From: Sean Christopherson <seanjc@google.com>
To: Josh Poimboeuf <jpoimboe@kernel.org>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>,
x86@kernel.org, linux-kernel@vger.kernel.org,
Borislav Petkov <bp@alien8.de>,
Peter Zijlstra <peterz@infradead.org>,
Babu Moger <babu.moger@amd.com>,
Paolo Bonzini <pbonzini@redhat.com>,
David.Kaplan@amd.com, Nikolay Borisov <nik.borisov@suse.com>,
gregkh@linuxfoundation.org, Thomas Gleixner <tglx@linutronix.de>
Subject: Re: [PATCH 03/22] KVM: x86: Support IBPB_BRTYPE and SBPB
Date: Mon, 21 Aug 2023 16:35:41 +0000 [thread overview]
Message-ID: <ZOOSXc9NE1rMHDZ1@google.com> (raw)
In-Reply-To: <20230821162337.imzjf3golstkrrgd@treble>
On Mon, Aug 21, 2023, Josh Poimboeuf wrote:
> On Mon, Aug 21, 2023 at 10:34:38AM +0100, Andrew Cooper wrote:
> > On 21/08/2023 2:19 am, Josh Poimboeuf wrote:
> > > The IBPB_BRTYPE and SBPB CPUID bits aren't set by HW.
> >
> > "Current hardware".
> >
> > > diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> > > index c381770bcbf1..dd7472121142 100644
> > > --- a/arch/x86/kvm/x86.c
> > > +++ b/arch/x86/kvm/x86.c
> > > @@ -3676,12 +3676,13 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
> > > if (!msr_info->host_initiated && !guest_has_pred_cmd_msr(vcpu))
> > > return 1;
> > >
> > > - if (!boot_cpu_has(X86_FEATURE_IBPB) || (data & ~PRED_CMD_IBPB))
> > > + if (boot_cpu_has(X86_FEATURE_IBPB) && data == PRED_CMD_IBPB)
> > > + wrmsrl(MSR_IA32_PRED_CMD, PRED_CMD_IBPB);
> > > + else if (boot_cpu_has(X86_FEATURE_SBPB) && data == PRED_CMD_SBPB)
> > > + wrmsrl(MSR_IA32_PRED_CMD, PRED_CMD_SBPB);
> > > + else if (data)
> > > return 1;
> >
> > SBPB | IBPB is an explicitly permitted combination, but will be rejected
> > by this logic.
>
> Ah yes, I see that now:
>
> If software writes PRED_CMD with both bits 0 and 7 set to 1, the
> processor performs an IBPB operation.
The KVM code being a bit funky isn't doing you any favors. This is the least
awful approach I could come up with:
case MSR_IA32_PRED_CMD: {
u64 reserved_bits = ~(PRED_CMD_IBPB | PRED_CMD_SBPB);
if (!msr_info->host_initiated) {
if (!guest_has_pred_cmd_msr(vcpu))
return 1;
if (!guest_cpuid_has(vcpu, X86_FEATURE_SBPB))
reserved_bits |= PRED_CMD_SBPB;
}
if (!boot_cpu_has(X86_FEATURE_IBPB))
reserved_bits |= PRED_CMD_IBPB;
if (!boot_cpu_has(X86_FEATURE_SBPB))
reserved_bits |= PRED_CMD_SBPB;
if (!data)
break;
wrmsrl(MSR_IA32_PRED_CMD, data);
break;
}
There are more wrinkles though. KVM passes through MSR_IA32_PRED_CMD based on
IBPB. If hardware supports both IBPB and SBPB, but userspace does NOT exposes
SBPB to the guest, then KVM will create a virtualization hole where the guest can
write SBPB against userspace's wishes. I haven't read up on SBPB enought o know
whether or not that's problematic.
And conversely, if userspace expoes SBPB but not IBPB, then KVM will intercept
writes to MSR_IA32_PRED_CMD and probably tank guest performance. Again, I haven't
paid attention enough to know if this is a reasonable configuration, i.e. whether
or not it's worth caring about in KVM.
If the virtualization holes are deemed safe, then the easiest thing would be to
treat MSR_IA32_PRED_CMD as existing if either IBPB or SBPB exists. E.g.
diff --git a/arch/x86/kvm/cpuid.h b/arch/x86/kvm/cpuid.h
index b1658c0de847..e4db844a58fe 100644
--- a/arch/x86/kvm/cpuid.h
+++ b/arch/x86/kvm/cpuid.h
@@ -174,7 +174,8 @@ static inline bool guest_has_spec_ctrl_msr(struct kvm_vcpu *vcpu)
static inline bool guest_has_pred_cmd_msr(struct kvm_vcpu *vcpu)
{
return (guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL) ||
- guest_cpuid_has(vcpu, X86_FEATURE_AMD_IBPB));
+ guest_cpuid_has(vcpu, X86_FEATURE_AMD_IBPB) ||
+ guest_cpuid_has(vcpu, X86_FEATURE_SBPB));
}
static inline bool supports_cpuid_fault(struct kvm_vcpu *vcpu)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 12688754c556..aa4620fb43f8 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -3656,17 +3656,33 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
vcpu->arch.perf_capabilities = data;
kvm_pmu_refresh(vcpu);
break;
- case MSR_IA32_PRED_CMD:
- if (!msr_info->host_initiated && !guest_has_pred_cmd_msr(vcpu))
- return 1;
+ case MSR_IA32_PRED_CMD: {
+ u64 reserved_bits = ~(PRED_CMD_IBPB | PRED_CMD_SBPB);
+
+ if (!msr_info->host_initiated) {
+ if (!guest_has_pred_cmd_msr(vcpu))
+ return 1;
+
+ if (!guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL) &&
+ !guest_cpuid_has(vcpu, X86_FEATURE_AMD_IBPB))
+ reserved_bits |= PRED_CMD_IBPB;
+
+ if (!guest_cpuid_has(vcpu, X86_FEATURE_SBPB))
+ reserved_bits |= PRED_CMD_SBPB;
+ }
+
+ if (!boot_cpu_has(X86_FEATURE_IBPB))
+ reserved_bits |= PRED_CMD_IBPB;
+
+ if (!boot_cpu_has(X86_FEATURE_SBPB))
+ reserved_bits |= PRED_CMD_SBPB;
- if (!boot_cpu_has(X86_FEATURE_IBPB) || (data & ~PRED_CMD_IBPB))
- return 1;
if (!data)
break;
- wrmsrl(MSR_IA32_PRED_CMD, PRED_CMD_IBPB);
+ wrmsrl(MSR_IA32_PRED_CMD, data);
break;
+ }
case MSR_IA32_FLUSH_CMD:
if (!msr_info->host_initiated &&
!guest_cpuid_has(vcpu, X86_FEATURE_FLUSH_L1D))
next prev parent reply other threads:[~2023-08-21 16:35 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-21 1:18 [PATCH 00/22] SRSO fixes/cleanups Josh Poimboeuf
2023-08-21 1:18 ` [PATCH 01/22] x86/srso: Fix srso_show_state() side effect Josh Poimboeuf
2023-08-21 5:42 ` Nikolay Borisov
2023-08-21 6:04 ` Borislav Petkov
2023-08-21 16:17 ` Josh Poimboeuf
2023-08-22 5:23 ` Borislav Petkov
2023-08-21 1:18 ` [PATCH 02/22] x86/srso: Set CPUID feature bits independently of bug or mitigation status Josh Poimboeuf
2023-08-21 5:42 ` Nikolay Borisov
2023-08-21 9:27 ` Andrew Cooper
2023-08-21 14:06 ` Borislav Petkov
2023-08-23 5:20 ` Borislav Petkov
2023-08-23 12:22 ` Andrew Cooper
2023-08-24 4:24 ` Borislav Petkov
2023-08-24 22:04 ` Josh Poimboeuf
2023-08-25 6:42 ` Borislav Petkov
2023-08-21 13:59 ` Borislav Petkov
2023-08-21 1:19 ` [PATCH 03/22] KVM: x86: Support IBPB_BRTYPE and SBPB Josh Poimboeuf
2023-08-21 9:34 ` Andrew Cooper
2023-08-21 16:23 ` Josh Poimboeuf
2023-08-21 16:35 ` Sean Christopherson [this message]
2023-08-21 16:46 ` Nikolay Borisov
2023-08-21 16:50 ` Sean Christopherson
2023-08-21 17:05 ` Josh Poimboeuf
2023-08-24 16:39 ` Sean Christopherson
2023-08-24 17:07 ` Josh Poimboeuf
2023-08-21 16:49 ` Sean Christopherson
2023-08-21 1:19 ` [PATCH 04/22] x86/srso: Fix SBPB enablement for spec_rstack_overflow=off Josh Poimboeuf
2023-08-21 14:16 ` Borislav Petkov
2023-08-21 16:36 ` Josh Poimboeuf
2023-08-22 5:54 ` Borislav Petkov
2023-08-22 6:07 ` Borislav Petkov
2023-08-22 21:59 ` Josh Poimboeuf
2023-08-23 1:27 ` Borislav Petkov
2023-08-21 1:19 ` [PATCH 05/22] x86/srso: Fix SBPB enablement for mitigations=off Josh Poimboeuf
2023-08-23 5:57 ` Borislav Petkov
2023-08-23 20:55 ` Josh Poimboeuf
2023-08-23 23:02 ` Josh Poimboeuf
2023-08-21 1:19 ` [PATCH 06/22] x86/srso: Print actual mitigation if requested mitigation isn't possible Josh Poimboeuf
2023-08-23 6:06 ` Borislav Petkov
2023-08-21 1:19 ` [PATCH 07/22] x86/srso: Remove default case in srso_select_mitigation() Josh Poimboeuf
2023-08-23 6:18 ` Borislav Petkov
2023-08-21 1:19 ` [PATCH 08/22] x86/srso: Downgrade retbleed IBPB warning to informational message Josh Poimboeuf
2023-08-24 4:43 ` Borislav Petkov
2023-08-21 1:19 ` [PATCH 09/22] x86/srso: Simplify exit paths Josh Poimboeuf
2023-08-21 1:19 ` [PATCH 10/22] x86/srso: Print mitigation for retbleed IBPB case Josh Poimboeuf
2023-08-24 4:48 ` Borislav Petkov
2023-08-24 21:40 ` Josh Poimboeuf
2023-08-21 1:19 ` [PATCH 11/22] x86/srso: Slight simplification Josh Poimboeuf
2023-08-24 4:55 ` Borislav Petkov
2023-08-21 1:19 ` [PATCH 12/22] x86/srso: Remove redundant X86_FEATURE_ENTRY_IBPB check Josh Poimboeuf
2023-08-25 7:09 ` Borislav Petkov
2023-08-21 1:19 ` [PATCH 13/22] x86/srso: Fix vulnerability reporting for missing microcode Josh Poimboeuf
2023-08-25 7:25 ` Borislav Petkov
2023-08-21 1:19 ` [PATCH 14/22] x86/srso: Fix unret validation dependencies Josh Poimboeuf
2023-08-21 1:19 ` [PATCH 15/22] x86/alternatives: Remove faulty optimization Josh Poimboeuf
2023-08-21 1:19 ` [PATCH 16/22] x86/srso: Unexport untraining functions Josh Poimboeuf
2023-08-21 5:50 ` Nikolay Borisov
2023-08-21 1:19 ` [PATCH 17/22] x86/srso: Disentangle rethunk-dependent options Josh Poimboeuf
2023-08-21 1:19 ` [PATCH 18/22] x86/rethunk: Use SYM_CODE_START[_LOCAL]_NOALIGN macros Josh Poimboeuf
2023-08-21 1:19 ` [PATCH 19/22] x86/srso: Improve i-cache locality for alias mitigation Josh Poimboeuf
2023-08-21 1:19 ` [PATCH 20/22] x86/retpoline: Remove .text..__x86.return_thunk section Josh Poimboeuf
2023-08-21 1:19 ` [PATCH 21/22] x86/nospec: Refactor UNTRAIN_RET[_*] Josh Poimboeuf
2023-08-21 1:19 ` [PATCH 22/22] x86/calldepth: Rename __x86_return_skl() to call_depth_return_thunk() Josh Poimboeuf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZOOSXc9NE1rMHDZ1@google.com \
--to=seanjc@google.com \
--cc=David.Kaplan@amd.com \
--cc=andrew.cooper3@citrix.com \
--cc=babu.moger@amd.com \
--cc=bp@alien8.de \
--cc=gregkh@linuxfoundation.org \
--cc=jpoimboe@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=nik.borisov@suse.com \
--cc=pbonzini@redhat.com \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.