RE: [PATCH v5 06/14] x86/ioremap: Support hypervisor specified range to map as encrypted

[Michael Kelley (LINUX)]

From: Sean Christopherson <seanjc@xxxxxxxxxx> Sent: Friday, February 10, 2023 12:58 PM
> 
> On Fri, Feb 10, 2023, Sean Christopherson wrote:
> > On Fri, Feb 10, 2023, Dave Hansen wrote:
> > > On 2/10/23 11:36, Borislav Petkov wrote:
> > > >> One approach is to go with the individual device attributes for now.>> If the list
> does grow significantly, there will probably be patterns
> > > >> or groupings that we can't discern now.  We could restructure into
> > > >> larger buckets at that point based on those patterns/groupings.
> > > > There's a reason the word "platform" is in cc_platform_has(). Initially
> > > > we wanted to distinguish attributes of the different platforms. So even
> > > > if y'all don't like CC_ATTR_PARAVISOR, that is what distinguishes this
> > > > platform and it *is* one platform.
> > > >
> > > > So call it CC_ATTR_SEV_VTOM as it uses that technology or whatever. But
> > > > call it like the platform, not to mean "I need this functionality".
> > >
> > > I can live with that.  There's already a CC_ATTR_GUEST_SEV_SNP, so it
> > > would at least not be too much of a break from what we already have.
> >
> > I'm fine with CC_ATTR_SEV_VTOM, assuming the proposal is to have something like:
> >
> > 	static inline bool is_address_range_private(resource_size_t addr)
> > 	{
> > 		if (cc_platform_has(CC_ATTR_SEV_VTOM))
> > 			return is_address_below_vtom(addr);
> >
> > 		return false;
> > 	}
> >
> > i.e. not have SEV_VTOM mean "I/O APIC and vTPM are private".  Though I don't see
> > the point in making it SEV vTOM specific or using a flag.  Despite what any of us
> > think about TDX paravisors, it's completely doable within the confines of TDX to
> > have an emulated device reside in the private address space.  E.g. why not
> > something like this?
> >
> > 	static inline bool is_address_range_private(resource_size_t addr)
> > 	{
> > 		return addr < cc_platform_private_end;
> > 	}
> >
> > where SEV fills in "cc_platform_private_end" when vTOM is enabled, and TDX does
> > the same.  Or wrap cc_platform_private_end in a helper, etc.
> 
> Gah, forgot that the intent with TDX is to enumerate devices in their legacy
> address spaces.  So a TDX guest couldn't do this by default, but if/when Hyper-V
> or some other hypervisor moves I/O APIC, vTPM, etc... into the TCB, the common
> code would just work and only the hypervisor-specific paravirt code would need
> to change.
> 
> Probably need a more specific name than is_address_range_private() though, e.g.
> is_mmio_address_range_private()?

Maybe I'm not understanding what you are proposing, but in an SEV-SNP
VM using vTOM, devices like the IO-APIC and TPM live at their usual guest
physical addresses.  The question is whether the kernel virtual mapping
should be set up with encryption enabled or disabled.   That question can't
be answered by looking at the device's address.  Whether to map a particular
device with encryption enabled really is a property of the "platform" because
it depends on whether the paravisor is emulating the device.  Having the
paravisor emulate the device does not change its guest physical address.

While there's a duality, it's better to think of the vTOM bit as the
"encryption" flag in the PTE rather than part of the guest physical address.
A key part of this patch series is about making that shift in how the vTOM
bit is treated.  With the change, the vTOM bit is treated pretty much the
same as the TDX SHARED flag.

Michael