Confidential Computing (CoCo) guests encrypt private memory by default.
DAX memory regions allow a guest to bypass its own (private) page cache
and instead use host memory, which is not private to the guest.
Commit 867400af90f1 ("mm/memremap.c: map FS_DAX device memory as
decrypted") only ensures that FS_DAX memory is appropriately marked as
decrypted. As such, also mark device-dax memory as decrypted.
Signed-off-by: Kevin Loughlin <kevinloughlin@google.com>
---
drivers/dax/device.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/dax/device.c b/drivers/dax/device.c
index 2051e4f73c8a..a284442d7ecc 100644
--- a/drivers/dax/device.c
+++ b/drivers/dax/device.c
@@ -11,6 +11,7 @@
#include <linux/fs.h>
#include <linux/mm.h>
#include <linux/mman.h>
+#include <linux/cc_platform.h>
#include "dax-private.h"
#include "bus.h"
@@ -303,6 +304,8 @@ static int dax_mmap(struct file *filp, struct vm_area_struct *vma)
vma->vm_ops = &dax_vm_ops;
vm_flags_set(vma, VM_HUGEPAGE);
+ if (cc_platform_has(CC_ATTR_MEM_ENCRYPT))
+ vma->vm_page_prot = pgprot_decrypted(vma->vm_page_prot);
return 0;
}
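Review bot: The added check before `return 0` in dax_mmap() has no comment explaining why a device-dax mapping must be decrypted, and it tests CC_ATTR_MEM_ENCRYPT although the commit message argues only about CoCo guests. Please add a short comment above the `if` stating that the range is host memory that is not private to the guest, and say in the commit message whether matching every memory-encryption platform rather than guests only is intended. A sentence on how the change was tested would also help, since the hunk alone does not show how to observe the difference.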
--
2.46.0.76.ge559c4bf1a-goog
> Confidential Computing (CoCo) guests encrypt private memory by default.
> DAX memory regions allow a guest to bypass its own (private) page cache
> and instead use host memory, which is not private to the guest.
>
> Commit 867400af90f1 ("mm/memremap.c: map FS_DAX device memory as
> decrypted") only ensures that FS_DAX memory is appropriately marked as
> decrypted. As such, also mark device-dax memory as decrypted.
Overall patch seems OK to me.
How can I test this? Can I test it with virtio-pmem device?
Thanks,
Pankaj
>
> Signed-off-by: Kevin Loughlin <kevinloughlin@google.com>
> ---
> drivers/dax/device.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/dax/device.c b/drivers/dax/device.c
> index 2051e4f73c8a..a284442d7ecc 100644
> --- a/drivers/dax/device.c
> +++ b/drivers/dax/device.c
> @@ -11,6 +11,7 @@
> #include <linux/fs.h>
> #include <linux/mm.h>
> #include <linux/mman.h>
> +#include <linux/cc_platform.h>
> #include "dax-private.h"
> #include "bus.h"
>
> @@ -303,6 +304,8 @@ static int dax_mmap(struct file *filp, struct vm_area_struct *vma)
>
> vma->vm_ops = &dax_vm_ops;
> vm_flags_set(vma, VM_HUGEPAGE);
> + if (cc_platform_has(CC_ATTR_MEM_ENCRYPT))
> + vma->vm_page_prot = pgprot_decrypted(vma->vm_page_prot);
> return 0;
> }
>
> How can I test this? Can I test it with virtio-pmem device?
Correct. Assuming the CoCo guest accesses some virtio-pmem device in
devdax mode, mmapping() this virtio-pmem device's memory region
results in the guest and host reading the same (plaintext) values from
the region.
>
> Thanks,
> Pankaj
> >
> > Signed-off-by: Kevin Loughlin <kevinloughlin@google.com>
> > ---
> > drivers/dax/device.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/drivers/dax/device.c b/drivers/dax/device.c > > index 2051e4f73c8a..a284442d7ecc 100644 > > --- a/drivers/dax/device.c > > +++ b/drivers/dax/device.c > > @@ -11,6 +11,7 @@ > > #include <linux/fs.h> > > #include <linux/mm.h> > > #include <linux/mman.h> > > +#include <linux/cc_platform.h> > > #include "dax-private.h" > > #include "bus.h" > > > > @@ -303,6 +304,8 @@ static int dax_mmap(struct file *filp, struct vm_area_struct *vma) > > > > vma->vm_ops = &dax_vm_ops; > > vm_flags_set(vma, VM_HUGEPAGE); > > + if (cc_platform_has(CC_ATTR_MEM_ENCRYPT)) > > + vma->vm_page_prot = pgprot_decrypted(vma->vm_page_prot); > > return 0; > > } > > >
On 8/26/2024 11:35 PM, Kevin Loughlin wrote:
>> How can I test this? Can I test it with virtio-pmem device?
>
> Correct. Assuming the CoCo guest accesses some virtio-pmem device in
> devdax mode, mmapping() this virtio-pmem device's memory region
> results in the guest and host reading the same (plaintext) values from
> the region.
I tried to test the daxdev with virtio-pmem but getting the below error
(just tried without this patch)
root@ubuntu:/home/amd# ndctl list -N
{
"dev":"namespace0.0",
"mode":"devdax",
"map":"dev",
"size":1054867456,
"uuid":"c8b15ce6-0c8f-4a1a-ada6-b19a90bdf1bb",
"numa_node":0
}
root@ubuntu:cat /dev/zero | daxio --output=/dev/namespace0.0
daxio: neither input or output is device dax
Could you please share the instructions (to test with virtio-pmem or
Qemu). If not, still okay.
Thanks,
Pankaj
Best regards,
Pankaj
On 9/10/2024 3:00 PM, Gupta, Pankaj wrote:
> On 8/26/2024 11:35 PM, Kevin Loughlin wrote:
>>> How can I test this? Can I test it with virtio-pmem device?
>>
>> Correct. Assuming the CoCo guest accesses some virtio-pmem device in
>> devdax mode, mmapping() this virtio-pmem device's memory region
>> results in the guest and host reading the same (plaintext) values from
>> the region.
>
> I tried to test the daxdev with virtio-pmem but getting the below error
> (just tried without this patch)
>
> root@ubuntu:/home/amd# ndctl list -N
> {
> "dev":"namespace0.0",
> "mode":"devdax",
> "map":"dev",
> "size":1054867456,
> "uuid":"c8b15ce6-0c8f-4a1a-ada6-b19a90bdf1bb",
> "numa_node":0
> }
>
> root@ubuntu:cat /dev/zero | daxio --output=/dev/namespace0.0
> daxio: neither input or output is device dax
>
> Could you please share the instructions (to test with virtio-pmem or
> Qemu). If not, still okay.
Ah, by mistake pressed enter early.
Just want to see the behavior on a SEV system with daxdev (maybe above
virtio-pmem or other emulated device) and see how this patch helps.
Best regards,
Pankaj