From: Sean Christopherson <seanjc@google.com>
To: Kim Phillips <kim.phillips@amd.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>,
qemu-devel@nongnu.org, kvm@vger.kernel.org,
Michael Roth <michael.roth@amd.com>,
Ashish Kalra <ashish.kalra@amd.com>,
"Nikunj A . Dadhania" <nikunj@amd.com>,
Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Kishon Vijay Abraham I <kvijayab@amd.com>
Subject: Re: [PATCH v3 2/2] KVM: SEV: Configure "ALLOWED_SEV_FEATURES" VMCB Field
Date: Thu, 13 Feb 2025 16:55:13 -0800 [thread overview]
Message-ID: <Z66UcY8otZosvnxY@google.com> (raw)
In-Reply-To: <6829cf75-5bf3-4a89-afbe-cfd489b2b24b@amd.com>
On Thu, Feb 13, 2025, Kim Phillips wrote:
> On 2/11/25 3:46 PM, Sean Christopherson wrote:
> > On Mon, Feb 10, 2025, Tom Lendacky wrote:
> > > On 2/7/25 17:34, Kim Phillips wrote:
> > > > diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
> > > > index a2a794c32050..a9e16792cac0 100644
> > > > --- a/arch/x86/kvm/svm/sev.c
> > > > +++ b/arch/x86/kvm/svm/sev.c
> > > > @@ -894,9 +894,19 @@ static int sev_es_sync_vmsa(struct vcpu_svm *svm)
> > > > return 0;
> > > > }
> > > > +static u64 allowed_sev_features(struct kvm_sev_info *sev)
> > > > +{
> > > > + if (cpu_feature_enabled(X86_FEATURE_ALLOWED_SEV_FEATURES) &&
> > >
> > > Not sure if the cpu_feature_enabled() check is necessary, as init should
> > > have failed if SVM_SEV_FEAT_ALLOWED_SEV_FEATURES wasn't set in
> > > sev_supported_vmsa_features.
> >
> > Two things missing from this series:
> >
> > 1: KVM enforcement. No way is KVM going to rely on userspace to opt-in to
> > preventing the guest from enabling features.
> > 2: Backwards compatilibity if KVM unconditionally enforces ALLOWED_SEV_FEATURES.
> > Although maybe there's nothing to do here? I vaguely recall all of the gated
> > features being unsupported, or something...
>
> This contradicts your review comment from the previous version of the series [1].
First off, my comment was anything but decisive. I don't see how anyone can read
this and come away thinking "this is exactly what Sean wants".
This may need additional uAPI so that userspace can opt-in. Dunno. I hope guests
aren't abusing features, but IIUC, flipping this on has the potential to break
existing VMs, correct?
Second, there's a clear question there that went unanswered. Respond to questions
and elaborate as needed until we're all on the same page. Don't just send patches.
Third, letting userspace opt-in to something doesn't necessarily mean giving
userspace full control. Which is the entire reason I asked the question about
whether or not this can break userspace. E.g. we can likely get away with only
making select features opt-in, and enforcing everything else by default.
I don't think RESTRICTED_INJECTION or ALTERNATE_INJECTION can work without KVM
cooperation, so enforcing those shouldn't break anything.
It's still not clear to me that we don't have a bug with DEBUG_SWAP. AIUI,
DEBUG_SWAP is allowed by default. I.e. if ALLOWED_FEATURES is unsupported, then
the guest can use DEBUG_SWAP via SVM_VMGEXIT_AP_CREATE without KVM's knowledge.
So _maybe_ we have to let userspace opt-in to enforcing DEBUG_SWAP, but I suspect
we can get away with fully enabling ALLOWED_FEATURES without userspace's blessing.
> If KVM enforces ALLOWED_SEV_FEATURES, it can break existing VMs, thus
> the explicit userspace allowed-sev-features=on opt-in [2].
>
> Thanks,
>
> Kim
>
> [1] https://lore.kernel.org/kvm/ZsfKYHFkWA-Rh23C@google.com/
> [2] https://lore.kernel.org/kvm/20250207233327.130770-1-kim.phillips@amd.com/
next prev parent reply other threads:[~2025-02-14 0:55 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-07 23:34 [PATCH v3 0/2] KVM: SEV: Add support for the ALLOWED_SEV_FEATURES feature Kim Phillips
2025-02-07 23:34 ` [PATCH v3 1/2] x86/cpufeatures: Add "Allowed SEV Features" Feature Kim Phillips
2025-02-10 17:20 ` Tom Lendacky
2025-02-07 23:34 ` [PATCH v3 2/2] KVM: SEV: Configure "ALLOWED_SEV_FEATURES" VMCB Field Kim Phillips
2025-02-10 18:08 ` Tom Lendacky
2025-02-11 21:46 ` Sean Christopherson
2025-02-13 23:03 ` Kim Phillips
2025-02-14 0:55 ` Sean Christopherson [this message]
2025-02-14 21:59 ` Kim Phillips
2025-02-18 17:07 ` Sean Christopherson
2025-02-17 6:43 ` Naveen N Rao
2025-02-18 16:38 ` Sean Christopherson
2025-02-18 18:33 ` Sean Christopherson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z66UcY8otZosvnxY@google.com \
--to=seanjc@google.com \
--cc=ashish.kalra@amd.com \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=kim.phillips@amd.com \
--cc=kvijayab@amd.com \
--cc=kvm@vger.kernel.org \
--cc=michael.roth@amd.com \
--cc=nikunj@amd.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=thomas.lendacky@amd.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.