From: "Radim Krčmář" <rkrcmar@redhat.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: "Michael S. Tsirkin" <mst@redhat.com>,
linux-kernel@vger.kernel.org, kvm@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH] kvm: x86: disable KVM_FAST_MMIO_BUS
Date: Wed, 16 Aug 2017 21:03:17 +0200 [thread overview]
Message-ID: <20170816190316.GA2566@flask> (raw)
In-Reply-To: <81dabc78-edfd-32fc-024c-c57330386a51@redhat.com>
2017-08-16 19:19+0200, Paolo Bonzini:
> On 16/08/2017 18:50, Michael S. Tsirkin wrote:
>> On Wed, Aug 16, 2017 at 03:30:31PM +0200, Paolo Bonzini wrote:
>>> While you can filter out instruction fetches, that's not enough. A data
>>> read could happen because someone pointed the IDT to MMIO area, and who
>>> knows what the VM-exit instruction length points to in that case.
>>
>> Thinking more about it, I don't really see how anything
>> legal guest might be doing with virtio would trigger anything
>> but a fault after decoding the instruction. How does
>> skipping instruction even make sense in the example you give?
>
> There's no such thing as a legal guest. Anything that the hypervisor
> does, that differs from real hardware, is a possible escalation path.
>
> This in fact makes me doubt the EMULTYPE_SKIP patch too.
The main hack is that we expect EPT misconfig within a given range to be
a MMIO NULL write. I think it is fine -- EMULTYPE_SKIP is a common path
that should have well tested error paths and, IIUC, virtio doesn't allow
any other access, so it is a problem of the guest if a buggy/malicious
application can access virtio memory.
>>>>> Plus of course it wouldn't be guaranteed to work on nested.
>>>>
>>>> Not sure I got this one.
>>>
>>> Not all nested hypervisors are setting the VM-exit instruction length
>>> field on EPT violations, since it's documented not to be set.
>>
>> So that's probably the real issue - nested virt which has to do it
>> in software at extra cost. We already limit this to intel processors,
Hm, there is no reason to exclude SVM.
>> how about we blacklist nested virt for this optimization?
Not every hypervisor can be easily detected ... KVM uses standard
features and SDM clearly says that the instruction length field is
undefined.
We only lose performance if we decode the instruction, but piling
workarounds creates unexpected corner cases.
I still don't see acceptable alternatives to Paolo's solution.
next prev parent reply other threads:[~2017-08-16 19:03 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-16 11:22 [PATCH] kvm: x86: disable KVM_FAST_MMIO_BUS Paolo Bonzini
2017-08-16 12:07 ` Radim Krčmář
2017-08-16 13:37 ` Paolo Bonzini
2017-08-16 14:06 ` Michael S. Tsirkin
2017-08-16 14:17 ` Paolo Bonzini
2017-08-17 8:15 ` David Hildenbrand
2017-08-16 12:58 ` Michael S. Tsirkin
2017-08-16 13:05 ` Paolo Bonzini
2017-08-16 13:16 ` Michael S. Tsirkin
2017-08-16 13:30 ` Paolo Bonzini
2017-08-16 14:03 ` Michael S. Tsirkin
2017-08-16 16:50 ` Michael S. Tsirkin
2017-08-16 17:19 ` Paolo Bonzini
2017-08-16 19:03 ` Radim Krčmář [this message]
2017-08-16 19:59 ` Michael S. Tsirkin
2017-08-16 21:25 ` Paolo Bonzini
2017-08-16 22:31 ` Michael S. Tsirkin
2017-08-17 9:00 ` Paolo Bonzini
2017-08-17 12:14 ` Paolo Bonzini
2017-08-17 13:23 ` Radim Krčmář
2017-08-17 15:15 ` Michael S. Tsirkin
2017-08-17 13:51 ` Radim Krčmář
2017-08-17 15:27 ` Michael S. Tsirkin
2017-08-16 19:47 ` Michael S. Tsirkin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170816190316.GA2566@flask \
--to=rkrcmar@redhat.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mst@redhat.com \
--cc=pbonzini@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox