platform: extend the way pages are identified for validation/invalidation #461
@peterfang This should resolve the challenges you had in implementing validation for the TDP platform.
89b77ed to 2ecdbf9
Thanks! Will update my stage2 PR after this is merged.
2ecdbf9 to 1751117
2b47b08 to c73c9fb
These changes break boot for me, I need to investigate before this can be merged.
This breaks the boot for me too. I'll help investigate.
I've started on this as well. AFAICT the self-map isn't set up properly for some (or all?) page tables, so the lookups fail. AFAICT the self-map sometimes points to random garbage, I'm not yet sure why.
c73c9fb to 1716142
I've fixed the PR. There were two problems: neither the self-map PML4E nor the level 1/2/3 page table hierarchy logic would set the C-bit in any of those entries. With a self-map, every intermediate entry can be treated like a PTE, so all of them need to set the C-bit. The Hyper-V and TDX environments both use vTOM (or a vTOM equivalent) which is why no problem was observed in either environment. I've updated the PR to set the C-bit correctly in non-vTOM environments and everything appears to work now. BTW, the reason the failures appeared to be so random is that with the C-bit clear, accesses through the self-map would result in reading ciphertext, which is random.
I've tested this new version and it works in my environment.
In general, page validation should be performed by physical address, which is required on certain platforms; platforms that require validation by virtual address can create a temporary virtual mapping to describe the physical page being validated. However, in certain contexts (like stage2), temporary mapping is not possible, and the pages to be validated already have a virtual mapping, so a mechanism to validate by virtual address is retained solely for use in those limited cases where a virtual mapping already exists in such a restricted context. Signed-off-by: Jon Lange <[email protected]>
All processors that support virtualization also support NX. Therefore, there is no reason to detect NX via CPUID, and EFER.NXE can be enabled very early in boot, unconditionally, for simplicity in managing page tables. Signed-off-by: Jon Lange <[email protected]>
It is possible to insert a reference to the current page table into the page table itself, creating a recursive "self-map". This permits access to any PTE in the address space by taking advantage of the hierarchical property of page tables, using the CPU's own page table walker to obtain the PTE contents. This change inserts a self-map entry into every page table, and reimplements `virt_to_phys()` to use the self map so that it is possible to translate any VA to a PA without requiring either the VA or the PA to be within the bounds of any known address range. Signed-off-by: Jon Lange <[email protected]>
Some platforms will require translation from virtual to physical address in order to perform page validation by virtual address. Therefore, on other platforms, force a call to `virt_to_phys()` in debug builds to increase the number of test environments that can detect possible translation failures to aid in debugging. Signed-off-by: Jon Lange <[email protected]>
1716142 to c2a9101
SNP validates pages by virtual address while TDX validates pages by physical address. This PR makes it possible for code to request validation changes based on either. This ensures that virtual mappings are not created unnecessarily on platforms that do not require them, and ensures that it can be possible to correctly obtain the physical address for validation in those cases where the caller has only a virtual address.
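The self-map lookup described in the commit message above, and the point made in the thread that every intermediate entry ends up treated like a PTE, worked through as an added example (not code from this PR or the project). `SELF_MAP_SLOT` and all function names are hypothetical; 4-level paging with 4 KiB pages is assumed.

```rust
// Added example: recursive self-map address arithmetic for 4-level x86-64 paging.
// SELF_MAP_SLOT is a hypothetical PML4 index chosen for illustration.
const SELF_MAP_SLOT: u64 = 493;
const INDEX_MASK: u64 = 0x1ff;
const ADDR_MASK: u64 = 0x0000_ffff_ffff_ffff;

/// Sign-extend bit 47 so the result is a canonical 48-bit virtual address.
fn canonical(va: u64) -> u64 {
    if va & (1 << 47) != 0 { va | !ADDR_MASK } else { va & ADDR_MASK }
}

/// Table indices the hardware walker consumes for `va`: [PML4, PDPT, PD, PT].
fn indices(va: u64) -> [u64; 4] {
    [39u32, 30, 21, 12].map(|shift| (va >> shift) & INDEX_MASK)
}

/// Build a canonical VA from [PML4, PDPT, PD, PT] indices.
fn from_indices(i: [u64; 4]) -> u64 {
    canonical((i[0] << 39) | (i[1] << 30) | (i[2] << 21) | (i[3] << 12))
}

/// VA at which the entry translating `va` at `level` is readable through the
/// self-map (0 = PTE, 1 = PDE, 2 = PDPTE, 3 = PML4E).
fn entry_va(va: u64, level: u32) -> u64 {
    let mut addr = va & ADDR_MASK & !0xfff;
    // Each pass pushes the walk down one level (9 bits) and puts the self-map
    // slot on top, so the walker spends one hop re-entering the PML4.
    for _ in 0..=level {
        addr = (addr >> 9) | (SELF_MAP_SLOT << 39);
    }
    canonical(addr & !0x7) // entries are 8 bytes wide
}

fn main() {
    let va = from_indices([511, 510, 1, 3]) + 0x123; // constructed sample address
    for level in 0..4 {
        let e = entry_va(va, level);
        // The fourth index names the entry the walker uses as its leaf "PTE":
        // for level 0 that is the real PDE, for level 3 the self-map PML4E.
        println!("level {level}: {e:#018x} walk {:?} offset {:#x}", indices(e), e & 0xfff);
    }
}
```

In each walk the last index consumed selects an intermediate entry (PDE, PDPTE, PML4E or the self-map entry itself) that the CPU then uses as a leaf mapping, which is why the thread concludes that all of them need the C-bit outside vTOM environments.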