From patchwork Sat Dec 30 16:19:39 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Roth <michael.roth@amd.com>
X-Patchwork-Id: 13506860
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id AA94FC46CD2
	for <linux-mm@archiver.kernel.org>; Sat, 30 Dec 2023 16:22:38 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 4E9DD6B0143; Sat, 30 Dec 2023 11:22:38 -0500 (EST)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 49A1A6B0149; Sat, 30 Dec 2023 11:22:38 -0500 (EST)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 33B826B0152; Sat, 30 Dec 2023 11:22:38 -0500 (EST)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0011.hostedemail.com
 [216.40.44.11])
	by kanga.kvack.org (Postfix) with ESMTP id 1F6D96B0143
	for <linux-mm@kvack.org>; Sat, 30 Dec 2023 11:22:38 -0500 (EST)
Received: from smtpin18.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay08.hostedemail.com (Postfix) with ESMTP id EED2D1409A7
	for <linux-mm@kvack.org>; Sat, 30 Dec 2023 16:22:37 +0000 (UTC)
X-FDA: 81624002754.18.0DECA4A
Received: from NAM12-MW2-obe.outbound.protection.outlook.com
 (mail-mw2nam12on2044.outbound.protection.outlook.com [40.107.244.44])
	by imf17.hostedemail.com (Postfix) with ESMTP id DAC2B40006
	for <linux-mm@kvack.org>; Sat, 30 Dec 2023 16:22:34 +0000 (UTC)
Authentication-Results: imf17.hostedemail.com;
	dkim=pass header.d=amd.com header.s=selector1 header.b=ZuJzSlCa;
	dmarc=pass (policy=quarantine) header.from=amd.com;
	arc=pass ("microsoft.com:s=arcselector9901:i=1");
	spf=pass (imf17.hostedemail.com: domain of Michael.Roth@amd.com designates
 40.107.244.44 as permitted sender) smtp.mailfrom=Michael.Roth@amd.com
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed;
 d=hostedemail.com;
	s=arc-20220608; t=1703953355;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=xOuzjFN27QpzXdMKytPaV0gZ1paWDl02O8pOtEiViog=;
	b=BZY8EJXK6mU+XVrnJsqYz1TAnaCn7u95wgxYT7vJ6U0LKEIwgbt/9/3FUKhfxi00g7HJDn
	vziOEDZIu239wBedbsgFjija8yU3TKQ9xwZRRjeZkIFXWqgtnQRidLwVG9m0pqnRDP58E9
	kv5zorQFAK6LQxtJmhJYGWA09w168DY=
ARC-Authentication-Results: i=2;
	imf17.hostedemail.com;
	dkim=pass header.d=amd.com header.s=selector1 header.b=ZuJzSlCa;
	dmarc=pass (policy=quarantine) header.from=amd.com;
	arc=pass ("microsoft.com:s=arcselector9901:i=1");
	spf=pass (imf17.hostedemail.com: domain of Michael.Roth@amd.com designates
 40.107.244.44 as permitted sender) smtp.mailfrom=Michael.Roth@amd.com
ARC-Seal: i=2; s=arc-20220608; d=hostedemail.com; t=1703953355; a=rsa-sha256;
	cv=pass;
	b=HNaQ5WWvHVC+53igRnEBokSPFdjBUAAUq1x2WFg85MmL44pKSqdAo2AS1fdBv/wnye4akU
	6xTKZxlqj73j/kjGznGvvIFCMdf97mi+UwJCJ8+5nq1S3DnHOVRDgxb1eU8RK3CySOMcxb
	p2Cq0tIUXn8Pby3GCfBmC7N4lCqL1Ds=
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=hoL16X+qAFGVXXca49eeyDOhVVgHK+Hi49GGmMW6l0LUV6CDnH6/5Ntu6FJJoqlxoo2IqEny/oM8+B8VqLOhtaf+pUJCZ1mE10MWbczKomy8cOGmQUaSDPsL5t4+Fs/MzrH35e8r1/mBEN29GkCfaWNlxvdp5QO1ZVXPmF/4OTe7jVhB+YtdsPOjVHDqMsYX2diL4PH+iBAIu1yJUYiYLb6HEytFWJFAqG7ol6cxxoP8HjUHEiKfYRoaOV66gJhbChP3FA40ERMsnod9Tpk0hYs7tAKYL3TjiwVRv2xCr4NxodpQzBD7/RVNkUP6oAexvdARDX0xdCp4chSfn24qZA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=xOuzjFN27QpzXdMKytPaV0gZ1paWDl02O8pOtEiViog=;
 b=SIrvLorsRmxuIe2gz3xaQBbWePuLTQ0LrnGh4SOMB7TMAGiYvnTSV8kNUpDzVH5/AYkYLEy+sIFNjyPguo3840nMhEqAwXJk7Ob+y8zZzB2I8/KQc8kNt1ge9oWlOn4qfqcK9MUpxOiaTQRxKDONCUMAYTX9J8eTIT6sbMaV9/E01jhVlT77JfAgLfWWoFu8J2QHMLo4mvNgrRUBoszp6Gs+wRhv6+v5e0FrkfiovI0UmtRXlr32LHJyufRSuQ9P2iK+Q+4onDci6/vS9bD9p10nlSwFaRTn6rOHeYQE8oFazP5cwSgWeMRYlg7ACaA9oZ67NJYq3VrrSRxqJlA9qg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is
 165.204.84.17) smtp.rcpttodomain=kernel.org smtp.mailfrom=amd.com; dmarc=pass
 (p=quarantine sp=quarantine pct=100) action=none header.from=amd.com;
 dkim=none (message not signed); arc=none (0)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amd.com; s=selector1;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=xOuzjFN27QpzXdMKytPaV0gZ1paWDl02O8pOtEiViog=;
 b=ZuJzSlCaqZGTp+HurfBPB3F6WaazJp4MB4uMjLF+alkibhqYZl+nsTBuUhMbYtL+8QdjiuEQEIcniHIlzC09b9WGkN2wyMXLU5Qi2IZl9lb8kcgwmgpnFBdxylZuUTr/pra2phmrnfmf5Frf0TJuaxrZ1xKX+Hum0ZsS6sky4K4=
Received: from DM6PR03CA0097.namprd03.prod.outlook.com (2603:10b6:5:333::30)
 by BL1PR12MB5922.namprd12.prod.outlook.com (2603:10b6:208:399::5) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7135.20; Sat, 30 Dec
 2023 16:22:28 +0000
Received: from DS3PEPF000099DC.namprd04.prod.outlook.com
 (2603:10b6:5:333:cafe::e8) by DM6PR03CA0097.outlook.office365.com
 (2603:10b6:5:333::30) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7113.27 via Frontend
 Transport; Sat, 30 Dec 2023 16:22:28 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 165.204.84.17)
 smtp.mailfrom=amd.com; dkim=none (message not signed)
 header.d=none;dmarc=pass action=none header.from=amd.com;
Received-SPF: Pass (protection.outlook.com: domain of amd.com designates
 165.204.84.17 as permitted sender) receiver=protection.outlook.com;
 client-ip=165.204.84.17; helo=SATLEXMB04.amd.com; pr=C
Received: from SATLEXMB04.amd.com (165.204.84.17) by
 DS3PEPF000099DC.mail.protection.outlook.com (10.167.17.198) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.20.7159.9 via Frontend Transport; Sat, 30 Dec 2023 16:22:27 +0000
Received: from localhost (10.180.168.240) by SATLEXMB04.amd.com
 (10.181.40.145) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.34; Sat, 30 Dec
 2023 10:22:27 -0600
From: Michael Roth <michael.roth@amd.com>
To: <x86@kernel.org>
CC: <kvm@vger.kernel.org>, <linux-coco@lists.linux.dev>, <linux-mm@kvack.org>,
	<linux-crypto@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
	<tglx@linutronix.de>, <mingo@redhat.com>, <jroedel@suse.de>,
	<thomas.lendacky@amd.com>, <hpa@zytor.com>, <ardb@kernel.org>,
	<pbonzini@redhat.com>, <seanjc@google.com>, <vkuznets@redhat.com>,
	<jmattson@google.com>, <luto@kernel.org>, <dave.hansen@linux.intel.com>,
	<slp@redhat.com>, <pgonda@google.com>, <peterz@infradead.org>,
	<srinivas.pandruvada@linux.intel.com>, <rientjes@google.com>,
	<tobin@ibm.com>, <bp@alien8.de>, <vbabka@suse.cz>, <kirill@shutemov.name>,
	<ak@linux.intel.com>, <tony.luck@intel.com>,
	<sathyanarayanan.kuppuswamy@linux.intel.com>, <alpergun@google.com>,
	<jarkko@kernel.org>, <ashish.kalra@amd.com>, <nikunj.dadhania@amd.com>,
	<pankaj.gupta@amd.com>, <liam.merwick@oracle.com>, <zhi.a.wang@intel.com>,
	Brijesh Singh <brijesh.singh@amd.com>
Subject: [PATCH v1 11/26] x86/sev: Invalidate pages from the direct map when
 adding them to the RMP table
Date: Sat, 30 Dec 2023 10:19:39 -0600
Message-ID: <20231230161954.569267-12-michael.roth@amd.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20231230161954.569267-1-michael.roth@amd.com>
References: <20231230161954.569267-1-michael.roth@amd.com>
MIME-Version: 1.0
X-Originating-IP: [10.180.168.240]
X-ClientProxiedBy: SATLEXMB03.amd.com (10.181.40.144) To SATLEXMB04.amd.com
 (10.181.40.145)
X-EOPAttributedMessage: 0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: DS3PEPF000099DC:EE_|BL1PR12MB5922:EE_
X-MS-Office365-Filtering-Correlation-Id: 2ae231f5-290c-4eee-b903-08dc095383f5
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 
	LuRxEJb2D2e5f4boGKuli9N0C9NTJnAM1oh1urScsnxkPnCpiA2/I/FUO0Y2uRJVprhVUz6oU54nwq7Mm6E6T1Pf+wv+gDUaAJrX9nvuOxIbh4oqkUavrleh0vk3Ye+IB+G6+MuQxTzwqPEUhBkZfwK4v7F9wzjUwk0Y+jzHRVv6P0JaoMHWhP8+wFL6C0jFvY8cTVRMPW529PqKckRL2plFtMnr3quYOvVNdEHkyiMjBQ14tVqIhk6kBZe6Xrj6ozg/MYcdYpcBg7nhEFZyE8Qb/zF2v1Ao3MQQw2ab2Bbxp+zaia2rzj5fVnSN4hOutdrc2CqkeFZCzAwg5kaOY3gJZKhNcLrg/3wtXPCXuyS89kahfdTqkxyDAxp4cMa2rRi4quE0YnXTmhgRlFl39ya7/Pdi43XCS2A9wSqG0eCu1AnZTmB40+pNe7EMjrMKiIMXG0/3FAmqRCHMctW0MT17jpE2TEwNnIoWs4bATLtlfeulfnvIE8yRhKGaE4cjqE9jeCXG4XmW/VRjYRSVW0rSuT4fnl7Nvkd+sqiJKqgYoFJosi8QRcxDRBEC4/a8Y/ilY1L2bPFZcPlcEntSy+7nCocvBR+6xlLgqvcUDQv9FdMhhKXCR5AagaYmJSFnNfk55UpfYz4IOM65QONbi/02II8+kL0d5n18E+74z7sIlmI4L8IQgOznipG9BcGhoNGm7DwcX65u+lYO4LDkkeZex3y9TsKzQmnFRMPRcSob180A6NpxfUQtcgoRjHU802tYfzzMeeLXChGOpJA9FA==
X-Forefront-Antispam-Report: 
	CIP:165.204.84.17;CTRY:US;LANG:en;SCL:1;SRV:;IPV:CAL;SFV:NSPM;H:SATLEXMB04.amd.com;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230031)(4636009)(39860400002)(346002)(136003)(396003)(376002)(230922051799003)(186009)(82310400011)(1800799012)(64100799003)(451199024)(36840700001)(40470700004)(46966006)(40480700001)(36860700001)(47076005)(36756003)(81166007)(41300700001)(356005)(83380400001)(40460700003)(70206006)(70586007)(8936002)(8676002)(426003)(336012)(2616005)(7416002)(6916009)(44832011)(82740400003)(7406005)(5660300002)(316002)(4326008)(54906003)(6666004)(86362001)(478600001)(1076003)(26005)(16526019)(2906002)(36900700001);DIR:OUT;SFP:1101;
X-OriginatorOrg: amd.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 30 Dec 2023 16:22:27.9841
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 2ae231f5-290c-4eee-b903-08dc095383f5
X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: 
 TenantId=3dd8961f-e488-4e60-8e11-a82d994e183d;Ip=[165.204.84.17];Helo=[SATLEXMB04.amd.com]
X-MS-Exchange-CrossTenant-AuthSource: 
	DS3PEPF000099DC.namprd04.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL1PR12MB5922
X-Rspam-User: 
X-Rspamd-Server: rspam12
X-Rspamd-Queue-Id: DAC2B40006
X-Stat-Signature: 5wbkodztj3i8bzy5mn3wk6zo8wrojqzi
X-HE-Tag: 1703953354-391035
X-HE-Meta: 
 U2FsdGVkX1+zqJEgoOjmBa+09vR6ui/m0Oqw9gbIieritDkxH7lP9+I6s44sv2VVrRfgV58Tk0jdwmle31ijeSrRtv4kfOrqhVEYRX9nYGiDVV5T3/TUHC4ElIDITBb8lY8PD6+ucTs3JblHaT+eBJHrIBhvtgaMJWDtXV76YEa/EXNQy/r0xEWZmp+KJGpN1SoIPDKJRZPUk/PUF4YL9iyRRyWyFTQlslBYFs9RN5H1Aa75vDz5L59na4SA2TerlyJ+j/eJXoVyfxgu3s7bIvUXtViIq/ErEPDk+M52qAmjLcIijUwgi0GoigcBr0yaQ9uhMUaVJukIVtLy3jwmqDSH3L5LJudAQevy6nXCagGvPn+7w1HHyR5yHu4Mv+/Jo2B04E6WnsJhcBysv1Qwf/8FBFWI+JtDNN8/wXmE4ihbRFY22/ezIygeMNTJjuO3aDPZOEg+8yZV71b+kvnNdw9APwQG+ZFwFo1sldGy73CXjdpFZHcgQwMVACm97rin2e/zd+hC+s58Mk+edyiWUBPvPox4s5xsyLBHTMnmTgqxJB86QsdvoUSH5moZKhzt726wsSN7LRXA4pAKsWXupCrzR57Sv43Ux/8ozXjt8DybIi2Waf6NqHmELyemibVm/e9Nii+u4EwYd+IlFc6/dlPO+nZeOB4I+18t4uDklbXTGXsQOU3oyIFtAVlNa825IYEh7SNXfCl0pZU6JS+m2wiy7gfTHRd57p/iTdeZl7myMFC1t+10sSz6BPGpg4IgonKlyB/8YXcTyWkhLDvAUjbovWiZCQsv6AbQdzjibBwoPANNxEgGVdAdb0Pk+ljQK4FzM1NCMc3tizrBfbl3158YYNlkqeB0QvkVjlKSuhS6LHbY9La+e2lcNJoT4JsaIaqlRlxZ8bBE0R5uTGdgeEc1FF1S8xr0vWmS2UF1R0XNlu++1l77UP1LRTjNE2XJr++KFIvJOGbihKmOuov
 zSP7F613
 ME6WrCMNLqHvT40Siaqixg9+EZQkxDPIeA51ta5PXMswSZM5gkBGWSXiAvS4Dp6DgQhevBcDdjScUTqW0fsJds8aqu+JgTPj+p6R62FXQ9lwLtWAvp74SVNDcRgMIx8rOC7ySfigsryB8MiKbRAG0UL5T+Qbctb1AACB7X+605jmHlHIn/Uyqk18bEnjr+myAtkIDiNQO42QHZ2QIR9Z40Bh7Io0RVL8JqN1AaK3EYX4RUAfCfOCXcw8C6in9b7yeoXcCmguKf+zXw+2SXibZMqZDhzGtErEo+j+D/fBQmcTyYZzQcEv5YV1dvvV+ykaYIORLkGIng7rNZKM=
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>
List-Subscribe: <mailto:majordomo@kvack.org>
List-Unsubscribe: <mailto:majordomo@kvack.org>

From: Brijesh Singh <brijesh.singh@amd.com>

The integrity guarantee of SEV-SNP is enforced through the RMP table.
The RMP is used with standard x86 and IOMMU page tables to enforce
memory restrictions and page access rights. The RMP check is enforced as
soon as SEV-SNP is enabled globally in the system. When hardware
encounters an RMP-check failure, it raises a page-fault exception.

If the kernel uses a 2MB directmap mapping to write to an address, and
that 2MB range happens to contain a 4KB page that set to private in the
RMP table, that will also lead to a page-fault exception.

Prevent this by removing pages from the directmap prior to setting them
as private in the RMP table, and then re-adding them to the directmap
when they set back to shared.

Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Co-developed-by: Ashish Kalra <ashish.kalra@amd.com>
Signed-off-by: Ashish Kalra <ashish.kalra@amd.com>
Signed-off-by: Michael Roth <michael.roth@amd.com>
---
 arch/x86/virt/svm/sev.c | 58 +++++++++++++++++++++++++++++++++++++++--
 1 file changed, 56 insertions(+), 2 deletions(-)

diff --git a/arch/x86/virt/svm/sev.c b/arch/x86/virt/svm/sev.c
index ff9fa0a85a7f..ee182351d93a 100644
--- a/arch/x86/virt/svm/sev.c
+++ b/arch/x86/virt/svm/sev.c
@@ -369,14 +369,64 @@ int psmash(u64 pfn)
 }
 EXPORT_SYMBOL_GPL(psmash);
 
+static int restore_direct_map(u64 pfn, int npages)
+{
+	int i, ret = 0;
+
+	for (i = 0; i < npages; i++) {
+		ret = set_direct_map_default_noflush(pfn_to_page(pfn + i));
+		if (ret)
+			break;
+	}
+
+	if (ret)
+		pr_warn("Failed to restore direct map for pfn 0x%llx, ret: %d\n",
+			pfn + i, ret);
+
+	return ret;
+}
+
+static int invalidate_direct_map(u64 pfn, int npages)
+{
+	int i, ret = 0;
+
+	for (i = 0; i < npages; i++) {
+		ret = set_direct_map_invalid_noflush(pfn_to_page(pfn + i));
+		if (ret)
+			break;
+	}
+
+	if (ret) {
+		pr_warn("Failed to invalidate direct map for pfn 0x%llx, ret: %d\n",
+			pfn + i, ret);
+		restore_direct_map(pfn, i);
+	}
+
+	return ret;
+}
+
 static int rmpupdate(u64 pfn, struct rmp_state *state)
 {
 	unsigned long paddr = pfn << PAGE_SHIFT;
-	int ret;
+	int ret, level, npages;
 
 	if (!cpu_feature_enabled(X86_FEATURE_SEV_SNP))
 		return -ENODEV;
 
+	level = RMP_TO_PG_LEVEL(state->pagesize);
+	npages = page_level_size(level) / PAGE_SIZE;
+
+	/*
+	 * If the kernel uses a 2MB directmap mapping to write to an address,
+	 * and that 2MB range happens to contain a 4KB page that set to private
+	 * in the RMP table, an RMP #PF will trigger and cause a host crash.
+	 *
+	 * Prevent this by removing pages from the directmap prior to setting
+	 * them as private in the RMP table.
+	 */
+	if (state->assigned && invalidate_direct_map(pfn, npages))
+		return -EFAULT;
+
 	do {
 		/* Binutils version 2.36 supports the RMPUPDATE mnemonic. */
 		asm volatile(".byte 0xF2, 0x0F, 0x01, 0xFE"
@@ -386,12 +436,16 @@ static int rmpupdate(u64 pfn, struct rmp_state *state)
 	} while (ret == RMPUPDATE_FAIL_OVERLAP);
 
 	if (ret) {
-		pr_err("RMPUPDATE failed for PFN %llx, ret: %d\n", pfn, ret);
+		pr_err("RMPUPDATE failed for PFN %llx, pg_level: %d, ret: %d\n",
+		       pfn, level, ret);
 		dump_rmpentry(pfn);
 		dump_stack();
 		return -EFAULT;
 	}
 
+	if (!state->assigned && restore_direct_map(pfn, npages))
+		return -EFAULT;
+
 	return 0;
 }