From: Sean Christopherson <seanjc@google.com>
To: Yang Weijiang <weijiang.yang@intel.com>
Cc: pbonzini@redhat.com, peterz@infradead.org, john.allen@amd.com,
kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
rick.p.edgecombe@intel.com, chao.gao@intel.com,
binbin.wu@linux.intel.com,
Zhang Yi Z <yi.z.zhang@linux.intel.com>
Subject: Re: [PATCH v5 04/19] KVM:x86: Refresh CPUID on write to guest MSR_IA32_XSS
Date: Fri, 4 Aug 2023 11:27:04 -0700 [thread overview]
Message-ID: <ZM1C+ILRMCfzJxx7@google.com> (raw)
In-Reply-To: <20230803042732.88515-5-weijiang.yang@intel.com>
On Thu, Aug 03, 2023, Yang Weijiang wrote:
> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> index 0b9033551d8c..5d6d6fa33e5b 100644
> --- a/arch/x86/kvm/x86.c
> +++ b/arch/x86/kvm/x86.c
> @@ -3780,10 +3780,12 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
> * IA32_XSS[bit 8]. Guests have to use RDMSR/WRMSR rather than
> * XSAVES/XRSTORS to save/restore PT MSRs.
> */
> - if (data & ~kvm_caps.supported_xss)
> + if (data & ~vcpu->arch.guest_supported_xss)
Hmm, this is arguably wrong for userspace-initiated writes, as it would prevent
userspace from restoring MSRs before CPUID.
And it would make the handling of MSR_IA32_XSS writes inconsistent just within
this case statement. The initial "can this MSR be written at all" check would
*not* honor guest CPUID for host writes, but then the per-bit check *would* honor
guest CPUID for host writes.
But if we exempt host writes, then we'll end up with another mess, as exempting
host writes for MSR_KVM_GUEST_SSP would let the guest coerce KVM into writing an
illegal value by modifying SMRAM while in SMM.
Blech.
If we can get away with it, i.e. not break userspace, I think my preference is
to enforce guest CPUID for host accesses to XSS, XFD, XFD_ERR, etc. I'm 99%
certain we can make that change, because there are many, many MSRs that do NOT
exempt host writes, i.e. the only way this would be a breaking change is if
userspace is writing things like XSS before KVM_SET_CPUID2, but other MSRs after
KVM_SET_CPUID2.
I'm pretty sure I've advocated for the exact opposite in the past, i.e. argued
that KVM's ABI is to not enforce ordering between KVM_SET_CPUID2 and KVM_SET_MSR.
But this is becoming untenable, juggling the dependencies in KVM is complex and
is going to result in a nasty bug at some point.
For this series, lets just tighten the rules for XSS, i.e. drop the host_initated
exemption. And in a parallel/separate series, try to do a wholesale cleanup of
all the cases that essentially allow userspace to do KVM_SET_MSR before KVM_SET_CPUID2.
next prev parent reply other threads:[~2023-08-04 18:35 UTC|newest]
Thread overview: 82+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-03 4:27 [PATCH v5 00/19] Enable CET Virtualization Yang Weijiang
2023-08-03 4:27 ` [PATCH v5 01/19] x86/cpufeatures: Add CPU feature flags for shadow stacks Yang Weijiang
2023-08-03 4:27 ` [PATCH v5 02/19] x86/fpu/xstate: Introduce CET MSR and XSAVES supervisor states Yang Weijiang
2023-08-03 4:27 ` [PATCH v5 03/19] KVM:x86: Report XSS as to-be-saved if there are supported features Yang Weijiang
2023-08-03 4:27 ` [PATCH v5 04/19] KVM:x86: Refresh CPUID on write to guest MSR_IA32_XSS Yang Weijiang
2023-08-04 16:02 ` Sean Christopherson
2023-08-04 21:43 ` Paolo Bonzini
2023-08-09 3:11 ` Yang, Weijiang
2023-08-08 14:20 ` Yang, Weijiang
2023-08-04 18:27 ` Sean Christopherson [this message]
2023-08-07 6:55 ` Paolo Bonzini
2023-08-09 8:56 ` Yang, Weijiang
2023-08-10 0:01 ` Paolo Bonzini
2023-08-10 1:12 ` Yang, Weijiang
2023-08-03 4:27 ` [PATCH v5 05/19] KVM:x86: Initialize kvm_caps.supported_xss Yang Weijiang
2023-08-04 18:45 ` Sean Christopherson
2023-08-08 15:08 ` Yang, Weijiang
2023-08-03 4:27 ` [PATCH v5 06/19] KVM:x86: Load guest FPU state when access XSAVE-managed MSRs Yang Weijiang
2023-08-03 4:27 ` [PATCH v5 07/19] KVM:x86: Add fault checks for guest CR4.CET setting Yang Weijiang
2023-08-03 9:07 ` Chao Gao
2023-08-03 4:27 ` [PATCH v5 08/19] KVM:x86: Report KVM supported CET MSRs as to-be-saved Yang Weijiang
2023-08-03 10:39 ` Chao Gao
2023-08-04 3:13 ` Yang, Weijiang
2023-08-04 5:51 ` Chao Gao
2023-08-04 18:51 ` Sean Christopherson
2023-08-04 22:01 ` Paolo Bonzini
2023-08-08 15:16 ` Yang, Weijiang
2023-08-06 8:54 ` Yang, Weijiang
2023-08-04 18:55 ` Sean Christopherson
2023-08-08 15:26 ` Yang, Weijiang
2023-08-04 21:47 ` Paolo Bonzini
2023-08-09 3:14 ` Yang, Weijiang
2023-08-03 4:27 ` [PATCH v5 09/19] KVM:x86: Make guest supervisor states as non-XSAVE managed Yang Weijiang
2023-08-03 11:15 ` Chao Gao
2023-08-04 3:26 ` Yang, Weijiang
2023-08-04 20:45 ` Sean Christopherson
2023-08-04 20:59 ` Peter Zijlstra
2023-08-04 21:32 ` Paolo Bonzini
2023-08-09 2:51 ` Yang, Weijiang
2023-08-09 2:39 ` Yang, Weijiang
2023-08-10 9:29 ` Yang, Weijiang
2023-08-10 14:29 ` Dave Hansen
2023-08-10 15:15 ` Paolo Bonzini
2023-08-10 15:37 ` Sean Christopherson
2023-08-11 3:03 ` Yang, Weijiang
2023-08-28 21:00 ` Dave Hansen
2023-08-29 7:05 ` Yang, Weijiang
2023-08-03 4:27 ` [PATCH v5 10/19] KVM:VMX: Introduce CET VMCS fields and control bits Yang Weijiang
2023-08-03 4:27 ` [PATCH v5 11/19] KVM:VMX: Emulate read and write to CET MSRs Yang Weijiang
2023-08-04 5:14 ` Chao Gao
2023-08-04 21:27 ` Sean Christopherson
2023-08-04 21:45 ` Paolo Bonzini
2023-08-04 22:21 ` Sean Christopherson
2023-08-07 7:03 ` Paolo Bonzini
2023-08-06 8:44 ` Yang, Weijiang
2023-08-07 7:00 ` Paolo Bonzini
2023-08-04 8:28 ` Chao Gao
2023-08-09 7:12 ` Yang, Weijiang
2023-08-04 21:40 ` Paolo Bonzini
2023-08-09 3:05 ` Yang, Weijiang
2023-08-03 4:27 ` [PATCH v5 12/19] KVM:x86: Save and reload SSP to/from SMRAM Yang Weijiang
2023-08-04 7:53 ` Chao Gao
2023-08-04 15:25 ` Sean Christopherson
2023-08-06 9:14 ` Yang, Weijiang
2023-08-03 4:27 ` [PATCH v5 13/19] KVM:VMX: Set up interception for CET MSRs Yang Weijiang
2023-08-04 8:16 ` Chao Gao
2023-08-06 9:22 ` Yang, Weijiang
2023-08-07 1:16 ` Chao Gao
2023-08-09 6:11 ` Yang, Weijiang
2023-08-03 4:27 ` [PATCH v5 14/19] KVM:VMX: Set host constant supervisor states to VMCS fields Yang Weijiang
2023-08-04 8:23 ` Chao Gao
2023-08-03 4:27 ` [PATCH v5 15/19] KVM:x86: Optimize CET supervisor SSP save/reload Yang Weijiang
2023-08-04 8:43 ` Chao Gao
2023-08-09 9:00 ` Yang, Weijiang
2023-08-03 4:27 ` [PATCH v5 16/19] KVM:x86: Enable CET virtualization for VMX and advertise to userspace Yang Weijiang
2023-08-03 4:27 ` [PATCH v5 17/19] KVM:x86: Enable guest CET supervisor xstate bit support Yang Weijiang
2023-08-04 22:02 ` Paolo Bonzini
2023-08-09 6:07 ` Yang, Weijiang
2023-08-03 4:27 ` [PATCH v5 18/19] KVM:nVMX: Refine error code injection to nested VM Yang Weijiang
2023-08-04 21:38 ` Sean Christopherson
2023-08-09 3:00 ` Yang, Weijiang
2023-08-03 4:27 ` [PATCH v5 19/19] KVM:nVMX: Enable CET support for " Yang Weijiang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZM1C+ILRMCfzJxx7@google.com \
--to=seanjc@google.com \
--cc=binbin.wu@linux.intel.com \
--cc=chao.gao@intel.com \
--cc=john.allen@amd.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=peterz@infradead.org \
--cc=rick.p.edgecombe@intel.com \
--cc=weijiang.yang@intel.com \
--cc=yi.z.zhang@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.