[PATCH] KVM: VMX: Inform user about INTEL_TXT dependency

[PATCH] KVM: VMX: Inform user about INTEL_TXT dependency

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

Without CONFIG_INTEL_TXT, the user must not enable this feature in the
BIOS. Otherwise, KVM will not work. Explain this dependency via a kernel
log message.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 arch/x86/kvm/vmx.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 9367abc..ebafd57 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -1306,8 +1306,13 @@ static __init int vmx_disabled_by_bios(void)
 			&& tboot_enabled())
 			return 1;
 		if (!(msr & FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX)
-			&& !tboot_enabled())
+			&& !tboot_enabled()) {
+#ifndef CONFIG_INTEL_TXT
+			printk(KERN_INFO "kvm: if TXT is enabled in the bios, "
+					 "kvm depends on CONFIG_INTEL_TXT\n");
+#endif
 			return 1;
+		}
 	}
 
 	return 0;
-- 
1.7.1

Re: [PATCH] KVM: VMX: Inform user about INTEL_TXT dependency

[Avi Kivity]

On 11/14/2010 11:18 AM, Jan Kiszka wrote:
> From: Jan Kiszka<jan.kiszka@siemens.com>
>
> Without CONFIG_INTEL_TXT, the user must not enable this feature in the
> BIOS. Otherwise, KVM will not work. Explain this dependency via a kernel
> log message.
>
> Signed-off-by: Jan Kiszka<jan.kiszka@siemens.com>
> ---
>   arch/x86/kvm/vmx.c |    7 ++++++-
>   1 files changed, 6 insertions(+), 1 deletions(-)
>
> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
> index 9367abc..ebafd57 100644
> --- a/arch/x86/kvm/vmx.c
> +++ b/arch/x86/kvm/vmx.c
> @@ -1306,8 +1306,13 @@ static __init int vmx_disabled_by_bios(void)
>   			&&  tboot_enabled())
>   			return 1;
>   		if (!(msr&  FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX)
> -			&&  !tboot_enabled())
> +			&&  !tboot_enabled()) {
> +#ifndef CONFIG_INTEL_TXT
> +			printk(KERN_INFO "kvm: if TXT is enabled in the bios, "
> +					 "kvm depends on CONFIG_INTEL_TXT\n");
> +#endif
>   			return 1;
> +		}
>   	}
>

Maybe reword to an instruction?

Something like

   kvm: TXT enabled in the bios.  Either disable TXT in the bios, or 
enable CONFIG_INTEL_TXT in your kernel.

-- 
error compiling committee.c: too many arguments to function

Re: [PATCH] KVM: VMX: Inform user about INTEL_TXT dependency

[Jan Kiszka]

[-- Attachment #1: Type: text/plain, Size: 1649 bytes --]

Am 14.11.2010 11:30, Avi Kivity wrote:
> On 11/14/2010 11:18 AM, Jan Kiszka wrote:
>> From: Jan Kiszka<jan.kiszka@siemens.com>
>>
>> Without CONFIG_INTEL_TXT, the user must not enable this feature in the
>> BIOS. Otherwise, KVM will not work. Explain this dependency via a kernel
>> log message.
>>
>> Signed-off-by: Jan Kiszka<jan.kiszka@siemens.com>
>> ---
>>   arch/x86/kvm/vmx.c |    7 ++++++-
>>   1 files changed, 6 insertions(+), 1 deletions(-)
>>
>> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
>> index 9367abc..ebafd57 100644
>> --- a/arch/x86/kvm/vmx.c
>> +++ b/arch/x86/kvm/vmx.c
>> @@ -1306,8 +1306,13 @@ static __init int vmx_disabled_by_bios(void)
>>               &&  tboot_enabled())
>>               return 1;
>>           if (!(msr&  FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX)
>> -            &&  !tboot_enabled())
>> +            &&  !tboot_enabled()) {
>> +#ifndef CONFIG_INTEL_TXT
>> +            printk(KERN_INFO "kvm: if TXT is enabled in the bios, "
>> +                     "kvm depends on CONFIG_INTEL_TXT\n");
>> +#endif
>>               return 1;
>> +        }
>>       }
>>
> 
> Maybe reword to an instruction?
> 
> Something like
> 
>   kvm: TXT enabled in the bios.  Either disable TXT in the bios, or
> enable CONFIG_INTEL_TXT in your kernel.
> 

I always get an aching head when thinking about these dependency: Does
FEATURE_CONTROL_LOCKED && !FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX
imply that the BIOS uses TXT? Or could it also mean that it just
disabled VT-x explicitly? As CONFIG_INTEL_TXT is off, we do not know if
tboot_enabled is off as well.

Jan


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 259 bytes --]

Re: [PATCH] KVM: VMX: Inform user about INTEL_TXT dependency

[Avi Kivity]

On 11/14/2010 12:41 PM, Jan Kiszka wrote:
> Am 14.11.2010 11:30, Avi Kivity wrote:
> >  On 11/14/2010 11:18 AM, Jan Kiszka wrote:
> >>  From: Jan Kiszka<jan.kiszka@siemens.com>
> >>
> >>  Without CONFIG_INTEL_TXT, the user must not enable this feature in the
> >>  BIOS. Otherwise, KVM will not work. Explain this dependency via a kernel
> >>  log message.
> >>
> >>  Signed-off-by: Jan Kiszka<jan.kiszka@siemens.com>
> >>  ---
> >>    arch/x86/kvm/vmx.c |    7 ++++++-
> >>    1 files changed, 6 insertions(+), 1 deletions(-)
> >>
> >>  diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
> >>  index 9367abc..ebafd57 100644
> >>  --- a/arch/x86/kvm/vmx.c
> >>  +++ b/arch/x86/kvm/vmx.c
> >>  @@ -1306,8 +1306,13 @@ static __init int vmx_disabled_by_bios(void)
> >>                &&   tboot_enabled())
> >>                return 1;
> >>            if (!(msr&   FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX)
> >>  -&&   !tboot_enabled())
> >>  +&&   !tboot_enabled()) {
> >>  +#ifndef CONFIG_INTEL_TXT
> >>  +            printk(KERN_INFO "kvm: if TXT is enabled in the bios, "
> >>  +                     "kvm depends on CONFIG_INTEL_TXT\n");
> >>  +#endif
> >>                return 1;
> >>  +        }
> >>        }
> >>
> >
> >  Maybe reword to an instruction?
> >
> >  Something like
> >
> >    kvm: TXT enabled in the bios.  Either disable TXT in the bios, or
> >  enable CONFIG_INTEL_TXT in your kernel.
> >
>
> I always get an aching head when thinking about these dependency: Does
> FEATURE_CONTROL_LOCKED&&  !FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX
> imply that the BIOS uses TXT? Or could it also mean that it just
> disabled VT-x explicitly?

Probably the latter, at least that's what we took it to mean before it 
was renamed to that long string.

> As CONFIG_INTEL_TXT is off, we do not know if
> tboot_enabled is off as well.

I guess, if FEATURE_CONTROL_VMXON_ENABLED_INSIDER_SMX_YADA_YADA_YADA is 
set, then the bios wants us to enable TXT.  But if both bits are clear, 
the bios really doesn't want us to play with vmx.  But it would be good 
to get Intel guidance before we pass our confusion on to users.

-- 
error compiling committee.c: too many arguments to function

RE: [PATCH] KVM: VMX: Inform user about INTEL_TXT dependency

[Wang, Shane]

Avi Kivity wrote:
> On 11/14/2010 12:41 PM, Jan Kiszka wrote:
>> Am 14.11.2010 11:30, Avi Kivity wrote:
>>>  On 11/14/2010 11:18 AM, Jan Kiszka wrote:
>>>>  From: Jan Kiszka<jan.kiszka@siemens.com>
>>>> 
>>>>  Without CONFIG_INTEL_TXT, the user must not enable this feature
>>>>  in the BIOS. Otherwise, KVM will not work. Explain this
>>>> dependency via a kernel  log message. 
>>>> 
>>>>  Signed-off-by: Jan Kiszka<jan.kiszka@siemens.com>
>>>>  ---
>>>>    arch/x86/kvm/vmx.c |    7 ++++++-
>>>>    1 files changed, 6 insertions(+), 1 deletions(-)
>>>> 
>>>>  diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
>>>>  index 9367abc..ebafd57 100644
>>>>  --- a/arch/x86/kvm/vmx.c
>>>>  +++ b/arch/x86/kvm/vmx.c
>>>>  @@ -1306,8 +1306,13 @@ static __init int
>>>>                vmx_disabled_by_bios(void) &&   tboot_enabled())
>>>>                return 1;
>>>>            if (!(msr&   FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX)
>>>>  -&&   !tboot_enabled()) +&&   !tboot_enabled()) {
>>>>  +#ifndef CONFIG_INTEL_TXT
>>>>  +            printk(KERN_INFO "kvm: if TXT is enabled in the
>>>>  bios, " +                     "kvm depends on
>>>>                CONFIG_INTEL_TXT\n");  +#endif return 1;
>>>>  +        }
>>>>        }
>>>> 
Why do we need this?
If TXT is enabled in the bios, it doesn't mean TXT is launched but TXT is available.
tboot_enabled() = TXT is launched. And non-CONFIG_INTEL_TXT means tboot_enabled() = 0.
If you enable VT in bios, FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX is set.


>>> 
>>>  Maybe reword to an instruction?
>>> 
>>>  Something like
>>> 
>>>    kvm: TXT enabled in the bios.  Either disable TXT in the bios, or
>>>  enable CONFIG_INTEL_TXT in your kernel.
>>> 
>> 
>> I always get an aching head when thinking about these dependency:
>> Does FEATURE_CONTROL_LOCKED&& 
>> !FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX imply that the BIOS uses
>> TXT?
No

Or could it also mean that it just disabled VT-x explicitly?
> 
> Probably the latter, at least that's what we took it to mean before it
> was renamed to that long string.
Yes, it is.

> 
>> As CONFIG_INTEL_TXT is off, we do not know if
>> tboot_enabled is off as well.
>
CONFIG_INTEL_TXT is off, tboot_enabled() must be off.


 
> I guess, if FEATURE_CONTROL_VMXON_ENABLED_INSIDER_SMX_YADA_YADA_YADA
> is set, then the bios wants us to enable TXT. 
Yes. In most cases if TXT is enabled in the bios, the bit is set, otherwise, it is clear.
FEATURE_CONTROL_VMXON_ENABLED_INSIDER_SMX and FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX can be set at the same time. It doesn't mean bios wants us to enable TXT.
Here we just check the following logic in the spec for feature control MSR:

- Bit 1 enables VMXON in SMX operation. If this bit is clear, execution of
VMXON in SMX operation causes a general-protection exception.
- Bit 2 enables VMXON outside SMX operation. If this bit is clear, execution of
VMXON outside SMX operation causes a general-protection exception.

> But if both bits are
> clear, the bios really doesn't want us to play with vmx.
Yes it is.


> But it
> would be good to get Intel guidance before we pass our confusion on
> to users. 

Thanks.
Shane

Re: [PATCH] KVM: VMX: Inform user about INTEL_TXT dependency

[Jan Kiszka]

Am 16.11.2010 05:48, Wang, Shane wrote:
> Avi Kivity wrote:
>> On 11/14/2010 12:41 PM, Jan Kiszka wrote:
>>> Am 14.11.2010 11:30, Avi Kivity wrote:
>>>>  On 11/14/2010 11:18 AM, Jan Kiszka wrote:
>>>>>  From: Jan Kiszka<jan.kiszka@siemens.com>
>>>>>
>>>>>  Without CONFIG_INTEL_TXT, the user must not enable this feature
>>>>>  in the BIOS. Otherwise, KVM will not work. Explain this
>>>>> dependency via a kernel  log message. 
>>>>>
>>>>>  Signed-off-by: Jan Kiszka<jan.kiszka@siemens.com>
>>>>>  ---
>>>>>    arch/x86/kvm/vmx.c |    7 ++++++-
>>>>>    1 files changed, 6 insertions(+), 1 deletions(-)
>>>>>
>>>>>  diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
>>>>>  index 9367abc..ebafd57 100644
>>>>>  --- a/arch/x86/kvm/vmx.c
>>>>>  +++ b/arch/x86/kvm/vmx.c
>>>>>  @@ -1306,8 +1306,13 @@ static __init int
>>>>>                vmx_disabled_by_bios(void) &&   tboot_enabled())
>>>>>                return 1;
>>>>>            if (!(msr&   FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX)
>>>>>  -&&   !tboot_enabled()) +&&   !tboot_enabled()) {
>>>>>  +#ifndef CONFIG_INTEL_TXT
>>>>>  +            printk(KERN_INFO "kvm: if TXT is enabled in the
>>>>>  bios, " +                     "kvm depends on
>>>>>                CONFIG_INTEL_TXT\n");  +#endif return 1;
>>>>>  +        }
>>>>>        }
>>>>>
> Why do we need this?
> If TXT is enabled in the bios, it doesn't mean TXT is launched but TXT is available.
> tboot_enabled() = TXT is launched. And non-CONFIG_INTEL_TXT means tboot_enabled() = 0.
> If you enable VT in bios, FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX is set.

Probably, this patch is based on my semi-understanding of TXT. What I
observe is that, when I enable TXT in the BIOS of my machine, kvm-intel
does not load and report VT-x being disabled at BIOS level. As my
kernels had CONFIG_INTEL_TXT disabled, I thought that was the reason.

However, it turned out that
A) FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX is _not_ set here when TXT
   is enabled in the BIOS
B) enabling CONFIG_INTEL_TXT does not magically solve the issue, KVM
   still does not work

The latter appears to be related to the fact that I do not actually have
a trust chain from the BIOS over the boot loader to the kernel. So
tboot_addr is not set and tboot_enabled remains off. I guess I need some
trusted grub or so to get this running, maybe even more. Still, I'm
unsure if that will give me VT-x support back again. Can you comment on
the requirements and mechanisms behind that?

In any case, what we should catch is the user mistake of enabling TXT in
the BIOS blindly without actually needing it, disabling VT-x this way.
How to express this?

Jan

-- 
Siemens AG, Corporate Technology, CT T DE IT 1
Corporate Competence Center Embedded Linux

RE: [PATCH] KVM: VMX: Inform user about INTEL_TXT dependency

[Cihula, Joseph]

> From: Jan Kiszka [mailto:jan.kiszka@siemens.com]
> Sent: Tuesday, November 16, 2010 6:23 PM
> 
> Am 16.11.2010 05:48, Wang, Shane wrote:
> > Avi Kivity wrote:
> >> On 11/14/2010 12:41 PM, Jan Kiszka wrote:
> >>> Am 14.11.2010 11:30, Avi Kivity wrote:
> >>>>  On 11/14/2010 11:18 AM, Jan Kiszka wrote:
> >>>>>  From: Jan Kiszka<jan.kiszka@siemens.com>
> >>>>>
> >>>>>  Without CONFIG_INTEL_TXT, the user must not enable this feature
> >>>>>  in the BIOS. Otherwise, KVM will not work. Explain this
> >>>>> dependency via a kernel  log message.
> >>>>>
> >>>>>  Signed-off-by: Jan Kiszka<jan.kiszka@siemens.com>
> >>>>>  ---
> >>>>>    arch/x86/kvm/vmx.c |    7 ++++++-
> >>>>>    1 files changed, 6 insertions(+), 1 deletions(-)
> >>>>>
> >>>>>  diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
> >>>>>  index 9367abc..ebafd57 100644
> >>>>>  --- a/arch/x86/kvm/vmx.c
> >>>>>  +++ b/arch/x86/kvm/vmx.c
> >>>>>  @@ -1306,8 +1306,13 @@ static __init int
> >>>>>                vmx_disabled_by_bios(void) &&   tboot_enabled())
> >>>>>                return 1;
> >>>>>            if (!(msr&   FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX)
> >>>>>  -&&   !tboot_enabled()) +&&   !tboot_enabled()) {
> >>>>>  +#ifndef CONFIG_INTEL_TXT
> >>>>>  +            printk(KERN_INFO "kvm: if TXT is enabled in the
> >>>>>  bios, " +                     "kvm depends on
> >>>>>                CONFIG_INTEL_TXT\n");  +#endif return 1;
> >>>>>  +        }
> >>>>>        }
> >>>>>
> > Why do we need this?
> > If TXT is enabled in the bios, it doesn't mean TXT is launched but TXT is available.
> > tboot_enabled() = TXT is launched. And non-CONFIG_INTEL_TXT means tboot_enabled() = 0.
> > If you enable VT in bios, FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX is set.
> 
> Probably, this patch is based on my semi-understanding of TXT. What I
> observe is that, when I enable TXT in the BIOS of my machine, kvm-intel
> does not load and report VT-x being disabled at BIOS level. As my
> kernels had CONFIG_INTEL_TXT disabled, I thought that was the reason.
> 
> However, it turned out that
> A) FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX is _not_ set here when TXT
>    is enabled in the BIOS
> B) enabling CONFIG_INTEL_TXT does not magically solve the issue, KVM
>    still does not work
> 
> The latter appears to be related to the fact that I do not actually have
> a trust chain from the BIOS over the boot loader to the kernel. So
> tboot_addr is not set and tboot_enabled remains off. I guess I need some
> trusted grub or so to get this running, maybe even more. Still, I'm
> unsure if that will give me VT-x support back again. Can you comment on
> the requirements and mechanisms behind that?

The setting of the FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX when TXT is enabled is up to each OEM.  Intel's original guidance was to clear this flag, to prevent a Blue Pill type of attack on an un-measured OS launch.  Intel has since change our guidance to set this flag even when TXT is enabled, in order to allow for dual boot and late launch uses of TXT along with VT.

> In any case, what we should catch is the user mistake of enabling TXT in
> the BIOS blindly without actually needing it, disabling VT-x this way.
> How to express this?

It is probably worth a warning/guidance message to the user that, if this condition is detected, they should either disable TXT in the BIOS or activate TXT before enabling KVM.

> 
> Jan
> 
> --
> Siemens AG, Corporate Technology, CT T DE IT 1
> Corporate Competence Center Embedded Linux

Re: [PATCH] KVM: VMX: Inform user about INTEL_TXT dependency

[Jan Kiszka]

Am 16.11.2010 14:02, Cihula, Joseph wrote:
>> From: Jan Kiszka [mailto:jan.kiszka@siemens.com]
>> Sent: Tuesday, November 16, 2010 6:23 PM
>>
>> Am 16.11.2010 05:48, Wang, Shane wrote:
>>> Avi Kivity wrote:
>>>> On 11/14/2010 12:41 PM, Jan Kiszka wrote:
>>>>> Am 14.11.2010 11:30, Avi Kivity wrote:
>>>>>>  On 11/14/2010 11:18 AM, Jan Kiszka wrote:
>>>>>>>  From: Jan Kiszka<jan.kiszka@siemens.com>
>>>>>>>
>>>>>>>  Without CONFIG_INTEL_TXT, the user must not enable this feature
>>>>>>>  in the BIOS. Otherwise, KVM will not work. Explain this
>>>>>>> dependency via a kernel  log message.
>>>>>>>
>>>>>>>  Signed-off-by: Jan Kiszka<jan.kiszka@siemens.com>
>>>>>>>  ---
>>>>>>>    arch/x86/kvm/vmx.c |    7 ++++++-
>>>>>>>    1 files changed, 6 insertions(+), 1 deletions(-)
>>>>>>>
>>>>>>>  diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
>>>>>>>  index 9367abc..ebafd57 100644
>>>>>>>  --- a/arch/x86/kvm/vmx.c
>>>>>>>  +++ b/arch/x86/kvm/vmx.c
>>>>>>>  @@ -1306,8 +1306,13 @@ static __init int
>>>>>>>                vmx_disabled_by_bios(void) &&   tboot_enabled())
>>>>>>>                return 1;
>>>>>>>            if (!(msr&   FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX)
>>>>>>>  -&&   !tboot_enabled()) +&&   !tboot_enabled()) {
>>>>>>>  +#ifndef CONFIG_INTEL_TXT
>>>>>>>  +            printk(KERN_INFO "kvm: if TXT is enabled in the
>>>>>>>  bios, " +                     "kvm depends on
>>>>>>>                CONFIG_INTEL_TXT\n");  +#endif return 1;
>>>>>>>  +        }
>>>>>>>        }
>>>>>>>
>>> Why do we need this?
>>> If TXT is enabled in the bios, it doesn't mean TXT is launched but TXT is available.
>>> tboot_enabled() = TXT is launched. And non-CONFIG_INTEL_TXT means tboot_enabled() = 0.
>>> If you enable VT in bios, FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX is set.
>>
>> Probably, this patch is based on my semi-understanding of TXT. What I
>> observe is that, when I enable TXT in the BIOS of my machine, kvm-intel
>> does not load and report VT-x being disabled at BIOS level. As my
>> kernels had CONFIG_INTEL_TXT disabled, I thought that was the reason.
>>
>> However, it turned out that
>> A) FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX is _not_ set here when TXT
>>    is enabled in the BIOS
>> B) enabling CONFIG_INTEL_TXT does not magically solve the issue, KVM
>>    still does not work
>>
>> The latter appears to be related to the fact that I do not actually have
>> a trust chain from the BIOS over the boot loader to the kernel. So
>> tboot_addr is not set and tboot_enabled remains off. I guess I need some
>> trusted grub or so to get this running, maybe even more. Still, I'm
>> unsure if that will give me VT-x support back again. Can you comment on
>> the requirements and mechanisms behind that?
> 
> The setting of the FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX when TXT is enabled is up to each OEM.  Intel's original guidance was to clear this flag, to prevent a Blue Pill type of attack on an un-measured OS launch.  Intel has since change our guidance to set this flag even when TXT is enabled, in order to allow for dual boot and late launch uses of TXT along with VT.
> 
>> In any case, what we should catch is the user mistake of enabling TXT in
>> the BIOS blindly without actually needing it, disabling VT-x this way.
>> How to express this?
> 
> It is probably worth a warning/guidance message to the user that, if this condition is detected, they should either disable TXT in the BIOS or activate TXT before enabling KVM.

So the condition to issue the warning is FEATURE_CONTROL_LOCKED &&
!FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX? Independent of tboot_enabled
or precisely in that branch I targeted, just without CONFIG_INTEL_TXT?

Out of curiosity: Who would enable TXT, and how, so that VT-x becomes
usable again? The trusted boot loader (like tboot)?

Jan

-- 
Siemens AG, Corporate Technology, CT T DE IT 1
Corporate Competence Center Embedded Linux

RE: [PATCH] KVM: VMX: Inform user about INTEL_TXT dependency

[Wang, Shane]

Jan Kiszka wrote:
> Am 16.11.2010 14:02, Cihula, Joseph wrote:
>>> From: Jan Kiszka [mailto:jan.kiszka@siemens.com]
>>> Sent: Tuesday, November 16, 2010 6:23 PM
>>> 
>>> Am 16.11.2010 05:48, Wang, Shane wrote:
>>>> Avi Kivity wrote:
>>>>> On 11/14/2010 12:41 PM, Jan Kiszka wrote:
>>>>>> Am 14.11.2010 11:30, Avi Kivity wrote:
>>>>>>>  On 11/14/2010 11:18 AM, Jan Kiszka wrote:
>>>>>>>>  From: Jan Kiszka<jan.kiszka@siemens.com>
>>>>>>>> 
>>>>>>>>  Without CONFIG_INTEL_TXT, the user must not enable this
>>>>>>>>  feature in the BIOS. Otherwise, KVM will not work. Explain
>>>>>>>> this dependency via a kernel  log message.
>>>>>>>> 
>>>>>>>>  Signed-off-by: Jan Kiszka<jan.kiszka@siemens.com>
>>>>>>>>  ---
>>>>>>>>    arch/x86/kvm/vmx.c |    7 ++++++-
>>>>>>>>    1 files changed, 6 insertions(+), 1 deletions(-)
>>>>>>>> 
>>>>>>>>  diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
>>>>>>>>  index 9367abc..ebafd57 100644
>>>>>>>>  --- a/arch/x86/kvm/vmx.c
>>>>>>>>  +++ b/arch/x86/kvm/vmx.c
>>>>>>>>  @@ -1306,8 +1306,13 @@ static __init int
>>>>>>>>                vmx_disabled_by_bios(void) &&  
>>>>>>>>            tboot_enabled())                return 1; if
>>>>>>>>  (!(msr&   FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX) -&&  
>>>>>>>>  !tboot_enabled()) +&&   !tboot_enabled()) { +#ifndef
>>>>>>>>  CONFIG_INTEL_TXT +            printk(KERN_INFO "kvm: if TXT
>>>>>>>>  is enabled in the bios, " +                     "kvm depends
>>>>>>>>                on CONFIG_INTEL_TXT\n");  +#endif return 1;  + 
>>>>>>>>        } }
>>>>>>>> 
>>>> Why do we need this?
>>>> If TXT is enabled in the bios, it doesn't mean TXT is launched but
>>>> TXT is available. tboot_enabled() = TXT is launched. And
>>>> non-CONFIG_INTEL_TXT means tboot_enabled() = 0. If you enable VT
>>>> in bios, FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX is set. 
>>> 
>>> Probably, this patch is based on my semi-understanding of TXT. What
>>> I observe is that, when I enable TXT in the BIOS of my machine,
>>> kvm-intel does not load and report VT-x being disabled at BIOS
>>> level. As my kernels had CONFIG_INTEL_TXT disabled, I thought that
>>> was the reason. 
>>> 
>>> However, it turned out that
>>> A) FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX is _not_ set here when
>>> TXT    is enabled in the BIOS B) enabling CONFIG_INTEL_TXT does not
>>> magically solve the issue, KVM    still does not work 
>>> 
>>> The latter appears to be related to the fact that I do not actually
>>> have a trust chain from the BIOS over the boot loader to the
>>> kernel. So tboot_addr is not set and tboot_enabled remains off. I
>>> guess I need some trusted grub or so to get this running, maybe
>>> even more. Still, I'm unsure if that will give me VT-x support back
>>> again. Can you comment on the requirements and mechanisms behind
>>> that? 
>> 
>> The setting of the FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX when
>> TXT is enabled is up to each OEM.  Intel's original guidance was to
>> clear this flag, to prevent a Blue Pill type of attack on an
>> un-measured OS launch.  Intel has since change our guidance to set
>> this flag even when TXT is enabled, in order to allow for dual boot
>> and late launch uses of TXT along with VT.     
>> 
>>> In any case, what we should catch is the user mistake of enabling
>>> TXT in the BIOS blindly without actually needing it, disabling VT-x
>>> this way. How to express this?
>> 
>> It is probably worth a warning/guidance message to the user that, if
>> this condition is detected, they should either disable TXT in the
>> BIOS or activate TXT before enabling KVM.  
> 
> So the condition to issue the warning is FEATURE_CONTROL_LOCKED &&
> !FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX? Independent of
> tboot_enabled or precisely in that branch I targeted, just without
> CONFIG_INTEL_TXT? 
For me, I prefer the branch you targeted. e.g., to add one more condition (if ENABLED_INSIDE_SMX) to check in the previous if-clause
                if (!(msr & FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX)
                        && !tboot_enabled())
                        return 1;

> 
> Out of curiosity: Who would enable TXT, and how, so that VT-x becomes
> usable again? The trusted boot loader (like tboot)?
Yes, tboot. Please download tboot.gz and the corresponding SINIT for your platform from tboot.sourceforge.net.
And modify your grub menu like

title Linux with tboot
kernel tboot.gz ...
module vmlinuz ...
module initrd.img ...
module sinit.bin

> 
> Jan

Shane

Re: [PATCH]KVM: VMX: Inform user about INTEL_TXT dependency

[Marcelo Tosatti]

On Wed, Nov 17, 2010 at 11:40:17AM +0800, Shane Wang wrote:
> Inform user to either disable TXT in the BIOS or do TXT launch with tboot before enabling KVM since some BIOSes do not set FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX bit when TXT is enabled.
> 
> Signed-off-by: Shane Wang <shane.wang@intel.com>
> ---
>  arch/x86/kvm/vmx.c |    5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)

Applied, thanks.

RE: [PATCH]KVM: VMX: Inform user about INTEL_TXT dependency

[Wang, Shane]

After discussing with Joe, we gave it up (i.e. not depend on enabled-inside-smx;)

Thanks.
Shane

-----Original Message-----
From: Jan Kiszka [mailto:jan.kiszka@siemens.com] 
Sent: 2010年11月17日 15:56
To: Wang, Shane
Cc: avi@redhat.com; mtosatti@redhat.com; kvm@vger.kernel.org; Cihula, Joseph
Subject: Re: [PATCH]KVM: VMX: Inform user about INTEL_TXT dependency

Am 17.11.2010 04:40, Shane Wang wrote:
> Inform user to either disable TXT in the BIOS or do TXT launch with tboot before enabling KVM since some BIOSes do not set FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX bit when TXT is enabled.
> 
> Signed-off-by: Shane Wang <shane.wang@intel.com>
> ---
>  arch/x86/kvm/vmx.c |    5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff -r b1a2deff4c64 arch/x86/kvm/vmx.c
> --- a/arch/x86/kvm/vmx.c	Wed Nov 17 12:47:42 2010 -0500
> +++ b/arch/x86/kvm/vmx.c	Wed Nov 17 12:49:52 2010 -0500
> @@ -1306,8 +1306,11 @@
>  			&& tboot_enabled())
>  			return 1;
>  		if (!(msr & FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX)
> -			&& !tboot_enabled())
> +			&& !tboot_enabled()) {
> +			printk(KERN_WARNING "kvm: disable TXT in the BIOS or "
> +				" activate TXT before enabling KVM\n");

Thought you wanted to let this message depend on ENABLED_INSIDE_SMX?
However, if it's OK for you, I'm fine with it as well.

Thanks!
Jan

>  			return 1;
> +		}
>  	}
>  
>  	return 0;

-- 
Siemens AG, Corporate Technology, CT T DE IT 1
Corporate Competence Center Embedded Linux

Re: [PATCH]KVM: VMX: Inform user about INTEL_TXT dependency

[Jan Kiszka]

Am 17.11.2010 04:40, Shane Wang wrote:
> Inform user to either disable TXT in the BIOS or do TXT launch with tboot before enabling KVM since some BIOSes do not set FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX bit when TXT is enabled.
> 
> Signed-off-by: Shane Wang <shane.wang@intel.com>
> ---
>  arch/x86/kvm/vmx.c |    5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff -r b1a2deff4c64 arch/x86/kvm/vmx.c
> --- a/arch/x86/kvm/vmx.c	Wed Nov 17 12:47:42 2010 -0500
> +++ b/arch/x86/kvm/vmx.c	Wed Nov 17 12:49:52 2010 -0500
> @@ -1306,8 +1306,11 @@
>  			&& tboot_enabled())
>  			return 1;
>  		if (!(msr & FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX)
> -			&& !tboot_enabled())
> +			&& !tboot_enabled()) {
> +			printk(KERN_WARNING "kvm: disable TXT in the BIOS or "
> +				" activate TXT before enabling KVM\n");

Thought you wanted to let this message depend on ENABLED_INSIDE_SMX?
However, if it's OK for you, I'm fine with it as well.

Thanks!
Jan

>  			return 1;
> +		}
>  	}
>  
>  	return 0;

-- 
Siemens AG, Corporate Technology, CT T DE IT 1
Corporate Competence Center Embedded Linux

[PATCH]KVM: VMX: Inform user about INTEL_TXT dependency

[Shane Wang]

Inform user to either disable TXT in the BIOS or do TXT launch with tboot before enabling KVM since some BIOSes do not set FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX bit when TXT is enabled.

Signed-off-by: Shane Wang <shane.wang@intel.com>
---
 arch/x86/kvm/vmx.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff -r b1a2deff4c64 arch/x86/kvm/vmx.c
--- a/arch/x86/kvm/vmx.c	Wed Nov 17 12:47:42 2010 -0500
+++ b/arch/x86/kvm/vmx.c	Wed Nov 17 12:49:52 2010 -0500
@@ -1306,8 +1306,11 @@
 			&& tboot_enabled())
 			return 1;
 		if (!(msr & FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX)
-			&& !tboot_enabled())
+			&& !tboot_enabled()) {
+			printk(KERN_WARNING "kvm: disable TXT in the BIOS or "
+				" activate TXT before enabling KVM\n");
 			return 1;
+		}
 	}
 
 	return 0;