From: Chao Gao <chao.gao@intel.com>
To: Xiaoyao Li <xiaoyao.li@intel.com>
Cc: <kvm@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
	<acme@redhat.com>, <bp@alien8.de>, <dave.hansen@linux.intel.com>,
	<hpa@zytor.com>, <john.allen@amd.com>, <mingo@kernel.org>,
	<mingo@redhat.com>, <minipli@grsecurity.net>,
	<mlevitsk@redhat.com>, <namhyung@kernel.org>,
	<pbonzini@redhat.com>, <prsampat@amd.com>,
	<rick.p.edgecombe@intel.com>, <seanjc@google.com>,
	<shuah@kernel.org>, <tglx@linutronix.de>,
	<weijiang.yang@intel.com>, <x86@kernel.org>, <xin@zytor.com>
Subject: Re: [PATCH v14 06/22] KVM: x86: Load guest FPU state when access XSAVE-managed MSRs
Date: Wed, 10 Sep 2025 23:24:02 +0800
Message-ID: <aMGYEvUZ6sg6dPvs@intel.com>
In-Reply-To: <5077c390-1211-42fc-b753-2a23187cf8ca@intel.com>

On Wed, Sep 10, 2025 at 09:46:01PM +0800, Xiaoyao Li wrote:
>On 9/10/2025 7:18 PM, Chao Gao wrote:
>> On Wed, Sep 10, 2025 at 05:37:50PM +0800, Xiaoyao Li wrote:
>> > On 9/9/2025 5:39 PM, Chao Gao wrote:
>> > > From: Sean Christopherson <seanjc@google.com>
>> > > 
>> > > Load the guest's FPU state if userspace is accessing MSRs whose values
>> > > are managed by XSAVES. Introduce two helpers, kvm_{get,set}_xstate_msr(),
>> > > to facilitate access to such kind of MSRs.
>> > > 
>> > > If MSRs supported in kvm_caps.supported_xss are passed through to guest,
>> > > the guest MSRs are swapped with host's before vCPU exits to userspace and
>> > > after it reenters kernel before next VM-entry.
>> > > 
>> > > Because the modified code is also used for the KVM_GET_MSRS device ioctl(),
>> > > explicitly check @vcpu is non-null before attempting to load guest state.
>> > > The XSAVE-managed MSRs cannot be retrieved via the device ioctl() without
>> > > loading guest FPU state (which doesn't exist).
>> > > 
>> > > Note that guest_cpuid_has() is not queried as host userspace is allowed to
>> > > access MSRs that have not been exposed to the guest, e.g. it might do
>> > > KVM_SET_MSRS prior to KVM_SET_CPUID2.
>> 
>> ...
>> 
>> > > +	bool fpu_loaded = false;
>> > >    	int i;
>> > > -	for (i = 0; i < msrs->nmsrs; ++i)
>> > > +	for (i = 0; i < msrs->nmsrs; ++i) {
>> > > +		/*
>> > > +		 * If userspace is accessing one or more XSTATE-managed MSRs,
>> > > +		 * temporarily load the guest's FPU state so that the guest's
>> > > +		 * MSR value(s) is resident in hardware, i.e. so that KVM can
>> > > +		 * get/set the MSR via RDMSR/WRMSR.
>> > > +		 */
>> > > +		if (vcpu && !fpu_loaded && kvm_caps.supported_xss &&
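Review bot: the comment above the kvm_caps.supported_xss test says why the guest FPU state is loaded, but not why the host-wide capability is checked rather than per-vCPU state. Suggest extending the comment with the reason the commit message gives for not querying guest_cpuid_has(): host userspace may access these MSRs before they are exposed to the guest, e.g. KVM_SET_MSRS prior to KVM_SET_CPUID2. The quoted lines stop mid-condition and do not show where fpu_loaded is consumed, so please also confirm that every path out of the loop puts the guest FPU state back when fpu_loaded is set.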
>> > 
>> > why not check vcpu->arch.guest_supported_xss?
>> 
>> Looks like Sean anticipated someone would ask this question.
>
>here it determines whether to call kvm_load_guest_fpu().
>
>- based on kvm_caps.supported_xss, it will always load guest fpu.
>- based on vcpu->arch.guest_supported_xss, it depends on whether userspace
>calls KVM_SET_CPUID2 and whether it enables any XSS feature.
>
>So the difference is when no XSS feature is enabled for the VM.
>
>In this case, if checking vcpu->arch.guest_supported_xss, it will skip
>kvm_load_guest_fpu(). And it will result in GET_MSR gets userspace's value
>and SET_MSR changes userspace's value, when MSR access is eventually allowed
>in later do_msr() callback. Is my understanding correct?

Actually, there will be no functional issue.

Those MSR accesses are always "rejected" with KVM_MSR_RET_UNSUPPORTED by
__kvm_set/get_msr() and get fixed up if they are "host_initiated" in
kvm_do_msr_access(). KVM doesn't access any hardware MSRs in the process.

Using vcpu->arch.guest_supported_xss here also works, but the correctness
isn't that obvious for this special case.
