From patchwork Thu Mar 16 00:30:56 2023
X-Patchwork-Submitter: Ackerley Tng
X-Patchwork-Id: 13176854
Date: Thu, 16 Mar 2023 00:30:56 +0000
Message-ID: <48490641ce981c31ea58c11ad478ff85cd0dd156.1678926164.git.ackerleytng@google.com>
Subject: [RFC PATCH 03/10] KVM: selftests: Test that VM private memory should not be readable from host
From: Ackerley Tng
To: kvm@vger.kernel.org, linux-api@vger.kernel.org, linux-arch@vger.kernel.org, linux-doc@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, qemu-devel@nongnu.org
Cc: aarcange@redhat.com, ak@linux.intel.com, akpm@linux-foundation.org, arnd@arndb.de, bfields@fieldses.org, bp@alien8.de, chao.p.peng@linux.intel.com, corbet@lwn.net, dave.hansen@intel.com, david@redhat.com, ddutile@redhat.com, dhildenb@redhat.com, hpa@zytor.com, hughd@google.com, jlayton@kernel.org, jmattson@google.com, joro@8bytes.org, jun.nakajima@intel.com, kirill.shutemov@linux.intel.com, linmiaohe@huawei.com, luto@kernel.org, mail@maciej.szmigiero.name, mhocko@suse.com, michael.roth@amd.com, mingo@redhat.com, naoya.horiguchi@nec.com, pbonzini@redhat.com, qperret@google.com, rppt@kernel.org, seanjc@google.com, shuah@kernel.org, steven.price@arm.com, tabba@google.com, tglx@linutronix.de, vannapurve@google.com, vbabka@suse.cz, vkuznets@redhat.com, wanpengli@tencent.com, wei.w.wang@intel.com, x86@kernel.org, yu.c.zhang@linux.intel.com, Ackerley Tng

After VM memory is remapped as private memory and guest has written to private memory, request the host to read the corresponding hva for that private memory. The host should not be able to read the value in private memory. This selftest shows that private memory contents of the guest are not accessible to host userspace via the HVA.

Signed-off-by: Ackerley Tng
--- .../kvm/x86_64/private_mem_conversions_test.c | 54 ++++++++++++++++--- 1 file changed, 48 insertions(+), 6 deletions(-) diff --git a/tools/testing/selftests/kvm/x86_64/private_mem_conversions_test.c b/tools/testing/selftests/kvm/x86_64/private_mem_conversions_test.c index ef9894340a2b..f2c1e4450b0e 100644 --- a/tools/testing/selftests/kvm/x86_64/private_mem_conversions_test.c +++ b/tools/testing/selftests/kvm/x86_64/private_mem_conversions_test.c @@ -47,6 +47,16 @@ static void memcmp_h(uint8_t *mem, uint8_t pattern, size_t size) pattern, i, mem[i]); } +static void memcmp_ne_h(uint8_t *mem, uint8_t pattern, size_t size) +{ + size_t i; + + for (i = 0; i < size; i++) + TEST_ASSERT(mem[i] != pattern, + "Expected not to find 0x%x at offset %lu but got 0x%x", + pattern, i, mem[i]); +} + /* * Run memory conversion tests with explicit conversion: * Execute KVM hypercall to map/unmap gpa range which will cause userspace exit @@ -64,8 +74,14 @@ static void memcmp_h(uint8_t *mem, uint8_t pattern, size_t size) #define GUEST_STAGE(o, s) { .offset = o, .size = s } -#define GUEST_SYNC4(gpa, size, current_pattern, new_pattern) \ - ucall(UCALL_SYNC, 4, gpa, size, current_pattern, new_pattern) +#define UCALL_RW_SHARED (0xca11 - 0) +#define UCALL_R_PRIVATE (0xca11 - 1) + +#define REQUEST_HOST_RW_SHARED(gpa, size, current_pattern, new_pattern) \ + ucall(UCALL_RW_SHARED, 4, gpa, size, current_pattern, new_pattern) + +#define REQUEST_HOST_R_PRIVATE(gpa, size, expected_pattern) \ + ucall(UCALL_R_PRIVATE, 3, gpa, size, expected_pattern) static void guest_code(void) { 
@@ -86,7 +102,7 @@ static void guest_code(void) /* Memory should be shared by default. */ memset((void *)DATA_GPA, ~init_p, DATA_SIZE); - GUEST_SYNC4(DATA_GPA, DATA_SIZE, ~init_p, init_p); + REQUEST_HOST_RW_SHARED(DATA_GPA, DATA_SIZE, ~init_p, init_p); memcmp_g(DATA_GPA, init_p, DATA_SIZE); for (i = 0; i < ARRAY_SIZE(stages); i++) { @@ -113,6 +129,12 @@ static void guest_code(void) kvm_hypercall_map_private(gpa, size); memset((void *)gpa, p2, size); + /* + * Host should not be able to read the values written to private + * memory + */ + REQUEST_HOST_R_PRIVATE(gpa, size, p2); + /* * Verify that the private memory was set to pattern two, and * that shared memory still holds the initial pattern. @@ -133,11 +155,20 @@ static void guest_code(void) continue; kvm_hypercall_map_shared(gpa + j, PAGE_SIZE); - GUEST_SYNC4(gpa + j, PAGE_SIZE, p1, p3); + REQUEST_HOST_RW_SHARED(gpa + j, PAGE_SIZE, p1, p3); memcmp_g(gpa + j, p3, PAGE_SIZE); } + /* + * Even-number pages are still mapped as private, host should + * not be able to read those values. + */ + for (j = 0; j < size; j += PAGE_SIZE) { + if (!((j >> PAGE_SHIFT) & 1)) + REQUEST_HOST_R_PRIVATE(gpa + j, PAGE_SIZE, p2); + } + /* * Convert the entire region back to shared, explicitly write * pattern three to fill in the even-number frames before @@ -145,7 +176,7 @@ static void guest_code(void) */ kvm_hypercall_map_shared(gpa, size); memset((void *)gpa, p3, size); - GUEST_SYNC4(gpa, size, p3, p4); + REQUEST_HOST_RW_SHARED(gpa, size, p3, p4); memcmp_g(gpa, p4, size); /* Reset the shared memory back to the initial pattern. */ 
@@ -209,7 +240,18 @@ static void test_mem_conversions(enum vm_mem_backing_src_type src_type) switch (get_ucall(vcpu, &uc)) { case UCALL_ABORT: REPORT_GUEST_ASSERT_4(uc, "%lx %lx %lx %lx"); - case UCALL_SYNC: { + case UCALL_R_PRIVATE: { + uint8_t *hva = addr_gpa2hva(vm, uc.args[0]); + uint64_t size = uc.args[1]; + + /* + * Try to read hva for private gpa from host, should not + * be able to read private data + */ + memcmp_ne_h(hva, uc.args[2], size); + break; + } + case UCALL_RW_SHARED: { uint8_t *hva = addr_gpa2hva(vm, uc.args[0]); uint64_t size = uc.args[1];
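
Review bot: In memcmp_ne_h() (hunk at -47,6 +47,16) the assertion mem[i] != pattern only proves that the host did not see the guest's private pattern byte at that offset; it passes on any other content, so the test cannot tell "host reads the shared backing" apart from "host reads arbitrary or stale data". Consider having the guest also pass the pattern the host is expected to find at that HVA (the guest-side comment says shared memory "still holds the initial pattern") and asserting on that in addition to the absence of the private pattern. Separately, i is a size_t, so the format string should use %zu rather than %lu.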
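
Review bot: UCALL_RW_SHARED and UCALL_R_PRIVATE (hunk at -64,8 +74,14) are defined as 0xca11 - 0 and 0xca11 - 1 with no comment on why these values were picked or how they are kept clear of the existing ucall command values such as UCALL_ABORT, which the host switch matches alongside them. A one-line comment, or a test-local enum, would document the intent. The third parameter of REQUEST_HOST_R_PRIVATE is also named expected_pattern, but the host hands it to memcmp_ne_h() as the value that must not be found; a name such as private_pattern would stop readers from taking it the wrong way round.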
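
Review bot: In the new UCALL_R_PRIVATE case (hunk at -209,7 +240,18) uc.args[2] is passed straight into the uint8_t pattern parameter of memcmp_ne_h(), so the ucall argument is truncated silently; an explicit (uint8_t) cast, or an assert that the value fits in a byte, would make that deliberate. The comment "should not be able to read private data" would be more accurate if it said what the read through the hva is expected to return, because the code does dereference the hva successfully and only checks that each byte differs from the pattern.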