[v2,03/12] x86/sev: Add an x86 version of prot_guest_has()

Introduce an x86 version of the prot_guest_has() function. This will be
used in the more generic x86 code to replace vendor specific calls like
sev_active(), etc.

While the name suggests this is intended mainly for guests, it will
also be used for host memory encryption checks in place of sme_active().

Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Reviewed-by: Joerg Roedel <jroedel@suse.de>
Co-developed-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Co-developed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
Signed-off-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
---
 arch/x86/Kconfig                       |  1 +
 arch/x86/include/asm/mem_encrypt.h     |  2 ++
 arch/x86/include/asm/protected_guest.h | 29 ++++++++++++++++++++++++++
 arch/x86/mm/mem_encrypt.c              | 25 ++++++++++++++++++++++
 include/linux/protected_guest.h        |  5 +++++
 5 files changed, 62 insertions(+)
 create mode 100644 arch/x86/include/asm/protected_guest.h

On Fri, Aug 13, 2021 at 11:59:22AM -0500, Tom Lendacky wrote:
> diff --git a/arch/x86/include/asm/protected_guest.h b/arch/x86/include/asm/protected_guest.h
> new file mode 100644
> index 000000000000..51e4eefd9542
> --- /dev/null
> +++ b/arch/x86/include/asm/protected_guest.h
> @@ -0,0 +1,29 @@
> +/* SPDX-License-Identifier: GPL-2.0-only */
> +/*
> + * Protected Guest (and Host) Capability checks
> + *
> + * Copyright (C) 2021 Advanced Micro Devices, Inc.
> + *
> + * Author: Tom Lendacky <thomas.lendacky@amd.com>
> + */
> +
> +#ifndef _X86_PROTECTED_GUEST_H
> +#define _X86_PROTECTED_GUEST_H
> +
> +#include <linux/mem_encrypt.h>
> +
> +#ifndef __ASSEMBLY__
> +
> +static inline bool prot_guest_has(unsigned int attr)
> +{
> +#ifdef CONFIG_AMD_MEM_ENCRYPT
> +	if (sme_me_mask)
> +		return amd_prot_guest_has(attr);
> +#endif
> +
> +	return false;
> +}
> +
> +#endif	/* __ASSEMBLY__ */
> +
> +#endif	/* _X86_PROTECTED_GUEST_H */

I think this can be simplified more, diff ontop below:

- no need for the ifdeffery as amd_prot_guest_has() has versions for
both when CONFIG_AMD_MEM_ENCRYPT is set or not.

- the sme_me_mask check is pushed there too.

- and since this is vendor-specific, I'm checking the vendor bit. Yeah,
yeah, cross-vendor but I don't really believe that.

---
diff --git a/arch/x86/include/asm/protected_guest.h b/arch/x86/include/asm/protected_guest.h
index 51e4eefd9542..8541c76d5da4 100644
--- a/arch/x86/include/asm/protected_guest.h
+++ b/arch/x86/include/asm/protected_guest.h
@@ -12,18 +12,13 @@
 
 #include <linux/mem_encrypt.h>
 
-#ifndef __ASSEMBLY__
-
 static inline bool prot_guest_has(unsigned int attr)
 {
-#ifdef CONFIG_AMD_MEM_ENCRYPT
-	if (sme_me_mask)
+	if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD ||
+	    boot_cpu_data.x86_vendor == X86_VENDOR_HYGON)
 		return amd_prot_guest_has(attr);
-#endif
 
 	return false;
 }
 
-#endif	/* __ASSEMBLY__ */
-
 #endif	/* _X86_PROTECTED_GUEST_H */
diff --git a/arch/x86/mm/mem_encrypt.c b/arch/x86/mm/mem_encrypt.c
index edc67ddf065d..5a0442a6f072 100644
--- a/arch/x86/mm/mem_encrypt.c
+++ b/arch/x86/mm/mem_encrypt.c
@@ -392,6 +392,9 @@ bool noinstr sev_es_active(void)
 
 bool amd_prot_guest_has(unsigned int attr)
 {
+	if (!sme_me_mask)
+		return false;
+
 	switch (attr) {
 	case PATTR_MEM_ENCRYPT:
 		return sme_me_mask != 0;

On 8/14/21 2:08 PM, Borislav Petkov wrote:
> On Fri, Aug 13, 2021 at 11:59:22AM -0500, Tom Lendacky wrote:

>> diff --git a/arch/x86/include/asm/protected_guest.h b/arch/x86/include/asm/protected_guest.h

>> new file mode 100644

>> index 000000000000..51e4eefd9542

>> --- /dev/null

>> +++ b/arch/x86/include/asm/protected_guest.h

>> @@ -0,0 +1,29 @@

>> +/* SPDX-License-Identifier: GPL-2.0-only */

>> +/*

>> + * Protected Guest (and Host) Capability checks

>> + *

>> + * Copyright (C) 2021 Advanced Micro Devices, Inc.

>> + *

>> + * Author: Tom Lendacky <thomas.lendacky@amd.com>

>> + */

>> +

>> +#ifndef _X86_PROTECTED_GUEST_H

>> +#define _X86_PROTECTED_GUEST_H

>> +

>> +#include <linux/mem_encrypt.h>

>> +

>> +#ifndef __ASSEMBLY__

>> +

>> +static inline bool prot_guest_has(unsigned int attr)

>> +{

>> +#ifdef CONFIG_AMD_MEM_ENCRYPT

>> +	if (sme_me_mask)

>> +		return amd_prot_guest_has(attr);

>> +#endif

>> +

>> +	return false;

>> +}

>> +

>> +#endif	/* __ASSEMBLY__ */

>> +

>> +#endif	/* _X86_PROTECTED_GUEST_H */

> 

> I think this can be simplified more, diff ontop below:

> 

> - no need for the ifdeffery as amd_prot_guest_has() has versions for

> both when CONFIG_AMD_MEM_ENCRYPT is set or not.


Ugh, yeah, not sure why I put that in for this version since I have the 
static inline for when CONFIG_AMD_MEM_ENCRYPT is not set.

> 

> - the sme_me_mask check is pushed there too.

> 

> - and since this is vendor-specific, I'm checking the vendor bit. Yeah,

> yeah, cross-vendor but I don't really believe that.


It's not a cross-vendor thing as opposed to a KVM or other hypervisor 
thing where the family doesn't have to be reported as AMD or HYGON. That's 
why I made the if check be for sme_me_mask. I think that is the safer way 
to go.

Thanks,
Tom

> 

> ---

> diff --git a/arch/x86/include/asm/protected_guest.h b/arch/x86/include/asm/protected_guest.h

> index 51e4eefd9542..8541c76d5da4 100644

> --- a/arch/x86/include/asm/protected_guest.h

> +++ b/arch/x86/include/asm/protected_guest.h

> @@ -12,18 +12,13 @@

>   

>   #include <linux/mem_encrypt.h>

>   

> -#ifndef __ASSEMBLY__

> -

>   static inline bool prot_guest_has(unsigned int attr)

>   {

> -#ifdef CONFIG_AMD_MEM_ENCRYPT

> -	if (sme_me_mask)

> +	if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD ||

> +	    boot_cpu_data.x86_vendor == X86_VENDOR_HYGON)

>   		return amd_prot_guest_has(attr);

> -#endif

>   

>   	return false;

>   }

>   

> -#endif	/* __ASSEMBLY__ */

> -

>   #endif	/* _X86_PROTECTED_GUEST_H */

> diff --git a/arch/x86/mm/mem_encrypt.c b/arch/x86/mm/mem_encrypt.c

> index edc67ddf065d..5a0442a6f072 100644

> --- a/arch/x86/mm/mem_encrypt.c

> +++ b/arch/x86/mm/mem_encrypt.c

> @@ -392,6 +392,9 @@ bool noinstr sev_es_active(void)

>   

>   bool amd_prot_guest_has(unsigned int attr)

>   {

> +	if (!sme_me_mask)

> +		return false;

> +

>   	switch (attr) {

>   	case PATTR_MEM_ENCRYPT:

>   		return sme_me_mask != 0;

>

On Sun, Aug 15, 2021 at 08:53:31AM -0500, Tom Lendacky wrote:
> It's not a cross-vendor thing as opposed to a KVM or other hypervisor

> thing where the family doesn't have to be reported as AMD or HYGON.


What would be the use case? A HV starts a guest which is supposed to be
encrypted using the AMD's confidential guest technology but the HV tells
the guest that it is not running on an AMD SVM HV but something else?

Is that even an actual use case?

Or am I way off?

I know we have talked about this in the past but this still sounds
insane.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

On 8/15/21 9:39 AM, Borislav Petkov wrote:
> On Sun, Aug 15, 2021 at 08:53:31AM -0500, Tom Lendacky wrote:

>> It's not a cross-vendor thing as opposed to a KVM or other hypervisor

>> thing where the family doesn't have to be reported as AMD or HYGON.

> 

> What would be the use case? A HV starts a guest which is supposed to be

> encrypted using the AMD's confidential guest technology but the HV tells

> the guest that it is not running on an AMD SVM HV but something else?

> 

> Is that even an actual use case?

> 

> Or am I way off?

> 

> I know we have talked about this in the past but this still sounds

> insane.


Maybe the KVM folks have a better understanding of it...

I can change it to be an AMD/HYGON check...  although, I'll have to check
to see if any (very) early use of the function will work with that.

At a minimum, the check in arch/x86/kernel/head64.c will have to be
changed or removed. I'll take a closer look.

Thanks,
Tom

>

On Tue, Aug 17, 2021 at 10:22:52AM -0500, Tom Lendacky wrote:
> I can change it to be an AMD/HYGON check...  although, I'll have to check

> to see if any (very) early use of the function will work with that.


We can always change it later if really needed. It is just that I'm not
a fan of such "preemptive" changes.

> At a minimum, the check in arch/x86/kernel/head64.c will have to be

> changed or removed. I'll take a closer look.


Yeah, sme_me_mask, already discussed on IRC.

Thx.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

On Fri, Aug 13, 2021 at 11:59:22AM -0500, Tom Lendacky wrote:
> While the name suggests this is intended mainly for guests, it will

> also be used for host memory encryption checks in place of sme_active().


Which suggest that the name is not good to start with.  Maybe protected
hardware, system or platform might be a better choice?

> +static inline bool prot_guest_has(unsigned int attr)

> +{

> +#ifdef CONFIG_AMD_MEM_ENCRYPT

> +	if (sme_me_mask)

> +		return amd_prot_guest_has(attr);

> +#endif

> +

> +	return false;

> +}


Shouldn't this be entirely out of line?

> +/* 0x800 - 0x8ff reserved for AMD */

> +#define PATTR_SME			0x800

> +#define PATTR_SEV			0x801

> +#define PATTR_SEV_ES			0x802


Why do we need reservations for a purely in-kernel namespace?

And why are you overoading a brand new generic API with weird details
of a specific implementation like this?

On Thu, Aug 19, 2021 at 10:52:53AM +0100, Christoph Hellwig wrote:
> Which suggest that the name is not good to start with.  Maybe protected

> hardware, system or platform might be a better choice?


Yah, coming up with a proper name here hasn't been easy.
prot_guest_has() is not the first variant.

From all three things you suggest above, I guess calling it a "platform"
is the closest. As in, this is a confidential computing platform which
provides host and guest facilities etc.

So calling it

confidential_computing_platform_has()

is obviously too long.

ccp_has() clashes with the namespace of drivers/crypto/ccp/ which is
used by the technology too.

coco_platform_has() is too unserious.

So I guess

cc_platform_has()

ain't all that bad.

Unless you have a better idea, ofc.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

On 8/19/21 4:52 AM, Christoph Hellwig wrote:
> On Fri, Aug 13, 2021 at 11:59:22AM -0500, Tom Lendacky wrote:

>> While the name suggests this is intended mainly for guests, it will

>> also be used for host memory encryption checks in place of sme_active().

> 

> Which suggest that the name is not good to start with.  Maybe protected

> hardware, system or platform might be a better choice?

> 

>> +static inline bool prot_guest_has(unsigned int attr)

>> +{

>> +#ifdef CONFIG_AMD_MEM_ENCRYPT

>> +	if (sme_me_mask)

>> +		return amd_prot_guest_has(attr);

>> +#endif

>> +

>> +	return false;

>> +}

> 

> Shouldn't this be entirely out of line?


I did it as inline originally because the presence of the function will be
decided based on the ARCH_HAS_PROTECTED_GUEST config. For now, that is
only selected by the AMD memory encryption support, so if I went out of
line I could put in mem_encrypt.c. But with TDX wanting to also use it, it
would have to be in an always built file with some #ifdefs or in its own
file that is conditionally built based on the ARCH_HAS_PROTECTED_GUEST
setting (they've already tried building with ARCH_HAS_PROTECTED_GUEST=y
and AMD_MEM_ENCRYPT not set).

To take it out of line, I'm leaning towards the latter, creating a new
file that is built based on the ARCH_HAS_PROTECTED_GUEST setting.

> 

>> +/* 0x800 - 0x8ff reserved for AMD */

>> +#define PATTR_SME			0x800

>> +#define PATTR_SEV			0x801

>> +#define PATTR_SEV_ES			0x802

> 

> Why do we need reservations for a purely in-kernel namespace?

> 

> And why are you overoading a brand new generic API with weird details

> of a specific implementation like this?


There was some talk about this on the mailing list where TDX and SEV may
need to be differentiated, so we wanted to reserve a range of values per
technology. I guess I can remove them until they are actually needed.

Thanks,
Tom

>

On 8/19/21 11:33 AM, Tom Lendacky wrote:
> There was some talk about this on the mailing list where TDX and SEV may

> need to be differentiated, so we wanted to reserve a range of values per

> technology. I guess I can remove them until they are actually needed.


In TDX also we have similar requirements and we need some flags for
TDX specific checks. So I think it is fine to leave some space for vendor
flags.

-- 
Sathyanarayanan Kuppuswamy
Linux Kernel Developer

On Thu, Aug 19, 2021 at 01:33:09PM -0500, Tom Lendacky wrote:
> I did it as inline originally because the presence of the function will be

> decided based on the ARCH_HAS_PROTECTED_GUEST config. For now, that is

> only selected by the AMD memory encryption support, so if I went out of

> line I could put in mem_encrypt.c. But with TDX wanting to also use it, it

> would have to be in an always built file with some #ifdefs or in its own

> file that is conditionally built based on the ARCH_HAS_PROTECTED_GUEST

> setting (they've already tried building with ARCH_HAS_PROTECTED_GUEST=y

> and AMD_MEM_ENCRYPT not set).

> 

> To take it out of line, I'm leaning towards the latter, creating a new

> file that is built based on the ARCH_HAS_PROTECTED_GUEST setting.


Yes.  In general everytime architectures have to provide the prototype
and not just the implementation of something we end up with a giant mess
sooner or later.  In a few cases that is still warranted due to
performance concerns, but i don't think that is the case here.

> 

> > 

> >> +/* 0x800 - 0x8ff reserved for AMD */

> >> +#define PATTR_SME			0x800

> >> +#define PATTR_SEV			0x801

> >> +#define PATTR_SEV_ES			0x802

> > 

> > Why do we need reservations for a purely in-kernel namespace?

> > 

> > And why are you overoading a brand new generic API with weird details

> > of a specific implementation like this?

> 

> There was some talk about this on the mailing list where TDX and SEV may

> need to be differentiated, so we wanted to reserve a range of values per

> technology. I guess I can remove them until they are actually needed.


In that case add a flag for the differing behavior.  And only add them
when actually needed.  And either way there is absolutely no need to
reserve ranges.