From: Paolo Bonzini <pbonzini@redhat.com>
To: Sean Christopherson <seanjc@google.com>
Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org,
srutherford@google.com, joro@8bytes.org, brijesh.singh@amd.com,
thomas.lendacky@amd.com, ashish.kalra@amd.com,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>,
Borislav Petkov <bp@suse.de>,
x86@kernel.org
Subject: Re: [PATCH v3 2/2] KVM: X86: Introduce KVM_HC_PAGE_ENC_STATUS hypercall
Date: Sat, 1 May 2021 11:01:01 +0200 [thread overview]
Message-ID: <c4bf8a05-ec0d-9723-bb64-444fe1f088b5@redhat.com> (raw)
In-Reply-To: <YIxkTZsblAzUzsf7@google.com>
On 30/04/21 22:10, Sean Christopherson wrote:
> On Thu, Apr 29, 2021, Paolo Bonzini wrote:
>> diff --git a/Documentation/virt/kvm/msr.rst b/Documentation/virt/kvm/msr.rst
>> index 57fc4090031a..cf1b0b2099b0 100644
>> --- a/Documentation/virt/kvm/msr.rst
>> +++ b/Documentation/virt/kvm/msr.rst
>> @@ -383,5 +383,10 @@ MSR_KVM_MIGRATION_CONTROL:
>> data:
>> This MSR is available if KVM_FEATURE_MIGRATION_CONTROL is present in
>> CPUID. Bit 0 represents whether live migration of the guest is allowed.
>> +
>> When a guest is started, bit 0 will be 1 if the guest has encrypted
>> - memory and 0 if the guest does not have encrypted memory.
>> + memory and 0 if the guest does not have encrypted memory. If the
>> + guest is communicating page encryption status to the host using the
>> + ``KVM_HC_PAGE_ENC_STATUS`` hypercall, it can set bit 0 in this MSR to
>> + allow live migration of the guest. The MSR is read-only if
>> + ``KVM_FEATURE_HC_PAGE_STATUS`` is not advertised to the guest.
>
> I still don't get the desire to tie MSR_KVM_MIGRATION_CONTROL to PAGE_ENC_STATUS
> in any way shape or form. I can understand making it read-only or dropping
> writes if it's not intercepted by userspace, but making it read-only for
> non-encrypted guests makes it useful only for encrypted guests, which defeats
> the purpose of genericizing the MSR.
Yeah, I see your point. On the other hand by making it unconditionally
writable we must implement the writability in KVM, because a read-only
implementation would not comply with the spec.
>> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
>> index e9c40be9235c..0c2524bbaa84 100644
>> --- a/arch/x86/kvm/x86.c
>> +++ b/arch/x86/kvm/x86.c
>> @@ -3279,6 +3279,12 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
>> if (!guest_pv_has(vcpu, KVM_FEATURE_MIGRATION_CONTROL))
>> return 1;
>>
>> + /*
>> + * This implementation is only good if userspace has *not*
>> + * enabled KVM_FEATURE_HC_PAGE_ENC_STATUS. If userspace
>> + * enables KVM_FEATURE_HC_PAGE_ENC_STATUS it must set up an
>> + * MSR filter in order to accept writes that change bit 0.
>> + */
>> if (data != !static_call(kvm_x86_has_encrypted_memory)(vcpu->kvm))
>> return 1;
>
> This behavior doesn't match the documentation.
>
> a. The MSR is not read-only for legacy guests since they can write '0'.
> b. The MSR is not read-only if KVM_FEATURE_HC_PAGE_STATUS isn't advertised,
> a guest with encrypted memory can write '1' regardless of whether userspace
> has enabled KVM_FEATURE_HC_PAGE_STATUS.
Right, I should have said "not changeable" rather than "read-only".
> c. The MSR is never fully writable, e.g. a guest with encrypted memory can set
> bit 0, but not clear it. This doesn't seem intentional?
It is intentional, clearing it would mean preserving the value in the
kernel so that userspace can read it.
So... I don't know, all in all having both the separate CPUID and the
userspace implementation reeks of overengineering. It should be either
of these:
- separate CPUID bit, MSR unconditionally writable and implemented in
KVM. Userspace is expected to ignore the MSR value for encrypted guests
unless KVM_FEATURE_HC_PAGE_STATUS is exposed. Userspace should respect
it even for unencrypted guests (not a migration-DoS vector, because
userspace can just not expose the feature).
- make it completely independent from migration, i.e. it's just a facet
of MSR_KVM_PAGE_ENC_STATUS saying whether the bitmap is up-to-date. It
would use CPUID bit as the encryption status bitmap and have no code at
all in KVM (userspace needs to set up the filter and implement everything).
At this point I very much prefer the latter, which is basically Ashish's
earlier patch.
Paolo
> Why not simply drop writes? E.g.
>
> if (data & ~KVM_MIGRATION_READY)
> return 1;
> break;
>
> And then do "msr->data = 0;" in the read path. That's just as effective as
> making the MSR read-only to force userspace to intercept the MSR if it wants to
> do anything useful with the information, and it's easy to document.
next prev parent reply other threads:[~2021-05-01 9:01 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-29 10:47 [PATCH v3 0/2] KVM: x86: guest interface for SEV live migration Paolo Bonzini
2021-04-29 10:47 ` [PATCH v3 1/2] KVM: x86: add MSR_KVM_MIGRATION_CONTROL Paolo Bonzini
2021-04-29 10:47 ` [PATCH v3 2/2] KVM: X86: Introduce KVM_HC_PAGE_ENC_STATUS hypercall Paolo Bonzini
2021-04-30 20:10 ` Sean Christopherson
2021-05-01 9:01 ` Paolo Bonzini [this message]
2021-05-03 23:22 ` Steve Rutherford
2021-05-04 8:06 ` Paolo Bonzini
2021-05-04 17:09 ` Sean Christopherson
2021-05-04 20:27 ` Paolo Bonzini
2021-05-04 20:33 ` Sean Christopherson
2021-05-04 20:56 ` Paolo Bonzini
2021-05-04 21:16 ` Steve Rutherford
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c4bf8a05-ec0d-9723-bb64-444fe1f088b5@redhat.com \
--to=pbonzini@redhat.com \
--cc=ashish.kalra@amd.com \
--cc=bp@suse.de \
--cc=brijesh.singh@amd.com \
--cc=hpa@zytor.com \
--cc=joro@8bytes.org \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=seanjc@google.com \
--cc=srutherford@google.com \
--cc=tglx@linutronix.de \
--cc=thomas.lendacky@amd.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).