From: Sean Christopherson <seanjc@google.com>
To: Dave Hansen <dave.hansen@intel.com>
Cc: Xi Ruoyao <xry111@xry111.site>,
Dave Hansen <dave.hansen@linux.intel.com>,
Michael Kelley <mhklinux@outlook.com>,
Pawan Gupta <pawan.kumar.gupta@linux.intel.com>,
Andy Lutomirski <luto@kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
"H. Peter Anvin" <hpa@zytor.com>,
x86@kernel.org, linux-kernel@vger.kernel.org,
Andrew Cooper <andrew.cooper3@citrix.com>
Subject: Re: [PATCH v7 2/2] x86/mm: Don't disable INVLPG if the kernel is running on a hypervisor
Date: Tue, 16 Apr 2024 16:21:37 -0700 [thread overview]
Message-ID: <Zh8IAcT0fQoyes_1@google.com> (raw)
In-Reply-To: <af4c78c1-ccd5-4c4d-92de-564a44fa815b@intel.com>
On Thu, Apr 11, 2024, Dave Hansen wrote:
> On 4/11/24 09:22, Sean Christopherson wrote:
> > In other words, simply checking HYPERVISOR *might* be safe, but it might not.
> > If we wanted to be paranoid, this could also check X86_FEATURE_VMX, which also
> > doesn't guarantee VMX non-root mode and would unnecessarily restrict PCID usage
> > to setups that allow nested VMX, but AFAIK there aren't any hypervisors which
> > fully emulate VMX.
>
> X86_FEATURE_HYPERVISOR is most commonly used for vulnerabilities to see
> if the data coming out of CPUID is likely to be garbage or not. I think
> that's the most important thing to focus on.
>
> It's arguable that x86_match_cpu() itself should just have a:
>
> /*
> * Don't even waste our time when running under a hypervisor.
> * They lie.
> */
> if (boot_cpu_bas(X86_FEATURE_HYPERVISOR))
> return NULL;
>
> (well, it should probably actually be in the for() loop because folks
> might be looking for an X86_FEATURE_* that is set by software or derived
> from actually agreed-upon host<->guest ABI, but you get my point...)
>
> If the hypervisor is duplicitous enough to keep X86_FEATURE_HYPERVISOR
> from getting set, then the hypervisor gets to clean up the mess. The
> kernel can just wash its hands of the whole thing.
>
> So, there are two broad cases and a few sub-cases:
>
> 1. "Nice" hypervisor. Kernel sees X86_FEATURE_HYPERVISOR and knows that
> x86_match_cpu() and invlpg_miss_ids[] are irrelevant because:
> 1a. It is running in VMX non-root mode and is not vulnerable, or
> 1b. CPUID is a lie and x86_match_cpu() is meaningless, or
> 1c. The kernel is in ring3 and can't execute INVLPG anyway. Whatever
> is running in ring0 will have to deal with it.
> 2. X86_FEATURE_HYPERVISOR is unset.
> 2a. "Mean" hypervisor. All bets are off anyway.
> 2b. Actual bare metal. Actually look for the bug.
>
> I _think_ I'm OK with skipping the mitigation in all of the #1 cases and
> applying it in both of the #2 cases. I don't think that checking for
> VMX makes it much better.
>
> Am I missing anything?
I'm a-ok with just checking HYPERVISOR, I agree that the hypervisor is fully
responsible for correctly emulating PCID and INVLPG stuff for (1c).
My reaction was really just to the changelog equating HYPERVSIOR to VMX non-root.
next prev parent reply other threads:[~2024-04-16 23:21 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-11 14:43 [PATCH v7 1/2] x86/mm: Don't disable INVLPG if "incomplete Global INVLPG flushes" is fixed by microcode Xi Ruoyao
2024-04-11 14:43 ` [PATCH v7 2/2] x86/mm: Don't disable INVLPG if the kernel is running on a hypervisor Xi Ruoyao
2024-04-11 16:22 ` Sean Christopherson
2024-04-11 17:13 ` Dave Hansen
2024-04-16 23:21 ` Sean Christopherson [this message]
2024-04-11 16:11 ` [PATCH v7 1/2] x86/mm: Don't disable INVLPG if "incomplete Global INVLPG flushes" is fixed by microcode Sean Christopherson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Zh8IAcT0fQoyes_1@google.com \
--to=seanjc@google.com \
--cc=andrew.cooper3@citrix.com \
--cc=bp@alien8.de \
--cc=dave.hansen@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=hpa@zytor.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mhklinux@outlook.com \
--cc=mingo@redhat.com \
--cc=pawan.kumar.gupta@linux.intel.com \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
--cc=xry111@xry111.site \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.