From: Sean Christopherson <seanjc@google.com>
To: Rick P Edgecombe <rick.p.edgecombe@intel.com>
Cc: "tglx@kernel.org" <tglx@kernel.org>,
Dave Hansen <dave.hansen@intel.com>,
"dave.hansen@linux.intel.com" <dave.hansen@linux.intel.com>,
"dmaluka@chromium.org" <dmaluka@chromium.org>,
"x86@kernel.org" <x86@kernel.org>,
"binbin.wu@linux.intel.com" <binbin.wu@linux.intel.com>,
"bp@alien8.de" <bp@alien8.de>, "kas@kernel.org" <kas@kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"hpa@zytor.com" <hpa@zytor.com>,
"kvm@vger.kernel.org" <kvm@vger.kernel.org>,
"pbonzini@redhat.com" <pbonzini@redhat.com>,
Isaku Yamahata <isaku.yamahata@intel.com>,
"mingo@redhat.com" <mingo@redhat.com>,
"linux-coco@lists.linux.dev" <linux-coco@lists.linux.dev>
Subject: Re: [PATCH] KVM: TDX: Fix APIC MSR ranges in tdx_has_emulated_msr()
Date: Fri, 3 Apr 2026 12:07:53 -0700 [thread overview]
Message-ID: <adAQCXI-7Yj0wcKA@google.com> (raw)
In-Reply-To: <401db97a254b356ad8539a5d637d68ee826179a5.camel@intel.com>
On Fri, Apr 03, 2026, Rick P Edgecombe wrote:
> On Fri, 2026-04-03 at 09:30 -0700, Sean Christopherson wrote:
> > > > It comes down to a tradeoff. Should we prioritize code simplicity by dropping the function,
> > > > or keep it to explicitly catch this misbehaving guest corner case?
> > >
> > > I think from KVM's perspective it doesn't want to help the guest behave
> > > correctly.
> >
> > Uh, yes KVM does does. KVM is responsible for emulating the APIC timer, isn't it?
>
> Yea totally. We need to emulate the interface accurately. But we are kind of
> making up the contract after the fact. If the guest performs the wrong type of
> MSR write, should we make the contract that the VMM should help it catch it's
> mistake?
>
> >
> > > So we can ignore that I think. But it does really care to not define
> > > any specific guest ABI that it has to maintain. So tdx_has_emulated_msr() has
> > > some value there. And even more, it wants to not allow the guest to hurt the
> > > host.
> > >
> > > On the latter point, another problem with deleting tdx_has_emulated_msr() is the
> > > current code path skips the checks done in the other MSR paths. So we would need
> > > to call some appropriate higher up MSR helper to protect the host? And that
> > > wades into the CPUID bit consistency issues.
> > >
> > > So maybe... could we do a more limited version of the deletion where we allow
> > > all the APIC MSRs through? We'd have to check that it won't cause problems.
> >
> > What? No. KVM can't get actually read/write most (all?) MSRs, allowing access
> > is far worse than returning an error, as for all intents and purposes KVM will
> > silently drop writes, and return garbage on reads.
> >
> > > Failing that, we should maybe just explicitly list the ones TDX supports rather
> > > than the current way we define the APIC ones. As you mention below, it's not
> > > correct in other ways too so it could be more robust.
> >
> > No? Don't we just want to allow access to MSRs that aren't accelerated? What
> > the TDX-Module supports is largely irrelevant, I think.
>
> Not sure if I might be missing the point here. As above, we don't have enough
> info to know which MSRs are accelerated. If the guest enabled #VE reduction, it
> changes which ones are accelerated and the VMM is not notified.
What does the "accleration" in that case? Or does it reduce which ones are
accelerated?
> I think the below is a sane limitation, but doesn't lets KVM perfectly notify
> the guest when it screws up.
>
> So the line would be to block MSRs that can never be emulated.
>
> BTW, I've been treating this secret contract change as an arch mistake to at
> least not build on. It's a whole subject though... Let me know if you are
> interested in the details.
next prev parent reply other threads:[~2026-04-03 19:07 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-18 19:01 [PATCH] KVM: TDX: Fix APIC MSR ranges in tdx_has_emulated_msr() Dmytro Maluka
2026-03-18 19:42 ` Dave Hansen
2026-03-18 20:30 ` Dmytro Maluka
2026-03-19 1:14 ` Binbin Wu
2026-03-19 1:48 ` Dave Hansen
2026-03-19 7:40 ` Binbin Wu
2026-03-19 19:33 ` Edgecombe, Rick P
2026-04-03 16:30 ` Sean Christopherson
2026-04-03 18:40 ` Edgecombe, Rick P
2026-04-03 19:07 ` Sean Christopherson [this message]
2026-04-03 19:30 ` Edgecombe, Rick P
2026-04-03 23:07 ` Sean Christopherson
2026-04-04 0:11 ` Edgecombe, Rick P
2026-04-06 23:07 ` Sean Christopherson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=adAQCXI-7Yj0wcKA@google.com \
--to=seanjc@google.com \
--cc=binbin.wu@linux.intel.com \
--cc=bp@alien8.de \
--cc=dave.hansen@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=dmaluka@chromium.org \
--cc=hpa@zytor.com \
--cc=isaku.yamahata@intel.com \
--cc=kas@kernel.org \
--cc=kvm@vger.kernel.org \
--cc=linux-coco@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=pbonzini@redhat.com \
--cc=rick.p.edgecombe@intel.com \
--cc=tglx@kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.