From patchwork Mon Mar 1 09:44:30 2021
X-Patchwork-Submitter: "Huang, Kai"
X-Patchwork-Id: 12109329
From: Kai Huang
To: kvm@vger.kernel.org, x86@kernel.org, linux-sgx@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, seanjc@google.com, jarkko@kernel.org, luto@kernel.org, dave.hansen@intel.com, rick.p.edgecombe@intel.com, haitao.huang@intel.com, pbonzini@redhat.com, bp@alien8.de, tglx@linutronix.de, mingo@redhat.com, hpa@zytor.com, Kai Huang
Subject: [PATCH 03/25] x86/sgx: Wipe out EREMOVE from sgx_free_epc_page()
Date: Mon, 1 Mar 2021 22:44:30 +1300
Message-Id: <9c2c83ccc7324390bfb302bd327d9236b890c679.1614590788.git.kai.huang@intel.com>

From: Jarkko Sakkinen

EREMOVE takes a page and removes any association between that page and an enclave. It must be run on a page before it can be added into another enclave. Currently, EREMOVE is run as part of pages being freed into the SGX page allocator. It is not expected to fail.

KVM does not track how guest pages are used, which means that SGX virtualization use of EREMOVE might fail.

Break out the EREMOVE call from the SGX page allocator. This will allow the SGX virtualization code to use the allocator directly. (SGX/KVM will also introduce a more permissive EREMOVE helper).

Implement original sgx_free_epc_page() as sgx_encl_free_epc_page() to be more specific that it is used to free EPC page assigned to one enclave. Print an error message when EREMOVE fails to explicitly call out EPC page is leaked, and requires machine reboot to get leaked pages back.

Signed-off-by: Jarkko Sakkinen
Co-developed-by: Kai Huang
Signed-off-by: Kai Huang --- RFC v6->v1: - Removed sgx_reset_epc_page() since with it, I found it is hard to find a place to print the msg saying EPC page is leaked. - Implemented original sgx_free_epc_page() as sgx_encl_free_epc_page(), and add pr_err_once() to print EPC page is leaked when EREMOVE failed. --- arch/x86/kernel/cpu/sgx/encl.c | 26 +++++++++++++++++++++++--- arch/x86/kernel/cpu/sgx/main.c | 12 ++++-------- 2 files changed, 27 insertions(+), 11 deletions(-) diff --git a/arch/x86/kernel/cpu/sgx/encl.c b/arch/x86/kernel/cpu/sgx/encl.c index 7449ef33f081..a7dc86e87a09 100644 --- a/arch/x86/kernel/cpu/sgx/encl.c +++ b/arch/x86/kernel/cpu/sgx/encl.c @@ -381,6 +381,26 @@ const struct vm_operations_struct sgx_vm_ops = { .access = sgx_vma_access, }; +static void sgx_encl_free_epc_page(struct sgx_epc_page *epc_page) +{ + int ret; + + WARN_ON_ONCE(epc_page->flags & SGX_EPC_PAGE_RECLAIMER_TRACKED); + + ret = __eremove(sgx_get_epc_virt_addr(epc_page)); + if (WARN_ONCE(ret, "EREMOVE returned %d (0x%x)", ret, ret)) { + /* + * Give a message to remind EPC page is leaked, and requires + * machine reboot to get leaked pages back. This can be improved + * in the future by adding stats of leaked pages, etc. + */ + pr_err_once("EPC page is leaked. Require machine reboot to get leaked pages back.\n"); + return; + } + + sgx_free_epc_page(epc_page); +} + /** * sgx_encl_release - Destroy an enclave instance * @kref: address of a kref inside &sgx_encl @@ -404,7 +424,7 @@ void sgx_encl_release(struct kref *ref) if (sgx_unmark_page_reclaimable(entry->epc_page)) continue; - sgx_free_epc_page(entry->epc_page); + sgx_encl_free_epc_page(entry->epc_page); encl->secs_child_cnt--; entry->epc_page = NULL; } @@ -415,7 +435,7 @@ void sgx_encl_release(struct kref *ref) xa_destroy(&encl->page_array); if (!encl->secs_child_cnt && encl->secs.epc_page) { - sgx_free_epc_page(encl->secs.epc_page); + sgx_encl_free_epc_page(entry->epc_page); encl->secs.epc_page = NULL; } 
@@ -423,7 +443,7 @@ void sgx_encl_release(struct kref *ref) va_page = list_first_entry(&encl->va_pages, struct sgx_va_page, list); list_del(&va_page->list); - sgx_free_epc_page(va_page->epc_page); + sgx_encl_free_epc_page(entry->epc_page); kfree(va_page); } diff --git a/arch/x86/kernel/cpu/sgx/main.c b/arch/x86/kernel/cpu/sgx/main.c index 8df81a3ed945..44fe91a5bfb3 100644 --- a/arch/x86/kernel/cpu/sgx/main.c +++ b/arch/x86/kernel/cpu/sgx/main.c @@ -598,18 +598,14 @@ struct sgx_epc_page *sgx_alloc_epc_page(void *owner, bool reclaim) * sgx_free_epc_page() - Free an EPC page * @page: an EPC page * - * Call EREMOVE for an EPC page and insert it back to the list of free pages. + * Put the EPC page back to the list of free pages. It's the caller's + * responsibility to make sure that the page is in uninitialized state. In other + * words, do EREMOVE, EWB or whatever operation is necessary before calling + * this function. */ void sgx_free_epc_page(struct sgx_epc_page *page) { struct sgx_epc_section *section = &sgx_epc_sections[page->section]; - int ret; - - WARN_ON_ONCE(page->flags & SGX_EPC_PAGE_RECLAIMER_TRACKED); - - ret = __eremove(sgx_get_epc_virt_addr(page)); - if (WARN_ONCE(ret, "EREMOVE returned %d (0x%x)", ret, ret)) - return; spin_lock(§ion->lock); list_add_tail(&page->list, §ion->page_list);
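Review bot: In the new sgx_encl_free_epc_page() (encl.c hunk at -381,6), both WARN_ONCE() and pr_err_once() fire only on the first EREMOVE failure, so every later leaked page is dropped silently by the bare return and an operator cannot tell whether one page or a large part of the EPC is gone. Consider keeping a count of leaked pages (the in-code comment already mentions stats) or using a rate-limited message instead of a once-only one. The WARN_ONCE format string "EREMOVE returned %d (0x%x)" also has no trailing newline, unlike the pr_err_once() message next to it.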
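Review bot: The SECS free in sgx_encl_release() (encl.c hunk at -415,7) passes the wrong page. The guard tests encl->secs.epc_page and the following line clears encl->secs.epc_page, but the added line calls sgx_encl_free_epc_page(entry->epc_page), where the removed line freed encl->secs.epc_page. entry belongs to the page loop in the previous hunk, which sets entry->epc_page to NULL after freeing it, so as written the SECS page is never EREMOVEd or returned to the allocator while its pointer is cleared. This should read sgx_encl_free_epc_page(encl->secs.epc_page);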
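Review bot: Same copy-paste problem in the VA page loop (encl.c hunk at -423,7): the added line calls sgx_encl_free_epc_page(entry->epc_page) where the removed line freed va_page->epc_page. The loop takes va_page from encl->va_pages, unlinks it and then calls kfree(va_page), so the EPC page behind each VA page is never EREMOVEd or put back on the free list, and the stale entry pointer is passed to __eremove() once per VA page instead. This should read sgx_encl_free_epc_page(va_page->epc_page);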
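Review bot: With EREMOVE removed from sgx_free_epc_page() (main.c hunk at -598,18), the only call sites converted in this patch are the three in sgx_encl_release(), and the new helper is static to encl.c. Any other caller of sgx_free_epc_page() now puts a page on the free list without EREMOVE and nothing at build time flags it; please either convert those callers in this patch or say in the changelog why each one already hands over a page in the uninitialized state. The WARN_ON_ONCE() on SGX_EPC_PAGE_RECLAIMER_TRACKED is dropped from the allocator as well; that check concerns reclaimer list state rather than EREMOVE, so consider keeping it in sgx_free_epc_page() where it covers every caller.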