From: Siddharth Chandrasekaran <sidcha@amazon.de>
To: Alexander Graf <graf@amazon.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>,
	Marcelo Tosatti <mtosatti@redhat.com>,
	Siddharth Chandrasekaran <sidcha.dev@gmail.com>,
	Evgeny Iakovlev <eyakovl@amazon.de>,
	Liran Alon <liran@amazon.com>,
	Ioannis Aslanidis <iaslan@amazon.de>, <qemu-devel@nongnu.org>,
	<kvm@vger.kernel.org>
Subject: Re: [PATCH 5/6] kvm/i386: Add support for user space MSR filtering
Date: Tue, 8 Jun 2021 12:53:18 +0200
Message-ID: <20210608105317.GA25597@u366d62d47e3651.ant.amazon.com>
In-Reply-To: <2c6375b0-e7e0-a19e-8cc9-a8b81a64dfc1@amazon.com>

On Tue, Jun 08, 2021 at 10:48:53AM +0200, Alexander Graf wrote:
> On 24.05.21 22:01, Siddharth Chandrasekaran wrote:
> > Check and enable user space MSR filtering capability and handle new exit
> > reason KVM_EXIT_X86_WRMSR. This will be used in a follow up patch to
> > implement hyper-v overlay pages.
> > 
> > Signed-off-by: Siddharth Chandrasekaran <sidcha@amazon.de>
> 
> This patch will break bisection, because we're no longer handling the writes
> in kernel space after this, but we also don't have user space handling
> available yet, right? It might be better to move all logic in this patch
> that sets up the filter for Hyper-V MSRs into the next one.

Yes, that's correct. I'll just bounce back all reads/writes to KVM. That
should maintain the existing behaviour.

> > ---
> >   target/i386/kvm/kvm.c | 72 +++++++++++++++++++++++++++++++++++++++++++
> >   1 file changed, 72 insertions(+)
> > 
> > diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c
> > index 362f04ab3f..3591f8cecc 100644
> > --- a/target/i386/kvm/kvm.c
> > +++ b/target/i386/kvm/kvm.c
> > @@ -117,6 +117,8 @@ static bool has_msr_ucode_rev;
> >   static bool has_msr_vmx_procbased_ctls2;
> >   static bool has_msr_perf_capabs;
> >   static bool has_msr_pkrs;
> > +static bool has_msr_filtering;
> > +static bool msr_filters_active;
> >   static uint32_t has_architectural_pmu_version;
> >   static uint32_t num_architectural_pmu_gp_counters;
> > @@ -2138,6 +2140,57 @@ static void register_smram_listener(Notifier *n, void *unused)
> >                                    &smram_address_space, 1);
> >   }
> > +static void kvm_set_msr_filter_range(struct kvm_msr_filter_range *range, uint32_t flags,
> > +                                     uint32_t base, uint32_t nmsrs, ...)
> > +{
> > +    int i, filter_to_userspace;
> > +    va_list ap;
> > +
> > +    range->flags = flags;
> > +    range->nmsrs = nmsrs;
> > +    range->base = base;
> > +
> > +    va_start(ap, nmsrs);
> > +    for (i = 0; i < nmsrs; i++) {
> > +        filter_to_userspace = va_arg(ap, int);
> > +        if (!filter_to_userspace) {
> > +            range->bitmap[i / 8] = 1 << (i % 8);
> > +        }
> > +    }
> > +    va_end(ap);
> > +}
> > +
> > +static int kvm_set_msr_filters(KVMState *s)
> > +{
> > +    int r, nmsrs, nfilt = 0, bitmap_pos = 0;
> > +    struct kvm_msr_filter filter = { };
> > +    struct kvm_msr_filter_range *range;
> > +    uint8_t bitmap_buf[KVM_MSR_FILTER_MAX_RANGES * 8] = {0};
> > +
> > +    filter.flags = KVM_MSR_FILTER_DEFAULT_ALLOW;
> > +
> > +    if (has_hyperv) {
> > +        /* Hyper-V overlay page MSRs */
> 
> I think you want to extend this comment and indicate in a human readable
> form that you set the filter on WRMSR to trap HV_X64_MSR_GUEST_OS_ID and
> HV_X64_MSR_HYPERCALL into user space here.

Sure.

> > +        nmsrs = 2;
> > +        range = &filter.ranges[nfilt++];
> > +        range->bitmap = &bitmap_buf[bitmap_pos];
> > +        kvm_set_msr_filter_range(range, KVM_MSR_FILTER_WRITE,
> > +                                 HV_X64_MSR_GUEST_OS_ID, nmsrs,
> > +                                 true, /* HV_X64_MSR_GUEST_OS_ID */
> > +                                 true  /* HV_X64_MSR_HYPERCALL */);
> > +        bitmap_pos += ROUND_UP(nmsrs, 8) / 8;
> > +        assert(bitmap_pos < sizeof(bitmap_buf));
> > +    }
> > +
> > +    r = kvm_vm_ioctl(s, KVM_X86_SET_MSR_FILTER, &filter);
> > +    if (r != 0) {
> > +        error_report("kvm: failed to set MSR filters");
> > +        return -1;
> > +    }
> > +
> > +    return 0;
> > +}
> > +
> >   int kvm_arch_init(MachineState *ms, KVMState *s)
> >   {
> >       uint64_t identity_base = 0xfffbc000;
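
Review bot: In kvm_set_msr_filter_range(), "range->bitmap[i / 8] = 1 << (i % 8);" assigns instead of ORing, so each bit written replaces the bits already set for earlier MSRs in the same byte; it should be "range->bitmap[i / 8] |= 1 << (i % 8);". The only caller passes true for both MSRs, so no bit is set today and the defect is latent, but the helper gives a wrong bitmap for any range that mixes kernel-handled and user-space-handled MSRs. In kvm_set_msr_filters(), the assert on bitmap_pos runs only after range->bitmap has been pointed into bitmap_buf and written, and "<" also rejects a layout that exactly fills the buffer; checking the space needed before calling kvm_set_msr_filter_range() would catch an overrun before it happens. The error_report() on ioctl failure drops the value of r, which makes the failure harder to diagnose.
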
> > @@ -2269,6 +2322,17 @@ int kvm_arch_init(MachineState *ms, KVMState *s)
> >           }
> >       }
> > +    has_msr_filtering = kvm_check_extension(s, KVM_CAP_X86_USER_SPACE_MSR) &&
> > +                        kvm_check_extension(s, KVM_CAP_X86_MSR_FILTER);
> > +    if (has_msr_filtering) {
> > +        ret = kvm_vm_enable_cap(s, KVM_CAP_X86_USER_SPACE_MSR, 0,
> > +                                KVM_MSR_EXIT_REASON_FILTER);
> > +        if (ret == 0) {
> > +            ret = kvm_set_msr_filters(s);
> > +            msr_filters_active = (ret == 0);
> > +        }
> > +    }
> > +
> >       return 0;
> >   }
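
Review bot: The results of the new block in kvm_arch_init() are dropped: a failing kvm_vm_enable_cap() is not reported at all, and a failing kvm_set_msr_filters() leaves msr_filters_active false while the function still returns 0. Nothing visible in this patch reads msr_filters_active or has_msr_filtering afterwards, so a host where the filter could not be installed starts up indistinguishable from one where it was. Either propagate the error, or report it and state in a comment that the filter is optional and that its consumers must check msr_filters_active. Note also that kvm_set_msr_filters() issues KVM_X86_SET_MSR_FILTER with an empty default-allow filter when has_hyperv is false; skipping the call when no range was added would keep the non-Hyper-V path unchanged.
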
> > @@ -4542,6 +4606,11 @@ static bool host_supports_vmx(void)
> >       return ecx & CPUID_EXT_VMX;
> >   }
> > +static int kvm_handle_wrmsr(X86CPU *cpu, struct kvm_run *run)
> > +{
> > +    return 0;
> 
> The default handler should always set run->msr.error = 1 to mimic the
> existing behavior.

Will do, thanks.

> > +}
> > +
> >   #define VMX_INVALID_GUEST_STATE 0x80000021
> >   int kvm_arch_handle_exit(CPUState *cs, struct kvm_run *run)
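
Review bot: kvm_handle_wrmsr() returns 0 without reading run->msr.index or setting run->msr.error, and its cpu argument is unused. Because this patch already installs the write filter for HV_X64_MSR_GUEST_OS_ID and HV_X64_MSR_HYPERCALL, every trapped guest write to those MSRs is returned as handled although nothing was done with it. Until the real handler is added, the stub should set run->msr.error explicitly, or the filter setup should move to the patch that adds the handler, so that each commit in the series behaves consistently on its own.
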
> > @@ -4600,6 +4669,9 @@ int kvm_arch_handle_exit(CPUState *cs, struct kvm_run *run)
> >           ioapic_eoi_broadcast(run->eoi.vector);
> >           ret = 0;
> >           break;
> > +    case KVM_EXIT_X86_WRMSR:
> > +        ret = kvm_handle_wrmsr(cpu, run);
> 
> Please provide a default RDMSR handler as well here.

Ack.

~ Sid.






