RE: [PATCH 2/6] x86/tdx: Retry TDVMCALL_MAP_GPA() when needed
From: Dexuan Cui
Date: Tue Nov 22 2022 - 21:55:37 EST
> Sent: Monday, November 21, 2022 12:56 PM
> On 11/21/22 11:51, Dexuan Cui wrote:
> > +static bool tdx_map_gpa(phys_addr_t start, phys_addr_t end, bool enc)
> > +{
> > + u64 ret, r11;
>
> 'r11' needs a real, logical name.
OK, will use "map_fail_paddr" (as you implied below).
> > + while (1) {
> > + ret = _tdx_hypercall_output_r11(TDVMCALL_MAP_GPA, start,
> > + end - start, 0, 0, &r11);
> > + if (!ret)
> > + break;
> > +
> > + if (ret != TDVMCALL_STATUS_RETRY)
> > + break;
> > +
> > + /*
> > + * The guest must retry the operation for the pages in the
> > + * region starting at the GPA specified in R11. Make sure R11
> > + * contains a sane value.
> > + */
> > + if ((r11 & ~cc_mkdec(0)) < (start & ~cc_mkdec(0)) ||
> > + (r11 & ~cc_mkdec(0)) >= (end & ~cc_mkdec(0)))
> > + return false;
>
> This statement is, um, a wee bit ugly.
>
> First, it's not obvious at all why the address masking is necessary.
It turns out that the masking is completely unnecessary :-)
I incorrectly assumed that if the input 'start' has the bit 47, Hyper-V
always returns a physical address without bit 47. This is not the case.
I'll remove the masking code in v2.
> Second, it's utterly insane to do that mask to 'r11' twice. Third, it's
> silly do logically the same thing to start and end every time through
> the loop.
>
> This also seems to have built in the idea that cc_mkdec() *SETS* bits
> rather than clearing them. That's true for TDX today, but it's a
> horrible chunk of code to leave around because it'll confuse actual
> legitimate cc_enc/dec() users.
>
> The more I write about it, the more I dislike it.
>
> Why can't this just be:
>
> if ((map_fail_paddr < start) ||
> (map_fail_paddr >= end))
> return false;
>
> If the hypervisor returns some crazy address in r11 that isn't masked
> like the inputs, just fail.
Will use your example code in v2.
> > + start = r11;
> > +
> > + /* Set the shared (decrypted) bit. */
> > + if (!enc)
> > + start |= cc_mkdec(0);
>
> Why is only one side of this necessary? Shouldn't it need to be
> something like:
>
> if (enc)
> start = cc_mkenc(start);
> else
> start = cc_mkdec(start);
>
> ??
The code is unnecessary. Will remove it in v2.