From: Xiaoyao Li <xiaoyao.li@intel.com>
To: Sean Christopherson <sean.j.christopherson@intel.com>
Cc: Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
hpa@zytor.com, Paolo Bonzini <pbonzini@redhat.com>,
Andy Lutomirski <luto@kernel.org>,
tony.luck@intel.com, peterz@infradead.org, fenghua.yu@intel.com,
x86@kernel.org, kvm@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3 8/8] x86: vmx: virtualize split lock detection
Date: Fri, 6 Mar 2020 08:29:48 +0800 [thread overview]
Message-ID: <d0427e74-9666-d0b0-24ae-fd0e48c91a0a@intel.com> (raw)
In-Reply-To: <20200305164926.GH11500@linux.intel.com>
On 3/6/2020 12:49 AM, Sean Christopherson wrote:
> On Thu, Mar 05, 2020 at 10:16:40PM +0800, Xiaoyao Li wrote:
>> On 3/4/2020 3:30 AM, Sean Christopherson wrote:
>>> On Thu, Feb 06, 2020 at 03:04:12PM +0800, Xiaoyao Li wrote:
>>>> --- a/arch/x86/kvm/vmx/vmx.c
>>>> +++ b/arch/x86/kvm/vmx/vmx.c
>>>> @@ -1781,6 +1781,25 @@ static int vmx_get_msr_feature(struct kvm_msr_entry *msr)
>>>> }
>>>> }
>>>> +/*
>>>> + * Note: for guest, feature split lock detection can only be enumerated through
>>>> + * MSR_IA32_CORE_CAPS_SPLIT_LOCK_DETECT bit. The FMS enumeration is invalid.
>>>> + */
>>>> +static inline bool guest_has_feature_split_lock_detect(struct kvm_vcpu *vcpu)
>>>> +{
>>>> + return vcpu->arch.core_capabilities & MSR_IA32_CORE_CAPS_SPLIT_LOCK_DETECT;
>>>> +}
>>>> +
>>>> +static inline u64 vmx_msr_test_ctrl_valid_bits(struct kvm_vcpu *vcpu)
>>>> +{
>>>> + u64 valid_bits = 0;
>>>> +
>>>> + if (guest_has_feature_split_lock_detect(vcpu))
>>>> + valid_bits |= MSR_TEST_CTRL_SPLIT_LOCK_DETECT;
>>>> +
>>>> + return valid_bits;
>>>> +}
>>>> +
>>>> /*
>>>> * Reads an msr value (of 'msr_index') into 'pdata'.
>>>> * Returns 0 on success, non-0 otherwise.
>>>> @@ -1793,6 +1812,12 @@ static int vmx_get_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
>>>> u32 index;
>>>> switch (msr_info->index) {
>>>> + case MSR_TEST_CTRL:
>>>> + if (!msr_info->host_initiated &&
>>>> + !guest_has_feature_split_lock_detect(vcpu))
>>>> + return 1;
>>>> + msr_info->data = vmx->msr_test_ctrl;
>>>> + break;
>>>> #ifdef CONFIG_X86_64
>>>> case MSR_FS_BASE:
>>>> msr_info->data = vmcs_readl(GUEST_FS_BASE);
>>>> @@ -1934,6 +1959,13 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
>>>> u32 index;
>>>> switch (msr_index) {
>>>> + case MSR_TEST_CTRL:
>>>> + if (!msr_info->host_initiated &&
>>>
>>> Host initiated writes need to be validated against
>>> kvm_get_core_capabilities(), otherwise userspace can enable SLD when it's
>>> supported in hardware and the kernel, but can't be safely exposed to the
>>> guest due to SMT being on.
>>
>> How about making the whole check like this:
>>
>> if (!msr_info->host_initiated &&
>> (!guest_has_feature_split_lock_detect(vcpu))
>> return 1;
>>
>> if (data & ~vmx_msr_test_ctrl_valid_bits(vcpu))
>
> Whoops, the check on kvm_get_core_capabilities() should be done in
> "case MSR_IA32_CORE_CAPS:", i.e. KVM shouldn't let host userspace advertise
> split-lock support unless it's allowed by KVM.
>
> Then this code doesn't need to do a check on host_initiated=true.
>
> Back to the original code, I don't think we need to make the existence of
> MSR_TEST_CTRL dependent on guest_has_feature_split_lock_detect(), i.e. this
> check can simply be:
>
> if (!msr_info->host_initiated &&
> (data & ~vmx_msr_test_ctrl_valid_bits(vcpu)))
> return 1;
If so, it also allow userspace write whatever it wants.
> and vmx_get_msr() doesn't need to check anything, i.e. RDMSR always
> succeeds. This is actually aligned with real silicon behavior because
> MSR_TEST_CTRL exists on older processors, it's just wasn't documented until
> we decided to throw in SPLIT_LOCK_AC, e.g. the LOCK# suppression bit is
> marked for deprecation in the SDM, which wouldn't be necessary if it didn't
> exist :-)
>
> Intel ISA/Feature Year of Removal
> TEST_CTRL MSR, bit 31 (MSR address 33H) 2019 onwards
>
> 31 Disable LOCK# assertion for split locked access
Well, bit 31 does exist on many old machines. But KVM never exposes bit
33 and even MSR_TEST_CTRL to guest.
Here, do the check on rdmsr is based on your suggestion that if none of
its bit is writable (i.e., no bit valid), we should make it non-existing.
> On my Haswell box:
>
> $ rdmsr 0x33
> 0
> $ wrmsr 0x33 0x20000000
> wrmsr: CPU 0 cannot set MSR 0x00000033 to 0x0000000020000000
> $ wrmsr 0x33 0x80000000
> $ rdmsr 0x33
> 80000000
> $ wrmsr 0x33 0x00000000
> $ rdmsr 0x33
> 0
>
> That way the guest_has_feature_split_lock_detect() helper isn't needed
> since its only user is vmx_msr_test_ctrl_valid_bits(), i.e. it can be
> open coded there.
>
>>>> + (!guest_has_feature_split_lock_detect(vcpu) ||
>>>> + data & ~vmx_msr_test_ctrl_valid_bits(vcpu)))
>>>> + return 1;
>>>> + vmx->msr_test_ctrl = data;
>> m>+ break;
prev parent reply other threads:[~2020-03-06 0:29 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-06 7:04 [PATCH v3 0/8] kvm/split_lock: Add feature split lock detection support in kvm Xiaoyao Li
2020-02-06 7:04 ` [PATCH v3 1/8] x86/split_lock: Export handle_user_split_lock() Xiaoyao Li
2020-03-03 18:42 ` Sean Christopherson
2020-02-06 7:04 ` [PATCH v3 2/8] x86/split_lock: Ensure X86_FEATURE_SPLIT_LOCK_DETECT means the existence of feature Xiaoyao Li
2020-03-03 18:55 ` Sean Christopherson
2020-03-03 19:41 ` Sean Christopherson
2020-03-04 1:49 ` Xiaoyao Li
2020-03-05 16:23 ` Sean Christopherson
2020-03-06 2:15 ` Xiaoyao Li
2020-03-04 2:20 ` Xiaoyao Li
2020-02-06 7:04 ` [PATCH v3 3/8] x86/split_lock: Cache the value of MSR_TEST_CTRL in percpu data Xiaoyao Li
2020-02-06 20:23 ` Arvind Sankar
2020-02-07 4:18 ` Xiaoyao Li
2020-03-03 19:18 ` Sean Christopherson
2020-03-05 6:48 ` Xiaoyao Li
2020-02-06 7:04 ` [PATCH v3 4/8] x86/split_lock: Add and export split_lock_detect_enabled() and split_lock_detect_fatal() Xiaoyao Li
2020-03-03 18:59 ` Sean Christopherson
2020-02-06 7:04 ` [PATCH v3 5/8] kvm: x86: Emulate split-lock access as a write Xiaoyao Li
2020-02-06 7:04 ` [PATCH v3 6/8] kvm: vmx: Extend VMX's #AC interceptor to handle split lock #AC happens in guest Xiaoyao Li
2020-03-03 19:08 ` Sean Christopherson
2020-02-06 7:04 ` [PATCH v3 7/8] kvm: x86: Emulate MSR IA32_CORE_CAPABILITIES Xiaoyao Li
2020-02-06 7:04 ` [PATCH v3 8/8] x86: vmx: virtualize split lock detection Xiaoyao Li
2020-02-07 18:27 ` Arvind Sankar
2020-02-08 4:51 ` Xiaoyao Li
2020-03-03 19:30 ` Sean Christopherson
2020-03-05 14:16 ` Xiaoyao Li
2020-03-05 16:49 ` Sean Christopherson
2020-03-06 0:29 ` Xiaoyao Li [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d0427e74-9666-d0b0-24ae-fd0e48c91a0a@intel.com \
--to=xiaoyao.li@intel.com \
--cc=bp@alien8.de \
--cc=fenghua.yu@intel.com \
--cc=hpa@zytor.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mingo@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peterz@infradead.org \
--cc=sean.j.christopherson@intel.com \
--cc=tglx@linutronix.de \
--cc=tony.luck@intel.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).