STOR_ACCESS) + return false; + expect_pgm_int(); + WRITE_ONCE(*access_ptr, 42); + if (clear_pgm_int() != PGM_INT_CODE_SECURE_STOR_ACCESS) + return false; + + access_ptr += PAGE_SIZE / sizeof(access_ptr); + len -= PAGE_SIZE; + } + + return true; +} + static struct cmd_list cmds[] = { { "init", UVC_CMD_INIT_UV, sizeof(struct uv_cb_init), BIT_UVC_CMD_INIT_UV }, { "create conf", UVC_CMD_CREATE_SEC_CONF, sizeof(struct uv_cb_cgc), BIT_UVC_CMD_CREATE_SEC_CONF }, @@ -332,6 +358,10 @@ static void test_cpu_create(void) report(rc == 0 && uvcb_csc.header.rc == UVC_RC_EXECUTED && uvcb_csc.cpu_handle, "success"); + rc = access_check_3d((uint64_t *)uvcb_csc.stor_origin, + uvcb_qui.cpu_stor_len); + report(rc, "Storage protection"); + tmp = uvcb_csc.stor_origin; uvcb_csc.stor_origin = (unsigned long)memalign(PAGE_SIZE, uvcb_qui.cpu_stor_len); rc = uv_call(0, (uint64_t)&uvcb_csc); @@ -430,6 +460,13 @@ static void test_config_create(void) rc = uv_call(0, (uint64_t)&uvcb_cgc); report(rc == 0 && uvcb_cgc.header.rc == UVC_RC_EXECUTED, "successful"); + rc = access_check_3d((uint64_t *)uvcb_cgc.conf_var_stor_origin, vsize); + report(rc, "Base storage protection"); + + rc = access_check_3d((uint64_t *)uvcb_cgc.conf_base_stor_origin, + uvcb_qui.conf_base_phys_stor_len); + report(rc, "Variable storage protection"); + uvcb_cgc.header.rc = 0; uvcb_cgc.header.rrc = 0; tmp = uvcb_cgc.guest_handle;
Let's check if the UV really protected all the memory we donated. Signed-off-by: Janosch Frank <frankja@linux.ibm.com> --- s390x/uv-host.c | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+)