From: Sean Christopherson <seanjc@google.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 9/9] KVM: x86: Disable KVM_INTEL_PROVE_VE by default
Date: Tue, 21 May 2024 17:29:23 -0700 [thread overview]
Message-ID: <Zk08Yx-GCBqsIMcL@google.com> (raw)
In-Reply-To: <CABgObfaE+M5QuTfAZ01OjeB87vGmjRgDUH=rnNX8FHzc7t1Oag@mail.gmail.com>
On Tue, May 21, 2024, Paolo Bonzini wrote:
> On Tue, May 21, 2024 at 8:18 PM Sean Christopherson <seanjc@google.com> wrote:
> > > - This should never be enabled in a production environment.
> > > + Note that #VE trapping appears to be buggy on some CPUs.
> >
> > I see where you're coming from, but I don't think "trapping" is much better,
> > e.g. it suggests there's something broken with the interception of #VEs. Ah,
> > the entire help text is weird.
>
> Yeah, I didn't want to say #VE is broken altogether -
Ah, yeah, good call. The #VE isn't broken per se, just spurious/unexpected.
> interception is where we saw issues,
It's not an issue with interception, disabling #VE intercepts results in the #VE
being delivered to the guest.
Test suite: ept_access_test_not_present
PTE[4] @ 109fff8 = 9fed0007
PTE[3] @ 9fed0ff0 = 9fed1007
PTE[2] @ 9fed1000 = 9fed2007
VA PTE @ 9fed2000 = 8000000007
Created EPT @ 9feca008 = 11d2007
Created EPT @ 11d2000 = 11d3007
Created EPT @ 11d3000 = 11d4007
L1 hva = 40000000, hpa = 40000000, L2 gva = ffffffff80000000, gpa = 8000000000
Unhandled exception 8 #DF at ip 0000000000410d39
error_code=0000 rflags=00010097 cs=00000008
rax=ffffffff80000000 rcx=0000000000000000 rdx=0000000000000000 rbx=0000000000000000
rbp=000000009fec6fe0 rsi=0000000000000000 rdi=0000000000000000
r8=0000000000000000 r9=0000000000000000 r10=0000000000000000 r11=0000000000000000
r12=ffffffff80000008 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000
cr0=0000000080010031 cr2=0000000000000000 cr3=000000000109f000 cr4=0000000000002020
cr8=0000000000000000
STACK: @410d39 40144a 4002dd
> and #VE is used in production as far as I know (not just by TDX; at least Xen
> and maybe Hyper-V use it for anti-malware purposes?).
Hmm, maybe a spurious #VE is benign? Or it really is limited to A/D bits being
disabled? Not that us speculating is going to change anything :-)
> Maybe "Note: there appear to be bugs in some CPUs that will trigger
> the WARN, in particular with eptad=0 and/or nested virtualization"
> covers all bases.
Works for me. Maybe tweak it slightly to explain why the WARN is triggered?
Note, some CPUs appear to generate spurious EPT Violations #VEs that trigger
KVM's WARN, in particular with eptad=0 and/or nested virtualization.
next prev parent reply other threads:[~2024-05-22 0:29 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-18 0:04 [PATCH 0/9] KVM: x86: Fixes for KVM_INTEL_PROVE_VE Sean Christopherson
2024-05-18 0:04 ` [PATCH 1/9] KVM: x86/mmu: Use SHADOW_NONPRESENT_VALUE for atomic zap in TDP MMU Sean Christopherson
2024-05-20 12:38 ` Huang, Kai
2024-05-21 7:21 ` Isaku Yamahata
2024-05-18 0:04 ` [PATCH 2/9] KVM: nVMX: Initialize #VE info page for vmcs02 when proving #VE support Sean Christopherson
2024-05-20 23:09 ` Huang, Kai
2024-05-20 23:22 ` Sean Christopherson
2024-05-20 23:49 ` Huang, Kai
2024-05-21 0:21 ` Sean Christopherson
2024-05-21 0:42 ` Huang, Kai
2024-05-21 1:02 ` Sean Christopherson
2024-05-18 0:04 ` [PATCH 3/9] KVM: nVMX: Always handle #VEs in L0 (never forward #VEs from L2 to L1) Sean Christopherson
2024-05-18 0:04 ` [PATCH 4/9] KVM: x86/mmu: Add sanity checks that KVM doesn't create EPT #VE SPTEs Sean Christopherson
2024-05-18 0:04 ` [PATCH 5/9] KVM: VMX: Dump VMCS on unexpected #VE Sean Christopherson
2024-05-18 0:04 ` [PATCH 6/9] KVM: x86/mmu: Print SPTEs " Sean Christopherson
2024-05-18 0:04 ` [PATCH 7/9] KVM: VMX: Don't kill the VM on an " Sean Christopherson
2024-05-18 0:04 ` [PATCH 8/9] KVM: VMX: Enumerate EPT Violation #VE support in /proc/cpuinfo Sean Christopherson
2024-05-18 0:04 ` [PATCH 9/9] KVM: x86: Disable KVM_INTEL_PROVE_VE by default Sean Christopherson
2024-05-21 17:36 ` Paolo Bonzini
2024-05-21 18:18 ` Sean Christopherson
2024-05-21 20:25 ` Paolo Bonzini
2024-05-22 0:29 ` Sean Christopherson [this message]
2024-05-23 16:41 ` [PATCH 0/9] KVM: x86: Fixes for KVM_INTEL_PROVE_VE Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Zk08Yx-GCBqsIMcL@google.com \
--to=seanjc@google.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.