From: Zeng Guang <guang.zeng@intel.com>
To: Binbin Wu <binbin.wu@linux.intel.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>, "Christopherson,,
Sean" <seanjc@google.com>, Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
H Peter Anvin <hpa@zytor.com>, Borislav Petkov <bp@alien8.de>,
"kvm@vger.kernel.org" <kvm@vger.kernel.org>,
"x86@kernel.org" <x86@kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v1 0/6] LASS KVM virtualization support
Date: Tue, 6 Jun 2023 10:40:39 +0800 [thread overview]
Message-ID: <1d39cbcc-dae9-d976-b18b-f673cf0f1932@intel.com> (raw)
In-Reply-To: <08cf5a8a-7937-c033-06e7-85fe42758eaa@linux.intel.com>
On 6/5/2023 9:39 AM, Binbin Wu wrote:
>
> On 6/1/2023 10:23 PM, Zeng Guang wrote:
>> Subject:
>> [PATCH v1 0/6] LASS KVM virtualization support
>> From:
>> Zeng Guang <guang.zeng@intel.com>
>> Date:
>> 6/1/2023, 10:23 PM
>>
>> To:
>> Paolo Bonzini <pbonzini@redhat.com>, Sean Christopherson
>> <seanjc@google.com>, Thomas Gleixner <tglx@linutronix.de>, Ingo Molnar
>> <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>, Dave Hansen
>> <dave.hansen@linux.intel.com>, H Peter Anvin <hpa@zytor.com>,
>> kvm@vger.kernel.org
>> CC:
>> x86@kernel.org, linux-kernel@vger.kernel.org, Zeng Guang
>> <guang.zeng@intel.com>
>>
>>
>> Linear Address Space Separation (LASS)[1] is an independent mechanism
>> that enforces the mode-based protections on any access to a linear
>> address.
>>
>> Based on a linear-address organization, the 64-bit canonical linear
>> address space is partitioned into two halves: all linear addresses
>> whose most significant bit is 0 are user space addresses, while linear
>> addresses whose most significant bit is 1 are supervisor space address.
>>
>> LASS aims to prevent any attempt to probe supervisor space addresses by
>> user mode, and likewise stop any attempt to access (if SMAP enabled) or
>> execute user space addresses from supervisor mode.
>>
>> When platform has LASS capability, KVM requires to expose this feature
>> to guest VM enumerated by CPUID.(EAX=07H.ECX=1):EAX.LASS[bit 6], and
>> allow guest to enable it via CR4.LASS[bit 27] on demand. For instruction
>> executed in the guest directly, hardware will perform the check. But KVM
>> also needs to behave same as hardware to apply LASS to kinds of guest
>> memory accesses when emulating privileged instructions by software.
> Not just privileged instructions, e.g. MMIO access instructions.
OK. I'll revise it.
>> KVM will take following LASS voilations check on emulation path.
> /s/voilations/violations
Thanks.
>> User-mode access to supervisor space address:
>> LA[bit 63] && (CPL == 3)
>> Supervisor-mode access to user space address:
>> Instruction fetch: !LA[bit 63] && (CPL < 3)
>> Data access: !LA[bit 63] && (CR4.SMAP==1) && ((RFLAGS.AC == 0 &&
>> CPL < 3) || Implicit supervisor access)
>>
>> This patch series provide a LASS KVM solution.
>>
>> We tested the basic function of LASS virtualization including LASS
>> enumeration and enabling in non-root and nested environment. As KVM
>> unittest framework is not compatible to LASS rule, we use kernel module
>> and application test to emulate LASS violation instead. With KVM forced
>> emulation mechanism, we also verified the LASS functionality on some
>> emulation path with instruction fetch and data access to have same
>> behavior as hardware.
>>
>> [1] Intel ISEhttps://cdrdv2.intel.com/v1/dl/getContent/671368
>> Chapter Linear Address Space Separation (LASS)
>>
>> ------------------------------------------------------
>>
>> v0->v1
>> 1. Adapt to new __linearize() API
>> 2. Function refactor of vmx_check_lass()
>> 3. Refine commit message to be more precise
>> 4. Drop LASS kvm cap detection depending
>> on hardware capability
>>
>>
>> Binbin Wu (1):
>> KVM: x86: Consolidate flags for __linearize()
>>
>> Zeng Guang (5):
>> KVM: x86: Virtualize CR4.LASS
>> KVM: VMX: Add new ops in kvm_x86_ops for LASS violation check
>> KVM: x86: Add emulator helper for LASS violation check
>> KVM: x86: LASS protection on KVM emulation
>> KVM: x86: Advertise LASS CPUID to user space
>>
>> arch/x86/include/asm/kvm-x86-ops.h | 3 +-
>> arch/x86/include/asm/kvm_host.h | 4 ++-
>> arch/x86/kvm/cpuid.c | 5 ++-
>> arch/x86/kvm/emulate.c | 47 +++++++++++++++++++++++-----
>> arch/x86/kvm/kvm_emulate.h | 6 ++++
>> arch/x86/kvm/vmx/nested.c | 3 ++
>> arch/x86/kvm/vmx/sgx.c | 4 +++
>> arch/x86/kvm/vmx/vmx.c | 50 ++++++++++++++++++++++++++++++
>> arch/x86/kvm/vmx/vmx.h | 2 ++
>> arch/x86/kvm/x86.c | 12 +++++++
>> arch/x86/kvm/x86.h | 2 ++
>> 11 files changed, 126 insertions(+), 12 deletions(-)
>>
>> -- 2.27.0
next prev parent reply other threads:[~2023-06-06 2:41 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-01 14:23 [PATCH v1 0/6] LASS KVM virtualization support Zeng Guang
2023-06-01 14:23 ` [PATCH v1 1/6] KVM: x86: Consolidate flags for __linearize() Zeng Guang
2023-06-27 17:40 ` Sean Christopherson
2023-06-28 5:13 ` Binbin Wu
2023-06-28 7:27 ` Zeng Guang
2023-06-01 14:23 ` [PATCH v1 2/6] KVM: x86: Virtualize CR4.LASS Zeng Guang
2023-06-05 1:57 ` Binbin Wu
2023-06-06 2:57 ` Zeng Guang
2023-06-27 17:43 ` Sean Christopherson
2023-06-28 8:19 ` Zeng Guang
2023-08-16 22:16 ` Sean Christopherson
2023-06-01 14:23 ` [PATCH v1 3/6] KVM: VMX: Add new ops in kvm_x86_ops for LASS violation check Zeng Guang
2023-06-05 3:31 ` Binbin Wu
2023-06-05 12:53 ` Zhi Wang
2023-06-06 2:57 ` Binbin Wu
2023-06-06 3:53 ` Zhi Wang
2023-06-07 6:28 ` Zeng Guang
2023-06-05 3:47 ` Chao Gao
2023-06-06 6:22 ` Zeng Guang
2023-06-05 14:07 ` Yuan Yao
2023-06-06 3:08 ` Zeng Guang
2023-06-27 18:26 ` Sean Christopherson
2023-06-27 22:45 ` Sean Christopherson
2023-06-30 18:50 ` Zeng Guang
2023-06-01 14:23 ` [PATCH v1 4/6] KVM: x86: Add emulator helper " Zeng Guang
2023-06-27 18:28 ` Sean Christopherson
2023-06-29 15:06 ` Zeng Guang
2023-06-01 14:23 ` [PATCH v1 5/6] KVM: x86: LASS protection on KVM emulation Zeng Guang
2023-06-06 4:20 ` Binbin Wu
2023-06-01 14:23 ` [PATCH v1 6/6] KVM: x86: Advertise LASS CPUID to user space Zeng Guang
2023-06-02 0:35 ` [PATCH v1 0/6] LASS KVM virtualization support Sean Christopherson
2023-06-06 2:22 ` Zeng Guang
2023-06-05 1:39 ` Binbin Wu
2023-06-06 2:40 ` Zeng Guang [this message]
2023-06-27 17:08 ` Sean Christopherson
2023-06-28 8:42 ` Zeng Guang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1d39cbcc-dae9-d976-b18b-f673cf0f1932@intel.com \
--to=guang.zeng@intel.com \
--cc=binbin.wu@linux.intel.com \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=hpa@zytor.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=pbonzini@redhat.com \
--cc=seanjc@google.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.