From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.3 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id F1979C4363D for ; Fri, 25 Sep 2020 16:33:05 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id A1CC6221EC for ; Fri, 25 Sep 2020 16:33:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1601051585; bh=7TU9kWw58pJDNUxAQUELKat8AUx/OZ978xRwb3agCpM=; h=Date:From:To:Cc:Subject:In-Reply-To:References:List-ID:From; b=WBZghznj5iZFR2Ep0vcIhJA4HGy+0OYxUtqm35shZcCkmMlrHr62MQXWYkvx1ZmNq N64iZnnE5dw2vnrHNG0JoQwze4et0kT4mDiFakJMIqhJ82GHetJVy8dttj3W/2Szbi AB7zv1nuxiRtptBdh01bbP3ngBcaGi8plw/0rUfA= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729612AbgIYQdE (ORCPT ); Fri, 25 Sep 2020 12:33:04 -0400 Received: from mail.kernel.org ([198.145.29.99]:33152 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727751AbgIYQdE (ORCPT ); Fri, 25 Sep 2020 12:33:04 -0400 Received: from disco-boy.misterjones.org (disco-boy.misterjones.org [51.254.78.96]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 47BF620738; Fri, 25 Sep 2020 16:33:03 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1601051583; bh=7TU9kWw58pJDNUxAQUELKat8AUx/OZ978xRwb3agCpM=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=Js1A7tFd/oLicRCBqR1juwwr+LzahGXkH9mcYss0ahUwkLD8XI5GX9B1I8D7+jbRe KinG0UfGCDKW9tzCSo++aA8F6dPT6YYt7eKwTKSEPmRf+5RMwtj7cmJ7Z14obKacnw GyuJ+Rm1/1IjepqtXCK1djDtnOxpzEbh5pHJLXRE= Received: from [185.69.144.225] (helo=wait-a-minute.misterjones.org) by disco-boy.misterjones.org with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1kLqeb-00Ev7R-9n; Fri, 25 Sep 2020 17:33:01 +0100 Date: Fri, 25 Sep 2020 17:32:53 +0100 Message-ID: <874knlrf4a.wl-maz@kernel.org> From: Marc Zyngier To: Sean Christopherson Cc: Paolo Bonzini , Vitaly Kuznetsov , Wanpeng Li , Jim Mattson , Joerg Roedel , kvm@vger.kernel.org, linux-kernel@vger.kernel.org, James Morse , Julien Thierry , Suzuki K Poulose , linux-arm-kernel@lists.infradead.org, Huacai Chen , Aleksandar Markovic , linux-mips@vger.kernel.org, Paul Mackerras , kvm-ppc@vger.kernel.org, Christian Borntraeger , Janosch Frank , David Hildenbrand , Cornelia Huck , Claudio Imbrenda Subject: Re: [RFC PATCH 0/3] KVM: Introduce "VM bugged" concept In-Reply-To: <20200923224530.17735-1-sean.j.christopherson@intel.com> References: <20200923224530.17735-1-sean.j.christopherson@intel.com> User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI-EPG/1.14.7 (Harue) FLIM/1.14.9 (=?UTF-8?B?R29qxY0=?=) APEL/10.8 EasyPG/1.0.0 Emacs/26.3 (x86_64-pc-linux-gnu) MULE/6.0 (HANACHIRUSATO) MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue") Content-Type: text/plain; charset=US-ASCII X-SA-Exim-Connect-IP: 185.69.144.225 X-SA-Exim-Rcpt-To: sean.j.christopherson@intel.com, pbonzini@redhat.com, vkuznets@redhat.com, wanpengli@tencent.com, jmattson@google.com, joro@8bytes.org, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, james.morse@arm.com, julien.thierry.kdev@gmail.com, suzuki.poulose@arm.com, linux-arm-kernel@lists.infradead.org, chenhc@lemote.com, aleksandar.qemu.devel@gmail.com, linux-mips@vger.kernel.org, paulus@ozlabs.org, kvm-ppc@vger.kernel.org, borntraeger@de.ibm.com, frankja@linux.ibm.com, david@redhat.com, cohuck@redhat.com, imbrenda@linux.ibm.com X-SA-Exim-Mail-From: maz@kernel.org X-SA-Exim-Scanned: No (on disco-boy.misterjones.org); SAEximRunCond expanded to false Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Sean, On Wed, 23 Sep 2020 23:45:27 +0100, Sean Christopherson wrote: > > This series introduces a concept we've discussed a few times in x86 land. > The crux of the problem is that x86 has a few cases where KVM could > theoretically encounter a software or hardware bug deep in a call stack > without any sane way to propagate the error out to userspace. > > Another use case would be for scenarios where letting the VM live will > do more harm than good, e.g. we've been using KVM_BUG_ON for early TDX > enabling as botching anything related to secure paging all but guarantees > there will be a flood of WARNs and error messages because lower level PTE > operations will fail if an upper level operation failed. > > The basic idea is to WARN_ONCE if a bug is encountered, kick all vCPUs out > to userspace, and mark the VM as bugged so that no ioctls() can be issued > on the VM or its devices/vCPUs. > > RFC as I've done nowhere near enough testing to verify that rejecting the > ioctls(), evicting running vCPUs, etc... works as intended. I'm quite like the idea. However, I wonder whether preventing the vcpus from re-entering the guest is enough. When something goes really wrong, is it safe to allow the userspace process to terminate normally and free the associated memory? And is it still safe to allow new VMs to be started? I can't really imagine a case where such extreme measures would be necessary on arm64, but I thought I'd ask. Thanks, M. -- Without deviation from the norm, progress is not possible. From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id A2013C4363D for ; Fri, 25 Sep 2020 16:34:31 +0000 (UTC) Received: from merlin.infradead.org (merlin.infradead.org [205.233.59.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 3781C221EC for ; Fri, 25 Sep 2020 16:34:31 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="rz62sYNk"; dkim=fail reason="signature verification failed" (1024-bit key) header.d=kernel.org header.i=@kernel.org header.b="Js1A7tFd" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 3781C221EC Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:Subject:To:From: Message-ID:Date:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=Lp8MMak3qk784c3jn6ME+LgO5e5bc3bk5Rgh3TXp35k=; b=rz62sYNkxI8BLTKsxOArznPy3 dQ6eIoIRkKgkFTNnFbE2sTobFCWiUGqJ8efcTDpZ7kArilvPSiAbIie6Y2LSDqVjlMoD4+I8W24sl onTMg2Pb67bPVDdtvJqTtNzfHNBtZGf6Rge3fMuMHdacqZgZje15Duj9VDKSXEprTBmU4mzYxIwk2 8BmwFZ/HqQigAKmq1MCRkCyAzjN49Wwo2A6VTGhto6uzdJ0vuRjAgs6EB2c460uiu4UZKK2rxFu7W LTN58UEAhpGnpPteykkugPhAzfC39Cg5oISqVXit0nf58ZbQGvghhn2jAzfO3gWa5zTxk8YEs8gWH 8094dirNQ==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1kLqeg-0003hu-EU; Fri, 25 Sep 2020 16:33:06 +0000 Received: from mail.kernel.org ([198.145.29.99]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kLqee-0003hS-Eq for linux-arm-kernel@lists.infradead.org; Fri, 25 Sep 2020 16:33:05 +0000 Received: from disco-boy.misterjones.org (disco-boy.misterjones.org [51.254.78.96]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 47BF620738; Fri, 25 Sep 2020 16:33:03 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1601051583; bh=7TU9kWw58pJDNUxAQUELKat8AUx/OZ978xRwb3agCpM=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=Js1A7tFd/oLicRCBqR1juwwr+LzahGXkH9mcYss0ahUwkLD8XI5GX9B1I8D7+jbRe KinG0UfGCDKW9tzCSo++aA8F6dPT6YYt7eKwTKSEPmRf+5RMwtj7cmJ7Z14obKacnw GyuJ+Rm1/1IjepqtXCK1djDtnOxpzEbh5pHJLXRE= Received: from [185.69.144.225] (helo=wait-a-minute.misterjones.org) by disco-boy.misterjones.org with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1kLqeb-00Ev7R-9n; Fri, 25 Sep 2020 17:33:01 +0100 Date: Fri, 25 Sep 2020 17:32:53 +0100 Message-ID: <874knlrf4a.wl-maz@kernel.org> From: Marc Zyngier To: Sean Christopherson Subject: Re: [RFC PATCH 0/3] KVM: Introduce "VM bugged" concept In-Reply-To: <20200923224530.17735-1-sean.j.christopherson@intel.com> References: <20200923224530.17735-1-sean.j.christopherson@intel.com> User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI-EPG/1.14.7 (Harue) FLIM/1.14.9 (=?UTF-8?B?R29qxY0=?=) APEL/10.8 EasyPG/1.0.0 Emacs/26.3 (x86_64-pc-linux-gnu) MULE/6.0 (HANACHIRUSATO) MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue") X-SA-Exim-Connect-IP: 185.69.144.225 X-SA-Exim-Rcpt-To: sean.j.christopherson@intel.com, pbonzini@redhat.com, vkuznets@redhat.com, wanpengli@tencent.com, jmattson@google.com, joro@8bytes.org, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, james.morse@arm.com, julien.thierry.kdev@gmail.com, suzuki.poulose@arm.com, linux-arm-kernel@lists.infradead.org, chenhc@lemote.com, aleksandar.qemu.devel@gmail.com, linux-mips@vger.kernel.org, paulus@ozlabs.org, kvm-ppc@vger.kernel.org, borntraeger@de.ibm.com, frankja@linux.ibm.com, david@redhat.com, cohuck@redhat.com, imbrenda@linux.ibm.com X-SA-Exim-Mail-From: maz@kernel.org X-SA-Exim-Scanned: No (on disco-boy.misterjones.org); SAEximRunCond expanded to false X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20200925_123304_664270_CB471BEA X-CRM114-Status: GOOD ( 20.51 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Cornelia Huck , Wanpeng Li , Janosch Frank , kvm@vger.kernel.org, Suzuki K Poulose , Joerg Roedel , David Hildenbrand , linux-kernel@vger.kernel.org, kvm-ppc@vger.kernel.org, linux-mips@vger.kernel.org, Paul Mackerras , Christian Borntraeger , Aleksandar Markovic , James Morse , linux-arm-kernel@lists.infradead.org, Huacai Chen , Paolo Bonzini , Vitaly Kuznetsov , Claudio Imbrenda , Julien Thierry , Jim Mattson Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org Hi Sean, On Wed, 23 Sep 2020 23:45:27 +0100, Sean Christopherson wrote: > > This series introduces a concept we've discussed a few times in x86 land. > The crux of the problem is that x86 has a few cases where KVM could > theoretically encounter a software or hardware bug deep in a call stack > without any sane way to propagate the error out to userspace. > > Another use case would be for scenarios where letting the VM live will > do more harm than good, e.g. we've been using KVM_BUG_ON for early TDX > enabling as botching anything related to secure paging all but guarantees > there will be a flood of WARNs and error messages because lower level PTE > operations will fail if an upper level operation failed. > > The basic idea is to WARN_ONCE if a bug is encountered, kick all vCPUs out > to userspace, and mark the VM as bugged so that no ioctls() can be issued > on the VM or its devices/vCPUs. > > RFC as I've done nowhere near enough testing to verify that rejecting the > ioctls(), evicting running vCPUs, etc... works as intended. I'm quite like the idea. However, I wonder whether preventing the vcpus from re-entering the guest is enough. When something goes really wrong, is it safe to allow the userspace process to terminate normally and free the associated memory? And is it still safe to allow new VMs to be started? I can't really imagine a case where such extreme measures would be necessary on arm64, but I thought I'd ask. Thanks, M. -- Without deviation from the norm, progress is not possible. _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel From mboxrd@z Thu Jan 1 00:00:00 1970 From: Marc Zyngier Date: Fri, 25 Sep 2020 16:32:53 +0000 Subject: Re: [RFC PATCH 0/3] KVM: Introduce "VM bugged" concept Message-Id: <874knlrf4a.wl-maz@kernel.org> List-Id: References: <20200923224530.17735-1-sean.j.christopherson@intel.com> In-Reply-To: <20200923224530.17735-1-sean.j.christopherson@intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: Sean Christopherson Cc: Paolo Bonzini , Vitaly Kuznetsov , Wanpeng Li , Jim Mattson , Joerg Roedel , kvm@vger.kernel.org, linux-kernel@vger.kernel.org, James Morse , Julien Thierry , Suzuki K Poulose , linux-arm-kernel@lists.infradead.org, Huacai Chen , Aleksandar Markovic , linux-mips@vger.kernel.org, Paul Mackerras , kvm-ppc@vger.kernel.org, Christian Borntraeger , Janosch Frank , David Hildenbrand , Cornelia Huck , Claudio Imbrenda Hi Sean, On Wed, 23 Sep 2020 23:45:27 +0100, Sean Christopherson wrote: > > This series introduces a concept we've discussed a few times in x86 land. > The crux of the problem is that x86 has a few cases where KVM could > theoretically encounter a software or hardware bug deep in a call stack > without any sane way to propagate the error out to userspace. > > Another use case would be for scenarios where letting the VM live will > do more harm than good, e.g. we've been using KVM_BUG_ON for early TDX > enabling as botching anything related to secure paging all but guarantees > there will be a flood of WARNs and error messages because lower level PTE > operations will fail if an upper level operation failed. > > The basic idea is to WARN_ONCE if a bug is encountered, kick all vCPUs out > to userspace, and mark the VM as bugged so that no ioctls() can be issued > on the VM or its devices/vCPUs. > > RFC as I've done nowhere near enough testing to verify that rejecting the > ioctls(), evicting running vCPUs, etc... works as intended. I'm quite like the idea. However, I wonder whether preventing the vcpus from re-entering the guest is enough. When something goes really wrong, is it safe to allow the userspace process to terminate normally and free the associated memory? And is it still safe to allow new VMs to be started? I can't really imagine a case where such extreme measures would be necessary on arm64, but I thought I'd ask. Thanks, M. -- Without deviation from the norm, progress is not possible.