From: Paolo Bonzini <pbonzini@redhat.com>
To: "Wang, Wei W" <wei.w.wang@intel.com>,
	"Zhang, Yang Z" <yang.z.zhang@intel.com>,
	"Michael S. Tsirkin" <mst@redhat.com>,
	"virt-intel-list@redhat.com" <virt-intel-list@redhat.com>
Cc: "Wanpeng Li" <wanpeng.li@linux.intel.com>,
	"Radim Krčmář" <rkrcmar@redhat.com>,
	"Xiao Guangrong" <guangrong.xiao@linux.intel.com>,
	"Kai Huang" <kai.huang@linux.intel.com>,
	"kvm@vger.kernel.org" <kvm@vger.kernel.org>,
	"Nakajima, Jun" <jun.nakajima@intel.com>
Subject: Re: [PATCH] kvm/vmx: EPTP switching test
Date: Tue, 17 Nov 2015 12:18:14 +0100
Message-ID: <564B0CF6.3000202@redhat.com>
In-Reply-To: <286AC319A985734F985F78AFA26841F7AC936F@shsmsx102.ccr.corp.intel.com>



On 17/11/2015 11:44, Wang, Wei W wrote:
> On 17/11/2015 18:18,  Paolo Bonzini wrote:
>> On 17/11/2015 02:45, Zhang, Yang Z wrote:
>>> We have a different version in hand which is using separate
>>> EPTP.
>> 
>> Can you say in advance what you are using EPTP switching for?
>> Offlist if necessary.
> 
> Hi Paolo,
> 
> We are using EPTP switching for a protected inter-VM communication
> design, as shown in the slides (#23) here:
> http://events.linuxfoundation.org/sites/events/files/slides/Jun_Nakajima_NFV_KVM%202015_final.pdf

[offlist, adding virt-intel-list@redhat.com]

If the EPTP switch is only adding extra data pages (e.g. mapping another
guest's memory inside a PCI BAR), this can work.

However, slides 24 and 25 suggest that the executable pages change
between the two EPTP views, similar to Jun's KVM Forum 2014
presentation.  Michael and I explained in Seattle that this only works
if the guest is trusted.  I am a bit disappointed that Intel continued
developing this feature without contacting us or without urging us to
present our issues more formally.

I think I should make this very clear: I am not going to accept in KVM a
feature that requires the guest to be trusted.  A trusted guest kernel
may make sense for other applications of VMFUNC (e.g. McAfee memory
scan) but not for virtualization; if the guest is trusted, you don't
have virtualization anymore.

Michael and I are going to present our findings to Intel soon.  This
will hopefully clarify why the guest has to be trusted.  We will also
present possible extensions to VMFUNC that enable its usage with
untrusted guests, albeit only at CPL=0.

Asit Mallick is going to contact Jun about this so we can organize the
meeting.  Unfortunately it is going to be hard for everyone to attend
since we have people in Europe, US and China, but we will share the slides.

Thanks,

Paolo
