From: Sean Christopherson <sean.j.christopherson@intel.com>
To: Peter Xu <peterx@redhat.com>
Cc: Alexander Graf <graf@amazon.com>, kvm list <kvm@vger.kernel.org>,
Aaron Lewis <aaronlewis@google.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Jonathan Corbet <corbet@lwn.net>,
Vitaly Kuznetsov <vkuznets@redhat.com>,
Wanpeng Li <wanpengli@tencent.com>,
Jim Mattson <jmattson@google.com>, Joerg Roedel <joro@8bytes.org>,
KarimAllah Raslan <karahmed@amazon.de>,
Dan Carpenter <dan.carpenter@oracle.com>,
Maxim Levitsky <mlevitsk@redhat.com>,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v8 6/8] KVM: x86: VMX: Prevent MSR passthrough when MSR access is denied
Date: Mon, 5 Oct 2020 11:43:20 -0700 [thread overview]
Message-ID: <20201005184320.GA15803@linux.intel.com> (raw)
In-Reply-To: <20201002011139.GA5473@xz-x1>
On Thu, Oct 01, 2020 at 09:11:39PM -0400, Peter Xu wrote:
> Hi,
>
> I reported in the v13 cover letter of kvm dirty ring series that this patch
> seems to have been broken. Today I tried to reproduce with a simplest vm, and
> after a closer look...
>
> On Fri, Sep 25, 2020 at 04:34:20PM +0200, Alexander Graf wrote:
> > @@ -3764,15 +3859,14 @@ static u8 vmx_msr_bitmap_mode(struct kvm_vcpu *vcpu)
> > return mode;
> > }
> >
> > -static void vmx_update_msr_bitmap_x2apic(struct kvm_vcpu *vcpu,
> > - unsigned long *msr_bitmap, u8 mode)
> > +static void vmx_update_msr_bitmap_x2apic(struct kvm_vcpu *vcpu, u8 mode)
> > {
> > int msr;
> >
> > - for (msr = 0x800; msr <= 0x8ff; msr += BITS_PER_LONG) {
> > - unsigned word = msr / BITS_PER_LONG;
> > - msr_bitmap[word] = (mode & MSR_BITMAP_MODE_X2APIC_APICV) ? 0 : ~0;
> > - msr_bitmap[word + (0x800 / sizeof(long))] = ~0;
> > + for (msr = 0x800; msr <= 0x8ff; msr++) {
> > + bool intercepted = !!(mode & MSR_BITMAP_MODE_X2APIC_APICV);
> > +
> > + vmx_set_intercept_for_msr(vcpu, msr, MSR_TYPE_RW, intercepted);
Yeah, this is busted.
> > }
> >
> > if (mode & MSR_BITMAP_MODE_X2APIC) {
>
> ... I think we may want below change to be squashed:
>
> diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
> index d160aad59697..7d3f2815b04d 100644
> --- a/arch/x86/kvm/vmx/vmx.c
> +++ b/arch/x86/kvm/vmx/vmx.c
> @@ -3781,9 +3781,10 @@ static void vmx_update_msr_bitmap_x2apic(struct kvm_vcpu *vcpu, u8 mode)
> int msr;
>
> for (msr = 0x800; msr <= 0x8ff; msr++) {
> - bool intercepted = !!(mode & MSR_BITMAP_MODE_X2APIC_APICV);
> + bool apicv = mode & MSR_BITMAP_MODE_X2APIC_APICV;
>
> - vmx_set_intercept_for_msr(vcpu, msr, MSR_TYPE_RW, intercepted);
> + vmx_set_intercept_for_msr(vcpu, msr, MSR_TYPE_R, !apicv);
> + vmx_set_intercept_for_msr(vcpu, msr, MSR_TYPE_W, true);
I would prefer a full revert of sorts. Allowing userspace to intercept reads
to x2APIC MSRs when APICV is fully enabled for the guest simply can't work.
The LAPIC and thus virtual APIC is in-kernel and cannot be directly accessed
by userspace. I doubt it actually affects real world performance, but
resetting each MSR one-by-one bugs me.
Intercepting writes to TPR, EOI and SELF_IPI are somewhat plausible, but I
just don't see how intercepting reads when APICV is active is a sane setup.
I'll send a patch and we can go from there.
> }
>
> if (mode & MSR_BITMAP_MODE_X2APIC) {
>
> This fixes my problem the same as having this patch reverted.
>
> --
> Peter Xu
>
next prev parent reply other threads:[~2020-10-05 19:41 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-25 14:34 [PATCH v8 0/8] Allow user space to restrict and augment MSR emulation Alexander Graf
2020-09-25 14:34 ` [PATCH v8 1/8] KVM: x86: Return -ENOENT on unimplemented MSRs Alexander Graf
2020-09-25 16:40 ` Jim Mattson
2020-09-25 14:34 ` [PATCH v8 2/8] KVM: x86: Deflect unknown MSR accesses to user space Alexander Graf
2020-09-28 16:05 ` Aaron Lewis
2020-09-25 14:34 ` [PATCH v8 3/8] KVM: x86: Add infrastructure for MSR filtering Alexander Graf
2020-09-28 16:08 ` Aaron Lewis
2020-09-25 14:34 ` [PATCH v8 4/8] KVM: x86: Prepare MSR bitmaps for userspace tracked MSRs Alexander Graf
2020-09-25 14:34 ` [PATCH v8 5/8] KVM: x86: SVM: Prevent MSR passthrough when MSR access is denied Alexander Graf
2020-09-25 22:01 ` Paolo Bonzini
2020-09-25 22:22 ` Paolo Bonzini
2020-09-25 14:34 ` [PATCH v8 6/8] KVM: x86: VMX: " Alexander Graf
2020-10-02 1:11 ` Peter Xu
2020-10-05 18:43 ` Sean Christopherson [this message]
2020-09-25 14:34 ` [PATCH v8 7/8] KVM: x86: Introduce MSR filtering Alexander Graf
2020-09-28 16:09 ` Aaron Lewis
2020-09-25 14:34 ` [PATCH v8 8/8] KVM: selftests: Add test for user space MSR handling Alexander Graf
2020-09-28 16:10 ` Aaron Lewis
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201005184320.GA15803@linux.intel.com \
--to=sean.j.christopherson@intel.com \
--cc=aaronlewis@google.com \
--cc=corbet@lwn.net \
--cc=dan.carpenter@oracle.com \
--cc=graf@amazon.com \
--cc=jmattson@google.com \
--cc=joro@8bytes.org \
--cc=karahmed@amazon.de \
--cc=kvm@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mlevitsk@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peterx@redhat.com \
--cc=vkuznets@redhat.com \
--cc=wanpengli@tencent.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).