From: Avi Kivity <avi@redhat.com>
To: Ingo Molnar <mingo@elte.hu>
Cc: Jes Sorensen <Jes.Sorensen@redhat.com>,
Joerg Roedel <joro@8bytes.org>, KVM General <kvm@vger.kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
Zachary Amsden <zamsden@redhat.com>,
Gleb Natapov <gleb@redhat.com>,
ming.m.lin@intel.com, "Zhang,
Yanmin" <yanmin_zhang@linux.intel.com>,
Peter Zijlstra <a.p.zijlstra@chello.nl>,
Thomas Gleixner <tglx@linutronix.de>,
"H. Peter Anvin" <hpa@zytor.com>,
Arjan van de Ven <arjan@infradead.org>,
Fr??d??ric Weisbecker <fweisbec@gmail.com>,
Arnaldo Carvalho de Melo <acme@redhat.com>
Subject: Re: KVM PMU virtualization
Date: Fri, 26 Feb 2010 15:53:51 +0200 [thread overview]
Message-ID: <4B87D26F.7080703@redhat.com> (raw)
In-Reply-To: <20100226134400.GB23422@elte.hu>
On 02/26/2010 03:44 PM, Ingo Molnar wrote:
> * Avi Kivity<avi@redhat.com> wrote:
>
>
>> On 02/26/2010 03:06 PM, Ingo Molnar wrote:
>>
>>>
>>>>> Firstly, an emulated PMU was only the second-tier option i suggested. By far
>>>>> the best approach is native API to the host regarding performance events and
>>>>> good guest side integration.
>>>>>
>>>>> Secondly, the PMU cannot be 'given' to the guest in the general case. Those
>>>>> are privileged registers. They can expose sensitive host execution details,
>>>>> etc. etc. So if you emulate a PMU you have to exit out of most PMU accesses
>>>>> anyway for a secure solution. (RDPMC can still be supported, but in close
>>>>> cooperation with the host)
>>>>>
>>>> There is nothing secret in the host PMU, and it's easy to clear out the
>>>> counters before passing them off to the guest.
>>>>
>>> That's wrong. On some CPUs the host PMU can be used to say sample aspects of
>>> another CPU, allowing statistical attacks to recover crypto keys. It can be
>>> used to sample memory access patterns of another node.
>>>
>>> There's a good reason PMU configuration registers are privileged and there's
>>> good value in only giving a certain sub-set to less privileged entities by
>>> default.
>>>
>> Even if there were no security considerations, if the guest can observe host
>> data in the pmu, it means the pmu is inaccurate. We should expose guest
>> data only in the guest pmu. That's not difficult to do, you stop the pmu on
>> exit and swap the counters on context switches.
>>
> Again you are making an incorrect assumption: that information leakage via the
> PMU only occurs while the host is running on that CPU. It does not - the PMU
> can leak general system details _while the guest is running_.
>
You mean like bus transactions on a multicore? Well, we're already
exposed to cache timing attacks.
> So for this and for the many other reasons we dont want to give a raw PMU to
> guests:
>
> - A paravirt event driver is more compatible and more transparent in the long
> run: it allows hardware upgrade and upgraded PMU functionality (for Linux)
> without having to upgrade the guest OS. Via that a guest OS could even be
> live-migrated to a different PMU, without noticing anything about it.
>
What about Windows?
> In contrast, a 'stolen', 'raw' PMU directly programmed by the guest OS
> always assumes the guest OS is upgraded to the host. Also, 'raw' PMU state
> cannot be live-migrated. (save/restore doesnt help)
>
Why not? So long as the source and destination are compatible?
> - It's far cleaner on the host side as well: more granular, per event usage
> is possible. The guest can use portion of the PMU (managed by the host),
> and the host can use a portion too.
>
> In contrast, a 'stolen', 'raw' PMU directly programmed by the guest OS
> precludes the host OS from running some different piece of instrumentation
> at the same time.
>
Right, time slicing is something we want.
> - It's more secure: the host can have a finegrained policy about what kinds of
> events it exposes to the guest. It might chose to only expose software
> events for example.
>
> In contrast, a 'stolen', 'raw' PMU directly programmed by the guest OS is
> an all-or-nothing policy affair: either you fully allow the guest (and live
> with whatever consequences the piece of hardware that takes up a fair chunk
> on the CPU die causes), or you allow none of it.
>
No, we can hide insecure events with a full pmu. Trap the control
register and don't pass it on to the hardware.
> - A proper paravirt event driver gives more features as well: it can exposes
> host software events and tracepoints, probes - not restricting itself to
> the 'hardware PMU' abstraction.
>
But it is limited to whatever the host stack supports. At least that's
our control, but things like PEBS will take a ton of work.
> - There's proper event scheduling and event allocation. Time-slicing, etc.
>
>
> The thing is, we made quite similar arguments in the past, during the perfmon
> vs. perfcounters discussions. There's really a big advantage to proper
> abstractions, both on the host and on the guest side.
>
We only control half of the equation. That's very different compared to
tools/perf.
--
Do not meddle in the internals of kernels, for they are subtle and quick to panic.
next prev parent reply other threads:[~2010-02-26 13:54 UTC|newest]
Thread overview: 99+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-02-25 15:04 KVM PMU virtualization Jes Sorensen
2010-02-25 15:44 ` Jan Kiszka
2010-02-25 16:26 ` Ingo Molnar
2010-02-26 2:52 ` Zhang, Yanmin
2010-02-26 8:45 ` Ingo Molnar
2010-02-26 11:03 ` Jes Sorensen
2010-02-25 17:34 ` Joerg Roedel
2010-02-26 2:55 ` Zhang, Yanmin
2010-02-26 8:51 ` Joerg Roedel
2010-02-26 9:17 ` Ingo Molnar
2010-02-26 10:42 ` Joerg Roedel
2010-02-26 10:56 ` Ingo Molnar
2010-03-02 7:09 ` Zhang, Yanmin
2010-03-02 9:36 ` Ingo Molnar
2010-03-03 3:32 ` Zhang, Yanmin
2010-03-03 9:27 ` Zhang, Yanmin
2010-03-03 10:13 ` Peter Zijlstra
2010-03-04 0:52 ` Zhang, Yanmin
2010-03-03 10:15 ` Peter Zijlstra
2010-03-04 1:00 ` Zhang, Yanmin
2010-03-10 9:29 ` Zhang, Yanmin
2010-03-02 9:57 ` Peter Zijlstra
2010-02-26 8:42 ` Ingo Molnar
2010-02-26 9:46 ` Avi Kivity
2010-02-26 10:39 ` Joerg Roedel
2010-02-26 10:46 ` Ingo Molnar
2010-02-26 10:51 ` Avi Kivity
2010-02-26 11:06 ` Joerg Roedel
2010-02-26 11:18 ` Jes Sorensen
2010-02-26 11:24 ` Ingo Molnar
2010-02-26 11:25 ` Jes Sorensen
2010-02-26 11:20 ` Ingo Molnar
2010-02-26 10:44 ` Ingo Molnar
2010-02-26 11:16 ` Avi Kivity
2010-02-26 11:26 ` Ingo Molnar
2010-02-26 11:47 ` Avi Kivity
2010-02-26 11:23 ` Jes Sorensen
2010-02-26 11:42 ` Ingo Molnar
2010-02-26 11:51 ` Avi Kivity
2010-02-26 12:07 ` Ingo Molnar
2010-02-26 12:20 ` Avi Kivity
2010-02-26 12:38 ` Ingo Molnar
2010-02-26 13:04 ` Avi Kivity
2010-02-26 13:13 ` Jes Sorensen
2010-02-26 13:27 ` Ingo Molnar
2010-02-26 13:33 ` Avi Kivity
2010-02-26 14:07 ` Jes Sorensen
2010-02-26 14:11 ` Avi Kivity
2010-02-26 13:18 ` Ingo Molnar
2010-02-26 13:34 ` Jes Sorensen
2010-02-26 12:56 ` Jes Sorensen
2010-02-26 13:31 ` Ingo Molnar
2010-02-26 13:37 ` Jes Sorensen
2010-02-26 13:55 ` Avi Kivity
2010-02-26 14:27 ` Peter Zijlstra
2010-02-26 14:54 ` Avi Kivity
2010-02-26 15:08 ` Peter Zijlstra
2010-02-26 15:11 ` Avi Kivity
2010-02-26 15:18 ` Peter Zijlstra
2010-02-26 15:55 ` Peter Zijlstra
2010-02-26 16:06 ` Avi Kivity
2010-03-01 19:03 ` Zachary Amsden
2010-03-01 18:54 ` Zachary Amsden
2010-02-26 13:40 ` Avi Kivity
2010-02-26 14:01 ` Ingo Molnar
2010-02-26 14:22 ` Avi Kivity
2010-02-26 14:37 ` Ingo Molnar
2010-02-26 16:03 ` Avi Kivity
2010-02-26 16:07 ` Avi Kivity
2010-02-26 13:28 ` Peter Zijlstra
2010-02-26 13:44 ` Avi Kivity
2010-02-26 13:51 ` Jes Sorensen
2010-02-26 14:42 ` Peter Zijlstra
2010-03-08 18:14 ` Avi Kivity
2010-02-26 12:49 ` Jes Sorensen
2010-02-26 13:06 ` Ingo Molnar
2010-02-26 13:30 ` Avi Kivity
2010-02-26 13:32 ` Jes Sorensen
2010-02-26 13:44 ` Ingo Molnar
2010-02-26 13:53 ` Avi Kivity [this message]
2010-02-26 14:12 ` Ingo Molnar
2010-02-26 14:53 ` Avi Kivity
2010-02-26 15:14 ` Peter Zijlstra
2010-02-28 16:34 ` Joerg Roedel
2010-02-28 16:31 ` Joerg Roedel
2010-02-28 16:11 ` Joerg Roedel
2010-03-01 8:39 ` Ingo Molnar
2010-03-01 8:58 ` Joerg Roedel
2010-03-01 9:04 ` Ingo Molnar
2010-03-01 8:44 ` Ingo Molnar
2010-03-01 11:11 ` Joerg Roedel
2010-03-01 17:17 ` Peter Zijlstra
2010-03-01 18:36 ` Joerg Roedel
2010-03-08 10:15 ` Avi Kivity
2010-02-26 14:49 ` Peter Zijlstra
2010-02-26 14:50 ` Peter Zijlstra
2010-02-26 13:31 ` Jes Sorensen
2010-03-01 17:22 ` Zachary Amsden
2010-02-26 11:01 ` Jes Sorensen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4B87D26F.7080703@redhat.com \
--to=avi@redhat.com \
--cc=Jes.Sorensen@redhat.com \
--cc=a.p.zijlstra@chello.nl \
--cc=acme@redhat.com \
--cc=arjan@infradead.org \
--cc=fweisbec@gmail.com \
--cc=gleb@redhat.com \
--cc=hpa@zytor.com \
--cc=joro@8bytes.org \
--cc=kvm@vger.kernel.org \
--cc=ming.m.lin@intel.com \
--cc=mingo@elte.hu \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=yanmin_zhang@linux.intel.com \
--cc=zamsden@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.