From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mm01.cs.columbia.edu (mm01.cs.columbia.edu [128.59.11.253]) by smtp.lore.kernel.org (Postfix) with ESMTP id DC6F8C433EF for ; Tue, 25 Jan 2022 15:11:01 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by mm01.cs.columbia.edu (Postfix) with ESMTP id 3DFE349EB1; Tue, 25 Jan 2022 10:11:01 -0500 (EST) X-Virus-Scanned: at lists.cs.columbia.edu Authentication-Results: mm01.cs.columbia.edu (amavisd-new); dkim=softfail (fail, message has been altered) header.i=@kernel.org Received: from mm01.cs.columbia.edu ([127.0.0.1]) by localhost (mm01.cs.columbia.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lytzjJ6JKbqa; Tue, 25 Jan 2022 10:11:00 -0500 (EST) Received: from mm01.cs.columbia.edu (localhost [127.0.0.1]) by mm01.cs.columbia.edu (Postfix) with ESMTP id 1771449AF7; Tue, 25 Jan 2022 10:11:00 -0500 (EST) Received: from localhost (localhost [127.0.0.1]) by mm01.cs.columbia.edu (Postfix) with ESMTP id E70E840B9F for ; Tue, 25 Jan 2022 10:10:58 -0500 (EST) X-Virus-Scanned: at lists.cs.columbia.edu Received: from mm01.cs.columbia.edu ([127.0.0.1]) by localhost (mm01.cs.columbia.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NDwZ9F9ZbiG5 for ; Tue, 25 Jan 2022 10:10:57 -0500 (EST) Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by mm01.cs.columbia.edu (Postfix) with ESMTPS id B69A0411D2 for ; Tue, 25 Jan 2022 10:10:57 -0500 (EST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 2B66DB81813; Tue, 25 Jan 2022 15:10:56 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id DB4B6C340E5; Tue, 25 Jan 2022 15:10:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1643123454; bh=827Zl6UTbu4+DODgqO5pwb2rOj9GCDpTQYVElhmcxEk=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=vAftbCY6wfyApG6ImaV7i4/RB+857+ZVJG5aasCxCyYUaBgWyju/37RZVSeoZNQm0 ePQJq1yfPtHz4E8LAG23pqp6Qv/305+5RSMdyf0B5jQBw6hD6ICgWZpFk6i+NnNza+ Z/RdHWNh35bj5WVSklD+twb6YCCMMatGVd6+iKjvbkl4BStJa2nGmLEUXJ6d0Jz/AO JCejWJ3Ycz3eIX85LP9y0t5BNE58/3caA4QzIW98rCKZ14mE/rYjPl2YI8wxPUKGOf 0eaE+/Qf7d1W8U//CIG4h4EhNiaximmfy8drzLYznmu22dubxrKEpTWOXMR3jlijiO v7xGW9oF4LMzA== Received: from sofa.misterjones.org ([185.219.108.64] helo=why.misterjones.org) by disco-boy.misterjones.org with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1nCNTA-002wXr-LC; Tue, 25 Jan 2022 15:10:52 +0000 Date: Tue, 25 Jan 2022 15:10:52 +0000 Message-ID: <87pmof7sw3.wl-maz@kernel.org> From: Marc Zyngier To: Sean Christopherson Subject: Re: [RFC PATCH v3 01/11] KVM: Capture VM start In-Reply-To: References: <20220104194918.373612-1-rananta@google.com> <20220104194918.373612-2-rananta@google.com> User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI-EPG/1.14.7 (Harue) FLIM-LB/1.14.9 (=?UTF-8?B?R29qxY0=?=) APEL-LB/10.8 EasyPG/1.0.0 Emacs/27.1 (x86_64-pc-linux-gnu) MULE/6.0 (HANACHIRUSATO) MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue") X-SA-Exim-Connect-IP: 185.219.108.64 X-SA-Exim-Rcpt-To: seanjc@google.com, rananta@google.com, jmattson@google.com, kvm@vger.kernel.org, will@kernel.org, pshier@google.com, linux-kernel@vger.kernel.org, catalin.marinas@arm.com, pbonzini@redhat.com, kvmarm@lists.cs.columbia.edu, linux-arm-kernel@lists.infradead.org X-SA-Exim-Mail-From: maz@kernel.org X-SA-Exim-Scanned: No (on disco-boy.misterjones.org); SAEximRunCond expanded to false Cc: kvm@vger.kernel.org, Catalin Marinas , Peter Shier , linux-kernel@vger.kernel.org, Paolo Bonzini , Will Deacon , kvmarm@lists.cs.columbia.edu, Linux ARM , Jim Mattson X-BeenThere: kvmarm@lists.cs.columbia.edu X-Mailman-Version: 2.1.14 Precedence: list List-Id: Where KVM/ARM decisions are made List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: kvmarm-bounces@lists.cs.columbia.edu Sender: kvmarm-bounces@lists.cs.columbia.edu It's probably time I jump on this thread On Thu, 13 Jan 2022 17:21:19 +0000, Sean Christopherson wrote: > > On Wed, Jan 12, 2022, Raghavendra Rao Ananta wrote: > > On Tue, Jan 11, 2022 at 11:16 AM Jim Mattson wrote: > > > Perhaps it would help if you explained *why* you are doing this. It > > > sounds like you are either trying to protect against a malicious > > > userspace, or you are trying to keep userspace from doing something > > > stupid. In general, kvm only enforces constraints that are necessary > > > to protect the host. If that's what you're doing, I don't understand > > > why live migration doesn't provide an end-run around your protections. > > It's mainly to safeguard the guests. With respect to migration, KVM > > and the userspace are collectively playing a role here. It's up to the > > userspace to ensure that the registers are configured the same across > > migrations and KVM ensures that the userspace doesn't modify the > > registers after KVM_RUN so that they don't see features turned OFF/ON > > during execution. I'm not sure if it falls into the definition of > > protecting the host. Do you see a value in adding this extra > > protection from KVM? > > Short answer: probably not? Well, I beg to defer. > There is precedent for disallowing userspace from doing stupid > things, but that's either for KVM's protection (as Jim pointed out), > or because KVM can't honor the change, e.g. x86 is currently in the > process of disallowing most CPUID changes after KVM_RUN because KVM > itself consumes the CPUID information and KVM doesn't support > updating some of it's own internal state (because removing features > like GB hugepage support is nonsensical and would require a large > pile of complicated, messy code). We provide quite a lot of CPU emulation based on the feature registers exposed to the guest. Allowing userspace to change this stuff once the guest is running is a massive attack vector. > Restricing CPUID changes does offer some "protection" to the guest, but that's > not the goal. E.g. KVM won't detect CPUID misconfiguration in the migration > case, and trying to do so is a fool's errand. > > If restricting updates in the arm64 is necessary to ensure KVM provides sane > behavior, then it could be justified. But if it's purely a sanity check on > behalf of the guest, then it's not justified. No. This is about preventing userspace from tripping the kernel into doing things it really shouldn't by flipping bits of configuration that should be set in stone. M. -- Without deviation from the norm, progress is not possible. _______________________________________________ kvmarm mailing list kvmarm@lists.cs.columbia.edu https://lists.cs.columbia.edu/mailman/listinfo/kvmarm