From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.5 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 29E98C4363D for ; Fri, 25 Sep 2020 17:02:21 +0000 (UTC) Received: from merlin.infradead.org (merlin.infradead.org [205.233.59.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id AA8DC208B6 for ; Fri, 25 Sep 2020 17:02:20 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="jx/DJ7ul" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org AA8DC208B6 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=intel.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:References:Message-ID: Subject:To:From:Date:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=pYgkH05C0hX+Jntpku9r8DNiM8XIEhxf21E9kZkCRT4=; b=jx/DJ7ulAAs9uRs5yjY2AxnuC jQ339guBuvR0iLeUdg5wbxZVS/C9mJqX4Or2gFh+h/yC98UdzN7joTOw8tfSY64ytS44g9fldGOF1 UYDd5PbW2+7IIaFXQSm2O31pWFYE6n6wmeYjIKqIueePcc/cbPb7Yipu2ivrLJIT6vEhSbXu+ia/W tHfRiVZhk2c2DTdiLd+IihKO/R+t5Gy9mr3gU9zwbwgdS69AOyguoZpBg1AtqUhKCsmYrSeizPMlp F5ENYcLXpi6L6eWIWswLypAKeAbhL5fi4KaTyNI/h7ozSppMei22N8ICXSqeFUk5r0R4vSMODtrrW L6npxge6w==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1kLr5Y-0006mq-5J; Fri, 25 Sep 2020 17:00:52 +0000 Received: from mga14.intel.com ([192.55.52.115]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kLr5V-0006mE-5S for linux-arm-kernel@lists.infradead.org; Fri, 25 Sep 2020 17:00:50 +0000 IronPort-SDR: YdXPl0ZZAEEpRLKdJJBePy1C4/imp0Ta0cfNshCksT8lnlaBO4ijHNcso5HW/ceNlSl8ojtMUK 1jvp/E4EjwYg== X-IronPort-AV: E=McAfee;i="6000,8403,9755"; a="160840158" X-IronPort-AV: E=Sophos;i="5.77,302,1596524400"; d="scan'208";a="160840158" X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga006.jf.intel.com ([10.7.209.51]) by fmsmga103.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Sep 2020 10:00:45 -0700 IronPort-SDR: 6N8ivLkqnnd2bn5U+j4zqY15q1XntncTtYZH1JiR4NLnvBVXx96w0CnbSmk4HwsES3EEo7c23V rfEb4OHh8buw== X-IronPort-AV: E=Sophos;i="5.77,302,1596524400"; d="scan'208";a="310885499" Received: from sjchrist-coffee.jf.intel.com (HELO linux.intel.com) ([10.54.74.160]) by orsmga006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Sep 2020 10:00:44 -0700 Date: Fri, 25 Sep 2020 10:00:42 -0700 From: Sean Christopherson To: Marc Zyngier Subject: Re: [RFC PATCH 0/3] KVM: Introduce "VM bugged" concept Message-ID: <20200925170042.GB31528@linux.intel.com> References: <20200923224530.17735-1-sean.j.christopherson@intel.com> <874knlrf4a.wl-maz@kernel.org> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <874knlrf4a.wl-maz@kernel.org> User-Agent: Mutt/1.5.24 (2015-08-30) X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20200925_130049_607891_E0CEFA20 X-CRM114-Status: GOOD ( 23.74 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Cornelia Huck , Wanpeng Li , Janosch Frank , kvm@vger.kernel.org, Suzuki K Poulose , Joerg Roedel , David Hildenbrand , linux-kernel@vger.kernel.org, kvm-ppc@vger.kernel.org, linux-mips@vger.kernel.org, Paul Mackerras , Christian Borntraeger , Aleksandar Markovic , James Morse , linux-arm-kernel@lists.infradead.org, Huacai Chen , Paolo Bonzini , Vitaly Kuznetsov , Claudio Imbrenda , Julien Thierry , Jim Mattson Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On Fri, Sep 25, 2020 at 05:32:53PM +0100, Marc Zyngier wrote: > Hi Sean, > > On Wed, 23 Sep 2020 23:45:27 +0100, > Sean Christopherson wrote: > > > > This series introduces a concept we've discussed a few times in x86 land. > > The crux of the problem is that x86 has a few cases where KVM could > > theoretically encounter a software or hardware bug deep in a call stack > > without any sane way to propagate the error out to userspace. > > > > Another use case would be for scenarios where letting the VM live will > > do more harm than good, e.g. we've been using KVM_BUG_ON for early TDX > > enabling as botching anything related to secure paging all but guarantees > > there will be a flood of WARNs and error messages because lower level PTE > > operations will fail if an upper level operation failed. > > > > The basic idea is to WARN_ONCE if a bug is encountered, kick all vCPUs out > > to userspace, and mark the VM as bugged so that no ioctls() can be issued > > on the VM or its devices/vCPUs. > > > > RFC as I've done nowhere near enough testing to verify that rejecting the > > ioctls(), evicting running vCPUs, etc... works as intended. > > I'm quite like the idea. However, I wonder whether preventing the > vcpus from re-entering the guest is enough. When something goes really > wrong, is it safe to allow the userspace process to terminate normally > and free the associated memory? Yes and no. Yes, there are potential scenarios where freeing memory is unsafe, e.g. with TDX, improper sanitization of memory can lead to machine checks due to integrity errors, i.e. freeing memory that wasn't sanitized is not safe. But, our in-development code intentionally leaks pages that couldn't be sanitized (with plenty of yelling). So, "no" in the sense that, IMO, KVM should be written such that it's sufficiently paranoid when handling "special" memory (or other state). > And is it still safe to allow new VMs to be started? Hmm, anything that is truly fatal to the host/KVM should probably use BUG() or even panic() directly. E.g. to avoid a userspace bypass by unloading and reloading KVM when it's built as a module, we'd have to set a flag in the kernel proper. _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel