From: Sean Christopherson <seanjc@google.com>
To: Adrian Hunter <adrian.hunter@intel.com>
Cc: Rick P Edgecombe <rick.p.edgecombe@intel.com>,
"pbonzini@redhat.com" <pbonzini@redhat.com>,
"kas@kernel.org" <kas@kernel.org>,
Xiaoyao Li <xiaoyao.li@intel.com>,
"kvm@vger.kernel.org" <kvm@vger.kernel.org>,
"linux-coco@lists.linux.dev" <linux-coco@lists.linux.dev>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Yan Y Zhao <yan.y.zhao@intel.com>,
"x86@kernel.org" <x86@kernel.org>,
wenlong hou <houwenlong.hwl@antgroup.com>
Subject: Re: [PATCH v4 1/4] KVM: TDX: Synchronize user-return MSRs immediately after VP.ENTER
Date: Tue, 21 Oct 2025 09:46:32 -0700 [thread overview]
Message-ID: <aPe46Ev0wWks6Hz2@google.com> (raw)
In-Reply-To: <4841c40b-47b0-4b1b-985f-d1a16cbe81fa@intel.com>
On Tue, Oct 21, 2025, Adrian Hunter wrote:
> On 21/10/2025 18:06, Sean Christopherson wrote:
> > On Tue, Oct 21, 2025, Adrian Hunter wrote:
> >> On 21/10/2025 01:55, Edgecombe, Rick P wrote:
> >>>> + * Several of KVM's user-return MSRs are clobbered by the TDX-Module if
> >>>> + * VP.ENTER succeeds, i.e. on TD-Exit. Mark those MSRs as needing an
> >>>> + * update to synchronize the "current" value in KVM's cache with the
> >>>> + * value in hardware (loaded by the TDX-Module).
> >>>> + */
> >>>
> >>> I think we should be synchronizing only after a successful VP.ENTER with a real
> >>> TD exit, but today instead we synchronize after any attempt to VP.ENTER.
> >
> > Well this is all completely @#($*#. Looking at the TDX-Module source, if the
> > TDX-Module synthesizes an exit, e.g. because it suspects a zero-step attack, it
> > will signal a "normal" exit but not "restore" VMM state.
> >
> >> If the MSR's do not get clobbered, does it matter whether or not they get
> >> restored.
> >
> > It matters because KVM needs to know the actual value in hardware. If KVM thinks
> > an MSR is 'X', but it's actually 'Y', then KVM could fail to write the correct
> > value into hardware when returning to userspace and/or when running a different
> > vCPU.
>
> I don't quite follow: if an MSR does not get clobbered, where does the
> incorrect value come from?
kvm_set_user_return_msr() elides the WRMSR if the current value in hardware matches
the new, desired value. If KVM thinks the MSR is 'X', and KVM wants to set the MSR
to 'X', then KVM will skip the WRMSR and continue on with the wrong value.
Using MSR_TSC_AUX as an example, let's say the vCPU task is running on CPU1, and
that there's a non-TDX vCPU (with guest-side CPU=0) also scheduled on CPU1. Before
VP.ENTER, MSR_TSC_AUX=user_return_msrs[slot].curr=1 (the host's CPU1 value). After
a *failed* VP.ENTER, MSR_TSC_AUX will still be '1', but it's "curr" value in
user_return_msrs will be '0' due to kvm_user_return_msr_update_cache() incorrectly
thinking the TDX-Module clobbered the MSR to '0'
When KVM runs the non-TDX vCPU, which wants to run with MSR_TSC_AUX=0, then
kvm_set_user_return_msr() will see msrs->values[slot].curr==value==0 and not do
the WRMSR. KVM will then run the non-TDX vCPU with MSR_TSC_AUX=1 and corrupt the
guest.
next prev parent reply other threads:[~2025-10-21 16:46 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-16 22:28 [PATCH v4 0/4] KVM: x86: User-return MSR cleanups Sean Christopherson
2025-10-16 22:28 ` [PATCH v4 1/4] KVM: TDX: Synchronize user-return MSRs immediately after VP.ENTER Sean Christopherson
2025-10-20 22:55 ` Edgecombe, Rick P
2025-10-21 13:37 ` Adrian Hunter
2025-10-21 15:06 ` Sean Christopherson
2025-10-21 16:36 ` Adrian Hunter
2025-10-21 16:46 ` Sean Christopherson [this message]
2025-10-21 18:54 ` Edgecombe, Rick P
2025-10-21 19:33 ` Sean Christopherson
2025-10-21 20:49 ` Edgecombe, Rick P
2025-10-23 5:59 ` Xiaoyao Li
2025-10-16 22:28 ` [PATCH v4 2/4] KVM: x86: Leave user-return notifier registered on reboot/shutdown Sean Christopherson
2025-10-17 5:32 ` Chao Gao
2025-10-17 15:27 ` Sean Christopherson
2025-10-16 22:28 ` [PATCH v4 3/4] KVM: x86: Don't disable IRQs when unregistering user-return notifier Sean Christopherson
2025-10-16 22:28 ` [PATCH v4 4/4] KVM: x86: Drop "cache" from user return MSR setter that skips WRMSR Sean Christopherson
2025-10-17 2:52 ` Chao Gao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aPe46Ev0wWks6Hz2@google.com \
--to=seanjc@google.com \
--cc=adrian.hunter@intel.com \
--cc=houwenlong.hwl@antgroup.com \
--cc=kas@kernel.org \
--cc=kvm@vger.kernel.org \
--cc=linux-coco@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=rick.p.edgecombe@intel.com \
--cc=x86@kernel.org \
--cc=xiaoyao.li@intel.com \
--cc=yan.y.zhao@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).