[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH v2 47/58] i386/tdx: Wire REPORT_FATAL_ERROR with GuestPanic f
|
From: |
Daniel P . Berrangé |
|
Subject: |
Re: [PATCH v2 47/58] i386/tdx: Wire REPORT_FATAL_ERROR with GuestPanic facility |
|
Date: |
Tue, 29 Aug 2023 11:28:09 +0100 |
|
User-agent: |
Mutt/2.2.9 (2022-11-12) |
On Mon, Aug 28, 2023 at 09:14:41PM +0800, Xiaoyao Li wrote:
> On 8/21/2023 5:58 PM, Daniel P. Berrangé wrote:
> > On Fri, Aug 18, 2023 at 05:50:30AM -0400, Xiaoyao Li wrote:
> > > Originated-from: Isaku Yamahata <isaku.yamahata@intel.com>
> > > Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
> > > ---
> > > qapi/run-state.json | 17 +++++++++++++--
> > > softmmu/runstate.c | 49 +++++++++++++++++++++++++++++++++++++++++++
> > > target/i386/kvm/tdx.c | 24 ++++++++++++++++++++-
> > > 3 files changed, 87 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/qapi/run-state.json b/qapi/run-state.json
> > > index f216ba54ec4c..506bbe31541f 100644
> > > --- a/qapi/run-state.json
> > > +++ b/qapi/run-state.json
> > > @@ -499,7 +499,7 @@
> > > # Since: 2.9
> > > ##
> > > { 'enum': 'GuestPanicInformationType',
> > > - 'data': [ 'hyper-v', 's390' ] }
> > > + 'data': [ 'hyper-v', 's390', 'tdx' ] }
>
> > > +#
> > > +# Since: 8.2
> > > +##
> > > +{'struct': 'GuestPanicInformationTdx',
> > > + 'data': {'error-code': 'uint64',
> > > + 'gpa': 'uint64',
> > > + 'message': 'str'}}
> > > +
> > > ##
> > > # @MEMORY_FAILURE:
> > > #
> > > diff --git a/softmmu/runstate.c b/softmmu/runstate.c
> > > index f3bd86281813..cab11484ed7e 100644
> > > --- a/softmmu/runstate.c
> > > +++ b/softmmu/runstate.c
> > > @@ -518,7 +518,56 @@ void
> > > qemu_system_guest_panicked(GuestPanicInformation *info)
> > > S390CrashReason_str(info->u.s390.reason),
> > > info->u.s390.psw_mask,
> > > info->u.s390.psw_addr);
> > > + } else if (info->type == GUEST_PANIC_INFORMATION_TYPE_TDX) {
> > > + char *buf = NULL;
> > > + bool printable = false;
> > > +
> > > + /*
> > > + * Although message is defined as a json string, we shouldn't
> > > + * unconditionally treat it as is because the guest
> > > generated it and
> > > + * it's not necessarily trustable.
> > > + */
> > > + if (info->u.tdx.message) {
> > > + /* The caller guarantees the NUL-terminated string. */
> > > + int len = strlen(info->u.tdx.message);
> > > + int i;
> > > +
> > > + printable = len > 0;
> > > + for (i = 0; i < len; i++) {
> > > + if (!(0x20 <= info->u.tdx.message[i] &&
> > > + info->u.tdx.message[i] <= 0x7e)) {
> > > + printable = false;
> > > + break;
> > > + }
> > > + }
> > > +
> > > + /* 3 = length of "%02x " */
> > > + buf = g_malloc(len * 3);
> > > + for (i = 0; i < len; i++) {
> > > + if (info->u.tdx.message[i] == '\0') {
> > > + break;
> > > + } else {
> > > + sprintf(buf + 3 * i, "%02x ",
> > > info->u.tdx.message[i]);
> > > + }
> > > + }
> > > + if (i > 0)
> > > + /* replace the last ' '(space) to NUL */
> > > + buf[i * 3 - 1] = '\0';
> > > + else
> > > + buf[0] = '\0';
> >
> > You're building this escaped buffer but...
> >
> > > + }
> > > +
> > > + qemu_log_mask(LOG_GUEST_ERROR,
> > > + //" TDX report fatal error:\"%s\" %s",
> > > + " TDX report fatal error:\"%s\""
> > > + "error: 0x%016" PRIx64 " gpa page: 0x%016"
> > > PRIx64 "\n",
> > > + printable ? info->u.tdx.message : "",
> > > + //buf ? buf : "",
> >
> > ...then not actually using it
> >
> > Either delete the 'buf' code, or use it.
>
> Sorry for posting some internal testing version.
> Does below look good to you?
>
> @@ -518,7 +518,56 @@ void qemu_system_guest_panicked(GuestPanicInformation
> *info)
> S390CrashReason_str(info->u.s390.reason),
> info->u.s390.psw_mask,
> info->u.s390.psw_addr);
> + } else if (info->type == GUEST_PANIC_INFORMATION_TYPE_TDX) {
> + bool printable = false;
> + char *buf = NULL;
> + int len = 0, i;
> +
> + /*
> + * Although message is defined as a json string, we shouldn't
> + * unconditionally treat it as is because the guest generated
> it and
> + * it's not necessarily trustable.
> + */
> + if (info->u.tdx.message) {
> + /* The caller guarantees the NUL-terminated string. */
> + len = strlen(info->u.tdx.message);
> +
> + printable = len > 0;
> + for (i = 0; i < len; i++) {
> + if (!(0x20 <= info->u.tdx.message[i] &&
> + info->u.tdx.message[i] <= 0x7e)) {
> + printable = false;
> + break;
> + }
> + }
> + }
> +
> + if (!printable && len) {
> + /* 3 = length of "%02x " */
> + buf = g_malloc(len * 3);
> + for (i = 0; i < len; i++) {
> + if (info->u.tdx.message[i] == '\0') {
> + break;
> + } else {
> + sprintf(buf + 3 * i, "%02x ",
> info->u.tdx.message[i]);
> + }
> + }
> + if (i > 0)
> + /* replace the last ' '(space) to NUL */
> + buf[i * 3 - 1] = '\0';
> + else
> + buf[0] = '\0';
> + }
> +
> + qemu_log_mask(LOG_GUEST_ERROR,
> + " TDX guest reports fatal error:\"%s\""
> + " error code: 0x%016" PRIx64 " gpa page: 0x%016"
> PRIx64 "\n",
> + printable ? info->u.tdx.message : buf,
> + info->u.tdx.error_code,
> + info->u.tdx.gpa);
> + g_free(buf);
> }
Ok that makes more sense now. BTW, probably a nice idea to create a
separate helper method that santizes the guest provided JSON into
the safe 'buf' string.
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
[PATCH v2 39/58] i386/tdx: Finalize TDX VM, Xiaoyao Li, 2023/08/18
[PATCH v2 46/58] i386/tdx: Handle TDG.VP.VMCALL<REPORT_FATAL_ERROR>, Xiaoyao Li, 2023/08/18
[PATCH v2 49/58] i386/tdx: Disable PIC for TDX VMs, Xiaoyao Li, 2023/08/18
[PATCH v2 41/58] i386/tdx: handle TDG.VP.VMCALL<GetQuote>, Xiaoyao Li, 2023/08/18