Re: [RFC v2 28/32] x86/tdx: Make pages shared in ioremap()

From: Kuppuswamy, Sathyanarayanan
Date: Mon May 31 2021 - 14:46:01 EST

Next message: Marion & Christophe JAILLET: "Re: [PATCH 5.4 135/177] net: netcp: Fix an error message"
Previous message: Marion & Christophe JAILLET: "Re: [PATCH 4.14 63/79] net: netcp: Fix an error message"
In reply to: Borislav Petkov: "Re: [RFC v2 28/32] x86/tdx: Make pages shared in ioremap()"
Next in thread: Borislav Petkov: "Re: [RFC v2 28/32] x86/tdx: Make pages shared in ioremap()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 5/31/21 10:55 AM, Borislav Petkov wrote:

On Mon, May 31, 2021 at 10:32:44AM -0700, Kuppuswamy, Sathyanarayanan wrote:

I think above requirement is satisfied in following implementation.

Well, I suggested a single protected_guest_has() function which does:

if (AMD)
amd_protected_guest_has(...)
else if (Intel)
intel_protected_guest_has(...)
else
WARN()

where amd_protected_guest_has() is implemented in arch/x86/kernel/sev.c
and intel_protected_guest_has() is implemented in, as far as I can
follow your paths in the diff, in arch/x86/kernel/tdx.c.

No is_protected_guest()

is_protected_guest() is a helper function added to check for VM guest type
(protected or normal). Andi is going to add some security hardening code in
virto and other some other generic drivers. He wants a helper function to
selective enable them for all protected guests. Since these are generic
drivers we need generic (non arch specific) helper call. is_protected_guest()
is proposed for this purpose.

We can also use protected_guest_has(VM_VIRTIO_SECURE_FIX) or something
similar for this purpose. Andi, any comments?

and no ARCH_HAS_PROTECTED_GUEST.

IMHO, its better to use above generic config option in common header
file (linux/protected_guest.h). Any architecture that implements
protected guest feature can enable it. This will help is hide arch
specific config options in arch specific header file.

This seems to be a cleaner solution than including ARCH specific
CONFIG option options in common header file (linux/protected_guest.h)

#ifdef CONFIG_ARCH_HAS_PROTECTED_GUEST
#include <asm/protected_guest.h>
#else
blah
#endif

is better than

#ifdef (AMD)
amd_call()
#endif

#ifdef (INTEL)
intel_call()
#endif

#ifdef (ARM)
arm_call()
#endif

Just the above controlled by CONFIG_INTEL_TDX_GUEST or whatever
the TDX config item is gonna end up being and on the AMD side by
CONFIG_AMD_MEM_ENCRYPT.

Thx.

--
Sathyanarayanan Kuppuswamy
Linux Kernel Developer

Next message: Marion & Christophe JAILLET: "Re: [PATCH 5.4 135/177] net: netcp: Fix an error message"
Previous message: Marion & Christophe JAILLET: "Re: [PATCH 4.14 63/79] net: netcp: Fix an error message"
In reply to: Borislav Petkov: "Re: [RFC v2 28/32] x86/tdx: Make pages shared in ioremap()"
Next in thread: Borislav Petkov: "Re: [RFC v2 28/32] x86/tdx: Make pages shared in ioremap()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]