From: Sean Christopherson <seanjc@google.com>
To: Nicolas Saenz Julienne <nsaenz@amazon.com>
Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org,
pbonzini@redhat.com, vkuznets@redhat.com,
linux-doc@vger.kernel.org, linux-hyperv@vger.kernel.org,
linux-arch@vger.kernel.org, linux-trace-kernel@vger.kernel.org,
graf@amazon.de, dwmw2@infradead.org, pdurrant@amazon.com,
mlevitsk@redhat.com, jgowans@amazon.com, corbet@lwn.net,
decui@microsoft.com, tglx@linutronix.de, mingo@redhat.com,
bp@alien8.de, dave.hansen@linux.intel.com, x86@kernel.org,
amoorthy@google.com
Subject: Re: [PATCH 16/18] KVM: x86: Take mem attributes into account when faulting memory
Date: Thu, 22 Aug 2024 09:58:43 -0700 [thread overview]
Message-ID: <ZsduQ7tg0oQFDY8h@google.com> (raw)
In-Reply-To: <D3MJJCTNY7OM.WOB5W8AVBH9G@amazon.com>
On Thu, Aug 22, 2024, Nicolas Saenz Julienne wrote:
> On Sun Jun 9, 2024 at 3:49 PM UTC, Nicolas Saenz Julienne wrote:
> > Take into account access restrictions memory attributes when faulting
> > guest memory. Prohibited memory accesses will cause an user-space fault
> > exit.
> >
> > Additionally, bypass a warning in the !tdp case. Access restrictions in
> > guest page tables might not necessarily match the host pte's when memory
> > attributes are in use.
> >
> > Signed-off-by: Nicolas Saenz Julienne <nsaenz@amazon.com>
>
> I now realize that only taking into account memory attributes during
> faults isn't good enough for VSM. We should check the attributes anytime
> KVM takes GPAs as input for any action initiated by the guest. If the
> memory attributes are incompatible with such action, it should be
> stopped. Failure to do so opens side channels that unprivileged VTLs can
> abuse to infer information about privileged VTL. Some examples I came up
> with:
> - Guest page walks: VTL0 could install malicious directory entries that
> point to GPAs only visible to VTL1. KVM will happily continue the
> walk. Among other things, this could be use to infer VTL1's GVA->GPA
> mappings.
> - PV interfaces like the Hyper-V TSC page or VP assist page, could be
> used to modify portions of VTL1 memory.
> - Hyper-V hypercalls that take GPAs as input/output can be abused in a
> myriad of ways. Including ones that exit into user-space.
>
> We would be protected against all these if we implemented the memory
> access restrictions through the memory slots API. As is, it has the
> drawback of having to quiesce the whole VM for any non-trivial slot
> modification (i.e. VSM's memory protections). But if we found a way to
> speed up the slot updates we could rely on that, and avoid having to
> teach kvm_read/write_guest() and friends to deal with memattrs. Note
> that we would still need to use memory attributes to request for faults
> to exit onto user-space on those select GPAs. Any opinions or
> suggestions?
>
> Note that, for now, I'll stick with the memory attributes approach to
> see what the full solution looks like.
FWIW, I suspect we'll be better off honoring memory attributes. It's not just
the KVM side that has issues with memslot updates, my understanding is userspace
has also built up "slow" code with respect to memslot updates, in part because
it's such a slow path in KVM.
next prev parent reply other threads:[~2024-08-22 16:58 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-09 15:49 [PATCH 00/18] Introducing Core Building Blocks for Hyper-V VSM Emulation Nicolas Saenz Julienne
2024-06-09 15:49 ` [PATCH 01/18] KVM: x86: hyper-v: Introduce XMM output support Nicolas Saenz Julienne
2024-07-08 14:59 ` Vitaly Kuznetsov
2024-07-17 14:12 ` Nicolas Saenz Julienne
2024-07-29 13:53 ` Vitaly Kuznetsov
2024-08-05 14:08 ` Nicolas Saenz Julienne
2024-06-09 15:49 ` [PATCH 02/18] KVM: x86: hyper-v: Introduce helpers to check if VSM is exposed to guest Nicolas Saenz Julienne
2024-06-09 15:49 ` [PATCH 03/18] hyperv-tlfs: Update struct hv_send_ipi{_ex}'s declarations Nicolas Saenz Julienne
2024-06-09 15:49 ` [PATCH 04/18] KVM: x86: hyper-v: Introduce VTL awareness to Hyper-V's PV-IPIs Nicolas Saenz Julienne
2024-09-13 18:02 ` Sean Christopherson
2024-09-16 14:52 ` Nicolas Saenz Julienne
2024-06-09 15:49 ` [PATCH 05/18] KVM: x86: hyper-v: Introduce MP_STATE_HV_INACTIVE_VTL Nicolas Saenz Julienne
2024-09-13 19:01 ` Sean Christopherson
2024-09-16 15:33 ` Nicolas Saenz Julienne
2024-09-18 7:56 ` Sean Christopherson
2024-06-09 15:49 ` [PATCH 06/18] KVM: x86: hyper-v: Exit on Get/SetVpRegisters hcall Nicolas Saenz Julienne
2024-06-09 15:49 ` [PATCH 07/18] KVM: x86: hyper-v: Exit on TranslateVirtualAddress hcall Nicolas Saenz Julienne
2024-06-09 15:49 ` [PATCH 08/18] KVM: x86: hyper-v: Exit on StartVirtualProcessor and GetVpIndexFromApicId hcalls Nicolas Saenz Julienne
2024-06-09 15:49 ` [PATCH 09/18] KVM: Define and communicate KVM_EXIT_MEMORY_FAULT RWX flags to userspace Nicolas Saenz Julienne
2024-06-09 15:49 ` [PATCH 10/18] KVM: x86: Keep track of instruction length during faults Nicolas Saenz Julienne
2024-09-13 19:10 ` Sean Christopherson
2024-06-09 15:49 ` [PATCH 11/18] KVM: x86: Pass the instruction length on memory fault user-space exits Nicolas Saenz Julienne
2024-09-13 19:11 ` Sean Christopherson
2024-09-16 15:53 ` Nicolas Saenz Julienne
2024-06-09 15:49 ` [PATCH 12/18] KVM: x86/mmu: Introduce infrastructure to handle non-executable mappings Nicolas Saenz Julienne
2024-06-09 15:49 ` [PATCH 13/18] KVM: x86/mmu: Avoid warning when installing non-private memory attributes Nicolas Saenz Julienne
2024-09-13 19:13 ` Sean Christopherson
2024-06-09 15:49 ` [PATCH 14/18] KVM: x86/mmu: Init memslot if memory attributes available Nicolas Saenz Julienne
2024-06-09 15:49 ` [PATCH 15/18] KVM: Introduce RWX memory attributes Nicolas Saenz Julienne
2024-06-09 15:49 ` [PATCH 16/18] KVM: x86: Take mem attributes into account when faulting memory Nicolas Saenz Julienne
2024-08-22 15:21 ` Nicolas Saenz Julienne
2024-08-22 16:58 ` Sean Christopherson [this message]
2024-09-13 18:26 ` Nicolas Saenz Julienne
2024-06-09 15:49 ` [PATCH 17/18] KVM: Introduce traces to track memory attributes modification Nicolas Saenz Julienne
2024-06-09 15:49 ` [PATCH 18/18] KVM: x86: hyper-v: Handle VSM hcalls in user-space Nicolas Saenz Julienne
2024-07-03 9:55 ` [PATCH 00/18] Introducing Core Building Blocks for Hyper-V VSM Emulation Nicolas Saenz Julienne
2024-07-03 12:48 ` Vitaly Kuznetsov
2024-07-03 13:18 ` Nicolas Saenz Julienne
2024-09-13 19:19 ` Sean Christopherson
2024-09-16 16:32 ` Nicolas Saenz Julienne
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZsduQ7tg0oQFDY8h@google.com \
--to=seanjc@google.com \
--cc=amoorthy@google.com \
--cc=bp@alien8.de \
--cc=corbet@lwn.net \
--cc=dave.hansen@linux.intel.com \
--cc=decui@microsoft.com \
--cc=dwmw2@infradead.org \
--cc=graf@amazon.de \
--cc=jgowans@amazon.com \
--cc=kvm@vger.kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-hyperv@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-trace-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=mlevitsk@redhat.com \
--cc=nsaenz@amazon.com \
--cc=pbonzini@redhat.com \
--cc=pdurrant@amazon.com \
--cc=tglx@linutronix.de \
--cc=vkuznets@redhat.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).