diff mbox series

[kvm-unit-tests,v2,1/8] s390x: uv-host: Add access checks for donated memory

Message ID 20220706064024.16573-2-frankja@linux.ibm.com (mailing list archive)
State New, archived
Headers show
Series s390x: uv-host: Access check extensions and improvements | expand

Commit Message

Janosch Frank July 6, 2022, 6:40 a.m. UTC 
Let's check if the UV really protected all the memory we donated.

Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
---
 s390x/uv-host.c | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

Comments

Claudio Imbrenda July 6, 2022, 4:33 p.m. UTC | #1 
On Wed,  6 Jul 2022 06:40:17 +0000
Janosch Frank <frankja@linux.ibm.com> wrote:

> Let's check if the UV really protected all the memory we donated.
> 
> Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
> ---
>  s390x/uv-host.c | 29 +++++++++++++++++++++++++++++
>  1 file changed, 29 insertions(+)
> 
> diff --git a/s390x/uv-host.c b/s390x/uv-host.c
> index a1a6d120..983cb4a1 100644
> --- a/s390x/uv-host.c
> +++ b/s390x/uv-host.c
> @@ -43,6 +43,24 @@ static void cpu_loop(void)
>  	for (;;) {}
>  }
>  
> +/*
> + * Checks if a memory area is protected as secure memory.
> + * Will return true if all pages are protected, false otherwise.
> + */
> +static bool access_check_3d(uint64_t *access_ptr, uint64_t len)
> +{
> +	while (len) {
> +		expect_pgm_int();
> +		*access_ptr += 42;

I'm surprised this works, you will get an (expected) exception when
reading from the pointer, and then you should get another one (at this
point unexpected) when writing

> +		if (clear_pgm_int() != PGM_INT_CODE_SECURE_STOR_ACCESS)
> +			return false;
> +		access_ptr += PAGE_SIZE / sizeof(access_ptr);
> +		len -= PAGE_SIZE;
> +	}
> +
> +	return true;
> +}
> +
>  static struct cmd_list cmds[] = {
>  	{ "init", UVC_CMD_INIT_UV, sizeof(struct uv_cb_init), BIT_UVC_CMD_INIT_UV },
>  	{ "create conf", UVC_CMD_CREATE_SEC_CONF, sizeof(struct uv_cb_cgc), BIT_UVC_CMD_CREATE_SEC_CONF },
> @@ -194,6 +212,10 @@ static void test_cpu_create(void)
>  	report(rc == 0 && uvcb_csc.header.rc == UVC_RC_EXECUTED &&
>  	       uvcb_csc.cpu_handle, "success");
>  
> +	rc = access_check_3d((uint64_t *)uvcb_csc.stor_origin,
> +			     uvcb_qui.cpu_stor_len);
> +	report(rc, "Storage protection");
> +
>  	tmp = uvcb_csc.stor_origin;
>  	uvcb_csc.stor_origin = (unsigned long)memalign(PAGE_SIZE, uvcb_qui.cpu_stor_len);
>  	rc = uv_call(0, (uint64_t)&uvcb_csc);
> @@ -292,6 +314,13 @@ static void test_config_create(void)
>  	rc = uv_call(0, (uint64_t)&uvcb_cgc);
>  	report(rc == 0 && uvcb_cgc.header.rc == UVC_RC_EXECUTED, "successful");
>  
> +	rc = access_check_3d((uint64_t *)uvcb_cgc.conf_var_stor_origin, vsize);
> +	report(rc, "Base storage protection");
> +
> +	rc = access_check_3d((uint64_t *)uvcb_cgc.conf_base_stor_origin,
> +			     uvcb_qui.conf_base_phys_stor_len);
> +	report(rc, "Variable storage protection");
> +
>  	uvcb_cgc.header.rc = 0;
>  	uvcb_cgc.header.rrc = 0;
>  	tmp = uvcb_cgc.guest_handle;
Steffen Eiden July 7, 2022, 8:11 a.m. UTC | #2 
Hi Janosch,

On 7/6/22 08:40, Janosch Frank wrote:
> Let's check if the UV really protected all the memory we donated.
> 
> Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
> ---
>   s390x/uv-host.c | 29 +++++++++++++++++++++++++++++
>   1 file changed, 29 insertions(+)
> 
> diff --git a/s390x/uv-host.c b/s390x/uv-host.c
> index a1a6d120..983cb4a1 100644
> --- a/s390x/uv-host.c
> +++ b/s390x/uv-host.c
> @@ -43,6 +43,24 @@ static void cpu_loop(void)
>   	for (;;) {}
>   }
>   
> +/*
> + * Checks if a memory area is protected as secure memory.
> + * Will return true if all pages are protected, false otherwise.
> + */
> +static bool access_check_3d(uint64_t *access_ptr, uint64_t len)
> +{
> +	while (len) {
> +		expect_pgm_int();
> +		*access_ptr += 42;
> +		if (clear_pgm_int() != PGM_INT_CODE_SECURE_STOR_ACCESS)
> +			return false;
> +		access_ptr += PAGE_SIZE / sizeof(access_ptr);
> +		len -= PAGE_SIZE;
If someone uses this function with 'len' not being a multiple of
PAGE_SIZE this test does not for what is was intended by testing more 
memory than expected.

I suggest adding an explicit assert at the beginning of the function
that ensures 'len' is a multiple of PAGE_SIZE.

> +	}
> +
> +	return true;
> +}
> +

[snip]

Steffen
Janosch Frank July 7, 2022, 8:16 a.m. UTC | #3 
On 7/6/22 18:33, Claudio Imbrenda wrote:
> On Wed,  6 Jul 2022 06:40:17 +0000
> Janosch Frank <frankja@linux.ibm.com> wrote:
> 
>> Let's check if the UV really protected all the memory we donated.
>>
>> Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
>> ---
>>   s390x/uv-host.c | 29 +++++++++++++++++++++++++++++
>>   1 file changed, 29 insertions(+)
>>
>> diff --git a/s390x/uv-host.c b/s390x/uv-host.c
>> index a1a6d120..983cb4a1 100644
>> --- a/s390x/uv-host.c
>> +++ b/s390x/uv-host.c
>> @@ -43,6 +43,24 @@ static void cpu_loop(void)
>>   	for (;;) {}
>>   }
>>   
>> +/*
>> + * Checks if a memory area is protected as secure memory.
>> + * Will return true if all pages are protected, false otherwise.
>> + */
>> +static bool access_check_3d(uint64_t *access_ptr, uint64_t len)
>> +{
>> +	while (len) {
>> +		expect_pgm_int();
>> +		*access_ptr += 42;
> 
> I'm surprised this works, you will get an (expected) exception when
> reading from the pointer, and then you should get another one (at this
> point unexpected) when writing
> 

Let me introduce you to "AGSI" add grand storage immediate.
But I get your point, inline assembly would make this much more explicit.

>> +		if (clear_pgm_int() != PGM_INT_CODE_SECURE_STOR_ACCESS)
>> +			return false;
>> +		access_ptr += PAGE_SIZE / sizeof(access_ptr);
>> +		len -= PAGE_SIZE;
>> +	}
>> +
>> +	return true;
>> +}
>> +
>>   static struct cmd_list cmds[] = {
>>   	{ "init", UVC_CMD_INIT_UV, sizeof(struct uv_cb_init), BIT_UVC_CMD_INIT_UV },
>>   	{ "create conf", UVC_CMD_CREATE_SEC_CONF, sizeof(struct uv_cb_cgc), BIT_UVC_CMD_CREATE_SEC_CONF },
>> @@ -194,6 +212,10 @@ static void test_cpu_create(void)
>>   	report(rc == 0 && uvcb_csc.header.rc == UVC_RC_EXECUTED &&
>>   	       uvcb_csc.cpu_handle, "success");
>>   
>> +	rc = access_check_3d((uint64_t *)uvcb_csc.stor_origin,
>> +			     uvcb_qui.cpu_stor_len);
>> +	report(rc, "Storage protection");
>> +
>>   	tmp = uvcb_csc.stor_origin;
>>   	uvcb_csc.stor_origin = (unsigned long)memalign(PAGE_SIZE, uvcb_qui.cpu_stor_len);
>>   	rc = uv_call(0, (uint64_t)&uvcb_csc);
>> @@ -292,6 +314,13 @@ static void test_config_create(void)
>>   	rc = uv_call(0, (uint64_t)&uvcb_cgc);
>>   	report(rc == 0 && uvcb_cgc.header.rc == UVC_RC_EXECUTED, "successful");
>>   
>> +	rc = access_check_3d((uint64_t *)uvcb_cgc.conf_var_stor_origin, vsize);
>> +	report(rc, "Base storage protection");
>> +
>> +	rc = access_check_3d((uint64_t *)uvcb_cgc.conf_base_stor_origin,
>> +			     uvcb_qui.conf_base_phys_stor_len);
>> +	report(rc, "Variable storage protection");
>> +
>>   	uvcb_cgc.header.rc = 0;
>>   	uvcb_cgc.header.rrc = 0;
>>   	tmp = uvcb_cgc.guest_handle;
>
Janosch Frank July 7, 2022, 8:20 a.m. UTC | #4 
On 7/7/22 10:11, Steffen Eiden wrote:
> Hi Janosch,
> 
> On 7/6/22 08:40, Janosch Frank wrote:
>> Let's check if the UV really protected all the memory we donated.
>>
>> Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
>> ---
>>    s390x/uv-host.c | 29 +++++++++++++++++++++++++++++
>>    1 file changed, 29 insertions(+)
>>
>> diff --git a/s390x/uv-host.c b/s390x/uv-host.c
>> index a1a6d120..983cb4a1 100644
>> --- a/s390x/uv-host.c
>> +++ b/s390x/uv-host.c
>> @@ -43,6 +43,24 @@ static void cpu_loop(void)
>>    	for (;;) {}
>>    }
>>    
>> +/*
>> + * Checks if a memory area is protected as secure memory.
>> + * Will return true if all pages are protected, false otherwise.
>> + */
>> +static bool access_check_3d(uint64_t *access_ptr, uint64_t len)
>> +{
>> +	while (len) {
>> +		expect_pgm_int();
>> +		*access_ptr += 42;
>> +		if (clear_pgm_int() != PGM_INT_CODE_SECURE_STOR_ACCESS)
>> +			return false;
>> +		access_ptr += PAGE_SIZE / sizeof(access_ptr);
>> +		len -= PAGE_SIZE;
> If someone uses this function with 'len' not being a multiple of
> PAGE_SIZE this test does not for what is was intended by testing more
> memory than expected.
> 
> I suggest adding an explicit assert at the beginning of the function
> that ensures 'len' is a multiple of PAGE_SIZE.

Sure

> 
>> +	}
>> +
>> +	return true;
>> +}
>> +
> 
> [snip]
> 
> Steffen
Claudio Imbrenda July 7, 2022, 9:19 a.m. UTC | #5 
On Thu, 7 Jul 2022 10:16:44 +0200
Janosch Frank <frankja@linux.ibm.com> wrote:

> On 7/6/22 18:33, Claudio Imbrenda wrote:
> > On Wed,  6 Jul 2022 06:40:17 +0000
> > Janosch Frank <frankja@linux.ibm.com> wrote:
> >   
> >> Let's check if the UV really protected all the memory we donated.
> >>
> >> Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
> >> ---
> >>   s390x/uv-host.c | 29 +++++++++++++++++++++++++++++
> >>   1 file changed, 29 insertions(+)
> >>
> >> diff --git a/s390x/uv-host.c b/s390x/uv-host.c
> >> index a1a6d120..983cb4a1 100644
> >> --- a/s390x/uv-host.c
> >> +++ b/s390x/uv-host.c
> >> @@ -43,6 +43,24 @@ static void cpu_loop(void)
> >>   	for (;;) {}
> >>   }
> >>   
> >> +/*
> >> + * Checks if a memory area is protected as secure memory.
> >> + * Will return true if all pages are protected, false otherwise.
> >> + */
> >> +static bool access_check_3d(uint64_t *access_ptr, uint64_t len)
> >> +{
> >> +	while (len) {
> >> +		expect_pgm_int();
> >> +		*access_ptr += 42;  
> > 
> > I'm surprised this works, you will get an (expected) exception when
> > reading from the pointer, and then you should get another one (at this
> > point unexpected) when writing
> >   
> 
> Let me introduce you to "AGSI" add grand storage immediate.

wow, of course there is an instruction for that :D

> But I get your point, inline assembly would make this much more explicit.

actually, I think you should separately check for read and write access.

something like 

expect_pgm_int();
READ_ONCE(*access_ptr);
...

expect_pgm_int();
WRITE_ONCE(*access_ptr, 42);

to really make sure both read and write access are blocked

> 
> >> +		if (clear_pgm_int() != PGM_INT_CODE_SECURE_STOR_ACCESS)
> >> +			return false;
> >> +		access_ptr += PAGE_SIZE / sizeof(access_ptr);
> >> +		len -= PAGE_SIZE;
> >> +	}
> >> +
> >> +	return true;
> >> +}
> >> +
> >>   static struct cmd_list cmds[] = {
> >>   	{ "init", UVC_CMD_INIT_UV, sizeof(struct uv_cb_init), BIT_UVC_CMD_INIT_UV },
> >>   	{ "create conf", UVC_CMD_CREATE_SEC_CONF, sizeof(struct uv_cb_cgc), BIT_UVC_CMD_CREATE_SEC_CONF },
> >> @@ -194,6 +212,10 @@ static void test_cpu_create(void)
> >>   	report(rc == 0 && uvcb_csc.header.rc == UVC_RC_EXECUTED &&
> >>   	       uvcb_csc.cpu_handle, "success");
> >>   
> >> +	rc = access_check_3d((uint64_t *)uvcb_csc.stor_origin,
> >> +			     uvcb_qui.cpu_stor_len);
> >> +	report(rc, "Storage protection");
> >> +
> >>   	tmp = uvcb_csc.stor_origin;
> >>   	uvcb_csc.stor_origin = (unsigned long)memalign(PAGE_SIZE, uvcb_qui.cpu_stor_len);
> >>   	rc = uv_call(0, (uint64_t)&uvcb_csc);
> >> @@ -292,6 +314,13 @@ static void test_config_create(void)
> >>   	rc = uv_call(0, (uint64_t)&uvcb_cgc);
> >>   	report(rc == 0 && uvcb_cgc.header.rc == UVC_RC_EXECUTED, "successful");
> >>   
> >> +	rc = access_check_3d((uint64_t *)uvcb_cgc.conf_var_stor_origin, vsize);
> >> +	report(rc, "Base storage protection");
> >> +
> >> +	rc = access_check_3d((uint64_t *)uvcb_cgc.conf_base_stor_origin,
> >> +			     uvcb_qui.conf_base_phys_stor_len);
> >> +	report(rc, "Variable storage protection");
> >> +
> >>   	uvcb_cgc.header.rc = 0;
> >>   	uvcb_cgc.header.rrc = 0;
> >>   	tmp = uvcb_cgc.guest_handle;  
> >   
>
diff mbox series

Patch

diff --git a/s390x/uv-host.c b/s390x/uv-host.c
index a1a6d120..983cb4a1 100644
--- a/s390x/uv-host.c
+++ b/s390x/uv-host.c
@@ -43,6 +43,24 @@  static void cpu_loop(void)
 	for (;;) {}
 }
 
+/*
+ * Checks if a memory area is protected as secure memory.
+ * Will return true if all pages are protected, false otherwise.
+ */
+static bool access_check_3d(uint64_t *access_ptr, uint64_t len)
+{
+	while (len) {
+		expect_pgm_int();
+		*access_ptr += 42;
+		if (clear_pgm_int() != PGM_INT_CODE_SECURE_STOR_ACCESS)
+			return false;
+		access_ptr += PAGE_SIZE / sizeof(access_ptr);
+		len -= PAGE_SIZE;
+	}
+
+	return true;
+}
+
 static struct cmd_list cmds[] = {
 	{ "init", UVC_CMD_INIT_UV, sizeof(struct uv_cb_init), BIT_UVC_CMD_INIT_UV },
 	{ "create conf", UVC_CMD_CREATE_SEC_CONF, sizeof(struct uv_cb_cgc), BIT_UVC_CMD_CREATE_SEC_CONF },
@@ -194,6 +212,10 @@  static void test_cpu_create(void)
 	report(rc == 0 && uvcb_csc.header.rc == UVC_RC_EXECUTED &&
 	       uvcb_csc.cpu_handle, "success");
 
+	rc = access_check_3d((uint64_t *)uvcb_csc.stor_origin,
+			     uvcb_qui.cpu_stor_len);
+	report(rc, "Storage protection");
+
 	tmp = uvcb_csc.stor_origin;
 	uvcb_csc.stor_origin = (unsigned long)memalign(PAGE_SIZE, uvcb_qui.cpu_stor_len);
 	rc = uv_call(0, (uint64_t)&uvcb_csc);
@@ -292,6 +314,13 @@  static void test_config_create(void)
 	rc = uv_call(0, (uint64_t)&uvcb_cgc);
 	report(rc == 0 && uvcb_cgc.header.rc == UVC_RC_EXECUTED, "successful");
 
+	rc = access_check_3d((uint64_t *)uvcb_cgc.conf_var_stor_origin, vsize);
+	report(rc, "Base storage protection");
+
+	rc = access_check_3d((uint64_t *)uvcb_cgc.conf_base_stor_origin,
+			     uvcb_qui.conf_base_phys_stor_len);
+	report(rc, "Variable storage protection");
+
 	uvcb_cgc.header.rc = 0;
 	uvcb_cgc.header.rrc = 0;
 	tmp = uvcb_cgc.guest_handle;