Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
x86/coco: Add cc_decrypted_alloc/free() interfaces
Confidential computing platforms, such as AMD SEV and Intel TDX, protect memory from VMM access. Any memory that is required for communication with the VMM must be explicitly shared. It involves adjusting page table entries to indicate that the memory is shared and notifies VMM about the change. set_memory_decrypted() converts memory to shared. Before freeing memory it has to be converted back with set_memory_encrypted(). The interface works fine for long-term allocations, but for frequent short-lived allocations it causes problems. Conversion takes time and direct mapping modification leads to its fracturing and performance degradation over time. Direct mapping modifications can be avoided by creating a vmap that maps allocated pages as shared while direct mapping is untouched. But having private mapping of a shared memory causes problems too. Any access of such memory via private mapping in TDX guest would trigger unrecoverable SEPT violation and termination of the virtual machine. It is known that load_unaligned_zeropad() can issue such unwanted loads across page boundaries that can trigger the issue. It can also be fixed by allocating a guard page in front of any memory that has to be converted to shared, so load_unaligned_zeropad() will roll off to the guard page instead. But it is wasteful and does not address cost of the memory conversion. The next logical step is to introduce a pool of shared memory that can share a single guard page and makes conversion less frequent. Fortunately, the kernel already has such a pool of memory: SWIOTLB buffer is used by the DMA API to allocate memory for I/O. The buffer is allocated once during the boot, so direct mapping fracturing is not an issue and no need for vmap tricks. Tapping into the SWIOTLB pool requires a device structure and using DMA API. Provide a couple of simple helpers to allocate and free shared memory that hide required plumbing. Signed-off-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
- Loading branch information