Re: [PATCH v2 3/4] KVM: SVM: Prevent writes to TSC MSR when Secure TSC is enabled

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Sean Christopherson <seanjc@google.com>
To: Nikunj A Dadhania <nikunj@amd.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>,
	pbonzini@redhat.com, kvm@vger.kernel.org,
	 santosh.shukla@amd.com, bp@alien8.de, ketanch@iitk.ac.in,
	 isaku.yamahata@intel.com
Subject: Re: [PATCH v2 3/4] KVM: SVM: Prevent writes to TSC MSR when Secure TSC is enabled
Date: Wed, 12 Feb 2025 06:04:40 -0800	[thread overview]
Message-ID: <Z6yqeEQeLoTQx_QD@google.com> (raw)
In-Reply-To: <858qqbtv6m.fsf@amd.com>

On Wed, Feb 12, 2025, Nikunj A Dadhania wrote:
> Sean Christopherson <seanjc@google.com> writes:
> 
> > On Mon, Feb 10, 2025, Tom Lendacky wrote:
> >> On 2/10/25 03:22, Nikunj A Dadhania wrote:
> >> > Disallow writes to MSR_IA32_TSC for Secure TSC enabled SNP guests, as such
> >> > writes are not expected. Log the error and return #GP to the guest.
> >> 
> >> Re-word this to make it a bit clearer about why this is needed. It is
> >> expected that the guest won't write to MSR_IA32_TSC or, if it does, it
> >> will ignore any writes to it and not exit to the HV. So this is catching
> >> the case where that behavior is not occurring.
> >
> > Unless it's architectural impossible for KVM to modify MSR_IA32_TSC, I don't see
> > any reason for KVM to care.  If the guest wants to modify TSC, that's the guest's
> > prerogative.
> >
> > If KVM _can't_ honor the write, then that's something else entirely, and the
> > changelog should pretty much write itself.
> 
> How about the below changelog:
> 
>     KVM: SVM: Prevent writes to TSC MSR when Secure TSC is enabled
> 
>     Secure TSC enabled SNP guests should not write to the TSC MSR. Any such

This is a host write, not a guest write.  What guest's "should" or should not do
is irrelevant.

>     writes should be identified and ignored by the guest kernel in the #VC

Again, I don't care what the guest does.  Talking about #VC just adds noise.
E.g. if the guest requests WRMSR emulation without ever doing WRMSR, there will
be no #VC.

>     handler. As a safety measure, detect and disallow writes to MSR_IA32_TSC by

No, KVM is not the trusted monitor.  "safety measure" makes it sound like KVM is
protecting the guest from a malicious VMM.  That is not KVM's responsibility.

>     Secure TSC enabled guests, as these writes are not expected to reach the
>     hypervisor. Log the error and return #GP to the guest.

Again, none of this ever says what actually happens if KVM tries to emulate a
write to MSR_IA32_TSC.  Based on what the APM says, the TSC fields in the control
area are ignored.  _That's_ what's relevant.

  The TSC value is first scaled with the GUEST_TSC_SCALE value from the VMSA and
  then is added to the VMSA GUEST_TSC_OFFSET value. The P0 frequency, TSC_RATIO
  (C001_0104h) and TSC_OFFSET (VMCB offset 50h) values are not used in the calculation.

next prev parent reply	other threads:[~2025-02-12 14:04 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-02-10  9:22 [PATCH v2 0/4] Enable Secure TSC for SEV-SNP Nikunj A Dadhania
2025-02-10  9:22 ` [PATCH v2 1/4] x86/cpufeatures: Add SNP Secure TSC Nikunj A Dadhania
2025-02-11 14:30   ` Borislav Petkov
2025-02-10  9:22 ` [PATCH v2 2/4] KVM: SVM: Add GUEST_TSC_FREQ MSR for Secure TSC enabled guests Nikunj A Dadhania
2025-02-10  9:22 ` [PATCH v2 3/4] KVM: SVM: Prevent writes to TSC MSR when Secure TSC is enabled Nikunj A Dadhania
2025-02-10 20:21   ` Tom Lendacky
2025-02-11  8:24     ` Nikunj A Dadhania
2025-02-11 14:03       ` Tom Lendacky
2025-02-11 14:42         ` Tom Lendacky
2025-02-12  4:26           ` Nikunj A Dadhania
2025-02-11 22:37     ` Sean Christopherson
2025-02-12  8:37       ` Nikunj A Dadhania
2025-02-12 14:04         ` Sean Christopherson [this message]
2025-02-14  5:14           ` Nikunj A. Dadhania
2025-02-14  5:37             ` subscribe list archives
2025-02-10  9:22 ` [PATCH v2 4/4] KVM: SVM: Enable Secure TSC for SNP guests Nikunj A Dadhania
2025-02-10 20:41   ` Tom Lendacky
2025-02-11  8:11     ` Nikunj A Dadhania

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Z6yqeEQeLoTQx_QD@google.com \
    --to=seanjc@google.com \
    --cc=bp@alien8.de \
    --cc=isaku.yamahata@intel.com \
    --cc=ketanch@iitk.ac.in \
    --cc=kvm@vger.kernel.org \
    --cc=nikunj@amd.com \
    --cc=pbonzini@redhat.com \
    --cc=santosh.shukla@amd.com \
    --cc=thomas.lendacky@amd.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.