From: Ingo Molnar <mingo@kernel.org>
To: speck@linutronix.de
Subject: [MODERATED] Re: [patch 1/2] Command line and documentation 1
Date: Mon, 9 Jul 2018 12:26:45 +0200 [thread overview]
Message-ID: <20180709102645.GA26055@gmail.com> (raw)
In-Reply-To: <20180708125654.729119463@linutronix.de>
* speck for Thomas Gleixner <speck@linutronix.de> wrote:
> From: Jiri Kosina <jkosina@suse.cz>
> Subject: [patch 1/2] x86/bugs, kvm: introduce boot-time control of L1TF mitigations
Looks good to me, I only have minor nits:
> Introduce 'l1tf=' kernel commad line option to allow for boot-time
> switching of mitigation that is used on processors affected by L1TF.
Beyond the typo there's also a missing article:
s/Introduce 'l1tf=' kernel command line option
/Introduce the 'l1tf=' kernel command line option
>
> The possible values are:
>
> full
> Provide all available mitigations for the L1TF
> vulnerability. Disable SMT and enable all mitigations
> in the hypervisors. SMT control is still possible
> after boot.
Maybe:
SMT control via /sys/devices/system/cpu/smt/control is still
possible after boot.
to make the text more helpful overall?
> full,force
> Same as 'full', but disables SMT control. Implies the
> 'nosmt=force' command line option.
Maybe add:
full,force
Same as 'full', but disables SMT control. Implies the
'nosmt=force' command line option. (I.e. sysfs control
of SMT is disabled.)
> novirt
> Leaves SMT enabled and does not enable the hypervisor
> mitigation. Hypervisors will issue a warning when the first VM is
> being started in a potentially insecure configuration, i.e. SMT
> enabled or L1D flush disabled.
s/being started
/started
> novirt,nowarn
> Same as 'novirt', but hypervisors will not warn when
> a VM is started in a potentially insecure configuration.
>
> Default is 'novirt'.
>
> Let KVM adhere to these semantics, which means:
>
> - 'lt1f=full,force' : start performing L1D flushes
> - 'l1tf=full' : start performing L1D flushes,
> warn on VM start if SMT has
> been runtime enabled
> - 'l1tf=novirt' : warn on first VM start
> - 'l1tf=novirt,nowarn': no extra action is taken
>
> This makes the KVM's private 'nosmt' option redundant, and as it is a bit
> non-systematic anyway (this is something to control globally, not on
> hypervisor level). Remove that option.
s/the KVM's
/KVM's
> + l1tf= [X86] Control mitigation of the L1TF vulnerability on
> + affected CPUs
> +
> + The kernel PTE inversion protection is unconditionally
> + enabled and cannot be controlled.
s/controlled
/disabled
?
> +
> + full
> + Provide all available mitigations for the
> + L1TF vulnerability. Disable SMT and enable
> + all mitigations in the hypervisors. SMT
> + control is still possible after boot.
> +
> + full,force
> + Same as 'full', but disables SMT
> + control. Implies the 'nosmt=force' command
> + line option.
> +
> + novirt
> + Leaves SMT enabled and does not enable the
> + hypervisor mitigation. Hypervisors will
> + issue a warning when the first VM is being
> + started in a potentially insecure
> + configuration, i.e. SMT enabled or L1D
> + flush disabled.
> +
> + novirt,nowarn
> + Same as 'novirt', but hypervisors will not
> + warn when a VM is started in a potentially
> + insecure configuration.
> +
> + Default is 'novirt'.
Also, to extent you agree to the tweaks of the text I gave above, they should
propagate into the documentation here as well.
> +/* Default mitigation for L1TF-affected CPUs */
> +enum l1tf_mitigations l1tf_mitigation __ro_after_init = L1TF_MITIGATION_NOVIRT;
> +#if IS_ENABLED(CONFIG_KVM_INTEL)
Is there any difference to #ifdef CONFIG_KVM_INTEL?
> + switch (l1tf_mitigation) {
> + case L1TF_MITIGATION_FULL_FORCE:
> + cpu_smt_disable(true);
> + break;
> + case L1TF_MITIGATION_FULL:
> + cpu_smt_disable(false);
> + break;
> + case L1TF_MITIGATION_NOVIRT:
> + case L1TF_MITIGATION_NOVIRT_NOWARN:
> + break;
> + }
Nit: maybe put this into the same order as the definition order, i.e.
weaker-to-stronger options?
> +static int __init l1tf_cmdline(char *str)
> +{
> + if (!boot_cpu_has_bug(X86_BUG_L1TF))
> + return 0;
> +
> + if (!str)
> + return 0;
> +
> + if (!strcmp(str, "full"))
> + l1tf_mitigation = L1TF_MITIGATION_FULL;
> + else if (!strcmp(str, "full,force"))
> + l1tf_mitigation = L1TF_MITIGATION_FULL_FORCE;
> + else if (!strcmp(str, "novirt"))
> + l1tf_mitigation = L1TF_MITIGATION_NOVIRT;
> + else if (!strcmp(str, "novirt,nowarn"))
> + l1tf_mitigation = L1TF_MITIGATION_NOVIRT_NOWARN;
Ditto.
> +static const char *l1tf_states[] = {
> + [L1TF_MITIGATION_FULL] = "Mitigation: Full",
> + [L1TF_MITIGATION_FULL_FORCE] = "Mitigation: Full [force]",
> + [L1TF_MITIGATION_NOVIRT] = "Mitigation: Page Table Inversion",
> + [L1TF_MITIGATION_NOVIRT_NOWARN] = "Mitigation: Page Table Inversion"
> +};
Ditto.
> +
> +#if IS_ENABLED(CONFIG_KVM_INTEL)
> +static const char *l1tf_vmx_states[] = {
> + [VMENTER_L1D_FLUSH_NEVER] = "vulnerable",
> + [VMENTER_L1D_FLUSH_COND] = "mostly protected",
> + [VMENTER_L1D_FLUSH_ALWAYS] = "fully protected"
> +};
(This has the right order.)
> + if (boot_cpu_has(X86_BUG_L1TF)) {
> + switch (l1tf_mitigation) {
> + case L1TF_MITIGATION_NOVIRT_NOWARN:
> + /* The 'I explicitly don't care' flag is set */
> + break;
> + case L1TF_MITIGATION_NOVIRT:
> + /*
> + * Warn upon starting the first VM in a
> + * potentially insecure environment.
> + */
> + if (cpu_smt_control == CPU_SMT_ENABLED ||
> + vmentry_l1d_flush == VMENTER_L1D_FLUSH_NEVER)
> + pr_warn_once(L1TF_MSG_NOVIRT);
> + break;
> + case L1TF_MITIGATION_FULL:
> + /*
> + * Warn if SMT has been runtime-enabled. We can't
> + * really warn only once here, as SMT state is
> + * not constant.
> + */
> + if (cpu_smt_control == CPU_SMT_ENABLED)
> + pr_warn(L1TF_MSG_SMT);
> + break;
> + case L1TF_MITIGATION_FULL_FORCE:
> + /* All is good, proceed without hiccup */
> + break;
This has the definition-order too. So I'd suggest harmonizing the order.
> + /* Take the l1tf command line parameter into account */
Nit:
s/the l1tf command line parameter
/the l1tf= command line parameter
Just so that people know which exact parameter this is.
> extern enum cpuhp_smt_control cpu_smt_control;
> +void cpu_smt_disable(bool force);
Should perhaps be 'extern' too, like the other prototypes?
LGTM otherwise:
Reviewed-by: Ingo Molnar <mingo@kernel.org>
Thanks,
Ingo
next prev parent reply other threads:[~2018-07-09 10:26 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-08 12:52 [patch 0/2] Command line and documentation 0 Thomas Gleixner
2018-07-08 12:52 ` [patch 1/2] Command line and documentation 1 Thomas Gleixner
2018-07-08 14:00 ` [MODERATED] " Josh Poimboeuf
2018-07-08 14:13 ` Thomas Gleixner
2018-07-08 15:21 ` [MODERATED] " Josh Poimboeuf
2018-07-09 7:07 ` Thomas Gleixner
2018-07-09 13:14 ` Thomas Gleixner
2018-07-09 13:21 ` [MODERATED] " Jiri Kosina
2018-07-09 13:25 ` Jiri Kosina
2018-07-09 15:32 ` Josh Poimboeuf
2018-07-09 15:40 ` Thomas Gleixner
2018-07-09 15:44 ` [MODERATED] " Jiri Kosina
2018-07-08 20:32 ` Jiri Kosina
2018-07-09 0:33 ` Jon Masters
2018-07-09 10:26 ` Ingo Molnar [this message]
2018-07-09 21:45 ` Andi Kleen
2018-07-09 22:08 ` Andi Kleen
2018-07-09 22:40 ` Jiri Kosina
2018-07-10 11:53 ` Thomas Gleixner
2018-07-08 12:52 ` [patch 2/2] Command line and documentation 2 Thomas Gleixner
2018-07-08 14:40 ` [MODERATED] " Andrew Cooper
2018-07-09 7:05 ` Thomas Gleixner
2018-07-08 15:40 ` [MODERATED] " Josh Poimboeuf
2018-07-09 11:04 ` Ingo Molnar
2018-07-09 11:08 ` Jiri Kosina
2018-07-09 11:47 ` Ingo Molnar
2018-07-09 15:18 ` Thomas Gleixner
2018-07-09 22:07 ` [MODERATED] " Andi Kleen
2018-07-09 23:00 ` Josh Poimboeuf
2018-07-09 23:11 ` Andi Kleen
2018-07-09 23:45 ` Linus Torvalds
2018-07-10 2:44 ` Josh Poimboeuf
2018-07-10 5:57 ` Jiri Kosina
2018-07-10 6:22 ` Jiri Kosina
2018-07-10 17:46 ` Linus Torvalds
2018-07-10 21:22 ` Thomas Gleixner
2018-07-10 21:30 ` [MODERATED] " Linus Torvalds
2018-07-10 21:53 ` Linus Torvalds
2018-07-10 22:27 ` Thomas Gleixner
2018-07-10 22:37 ` [MODERATED] " Linus Torvalds
2018-07-10 22:42 ` Linus Torvalds
2018-07-10 22:50 ` Josh Poimboeuf
2018-07-11 13:56 ` Jon Masters
2018-07-11 14:48 ` Josh Poimboeuf
2018-07-10 22:20 ` Thomas Gleixner
2018-07-10 22:35 ` [MODERATED] " Linus Torvalds
2018-07-10 7:41 ` Thomas Gleixner
2018-07-10 8:44 ` [MODERATED] " Jiri Kosina
2018-07-10 10:32 ` Jiri Kosina
2018-07-10 22:57 ` Josh Poimboeuf
2018-07-10 19:36 ` Thomas Gleixner
2018-07-11 14:03 ` [MODERATED] " Jon Masters
2018-07-08 13:11 ` [patch 0/2] Command line and documentation 0 Thomas Gleixner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180709102645.GA26055@gmail.com \
--to=mingo@kernel.org \
--cc=speck@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.