From: Xiaoyao Li <xiaoyao.li@linux.intel.com>
To: Thomas Gleixner <tglx@linutronix.de>
Cc: Fenghua Yu <fenghua.yu@intel.com>, Ingo Molnar <mingo@redhat.com>,
Borislav Petkov <bp@alien8.de>, H Peter Anvin <hpa@zytor.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Dave Hansen <dave.hansen@intel.com>,
Ashok Raj <ashok.raj@intel.com>,
Peter Zijlstra <peterz@infradead.org>,
Ravi V Shankar <ravi.v.shankar@intel.com>,
Christopherson Sean J <sean.j.christopherson@intel.com>,
Kalle Valo <kvalo@codeaurora.org>,
Michael Chan <michael.chan@broadcom.com>,
linux-kernel <linux-kernel@vger.kernel.org>, x86 <x86@kernel.org>,
kvm@vger.kernel.org, netdev@vger.kernel.org,
linux-wireless@vger.kernel.org
Subject: Re: [PATCH v8 12/15] kvm/vmx: Emulate MSR TEST_CTL
Date: Sun, 28 Apr 2019 15:34:26 +0800 [thread overview]
Message-ID: <87ef9a01-fc99-20be-ec20-2c65e6a012a1@linux.intel.com> (raw)
In-Reply-To: <alpine.DEB.2.21.1904280903520.1757@nanos.tec.linutronix.de>
On 4/28/2019 3:09 PM, Thomas Gleixner wrote:
> On Sat, 27 Apr 2019, Xiaoyao Li wrote:
>> On Thu, 2019-04-25 at 09:42 +0200, Thomas Gleixner wrote:
>>> On Wed, 24 Apr 2019, Fenghua Yu wrote:
>>>>
>>>> +static void atomic_switch_msr_test_ctl(struct vcpu_vmx *vmx)
>>>> +{
>>>> + u64 host_msr_test_ctl;
>>>> +
>>>> + if (!boot_cpu_has(X86_FEATURE_SPLIT_LOCK_DETECT))
>>>> + return;
>>>
>>> Again: MSR_TST_CTL is not only about LOCK_DETECT. Check the control mask.
>>>
>>>> + host_msr_test_ctl = this_cpu_read(msr_test_ctl_cache);
>>>> +
>>>> + if (host_msr_test_ctl == vmx->msr_test_ctl) {
>>>
>>> This still assumes that the only bit which can be set in the MSR is that
>>> lock detect bit.
>>>
>>>> + clear_atomic_switch_msr(vmx, MSR_TEST_CTL);
>>>> + } else {
>>>> + add_atomic_switch_msr(vmx, MSR_TEST_CTL, vmx->msr_test_ctl,
>>>> + host_msr_test_ctl, false);
>>>
>>> So what happens here is that if any other bit is set on the host, VMENTER
>>> will happily clear it.
>>
>> There are two bits of MSR TEST_CTL defined in Intel SDM now, which is bit
>> 29 and bit 31. Bit 31 is not used in kernel, and here we only need to
>> switch bit 29 between host and guest. So should I also change the name
>> to atomic_switch_split_lock_detect() to indicate that we only switch bit
>> 29?
>
> No. Just because we ony use the split lock bit now, there is no
> jusification to name everything splitlock. This is going to have renamed
> when yet another bit is added in the future. The MSR is exposed to the
> guest and the restriction of bits happens to be splitlock today.
Got it.
>>> guest = (host & ~vmx->test_ctl_mask) | vmx->test_ctl;
>>>
>>> That preserves any bits which are not exposed to the guest.
>>>
>>> But the way more interesting question is why are you exposing the MSR and
>>> the bit to the guest at all if the host has split lock detection enabled?
>>>
>>> That does not make any sense as you basically allow the guest to switch it
>>> off and then launch a slowdown attack. If the host has it enabled, then a
>>> guest has to be treated like any other process and the #AC trap has to be
>>> caught by the hypervisor which then kills the guest.
>>>
>>> Only if the host has split lock detection disabled, then you can expose it
>>> and allow the guest to turn it on and handle it on its own.
>>
>> Indeed, if we use split lock detection for protection purpose, when host
>> has it enabled we should directly pass it to guest and forbid guest from
>> disabling it. And only when host disables split lock detection, we can
>> expose it and allow the guest to turn it on.
> ?
>> If it is used for protection purpose, then it should follow what you said and
>> this feature needs to be disabled by default. Because there are split lock
>> issues in old/current kernels and BIOS. That will cause the existing guest
>> booting failure and killed due to those split lock.
>
> Rightfully so.
So, the patch 13 "Enable split lock detection by default" needs to be
removed?
>> If it is only used for debug purpose, I think it might be OK to enable this
>> feature by default and make it indepedent between host and guest?
>
> No. It does not make sense.
>
>> So I think how to handle this feature between host and guest depends on how we
>> use it? Once you give me a decision, I will follow it in next version.
>
> As I said: The host kernel makes the decision.
>
> If the host kernel has it enabled then the guest is not allowed to change
> it. If the guest triggers an #AC it will be killed.
>
> If the host kernel has it disabled then the guest can enable it for it's
> own purposes.
>
> Thanks,
>
> tglx
>
next prev parent reply other threads:[~2019-04-28 7:34 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-24 19:32 [PATCH v8 00/15] x86/split_lock: Enable split lock detection Fenghua Yu
2019-04-24 19:32 ` [PATCH v8 01/15] x86/common: Align cpu_caps_cleared and cpu_caps_set to unsigned long Fenghua Yu
2019-04-24 19:32 ` [PATCH v8 02/15] drivers/net/b44: Align pwol_mask to unsigned long for better performance Fenghua Yu
2019-04-24 19:32 ` [PATCH v8 03/15] wlcore: simplify/fix/optimize reg_ch_conf_pending operations Fenghua Yu
2019-04-25 17:12 ` Kalle Valo
2019-04-24 19:32 ` [PATCH v8 04/15] x86/split_lock: Align x86_capability to unsigned long to avoid split locked access Fenghua Yu
2019-04-24 19:32 ` [PATCH v8 05/15] x86/msr-index: Define MSR_IA32_CORE_CAPABILITY and split lock detection bit Fenghua Yu
2019-04-25 5:45 ` Ingo Molnar
2019-04-25 19:01 ` Fenghua Yu
2019-04-25 19:47 ` Ingo Molnar
2019-04-25 19:51 ` Fenghua Yu
2019-04-25 20:08 ` Ingo Molnar
2019-04-25 20:22 ` Fenghua Yu
2019-04-26 6:00 ` Ingo Molnar
2019-05-06 0:12 ` Fenghua Yu
2019-04-24 19:32 ` [PATCH v8 06/15] x86/cpufeatures: Enumerate MSR_IA32_CORE_CAPABILITY Fenghua Yu
2019-04-24 19:32 ` [PATCH v8 07/15] x86/split_lock: Enumerate split lock detection by MSR_IA32_CORE_CAPABILITY Fenghua Yu
2019-04-24 19:32 ` [PATCH v8 08/15] x86/split_lock: Enumerate split lock detection on Icelake mobile processor Fenghua Yu
2019-04-24 19:32 ` [PATCH v8 09/15] x86/split_lock: Define MSR TEST_CTL register Fenghua Yu
2019-04-25 6:21 ` Ingo Molnar
2019-04-25 19:48 ` Fenghua Yu
2019-04-24 19:32 ` [PATCH v8 10/15] x86/split_lock: Handle #AC exception for split lock Fenghua Yu
2019-04-25 6:07 ` Ingo Molnar
2019-04-25 7:29 ` Thomas Gleixner
2019-04-24 19:32 ` [PATCH v8 11/15] kvm/x86: Emulate MSR IA32_CORE_CAPABILITY Fenghua Yu
2019-04-24 19:32 ` [PATCH v8 12/15] kvm/vmx: Emulate MSR TEST_CTL Fenghua Yu
2019-04-25 7:42 ` Thomas Gleixner
2019-04-27 12:20 ` Xiaoyao Li
2019-04-28 7:09 ` Thomas Gleixner
2019-04-28 7:34 ` Xiaoyao Li [this message]
2019-04-29 7:31 ` Thomas Gleixner
2019-04-29 5:21 ` Xiaoyao Li
2019-04-24 19:33 ` [PATCH v8 13/15] x86/split_lock: Enable split lock detection by default Fenghua Yu
2019-04-25 7:50 ` Thomas Gleixner
2019-05-06 21:39 ` Fenghua Yu
2019-04-25 10:52 ` David Laight
2019-04-25 10:58 ` Thomas Gleixner
2019-04-25 11:13 ` David Laight
2019-04-25 11:41 ` Peter Zijlstra
2019-04-25 13:04 ` Thomas Gleixner
2019-05-07 20:48 ` Fenghua Yu
2019-04-24 19:33 ` [PATCH v8 14/15] x86/split_lock: Disable split lock detection by kernel parameter "nosplit_lock_detect" Fenghua Yu
2019-04-24 19:33 ` [PATCH v8 15/15] x86/split_lock: Add a sysfs interface to enable/disable split lock detection during run time Fenghua Yu
2019-04-25 6:31 ` Ingo Molnar
2019-05-06 0:21 ` Fenghua Yu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87ef9a01-fc99-20be-ec20-2c65e6a012a1@linux.intel.com \
--to=xiaoyao.li@linux.intel.com \
--cc=ashok.raj@intel.com \
--cc=bp@alien8.de \
--cc=dave.hansen@intel.com \
--cc=fenghua.yu@intel.com \
--cc=hpa@zytor.com \
--cc=kvalo@codeaurora.org \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=michael.chan@broadcom.com \
--cc=mingo@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=peterz@infradead.org \
--cc=ravi.v.shankar@intel.com \
--cc=sean.j.christopherson@intel.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).