To: Brijesh Singh, edk2-devel@lists.01.org
Cc: Tom Lendacky, Jordan Justen, Ard Biesheuvel
From: Laszlo Ersek
Message-ID: <58dc46c4-59ae-4743-214a-df25b138303b@redhat.com>
Date: Wed, 2 Aug 2017 09:37:07 +0200
Subject: Re: [PATCH v1 3/4] OvmfPkg: IommuDxe: Zero the shared page(s) on Unmap()

On 07/31/17 21:31, Brijesh Singh wrote:
> To support the Map(), we allocate bounce buffer with C-bit cleared,
> the buffer is referred as a DeviceAddress. Typically, DeviceAddress
> is used as communication block between guest and hypervisor. When
> guest is done with communication block, it calls Unmap(). The Unmap()
> frees the DeviceAddress, if we do not clear the content of shared
> communication block during Unmap() then data remains readable to the
> hypervisor for an unpredictable time. Let's zero the bounce buffer
> after we are done using it.
>
> I did some benchmark and did not see any measurable performance impact of
> zeroing the page(s).
>
> Suggested-by: Laszlo Ersek
> Contributed-under: TianoCore Contribution Agreement 1.0
> Cc: Laszlo Ersek
> Cc: Jordan Justen
> Signed-off-by: Brijesh Singh
> --- > OvmfPkg/IoMmuDxe/AmdSevIoMmu.c | 18 ++++++++++-------- > 1 file changed, 10 insertions(+), 8 deletions(-) > > diff --git a/OvmfPkg/IoMmuDxe/AmdSevIoMmu.c b/OvmfPkg/IoMmuDxe/AmdSevIoMmu.c > index 5ae54482fffe..04e3725ff7e6 100644 > --- a/OvmfPkg/IoMmuDxe/AmdSevIoMmu.c
> +++ b/OvmfPkg/IoMmuDxe/AmdSevIoMmu.c > @@ -67,8 +67,7 @@ SetBufferAsEncDec ( > // buffer matches with same encryption mask. > // > if (!Enc) { > - Status = MemEncryptSevClearPageEncMask (0, MapInfo->DeviceAddress, > - MapInfo->NumberOfPages, TRUE); > + Status = MemEncryptSevClearPageEncMask (0, TempBuffer, MapInfo->NumberOfPages, TRUE); > ASSERT_EFI_ERROR (Status); > } > > @@ -79,7 +78,7 @@ SetBufferAsEncDec ( > // > CopyMem ( > (VOID *) (UINTN) TempBuffer, > - (VOID *) (UINTN)MapInfo->HostAddress, > + (VOID *) (UINTN) MapInfo->HostAddress, > MapInfo->NumberOfBytes); > > // > @@ -109,11 +108,8 @@ SetBufferAsEncDec ( > // > // Restore the encryption mask of the intermediate buffer > // > - if (!Enc) { > - Status = MemEncryptSevSetPageEncMask (0, MapInfo->DeviceAddress, > - MapInfo->NumberOfPages, TRUE); > - ASSERT_EFI_ERROR (Status); > - } > + Status = MemEncryptSevSetPageEncMask (0, TempBuffer, MapInfo->NumberOfPages, TRUE); > + ASSERT_EFI_ERROR (Status); > > // > // Free the intermediate buffer > @@ -386,6 +382,12 @@ IoMmuUnmap ( > ASSERT_EFI_ERROR(Status); > > // > + // Zero the shared memory so that hypervisor no longer able to get intelligentable > + // data. > + // > + SetMem ((VOID *) (UINTN)MapInfo->DeviceAddress, MapInfo->NumberOfBytes, 0); Please use ZeroMem(). Furthermore, ZeroMem() should occur just before every FreePages() call: - when Unmap() releases the implicitly allocated bounce buffer - when FreeBuffer() releases the explicitly allocated common buffer (I thought I spelled this out in my previous email(s), but in retrospect it seems I only intended to :/ ) - in the virtio drivers' exit-boot-services callbacks, FreeBuffer() can't be called (only Unmap(), after the virtio reset), so the ZeroMem() should be done manually there. Thanks Laszlo > + > + // > // Free the bounce buffer > // > gBS->FreePages (MapInfo->DeviceAddress, MapInfo->NumberOfPages); >
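
Review bot: in the @@ -67,8 +67,7 @@ hunk of SetBufferAsEncDec(), the range passed to MemEncryptSevClearPageEncMask() changes from MapInfo->DeviceAddress to TempBuffer, and the commit message, which only describes zeroing on Unmap(), does not mention it. Either explain in the message why the intermediate buffer is the right target, or move the SetBufferAsEncDec() changes into their own patch. The replaced call was wrapped over two lines and the new one is a single long line; keep the wrapping consistent with the surrounding code.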
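
Review bot: in the @@ -109,11 +108,8 @@ hunk, dropping the if (!Enc) guard makes MemEncryptSevSetPageEncMask() run on TempBuffer for both values of Enc, while the matching MemEncryptSevClearPageEncMask() call in the first hunk stays under if (!Enc). If the unconditional restore is intended, say so in the comment above it; otherwise keep the guard so that the clear and the restore stay paired.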
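
Review bot: in the IoMmuUnmap() hunk, the added SetMem() clears MapInfo->NumberOfBytes, but the FreePages() call right below it releases MapInfo->NumberOfPages, so the end of the last page is freed without being cleared whenever NumberOfBytes is not a multiple of the page size. Consider clearing EFI_PAGES_TO_SIZE (MapInfo->NumberOfPages) bytes instead. The added comment also needs a wording fix ("intelligentable" should be "intelligible"), and the cast is written (UINTN)MapInfo->DeviceAddress without the space that the second hunk adds to the HostAddress cast.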