From: Ankur Arora <ankur.a.arora@oracle.com>
To: Vitaly Kuznetsov <vkuznets@redhat.com>
Cc: x86@kernel.org, Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
Sean Christopherson <sean.j.christopherson@intel.com>,
Jim Mattson <jmattson@google.com>,
Liran Alon <liran.alon@oracle.com>,
linux-kernel@vger.kernel.org, "H. Peter Anvin" <hpa@zytor.com>,
"Peter Zijlstra (Intel)" <peterz@infradead.org>,
Paolo Bonzini <pbonzini@redhat.com>,
kvm@vger.kernel.org
Subject: Re: [PATCH RFC] KVM: x86: tell guests if the exposed SMT topology is trustworthy
Date: Fri, 6 Dec 2019 12:31:56 -0800 [thread overview]
Message-ID: <2e16b707-f020-22a3-a618-4960db917dfa@oracle.com> (raw)
In-Reply-To: <87wob9d0t3.fsf@vitty.brq.redhat.com>
On 12/6/19 5:46 AM, Vitaly Kuznetsov wrote:
> Ankur Arora <ankur.a.arora@oracle.com> writes:
>
>> On 2019-11-05 3:56 p.m., Paolo Bonzini wrote:
>>> On 05/11/19 17:17, Vitaly Kuznetsov wrote:
>>>> There is also one additional piece of the information missing. A VM can be
>>>> sharing physical cores with other VMs (or other userspace tasks on the
>>>> host) so does KVM_FEATURE_TRUSTWORTHY_SMT imply that it's not the case or
>>>> not? It is unclear if this changes anything and can probably be left out
>>>> of scope (just don't do that).
>>>>
>>>> Similar to the already existent 'NoNonArchitecturalCoreSharing' Hyper-V
>>>> enlightenment, the default value of KVM_HINTS_TRUSTWORTHY_SMT is set to
>>>> !cpu_smt_possible(). KVM userspace is thus supposed to pass it to guest's
>>>> CPUIDs in case it is '1' (meaning no SMT on the host at all) or do some
>>>> extra work (like CPU pinning and exposing the correct topology) before
>>>> passing '1' to the guest.
>>>>
>>>> Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
>>>> ---
>>>> Documentation/virt/kvm/cpuid.rst | 27 +++++++++++++++++++--------
>>>> arch/x86/include/uapi/asm/kvm_para.h | 2 ++
>>>> arch/x86/kvm/cpuid.c | 7 ++++++-
>>>> 3 files changed, 27 insertions(+), 9 deletions(-)
>>>>
>>>> diff --git a/Documentation/virt/kvm/cpuid.rst b/Documentation/virt/kvm/cpuid.rst
>>>> index 01b081f6e7ea..64b94103fc90 100644
>>>> --- a/Documentation/virt/kvm/cpuid.rst
>>>> +++ b/Documentation/virt/kvm/cpuid.rst
>>>> @@ -86,6 +86,10 @@ KVM_FEATURE_PV_SCHED_YIELD 13 guest checks this feature bit
>>>> before using paravirtualized
>>>> sched yield.
>>>>
>>>> +KVM_FEATURE_TRUSTWORTHY_SMT 14 set when host supports 'SMT
>>>> + topology is trustworthy' hint
>>>> + (KVM_HINTS_TRUSTWORTHY_SMT).
>>>> +
>>>
>>> Instead of defining a one-off bit, can we make:
>>>
>>> ecx = the set of known "hints" (defaults to edx if zero)
>>>
>>> edx = the set of hints that apply to the virtual machine
>>>
>> Just to resurrect this thread, the guest could explicitly ACK
>> a KVM_FEATURE_DYNAMIC_HINT at init. This would allow the host
>> to change the hints whenever with the guest not needing to separately
>> ACK the changed hints.
>
> (I apologize for dropping the ball on this, I'm intended to do RFCv2 in
> a nearby future)
>
> Regarding this particular hint (let's call it 'no nonarchitectural
> coresharing' for now) I don't see much value in communicating change to
> guest when it happens. Imagine our host for some reason is not able to
> guarantee that anymore e.g. we've migrated to a host with less pCPUs
> and/or special restrictions and have to start sharing. What we, as a
> guest, are supposed to do when we receive a notification? "You're now
> insecure, deal with it!" :-) Equally, I don't see much value in
> pre-acking such change. "I'm fine with becoming insecure at some point".
True, for that use-case pre-ACK seems like exactly the thing you would
not want.
I do see some value in the guest receiving the notification though.
Maybe it could print a big fat printk or something :). Or, it could
change to a different security-policy-that-I-just-made-up.
> If we, however, discuss other hints such 'pre-ACK' mechanism may make
> sense, however, I'd make it an option to a 'challenge/response'
> protocol: if host wants to change a hint it notifies the guest and waits
> for an ACK from it (e.g. a pair of MSRs + an interrupt). I, however,
My main reason for this 'pre-ACK' approach is some discomfort with
changing the CPUID edx from under the guest.
The MSR+interrupt approach would work as well but then we have the
same set of hints spread across CPUID and the MSR. What do you think
is the right handling for a guest that refuses to ACK the MSR?
> have no good candidate from the existing hints which would require guest
> to ACK (e.g revoking PV EOI would probably do but why would we do that?)
> As I said before, challenge/response protocol is needed if we'd like to
> make TSC frequency change the way Hyper-V does it (required for updating
> guest TSC pages in nested case) but this is less and less important with
> the appearance of TSC scaling. I'm still not sure if this is an
> over-engineering or not. We can wait for the first good candidate to
> decide.
As we've discussed offlist, the particular hint I'm interested in is
KVM_HINT_REALTIME. That's not a particularly good candidate though
because there's no correctness problem if the host does switch it
off suddenly.
Ankur
next prev parent reply other threads:[~2019-12-06 20:31 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-05 16:17 [PATCH RFC] KVM: x86: tell guests if the exposed SMT topology is trustworthy Vitaly Kuznetsov
2019-11-05 17:17 ` Liran Alon
2019-11-05 17:30 ` Liran Alon
2019-11-05 17:35 ` Jim Mattson
2019-11-05 19:37 ` Sean Christopherson
2019-11-05 23:25 ` Sean Christopherson
2019-11-07 10:38 ` Vitaly Kuznetsov
[not found] ` <943488A8-2DD7-4471-B3C7-9F21A0B0BCF9@dinechin.org>
2019-11-07 15:02 ` Liran Alon
2019-11-08 15:35 ` Christophe de Dinechin
2019-11-08 15:52 ` Liran Alon
2019-11-05 20:02 ` Peter Zijlstra
2019-11-05 23:25 ` Sean Christopherson
2019-11-06 8:32 ` Peter Zijlstra
2019-11-20 10:13 ` Wanpeng Li
2019-11-05 23:51 ` Paolo Bonzini
2019-11-06 8:32 ` Peter Zijlstra
2019-11-06 9:41 ` Paolo Bonzini
2019-11-05 23:56 ` Paolo Bonzini
2019-12-06 4:01 ` Ankur Arora
2019-12-06 13:46 ` Vitaly Kuznetsov
2019-12-06 20:31 ` Ankur Arora [this message]
2019-12-09 9:15 ` Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2e16b707-f020-22a3-a618-4960db917dfa@oracle.com \
--to=ankur.a.arora@oracle.com \
--cc=bp@alien8.de \
--cc=hpa@zytor.com \
--cc=jmattson@google.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=liran.alon@oracle.com \
--cc=mingo@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peterz@infradead.org \
--cc=sean.j.christopherson@intel.com \
--cc=tglx@linutronix.de \
--cc=vkuznets@redhat.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).