From: Sean Christopherson <seanjc@google.com>
To: Jon Kohler <jon@nutanix.com>
Cc: pbonzini@redhat.com, tglx@linutronix.de, mingo@redhat.com,
bp@alien8.de, dave.hansen@linux.intel.com, x86@kernel.org,
hpa@zytor.com, kvm@vger.kernel.org,
linux-kernel@vger.kernel.org,
Sergey Dyasli <sergey.dyasli@nutanix.com>
Subject: Re: [RFC PATCH 12/18] KVM: x86/mmu: Introduce shadow_ux_mask
Date: Mon, 12 May 2025 12:13:42 -0700 [thread overview]
Message-ID: <aCJIZgHi67_lze_v@google.com> (raw)
In-Reply-To: <20250313203702.575156-13-jon@nutanix.com>
On Thu, Mar 13, 2025, Jon Kohler wrote:
> @@ -28,6 +28,7 @@ u64 __read_mostly shadow_host_writable_mask;
> u64 __read_mostly shadow_mmu_writable_mask;
> u64 __read_mostly shadow_nx_mask;
> u64 __read_mostly shadow_x_mask; /* mutual exclusive with nx_mask */
> +u64 __read_mostly shadow_ux_mask;
> u64 __read_mostly shadow_user_mask;
> u64 __read_mostly shadow_accessed_mask;
> u64 __read_mostly shadow_dirty_mask;
> @@ -313,8 +314,14 @@ u64 make_huge_page_split_spte(struct kvm *kvm, u64 huge_spte,
> * the page executable as the NX hugepage mitigation no longer
> * applies.
> */
> - if ((role.access & ACC_EXEC_MASK) && is_nx_huge_page_enabled(kvm))
> + if ((role.access & ACC_EXEC_MASK) && is_nx_huge_page_enabled(kvm)) {
This is wrong, and probably so is every other chunk of KVM that looks at
ACC_EXEC_MASK. E.g. if a guest hugepage is executable for user but not supervisor,
KVM will fail to make the small child user-executable.
The bug in make_spte() is even worse, because KVM would let an MBEC-aware guest
trigger the iTLB multi-hit #MC.
> child_spte = make_spte_executable(child_spte);
> + // TODO: For LKML: switch to vcpu->arch.pt_guest_exec_control? up
> + // for suggestions on how best to toggle this.
No, it belongs in the role.
> + if (enable_pt_guest_exec_control &&
> + role.access & ACC_USER_EXEC_MASK)
> + child_spte |= shadow_ux_mask;
> + }
> }
>
> return child_spte;
> @@ -326,7 +333,7 @@ u64 make_nonleaf_spte(u64 *child_pt, bool ad_disabled)
> u64 spte = SPTE_MMU_PRESENT_MASK;
>
> spte |= __pa(child_pt) | shadow_present_mask | PT_WRITABLE_MASK |
> - shadow_user_mask | shadow_x_mask | shadow_me_value;
> + shadow_user_mask | shadow_x_mask | shadow_ux_mask | shadow_me_value;
>
> if (ad_disabled)
> spte |= SPTE_TDP_AD_DISABLED;
> @@ -420,7 +427,8 @@ void kvm_mmu_set_me_spte_mask(u64 me_value, u64 me_mask)
> }
> EXPORT_SYMBOL_GPL(kvm_mmu_set_me_spte_mask);
>
> -void kvm_mmu_set_ept_masks(bool has_ad_bits, bool has_exec_only)
> +void kvm_mmu_set_ept_masks(bool has_ad_bits, bool has_exec_only,
> + bool has_guest_exec_ctrl)
> {
> shadow_user_mask = VMX_EPT_READABLE_MASK;
> shadow_accessed_mask = has_ad_bits ? VMX_EPT_ACCESS_BIT : 0ull;
> @@ -428,8 +436,14 @@ void kvm_mmu_set_ept_masks(bool has_ad_bits, bool has_exec_only)
> shadow_nx_mask = 0ull;
> shadow_x_mask = VMX_EPT_EXECUTABLE_MASK;
> /* VMX_EPT_SUPPRESS_VE_BIT is needed for W or X violation. */
> + // For LKML Review:
> + // Do we need to modify shadow_present_mask in the MBEC case?
No, because MBEC bifurcates X, it doesn't change whether or not an EPTE can be
X without being R. From the SDM:
1. If the “mode-based execute control for EPT” VM-execution control is 1,
setting bit 0 indicates also that software may also configure EPT
paging-structure entries in which bits 1:0 are both clear and in which bit 10
is set (indicating a translation that can be used to fetch instructions from a
supervisor-mode linear address or a user-mode linear address).
> shadow_present_mask =
> (has_exec_only ? 0ull : VMX_EPT_READABLE_MASK) | VMX_EPT_SUPPRESS_VE_BIT;
> +
> + shadow_ux_mask =
> + has_guest_exec_ctrl ? VMX_EPT_USER_EXECUTABLE_MASK : 0ull;
This is EPT specific code, just call this what it is:
shadow_ux_mask = has_mbec ? VMX_EPT_USER_EXECUTABLE_MASK : 0ull;
> +
> /*
> * EPT overrides the host MTRRs, and so KVM must program the desired
> * memtype directly into the SPTEs. Note, this mask is just the mask
> @@ -484,6 +498,7 @@ void kvm_mmu_reset_all_pte_masks(void)
> shadow_dirty_mask = PT_DIRTY_MASK;
> shadow_nx_mask = PT64_NX_MASK;
> shadow_x_mask = 0;
> + shadow_ux_mask = 0;
> shadow_present_mask = PT_PRESENT_MASK;
>
> /*
> diff --git a/arch/x86/kvm/mmu/spte.h b/arch/x86/kvm/mmu/spte.h
> index d9e22133b6d0..dc2f0dc9c46e 100644
> --- a/arch/x86/kvm/mmu/spte.h
> +++ b/arch/x86/kvm/mmu/spte.h
> @@ -171,6 +171,7 @@ extern u64 __read_mostly shadow_mmu_writable_mask;
> extern u64 __read_mostly shadow_nx_mask;
> extern u64 __read_mostly shadow_x_mask; /* mutual exclusive with nx_mask */
> extern u64 __read_mostly shadow_user_mask;
> +extern u64 __read_mostly shadow_ux_mask;
> extern u64 __read_mostly shadow_accessed_mask;
> extern u64 __read_mostly shadow_dirty_mask;
> extern u64 __read_mostly shadow_mmio_value;
> diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
> index 0aadfa924045..d16e3f170258 100644
> --- a/arch/x86/kvm/vmx/vmx.c
> +++ b/arch/x86/kvm/vmx/vmx.c
> @@ -8544,7 +8544,8 @@ __init int vmx_hardware_setup(void)
>
> if (enable_ept)
> kvm_mmu_set_ept_masks(enable_ept_ad_bits,
> - cpu_has_vmx_ept_execute_only());
> + cpu_has_vmx_ept_execute_only(),
> + enable_pt_guest_exec_control);
Without the module param, just cpu_has_vmx_mbec().
next prev parent reply other threads:[~2025-05-12 19:13 UTC|newest]
Thread overview: 75+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-13 20:36 [RFC PATCH 00/18] KVM: VMX: Introduce Intel Mode-Based Execute Control (MBEC) Jon Kohler
2025-03-13 20:36 ` [RFC PATCH 01/18] KVM: VMX: Remove EPT_VIOLATIONS_ACC_*_BIT defines Jon Kohler
2025-03-13 20:36 ` [RFC PATCH 02/18] KVM: nVMX: Decouple EPT RWX bits from EPT Violation protection bits Jon Kohler
2025-03-13 20:36 ` [RFC PATCH 03/18] KVM: x86: Add module parameter for Intel MBEC Jon Kohler
2025-05-12 18:08 ` Sean Christopherson
2025-05-13 2:18 ` Jon Kohler
2025-05-13 7:57 ` Shah, Amit
2025-12-23 4:15 ` Jon Kohler
2025-03-13 20:36 ` [RFC PATCH 04/18] KVM: VMX: add cpu_has_vmx_mbec helper Jon Kohler
2025-05-12 18:14 ` Sean Christopherson
2025-05-13 2:17 ` Jon Kohler
2025-03-13 20:36 ` [RFC PATCH 05/18] KVM: x86: Add pt_guest_exec_control to kvm_vcpu_arch Jon Kohler
2025-04-22 6:27 ` Chao Gao
2025-05-12 18:15 ` Sean Christopherson
2025-12-23 4:15 ` Jon Kohler
2025-03-13 20:36 ` [RFC PATCH 06/18] KVM: VMX: Wire up Intel MBEC enable/disable logic Jon Kohler
2025-04-22 7:06 ` Chao Gao
2025-05-12 18:23 ` Sean Christopherson
2025-05-13 2:16 ` Jon Kohler
2025-05-13 13:28 ` Sean Christopherson
2025-05-14 11:14 ` Shah, Amit
2025-05-14 12:55 ` Sean Christopherson
2025-06-16 9:27 ` Shah, Amit
2025-06-17 14:13 ` Sean Christopherson
2025-07-09 13:40 ` Shah, Amit
2025-12-23 4:15 ` Jon Kohler
2025-03-13 20:36 ` [RFC PATCH 07/18] KVM: VMX: Define VMX_EPT_USER_EXECUTABLE_MASK Jon Kohler
2025-03-13 20:36 ` [RFC PATCH 08/18] KVM: x86/mmu: Remove SPTE_PERM_MASK Jon Kohler
2025-03-13 20:36 ` [RFC PATCH 09/18] KVM: x86/mmu: Extend access bitfield in kvm_mmu_page_role Jon Kohler
2025-05-12 18:32 ` Sean Christopherson
2025-05-13 2:14 ` Jon Kohler
2025-12-23 4:15 ` Jon Kohler
2025-03-13 20:36 ` [RFC PATCH 10/18] KVM: VMX: Extend EPT Violation protection bits Jon Kohler
2025-05-12 18:37 ` Sean Christopherson
2025-12-23 4:15 ` Jon Kohler
2025-03-13 20:36 ` [RFC PATCH 11/18] KVM: VMX: Enhance EPT violation handler for PROT_USER_EXEC Jon Kohler
2025-05-12 18:54 ` Sean Christopherson
2025-12-23 4:15 ` Jon Kohler
2025-03-13 20:36 ` [RFC PATCH 12/18] KVM: x86/mmu: Introduce shadow_ux_mask Jon Kohler
2025-04-23 3:06 ` Chao Gao
2025-05-12 19:13 ` Sean Christopherson [this message]
2025-12-23 4:15 ` Jon Kohler
2025-03-13 20:36 ` [RFC PATCH 13/18] KVM: x86/mmu: Adjust SPTE_MMIO_ALLOWED_MASK to understand MBEC Jon Kohler
2025-04-23 5:37 ` Chao Gao
2025-05-12 19:37 ` Sean Christopherson
2025-05-13 2:11 ` Jon Kohler
2025-12-23 4:15 ` Jon Kohler
2025-03-13 20:36 ` [RFC PATCH 14/18] KVM: x86/mmu: Extend is_executable_pte " Jon Kohler
2025-04-23 6:16 ` Chao Gao
2025-05-12 21:16 ` Sean Christopherson
2025-05-13 2:09 ` Jon Kohler
2025-12-23 4:15 ` Jon Kohler
2025-03-13 20:36 ` [RFC PATCH 15/18] KVM: x86/mmu: Extend make_spte " Jon Kohler
2025-05-12 21:29 ` Sean Christopherson
2025-05-13 2:04 ` Jon Kohler
2025-05-13 17:54 ` Sean Christopherson
2025-12-23 4:15 ` Jon Kohler
2025-03-13 20:36 ` [RFC PATCH 16/18] KVM: nVMX: Setup Intel MBEC in nested secondary controls Jon Kohler
2025-05-12 21:32 ` Sean Christopherson
2025-12-23 4:15 ` Jon Kohler
2025-03-13 20:36 ` [RFC PATCH 17/18] KVM: VMX: Allow MBEC with EVMCS Jon Kohler
2025-05-12 21:35 ` Sean Christopherson
2025-05-13 2:01 ` Jon Kohler
2025-12-23 4:16 ` Jon Kohler
2025-03-13 20:36 ` [RFC PATCH 18/18] KVM: x86: Enable module parameter for MBEC Jon Kohler
2025-04-15 9:29 ` [RFC PATCH 00/18] KVM: VMX: Introduce Intel Mode-Based Execute Control (MBEC) Mickaël Salaün
2025-04-15 14:43 ` Sean Christopherson
2025-05-12 15:26 ` Jon Kohler
2025-04-15 14:43 ` Jon Kohler
2025-04-16 15:44 ` Mickaël Salaün
2025-04-23 13:54 ` Adrian-Ken Rueegsegger
2025-05-12 15:26 ` Jon Kohler
2025-05-12 21:46 ` Sean Christopherson
2025-05-13 1:59 ` Jon Kohler
2025-12-23 4:17 ` Jon Kohler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aCJIZgHi67_lze_v@google.com \
--to=seanjc@google.com \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=hpa@zytor.com \
--cc=jon@nutanix.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=pbonzini@redhat.com \
--cc=sergey.dyasli@nutanix.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.