| Message ID | 20240222021006.2279329-3-rick.p.edgecombe@intel.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel+bounces-75793-ouuuleilei=gmail.com@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:693c:2685:b0:108:e6aa:91d0 with SMTP id
mn5csp1420195dyc;
Wed, 21 Feb 2024 18:12:11 -0800 (PST)
X-Forwarded-Encrypted: i=3;
AJvYcCVs/25cZ0mz3zeAWkejX+UD9cvtEezAH5bTG/TgDhtFLfrExY+l4ORH1y6QoHEE5piz+uzkwdkn/xaBEh8ULA+SWrhYKw==
X-Google-Smtp-Source:
AGHT+IHJx0/aPX2iXR73t70Vabglz0Tgm1T4V0sM4ev2cWGOZ+SBcyHQZurKr7zRWqxc3bJJnX/7
X-Received: by 2002:a17:902:bb17:b0:1db:c6a0:288b with SMTP id
im23-20020a170902bb1700b001dbc6a0288bmr12002463plb.7.1708567930937;
Wed, 21 Feb 2024 18:12:10 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1708567930; cv=pass;
d=google.com; s=arc-20160816;
b=HhoGFJfxdanthNcBcmowF2605Kc0SLzwo41UJGnR4KUx+Ws8I3TOTTERDv/i4dlTFl
8W2s15kPvkYyjHeYc/03IV5pnPWJvCdPFWR0Zd7GkvHTpIVq8t0i5VyGthZlo2HE4sV1
180LWOn80+f1v44YwipH2FCkV7xe6CX5VmvOnLEXBz5cMiR2xcUl96j76+lYzVs4mYxL
39Q44W4qn/7htTplVOjkCdYGDD49iRWyMpUGB6Ysvs0ZMSNKuIgbNEFOSxDz5+98X/MM
6ZfdnzIPDzX8Gn6/fndrlLr6WPS0mKbmdtRHRNg/o7kz/PnKPOh4beXITHP1s3JKqliC
4h9Q==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=content-transfer-encoding:mime-version:list-unsubscribe
:list-subscribe:list-id:precedence:references:in-reply-to:message-id
:date:subject:cc:to:from:dkim-signature;
bh=8i67SZ82uRwMR4vw2Ei4PQbJHfZHeilWUZ8X+V+EBk8=;
fh=X9TPmIV9GEMYfi6LJ1MW90VgoxzHHuSuntmVoL+fRLI=;
b=AZtOrdNl34G1GynRktKOOVKg+I8hPcLU2FHSDMNcP/PdhkVtGvXpQd7C7fU7g6LQ0n
ecSuaVlV+3KXxvt5WuGNHBm8BxPf9A3Mg8o+LUNeaH57Xy9CUZ5sYj5zBOLIhe3FZW4c
JHhNugGKcQ06do3jEPabun3JB1gWX5dZt7bHYeZSIe0NxNpIwUKw31cjEO8/iRqVa6Mi
8czrrXtYC8SaKkwh/TqhogM+nXJbRIsjYfkhz+4VraWVuHzNrXioB3WsZee2xiqZ49ms
/ieBbngy19nu+zg7qWfVaoc/YAxq1L/u5ZWI8R5/JM9VEmMnpbRyxi1o9ozFre+omBB8
f7+w==;
dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
dkim=pass header.i=@intel.com header.s=Intel header.b=dNEk7N55;
arc=pass (i=1 spf=pass spfdomain=intel.com dkim=pass dkdomain=intel.com
dmarc=pass fromdomain=intel.com);
spf=pass (google.com: domain of
linux-kernel+bounces-75793-ouuuleilei=gmail.com@vger.kernel.org designates
139.178.88.99 as permitted sender)
smtp.mailfrom="linux-kernel+bounces-75793-ouuuleilei=gmail.com@vger.kernel.org";
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99])
by mx.google.com with ESMTPS id
jb19-20020a170903259300b001db9dda28f3si8957873plb.468.2024.02.21.18.12.10
for <ouuuleilei@gmail.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Wed, 21 Feb 2024 18:12:10 -0800 (PST)
Received-SPF: pass (google.com: domain of
linux-kernel+bounces-75793-ouuuleilei=gmail.com@vger.kernel.org designates
139.178.88.99 as permitted sender) client-ip=139.178.88.99;
Authentication-Results: mx.google.com;
dkim=pass header.i=@intel.com header.s=Intel header.b=dNEk7N55;
arc=pass (i=1 spf=pass spfdomain=intel.com dkim=pass dkdomain=intel.com
dmarc=pass fromdomain=intel.com);
spf=pass (google.com: domain of
linux-kernel+bounces-75793-ouuuleilei=gmail.com@vger.kernel.org designates
139.178.88.99 as permitted sender)
smtp.mailfrom="linux-kernel+bounces-75793-ouuuleilei=gmail.com@vger.kernel.org";
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org
[52.25.139.140])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by sv.mirrors.kernel.org (Postfix) with ESMTPS id BDEBD283603
for <ouuuleilei@gmail.com>; Thu, 22 Feb 2024 02:12:10 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
by smtp.subspace.kernel.org (Postfix) with ESMTP id 727EF1F92C;
Thu, 22 Feb 2024 02:10:50 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
header.b="dNEk7N55"
Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.19])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by smtp.subspace.kernel.org (Postfix) with ESMTPS id 012431428E;
Thu, 22 Feb 2024 02:10:44 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
arc=none smtp.client-ip=192.198.163.19
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
t=1708567847; cv=none;
b=aY/UmYHlR8bucPj1XnyRclv8N3zxLAb4L1WKQCJ2WVkHuqs6mtWK/NaL1P7pMc3VbdPm+3jBjjoydBQ9Hp30lU0dFutU1ugsYFzlT984ZssMfbzWIT41rceyQALKKRmMX/iBUtAcBPFl0OVdZ7J2wW8Y+UzUJAoaaYkTINqkcrk=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
s=arc-20240116; t=1708567847; c=relaxed/simple;
bh=UD5rk9PLkBp1RIi0KMC4OnruwWQq2DUII52if4k3oos=;
h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:
MIME-Version;
b=VpBayZZe3lB+1GJ3cw94tKQ7xisuPPuI5WuFJf1JwJJnAkKc4ZDOTcdtO1pBVyWvOHxp7vj14mGe7K3+4X0f8i63MrzIBRk78dPAmkzpYYB2C+NXwOy9AxdBkCUf4SXIJyU0icUfqbdPZPc3rtMWvjfJyNtERYKZHOiHMI/ADi0=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
dmarc=pass (p=none dis=none) header.from=intel.com;
spf=pass smtp.mailfrom=intel.com;
dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
header.b=dNEk7N55; arc=none smtp.client-ip=192.198.163.19
Authentication-Results: smtp.subspace.kernel.org;
dmarc=pass (p=none dis=none) header.from=intel.com
Authentication-Results: smtp.subspace.kernel.org;
spf=pass smtp.mailfrom=intel.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
t=1708567845; x=1740103845;
h=from:to:cc:subject:date:message-id:in-reply-to:
references:mime-version:content-transfer-encoding;
bh=UD5rk9PLkBp1RIi0KMC4OnruwWQq2DUII52if4k3oos=;
b=dNEk7N55EznqGAthKQ1OxXCUixVolAdw/wTxneFyeVtS264sSbR2dXZZ
AqUZxv8pqhxrC2WwjfJvw/N01TpuqTyga3+utRkn7mV8HH4YNFWxGjlZm
YZKZxHfI95Sr7ZA7mKFbUV1yL95Ms+GDSRLFYIHXoHQdExE2X7sShm1Ns
JMGCYOF9CN/ZYcXbtblROLyurAm3aXFMsJQbDEanYt7A6uFkstjr837xw
mPq/Xd7WjVtRFYfJWtEua1TOZE88wjL6eX96JAOpHN+yBJk49bJpJZc+Q
ZwA591dGSEpbwpECAai9Vjt5Ll3g7Ot3f3hpg93P/OK8c2s0+uwfPjnIq
Q==;
X-IronPort-AV: E=McAfee;i="6600,9927,10991"; a="2641026"
X-IronPort-AV: E=Sophos;i="6.06,177,1705392000";
d="scan'208";a="2641026"
Received: from fmviesa007.fm.intel.com ([10.60.135.147])
by fmvoesa113.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
21 Feb 2024 18:10:43 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="6.06,177,1705392000";
d="scan'208";a="5226890"
Received: from nlokaya-mobl1.amr.corp.intel.com (HELO
rpedgeco-desk4.intel.com) ([10.209.62.65])
by fmviesa007-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
21 Feb 2024 18:10:42 -0800
From: Rick Edgecombe <rick.p.edgecombe@intel.com>
To: kys@microsoft.com,
haiyangz@microsoft.com,
wei.liu@kernel.org,
decui@microsoft.com,
mhklinux@outlook.com,
linux-hyperv@vger.kernel.org,
gregkh@linuxfoundation.org,
davem@davemloft.net,
edumazet@google.com,
kuba@kernel.org,
pabeni@redhat.com,
netdev@vger.kernel.org,
kirill.shutemov@linux.intel.com,
dave.hansen@linux.intel.com,
linux-coco@lists.linux.dev,
linux-kernel@vger.kernel.org
Cc: sathyanarayanan.kuppuswamy@linux.intel.com,
elena.reshetova@intel.com,
rick.p.edgecombe@intel.com
Subject: [RFC RFT PATCH 2/4] hv: Track decrypted status in vmbus_gpadl
Date: Wed, 21 Feb 2024 18:10:04 -0800
Message-Id: <20240222021006.2279329-3-rick.p.edgecombe@intel.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240222021006.2279329-1-rick.p.edgecombe@intel.com>
References: <20240222021006.2279329-1-rick.p.edgecombe@intel.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1791563326722819763
X-GMAIL-MSGID: 1791563326722819763
|
| Series |
Handle set_memory_XXcrypted() errors in hyperv
|
|
Commit Message
Edgecombe, Rick P
Feb. 22, 2024, 2:10 a.m. UTC
On TDX it is possible for the untrusted host to cause
set_memory_encrypted() or set_memory_decrypted() to fail such that an
error is returned and the resulting memory is shared. Callers need to take
care to handle these errors to avoid returning decrypted (shared) memory to
the page allocator, which could lead to functional or security issues.
In order to make sure caller's of vmbus_establish_gpadl() and
vmbus_teardown_gpadl() don't return decrypted/shared pages to
allocators, add a field in struct vmbus_gpadl to keep track of the
decryption status of the buffer's. This will allow the callers to
know if they should free or leak the pages.
Only compile tested.
Cc: "K. Y. Srinivasan" <kys@microsoft.com>
Cc: Haiyang Zhang <haiyangz@microsoft.com>
Cc: Wei Liu <wei.liu@kernel.org>
Cc: Dexuan Cui <decui@microsoft.com>
Cc: linux-hyperv@vger.kernel.org
Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
---
drivers/hv/channel.c | 11 ++++++++---
include/linux/hyperv.h | 1 +
2 files changed, 9 insertions(+), 3 deletions(-)
Comments
From: Rick Edgecombe <rick.p.edgecombe@intel.com> Sent: Wednesday, February 21, 2024 6:10 PM > See comment in Patch 1 about the "Subject" prefix. > On TDX it is possible for the untrusted host to cause See comment in Patch 1 about TDX vs. CoCo VM. > set_memory_encrypted() or set_memory_decrypted() to fail such that an > error is returned and the resulting memory is shared. Callers need to take > care to handle these errors to avoid returning decrypted (shared) memory to > the page allocator, which could lead to functional or security issues. > > In order to make sure caller's of vmbus_establish_gpadl() and s/caller's/callers/ > vmbus_teardown_gpadl() don't return decrypted/shared pages to > allocators, add a field in struct vmbus_gpadl to keep track of the > decryption status of the buffer's. This will allow the callers to s/buffer's/buffers/ > know if they should free or leak the pages. > > Only compile tested. > > Cc: "K. Y. Srinivasan" <kys@microsoft.com> > Cc: Haiyang Zhang <haiyangz@microsoft.com> > Cc: Wei Liu <wei.liu@kernel.org> > Cc: Dexuan Cui <decui@microsoft.com> > Cc: linux-hyperv@vger.kernel.org > Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com> > --- > drivers/hv/channel.c | 11 ++++++++--- > include/linux/hyperv.h | 1 + > 2 files changed, 9 insertions(+), 3 deletions(-) > > diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c > index 56f7e06c673e..fe5d2f505a39 100644 > --- a/drivers/hv/channel.c > +++ b/drivers/hv/channel.c > @@ -478,6 +478,7 @@ static int __vmbus_establish_gpadl(struct > vmbus_channel *channel, > ret = set_memory_decrypted((unsigned long)kbuffer, > PFN_UP(size)); > if (ret) { > + gpadl->decrypted = false; There's an earlier error return in this function where gpadl->decrypted isn't set at all. I think it works because that flag is in the channel structure, which is zero'd when allocated, so the flag defaults to false. But it would probably be better to explicitly set gpadl->decrypted to false upon entry to the function so there's no implicit and potentially ambiguous behavior. > dev_warn(&channel->device_obj->device, > "Failed to set host visibility for new GPADL %d.\n", > ret); > @@ -550,6 +551,7 @@ static int __vmbus_establish_gpadl(struct vmbus_channel *channel, > gpadl->gpadl_handle = gpadlmsg->gpadl; > gpadl->buffer = kbuffer; > gpadl->size = size; > + gpadl->decrypted = true; This needs to be done immediately after the call to set_memory_decrypted() is known to succeed, so that the "goto cleanup" cases get to the "cleanup:" label with correct information about the encrypted state of the memory. > > > cleanup: > @@ -563,9 +565,10 @@ static int __vmbus_establish_gpadl(struct vmbus_channel *channel, > > kfree(msginfo); > > - if (ret) > - set_memory_encrypted((unsigned long)kbuffer, > - PFN_UP(size)); > + if (ret) { > + if (set_memory_encrypted((unsigned long)kbuffer, PFN_UP(size))) Doesn't the above need to be "if (!set_memory_encrypted(...))" ? Then if set_memory_encrypted() fails, gpadl->decrypted will be "true". > + gpadl->decrypted = false; > + } > > return ret; > } > @@ -886,6 +889,8 @@ int vmbus_teardown_gpadl(struct vmbus_channel > *channel, struct vmbus_gpadl *gpad > if (ret) > pr_warn("Fail to set mem host visibility in GPADL teardown %d.\n", ret); > > + gpadl->decrypted = ret; > + > return ret; > } > EXPORT_SYMBOL_GPL(vmbus_teardown_gpadl); > diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h > index 2b00faf98017..5bac136c268c 100644 > --- a/include/linux/hyperv.h > +++ b/include/linux/hyperv.h > @@ -812,6 +812,7 @@ struct vmbus_gpadl { > u32 gpadl_handle; > u32 size; > void *buffer; > + bool decrypted; > }; > > struct vmbus_channel { > -- > 2.34.1
diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c index 56f7e06c673e..fe5d2f505a39 100644 --- a/drivers/hv/channel.c +++ b/drivers/hv/channel.c @@ -478,6 +478,7 @@ static int __vmbus_establish_gpadl(struct vmbus_channel *channel, ret = set_memory_decrypted((unsigned long)kbuffer, PFN_UP(size)); if (ret) { + gpadl->decrypted = false; dev_warn(&channel->device_obj->device, "Failed to set host visibility for new GPADL %d.\n", ret); @@ -550,6 +551,7 @@ static int __vmbus_establish_gpadl(struct vmbus_channel *channel, gpadl->gpadl_handle = gpadlmsg->gpadl; gpadl->buffer = kbuffer; gpadl->size = size; + gpadl->decrypted = true; cleanup: @@ -563,9 +565,10 @@ static int __vmbus_establish_gpadl(struct vmbus_channel *channel, kfree(msginfo); - if (ret) - set_memory_encrypted((unsigned long)kbuffer, - PFN_UP(size)); + if (ret) { + if (set_memory_encrypted((unsigned long)kbuffer, PFN_UP(size))) + gpadl->decrypted = false; + } return ret; } @@ -886,6 +889,8 @@ int vmbus_teardown_gpadl(struct vmbus_channel *channel, struct vmbus_gpadl *gpad if (ret) pr_warn("Fail to set mem host visibility in GPADL teardown %d.\n", ret); + gpadl->decrypted = ret; + return ret; } EXPORT_SYMBOL_GPL(vmbus_teardown_gpadl); diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h index 2b00faf98017..5bac136c268c 100644 --- a/include/linux/hyperv.h +++ b/include/linux/hyperv.h @@ -812,6 +812,7 @@ struct vmbus_gpadl { u32 gpadl_handle; u32 size; void *buffer; + bool decrypted; }; struct vmbus_channel {