| Message ID | 20240222021006.2279329-2-rick.p.edgecombe@intel.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel+bounces-75790-ouuuleilei=gmail.com@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:693c:2685:b0:108:e6aa:91d0 with SMTP id
mn5csp1419984dyc;
Wed, 21 Feb 2024 18:11:37 -0800 (PST)
X-Forwarded-Encrypted: i=3;
AJvYcCUKn3uE0HCtOHta3qDZSrPmyn0NM+tQcpN3LwiqjN7ewB+rMzJMxh1KVQ1fgcQmZAU3UNqElERwK6tU8JLltKC/ba8npQ==
X-Google-Smtp-Source:
AGHT+IH4avgPy3kcwrquQqKrYTxHPHCSutD8vQZ7ARdoZ1v2I+asTjLLPdK3H69T1GnYHAJeg2An
X-Received: by 2002:a05:6a20:d70b:b0:19e:5683:e8d0 with SMTP id
iz11-20020a056a20d70b00b0019e5683e8d0mr28114866pzb.12.1708567897307;
Wed, 21 Feb 2024 18:11:37 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1708567897; cv=pass;
d=google.com; s=arc-20160816;
b=L9nGF36av1CiLjQkxAKJtRYKa01hkYa+ziDvdgTuMDB4NSnLOy68hM2wGdm8Rl9cl7
a0UDKetO+d2jdAqyh09dWC/zqchcK7/gx82gCKEzjP3Ngp5udhKIqgNkbfrB7BexM0Za
RpRzMKMBge8wzY3FnsQUryGh9WpidUcwtDU6pd+w9YMv50WmJzIT9wTOCUED0V2QlGy4
HufmoHwGK1XE9dbjMMPGQruG82B3UAhQl7tCqgDTrcu/gJREaqr0Pe1hH/0DiKczVIar
w6VOCfWPdWY2u61a9694X6oyu4TNzL770dZVBtlojQ8m2YFUv3Cv1L0Vhl3/E7tOsCqJ
73Dw==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=content-transfer-encoding:mime-version:list-unsubscribe
:list-subscribe:list-id:precedence:references:in-reply-to:message-id
:date:subject:cc:to:from:dkim-signature;
bh=1A6K7gJyUgb/XqbG7wxY5jixt4RTx15cutdnQRwzMKI=;
fh=X9TPmIV9GEMYfi6LJ1MW90VgoxzHHuSuntmVoL+fRLI=;
b=lgGleMfJTyQw59llaXGiDVI4ZOgzYu46oicQeki5YAS7Y9i9IGWrDS/+v2Nz+8yC3v
IPvigqXf5jdZVidVar4lbqMdW1w+6wWcFLCL9W8fK6+vQJRGMmldlUvDh/aC631183Vq
g9QvDb1yE3ZC8tIwBvw9LZ4OHwWGJ/dYz1poAVkhBKzaL+nuGNXTwHF0IUDBfmEzz5/D
JAEpB2IBkJt8+/eaRtdmKKGbaSYWdWG+XY95yPHGy5jLR8ZSQIbvP+EJAxuygT9IYCIh
ncxS+17MV3ZF/TvakwW+zOke34iAx15e4TUfRPTBQfQwbE9mBVSFDwANKrZ6ssGFwToc
NVYg==;
dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
dkim=pass header.i=@intel.com header.s=Intel header.b=QreDpfsD;
arc=pass (i=1 spf=pass spfdomain=intel.com dkim=pass dkdomain=intel.com
dmarc=pass fromdomain=intel.com);
spf=pass (google.com: domain of
linux-kernel+bounces-75790-ouuuleilei=gmail.com@vger.kernel.org designates
139.178.88.99 as permitted sender)
smtp.mailfrom="linux-kernel+bounces-75790-ouuuleilei=gmail.com@vger.kernel.org";
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99])
by mx.google.com with ESMTPS id
kk7-20020a17090b4a0700b00297117e6a7bsi2604197pjb.176.2024.02.21.18.11.37
for <ouuuleilei@gmail.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Wed, 21 Feb 2024 18:11:37 -0800 (PST)
Received-SPF: pass (google.com: domain of
linux-kernel+bounces-75790-ouuuleilei=gmail.com@vger.kernel.org designates
139.178.88.99 as permitted sender) client-ip=139.178.88.99;
Authentication-Results: mx.google.com;
dkim=pass header.i=@intel.com header.s=Intel header.b=QreDpfsD;
arc=pass (i=1 spf=pass spfdomain=intel.com dkim=pass dkdomain=intel.com
dmarc=pass fromdomain=intel.com);
spf=pass (google.com: domain of
linux-kernel+bounces-75790-ouuuleilei=gmail.com@vger.kernel.org designates
139.178.88.99 as permitted sender)
smtp.mailfrom="linux-kernel+bounces-75790-ouuuleilei=gmail.com@vger.kernel.org";
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org
[52.25.139.140])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by sv.mirrors.kernel.org (Postfix) with ESMTPS id 259892835CE
for <ouuuleilei@gmail.com>; Thu, 22 Feb 2024 02:11:37 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
by smtp.subspace.kernel.org (Postfix) with ESMTP id 567F619452;
Thu, 22 Feb 2024 02:10:48 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
header.b="QreDpfsD"
Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.19])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by smtp.subspace.kernel.org (Postfix) with ESMTPS id 257DD14016;
Thu, 22 Feb 2024 02:10:43 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
arc=none smtp.client-ip=192.198.163.19
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
t=1708567845; cv=none;
b=AKRsZecWqv1X6eQIRKp3U5U9wQNjCCYW7n8w8GCaaJHTG5bB+AA8z21eykIETTI8HCpB1AJ6WZIxlA7MXag4bJZW1PDCsGSfznPch6tzHJXtrlcXEidmsbyQUlIFH+WrsDMVT+AIcvz4ZudyK9vighKGISeN5MtQqlV/m3a+OmE=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
s=arc-20240116; t=1708567845; c=relaxed/simple;
bh=mjD62jwPXXL/iF50Sop2guy61uKievhhSBMu62CiiMY=;
h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:
MIME-Version;
b=aQw0937vKJNQgiFoM5hZoGivF7sORVDZbHcJJMoS4QR3iRPjXoj8gh2/yH3GihYQxUqoqmtFrUR7jBmRE0nVfuJx3sztRH37g0HThV+NT7h5l/agJkHeWsEGGq5XCIaTbPgTW3IXifVt2hFzdt8oAQck3YSdS8A1KPYtdrUtydc=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
dmarc=pass (p=none dis=none) header.from=intel.com;
spf=pass smtp.mailfrom=intel.com;
dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
header.b=QreDpfsD; arc=none smtp.client-ip=192.198.163.19
Authentication-Results: smtp.subspace.kernel.org;
dmarc=pass (p=none dis=none) header.from=intel.com
Authentication-Results: smtp.subspace.kernel.org;
spf=pass smtp.mailfrom=intel.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
t=1708567844; x=1740103844;
h=from:to:cc:subject:date:message-id:in-reply-to:
references:mime-version:content-transfer-encoding;
bh=mjD62jwPXXL/iF50Sop2guy61uKievhhSBMu62CiiMY=;
b=QreDpfsDU7aLykDX1qtFMC1mLz+YR0iu1wJNDpw6aBeQp8x9MyqiBHBI
vSttIIJMrPgBJ3xVJ9ldh2kWSBN5HrevIIcu39tU4+eJqxNwHwo70LyN2
ETRapGt0MuGBvew3u0W3XFz+fZI8ck8xXnfpnqjHuS/wmYw8Tp2fLW2f3
r+3ot0eJmzBxUVF+ZJpDHBETyzj+S9kzZ55BIag98j7ntRR7x4Mbj+A3i
9WoFQ9cE1rMXA0RKz3sqsr6xKf5i6UsAMKRLR60IwxRzwZ1IdYSqWUIWM
uaWnv5r5lMVum1xNPACzpN9QMnSe8AXbT0b4/Pkr8M6Ryt4VEOPUDb1En
Q==;
X-IronPort-AV: E=McAfee;i="6600,9927,10991"; a="2641015"
X-IronPort-AV: E=Sophos;i="6.06,177,1705392000";
d="scan'208";a="2641015"
Received: from fmviesa007.fm.intel.com ([10.60.135.147])
by fmvoesa113.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
21 Feb 2024 18:10:43 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="6.06,177,1705392000";
d="scan'208";a="5226886"
Received: from nlokaya-mobl1.amr.corp.intel.com (HELO
rpedgeco-desk4.intel.com) ([10.209.62.65])
by fmviesa007-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
21 Feb 2024 18:10:41 -0800
From: Rick Edgecombe <rick.p.edgecombe@intel.com>
To: kys@microsoft.com,
haiyangz@microsoft.com,
wei.liu@kernel.org,
decui@microsoft.com,
mhklinux@outlook.com,
linux-hyperv@vger.kernel.org,
gregkh@linuxfoundation.org,
davem@davemloft.net,
edumazet@google.com,
kuba@kernel.org,
pabeni@redhat.com,
netdev@vger.kernel.org,
kirill.shutemov@linux.intel.com,
dave.hansen@linux.intel.com,
linux-coco@lists.linux.dev,
linux-kernel@vger.kernel.org
Cc: sathyanarayanan.kuppuswamy@linux.intel.com,
elena.reshetova@intel.com,
rick.p.edgecombe@intel.com
Subject: [RFC RFT PATCH 1/4] hv: Leak pages if set_memory_encrypted() fails
Date: Wed, 21 Feb 2024 18:10:03 -0800
Message-Id: <20240222021006.2279329-2-rick.p.edgecombe@intel.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240222021006.2279329-1-rick.p.edgecombe@intel.com>
References: <20240222021006.2279329-1-rick.p.edgecombe@intel.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1791563291596067162
X-GMAIL-MSGID: 1791563291596067162
|
| Series |
Handle set_memory_XXcrypted() errors in hyperv
|
|
Commit Message
Edgecombe, Rick P
Feb. 22, 2024, 2:10 a.m. UTC
On TDX it is possible for the untrusted host to cause
set_memory_encrypted() or set_memory_decrypted() to fail such that an
error is returned and the resulting memory is shared. Callers need to take
care to handle these errors to avoid returning decrypted (shared) memory to
the page allocator, which could lead to functional or security issues.
Hyperv could free decrypted/shared pages if set_memory_encrypted() fails.
Leak the pages if this happens.
Only compile tested.
Cc: "K. Y. Srinivasan" <kys@microsoft.com>
Cc: Haiyang Zhang <haiyangz@microsoft.com>
Cc: Wei Liu <wei.liu@kernel.org>
Cc: Dexuan Cui <decui@microsoft.com>
Cc: linux-hyperv@vger.kernel.org
Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
---
drivers/hv/connection.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
Comments
On Wed, Feb 21, 2024 at 06:10:03PM -0800, Rick Edgecombe wrote: > On TDX it is possible for the untrusted host to cause > set_memory_encrypted() or set_memory_decrypted() to fail such that an > error is returned and the resulting memory is shared. Callers need to take > care to handle these errors to avoid returning decrypted (shared) memory to > the page allocator, which could lead to functional or security issues. > > Hyperv could free decrypted/shared pages if set_memory_encrypted() fails. "Hyper-V" throughout. > Leak the pages if this happens. > > Only compile tested. > > Cc: "K. Y. Srinivasan" <kys@microsoft.com> > Cc: Haiyang Zhang <haiyangz@microsoft.com> > Cc: Wei Liu <wei.liu@kernel.org> > Cc: Dexuan Cui <decui@microsoft.com> > Cc: linux-hyperv@vger.kernel.org > Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com> > --- > drivers/hv/connection.c | 11 +++++++---- > 1 file changed, 7 insertions(+), 4 deletions(-) > > diff --git a/drivers/hv/connection.c b/drivers/hv/connection.c > index 3cabeeabb1ca..e39493421bbb 100644 > --- a/drivers/hv/connection.c > +++ b/drivers/hv/connection.c > @@ -315,6 +315,7 @@ int vmbus_connect(void) > > void vmbus_disconnect(void) > { > + int ret; > /* > * First send the unload request to the host. > */ > @@ -337,11 +338,13 @@ void vmbus_disconnect(void) > vmbus_connection.int_page = NULL; > } > > - set_memory_encrypted((unsigned long)vmbus_connection.monitor_pages[0], 1); > - set_memory_encrypted((unsigned long)vmbus_connection.monitor_pages[1], 1); > + ret = set_memory_encrypted((unsigned long)vmbus_connection.monitor_pages[0], 1); > + ret |= set_memory_encrypted((unsigned long)vmbus_connection.monitor_pages[1], 1); > > - hv_free_hyperv_page(vmbus_connection.monitor_pages[0]); > - hv_free_hyperv_page(vmbus_connection.monitor_pages[1]); > + if (!ret) { > + hv_free_hyperv_page(vmbus_connection.monitor_pages[0]); > + hv_free_hyperv_page(vmbus_connection.monitor_pages[1]); > + } This silently leaks the pages if set_memory_encrypted() fails. I think there should print some warning or error messages here. Thanks, Wei. > vmbus_connection.monitor_pages[0] = NULL; > vmbus_connection.monitor_pages[1] = NULL; > } > -- > 2.34.1 >
From: Rick Edgecombe <rick.p.edgecombe@intel.com> Sent: Wednesday, February 21, 2024 6:10 PM > Historically, the preferred Subject prefix for changes to connection.c has been "Drivers: hv: vmbus:", not just "hv:". Sometimes that preference isn't followed, but most of the time it is. > On TDX it is possible for the untrusted host to cause I'd argue that this is for CoCo VMs in general, not just TDX. I don't know all the failure modes for SEV-SNP, but the code paths you are changing are run in both TDX and SEV-SNP CoCo VMs. > set_memory_encrypted() or set_memory_decrypted() to fail such that an > error is returned and the resulting memory is shared. Callers need to take > care to handle these errors to avoid returning decrypted (shared) memory to > the page allocator, which could lead to functional or security issues. > > Hyperv could free decrypted/shared pages if set_memory_encrypted() fails. It's not Hyper-V doing the freeing. Maybe say "VMBus code could free ...." > Leak the pages if this happens. > > Only compile tested. > > Cc: "K. Y. Srinivasan" <kys@microsoft.com> > Cc: Haiyang Zhang <haiyangz@microsoft.com> > Cc: Wei Liu <wei.liu@kernel.org> > Cc: Dexuan Cui <decui@microsoft.com> > Cc: linux-hyperv@vger.kernel.org > Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com> > --- > drivers/hv/connection.c | 11 +++++++---- > 1 file changed, 7 insertions(+), 4 deletions(-) > > diff --git a/drivers/hv/connection.c b/drivers/hv/connection.c > index 3cabeeabb1ca..e39493421bbb 100644 > --- a/drivers/hv/connection.c > +++ b/drivers/hv/connection.c > @@ -315,6 +315,7 @@ int vmbus_connect(void) > > void vmbus_disconnect(void) > { > + int ret; > /* > * First send the unload request to the host. > */ > @@ -337,11 +338,13 @@ void vmbus_disconnect(void) > vmbus_connection.int_page = NULL; > } > > - set_memory_encrypted((unsigned long)vmbus_connection.monitor_pages[0], 1); > - set_memory_encrypted((unsigned long)vmbus_connection.monitor_pages[1], 1); > + ret = set_memory_encrypted((unsigned long)vmbus_connection.monitor_pages[0], 1); > + ret |= set_memory_encrypted((unsigned long)vmbus_connection.monitor_pages[1], 1); > > - hv_free_hyperv_page(vmbus_connection.monitor_pages[0]); > - hv_free_hyperv_page(vmbus_connection.monitor_pages[1]); > + if (!ret) { > + hv_free_hyperv_page(vmbus_connection.monitor_pages[0]); > + hv_free_hyperv_page(vmbus_connection.monitor_pages[1]); > + } Of course, this will leak the memory for both pages if only one of the set_memory_encrypted() calls fails, but I'm OK with that. It doesn't seem worth the additional complexity to treat each page separately. > vmbus_connection.monitor_pages[0] = NULL; > vmbus_connection.monitor_pages[1] = NULL; > } > -- > 2.34.1
On Fri, 2024-03-01 at 09:26 +0000, Wei Liu wrote: > > Hyperv could free decrypted/shared pages if set_memory_encrypted() > > fails. > > "Hyper-V" throughout. Ok. > > > Leak the pages if this happens. > > > > Only compile tested. > > > > Cc: "K. Y. Srinivasan" <kys@microsoft.com> > > Cc: Haiyang Zhang <haiyangz@microsoft.com> > > Cc: Wei Liu <wei.liu@kernel.org> > > Cc: Dexuan Cui <decui@microsoft.com> > > Cc: linux-hyperv@vger.kernel.org > > Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com> > > --- > > drivers/hv/connection.c | 11 +++++++---- > > 1 file changed, 7 insertions(+), 4 deletions(-) > > > > diff --git a/drivers/hv/connection.c b/drivers/hv/connection.c > > index 3cabeeabb1ca..e39493421bbb 100644 > > --- a/drivers/hv/connection.c > > +++ b/drivers/hv/connection.c > > @@ -315,6 +315,7 @@ int vmbus_connect(void) > > > > void vmbus_disconnect(void) > > { > > + int ret; > > /* > > * First send the unload request to the host. > > */ > > @@ -337,11 +338,13 @@ void vmbus_disconnect(void) > > vmbus_connection.int_page = NULL; > > } > > > > - set_memory_encrypted((unsigned > > long)vmbus_connection.monitor_pages[0], 1); > > - set_memory_encrypted((unsigned > > long)vmbus_connection.monitor_pages[1], 1); > > + ret = set_memory_encrypted((unsigned > > long)vmbus_connection.monitor_pages[0], 1); > > + ret |= set_memory_encrypted((unsigned > > long)vmbus_connection.monitor_pages[1], 1); > > > > - hv_free_hyperv_page(vmbus_connection.monitor_pages[0]); > > - hv_free_hyperv_page(vmbus_connection.monitor_pages[1]); > > + if (!ret) { > > + hv_free_hyperv_page(vmbus_connection.monitor_pages[ > > 0]); > > + hv_free_hyperv_page(vmbus_connection.monitor_pages[ > > 1]); > > + } > > This silently leaks the pages if set_memory_encrypted() fails. I > think > there should print some warning or error messages here. Another patch will warn in CPA for the particular case: https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?h=x86/mm Do we want a warning in the caller too? It is more robust to other types of failures in the future I guess.
On Fri, 2024-03-01 at 19:00 +0000, Michael Kelley wrote: > From: Rick Edgecombe <rick.p.edgecombe@intel.com> Sent: Wednesday, > February 21, 2024 6:10 PM > > > > Historically, the preferred Subject prefix for changes to > connection.c has > been "Drivers: hv: vmbus:", not just "hv:". Sometimes that > preference > isn't followed, but most of the time it is. Ok, I can update it. > > > On TDX it is possible for the untrusted host to cause > > I'd argue that this is for CoCo VMs in general, not just TDX. I > don't know > all the failure modes for SEV-SNP, but the code paths you are > changing > are run in both TDX and SEV-SNP CoCo VMs. On SEV-SNP the host can cause the call to fail too was my understanding. But in Linux, that side panics and never gets to the point of being able to free the shared memory. So it's not TDX architecture specific, it's just how Linux handles it on the different sids. For TDX the suggestion was to avoid panicing because it is possible to handle in SW, as Linux usually tries it's best to do. > > > set_memory_encrypted() or set_memory_decrypted() to fail such that > > an > > error is returned and the resulting memory is shared. Callers need > > to take > > care to handle these errors to avoid returning decrypted (shared) > > memory to > > the page allocator, which could lead to functional or security > > issues. > > > > Hyperv could free decrypted/shared pages if set_memory_encrypted() > > fails. > > It's not Hyper-V doing the freeing. Maybe say "VMBus code could > free ...." Ok.
From: Edgecombe, Rick P <rick.p.edgecombe@intel.com> Sent: Friday, March 1, 2024 11:13 AM > > > > > On TDX it is possible for the untrusted host to cause > > > > I'd argue that this is for CoCo VMs in general, not just TDX. I don't know > > all the failure modes for SEV-SNP, but the code paths you are changing > > are run in both TDX and SEV-SNP CoCo VMs. > > On SEV-SNP the host can cause the call to fail too was my > understanding. But in Linux, that side panics and never gets to the > point of being able to free the shared memory. So it's not TDX > architecture specific, it's just how Linux handles it on the different > sids. For TDX the suggestion was to avoid panicing because it is > possible to handle in SW, as Linux usually tries it's best to do. > The Hyper-V case can actually be a third path when a paravisor is being used. In that case, for both TDX and SEV-SNP, the hypervisor callbacks in __set_memory_enc_pgtable() go to Hyper-V specific functions that talk to the paravisor. Those callbacks never panic. After a failure, either at the paravisor level or in the paravisor talking to the hypervisor/VMM, the decrypted/encrypted state of the memory isn't known. So leaking the memory is still the right thing to do, and your patch set is good. But in the Hyper-V with paravisor case, the leaking is applicable more broadly than just TDX. The text in the commit message isn't something that I'll go to the mat over. But I wanted to offer the slightly broader perspective. Michael
On Fri, 2024-03-01 at 20:21 +0000, Michael Kelley wrote: > > The Hyper-V case can actually be a third path when a paravisor > is being used. In that case, for both TDX and SEV-SNP, the > hypervisor callbacks in __set_memory_enc_pgtable() go > to Hyper-V specific functions that talk to the paravisor. Those > callbacks never panic. After a failure, either at the paravisor > level or in the paravisor talking to the hypervisor/VMM, the > decrypted/encrypted state of the memory isn't known. So > leaking the memory is still the right thing to do, and your > patch set is good. But in the Hyper-V with paravisor case, > the leaking is applicable more broadly than just TDX. > > The text in the commit message isn't something that I'll > go to the mat over. But I wanted to offer the slightly broader > perspective. Oh, interesting. I think I missed it because it only has a special enc_status_change_finish(). But yea. It does sound like the text you suggested is more accurate. I'll update it.
diff --git a/drivers/hv/connection.c b/drivers/hv/connection.c index 3cabeeabb1ca..e39493421bbb 100644 --- a/drivers/hv/connection.c +++ b/drivers/hv/connection.c @@ -315,6 +315,7 @@ int vmbus_connect(void) void vmbus_disconnect(void) { + int ret; /* * First send the unload request to the host. */ @@ -337,11 +338,13 @@ void vmbus_disconnect(void) vmbus_connection.int_page = NULL; } - set_memory_encrypted((unsigned long)vmbus_connection.monitor_pages[0], 1); - set_memory_encrypted((unsigned long)vmbus_connection.monitor_pages[1], 1); + ret = set_memory_encrypted((unsigned long)vmbus_connection.monitor_pages[0], 1); + ret |= set_memory_encrypted((unsigned long)vmbus_connection.monitor_pages[1], 1); - hv_free_hyperv_page(vmbus_connection.monitor_pages[0]); - hv_free_hyperv_page(vmbus_connection.monitor_pages[1]); + if (!ret) { + hv_free_hyperv_page(vmbus_connection.monitor_pages[0]); + hv_free_hyperv_page(vmbus_connection.monitor_pages[1]); + } vmbus_connection.monitor_pages[0] = NULL; vmbus_connection.monitor_pages[1] = NULL; }