From: Sean Christopherson <sean.j.christopherson@intel.com>
To: Jim Mattson <jmattson@google.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>,
Vitaly Kuznetsov <vkuznets@redhat.com>,
Wanpeng Li <wanpengli@tencent.com>,
Joerg Roedel <joro@8bytes.org>, kvm list <kvm@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
Weijiang Yang <weijiang.yang@intel.com>
Subject: Re: [RFC PATCH] KVM: x86: Disallow KVM_SET_CPUID{2} if the vCPU is in guest mode
Date: Wed, 18 Dec 2019 12:10:02 -0800 [thread overview]
Message-ID: <20191218201002.GE25201@linux.intel.com> (raw)
In-Reply-To: <CALMp9eR-ssCUT_6oZntZ=-5SEN7Y8q-HnraKW=WDHuAn9gYZfQ@mail.gmail.com>
On Wed, Dec 18, 2019 at 11:38:43AM -0800, Jim Mattson wrote:
> On Wed, Dec 18, 2019 at 9:42 AM Sean Christopherson
> <sean.j.christopherson@intel.com> wrote:
> >
> > Reject KVM_SET_CPUID{2} with -EBUSY if the vCPU is in guest mode (L2) to
> > avoid complications and potentially undesirable KVM behavior. Allowing
> > userspace to change a guest's capabilities while L2 is active would at
> > best result in unexpected behavior in the guest (L1 or L2), and at worst
> > induce bad KVM behavior by breaking fundamental assumptions regarding
> > transitions between L0, L1 and L2.
>
> This seems a bit contrived. As long as we're breaking the ABI, can we
> disallow changes to CPUID once the vCPU has been powered on?
I can at least concoct scenarios where changing CPUID after KVM_RUN
provides value, e.g. effectively creating a new VM/vCPU without destroying
the kernel's underlying data structures and without putting the file
descriptors, for performance (especially if KVM avoids its hardware on/off
paths) or sandboxing (process has access to a VM fd, but not /dev/kvm).
A truly contrived, but technically architecturally accurate, scenario would
be modeling SGX interaction with the machine check architecutre. Per the
SDM, #MCs or clearing bits in IA32_MCi_CTL disable SGX, which is reflected
in CPUID:
Any machine check exception (#MC) that occurs after Intel SGX is first
enables causes Intel SGX to be disabled, (CPUID.SGX_Leaf.0:EAX[SGX1] == 0)
It cannot be enabled until after the next reset.
Any act of clearing bits from '1 to '0 in any of the IA32_MCi_CTL register
may disable Intel SGX (set CPUID.SGX_Leaf.0:EAX[SGX1] to 0) until the next
reset.
I doubt a userspace VMM would actively model that behavior, but it's at
least theoretically possible. Yes, it would technically be possible for
SGX to be disabled while L2 is active, but I don't think it's unreasonable
to require userspace to first force the vCPU out of L2.
next prev parent reply other threads:[~2019-12-18 20:10 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-18 17:42 [RFC PATCH] KVM: x86: Disallow KVM_SET_CPUID{2} if the vCPU is in guest mode Sean Christopherson
2019-12-18 19:38 ` Jim Mattson
2019-12-18 20:10 ` Sean Christopherson [this message]
2019-12-18 20:57 ` Jim Mattson
2019-12-18 21:24 ` Sean Christopherson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191218201002.GE25201@linux.intel.com \
--to=sean.j.christopherson@intel.com \
--cc=jmattson@google.com \
--cc=joro@8bytes.org \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=vkuznets@redhat.com \
--cc=wanpengli@tencent.com \
--cc=weijiang.yang@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.