Date: Wed, 16 Oct 2019 11:47:03 +0200 (CEST)
From: Thomas Gleixner
To: Paolo Bonzini
Cc: Sean Christopherson, Fenghua Yu, Ingo Molnar, Borislav Petkov, H Peter Anvin, Peter Zijlstra, Andrew Morton, Dave Hansen, Radim Krcmar, Ashok Raj, Tony Luck, Dan Williams, Xiaoyao Li, Sai Praneeth Prakhya, Ravi V Shankar, linux-kernel, x86, kvm@vger.kernel.org
Subject: Re: [PATCH v9 09/17] x86/split_lock: Handle #AC exception for split lock
In-Reply-To: <3ec328dc-2763-9da5-28d6-e28970262c58@redhat.com>
References: <1560897679-228028-1-git-send-email-fenghua.yu@intel.com> <1560897679-228028-10-git-send-email-fenghua.yu@intel.com> <20190626203637.GC245468@romley-ivt3.sc.intel.com> <20190925180931.GG31852@linux.intel.com> <3ec328dc-2763-9da5-28d6-e28970262c58@redhat.com>

On Wed, 16 Oct 2019, Paolo Bonzini wrote:
> On 25/09/19 20:09, Sean Christopherson wrote:
> > - Remove KVM loading of MSR_TEST_CTRL, i.e. KVM *never* writes the CPU's
> >   actual MSR_TEST_CTRL. KVM still emulates MSR_TEST_CTRL so that the
> >   guest can do WRMSR and handle its own #AC faults, but KVM doesn't
> >   change the value in hardware.
> >
> >   * Allowing guest to enable split-lock detection can induce #AC on
> >     the host after it has been explicitly turned off, e.g. the sibling
> >     hyperthread hits an #AC in the host kernel, or worse, causes a
> >     different process in the host to SIGBUS.
> >
> >   * Allowing guest to disable split-lock detection opens up the host
> >     to DoS attacks.
> >
> > - KVM advertises split-lock detection to guest/userspace if and only if
> >   split_lock_detect_disabled is zero.
> >
> > - Add a pr_warn_once() in KVM that triggers if split locks are disabled
> >   after support has been advertised to a guest.
> >
> > Does this sound sane?
>
> Not really, unfortunately. Just never advertise split-lock detection to
> guests. If the host has enabled split-lock detection, trap #AC and
> forward it to the host handler---which would disable split lock
> detection globally and reenter the guest.

Which completely defeats the purpose.

1) Sane guest

   Guest kernel has #AC handler and you basically prevent it from
   detecting malicious user space and killing it. You also prevent #AC
   detection in the guest kernel which limits debuggability.

2) Malicious guest

   Trigger #AC to disable the host detection and then carry out the DoS
   attack.

Try again.

Thanks,

	tglx