From: Sean Christopherson <seanjc@google.com>
To: Yan Zhao <yan.y.zhao@intel.com>
Cc: pbonzini@redhat.com, kvm@vger.kernel.org,
linux-kernel@vger.kernel.org, rick.p.edgecombe@intel.com,
kai.huang@intel.com, adrian.hunter@intel.com,
reinette.chatre@intel.com, xiaoyao.li@intel.com,
tony.lindgren@intel.com, binbin.wu@linux.intel.com,
dmatlack@google.com, isaku.yamahata@intel.com,
isaku.yamahata@gmail.com
Subject: Re: [PATCH 3/7] KVM: TDX: Retry locally in TDX EPT violation handler on RET_PF_RETRY
Date: Mon, 27 Jan 2025 09:04:59 -0800 [thread overview]
Message-ID: <Z5e8uycCzOlMwP_t@google.com> (raw)
In-Reply-To: <Z5dQtuVO2mQfusOY@yzhao56-desk.sh.intel.com>
On Mon, Jan 27, 2025, Yan Zhao wrote:
> On Fri, Jan 24, 2025 at 05:23:36PM -0800, Sean Christopherson wrote:
> My previous consideration is that
> when there's a pending interrupt that can be recognized, given the current VM
> Exit reason is EPT violation, the next VM Entry will not deliver the interrupt
> since the condition to recognize and deliver interrupt is unchanged after the
> EPT violation VM Exit.
> So checking pending interrupt brings only false positive, which is unlike
> checking PID that the vector in the PID could arrive after the EPT violation VM
> Exit and PID would be cleared after VM Entry even if the interrupts are not
> deliverable. So checking PID may lead to true positive and less false positive.
>
> But I understand your point now. As checking PID can also be false positive, it
> would be no harm to introduce another source of false positive.
Yep. FWIW, I agree that checking VMXIP is theoretically "worse", in the sense
that it's much more likely to be a false positive. Off the top of my head, the
only time VMXIP will be set with RFLAGS.IF=1 on an EPT Violation is if the EPT
violation happens in an STI or MOV_SS/POP_SS shadow.
> So using kvm_vcpu_has_events() looks like a kind of trade-off?
> kvm_vcpu_has_events() can make TDX's code less special but might lead to the
> local vCPU more vulnerable to the 0-step mitigation, especially when interrupts
> are disabled in the guest.
Ya. I think it's worth worth using kvm_vcpu_has_events() though. In practice,
observing VMXIP=1 with RFLAGS=0 on an EPT Violation means the guest is accessing
memory for the first time in atomic kernel context. That alone seems highly
unlikely. Add in that triggering retry requires an uncommon race, and the overall
probability becomes miniscule.
> > That code needs a comment, because depending on the behavior of that field, it
> > might not even be correct.
> >
> > > (2) kvm_vcpu_has_events() may lead to unnecessary breaks due to exception
> > > pending. However, vt_inject_exception() is NULL for TDs.
> >
> > Wouldn't a pending exception be a KVM bug?
> Hmm, yes, it should be.
> Although kvm_vcpu_ioctl_x86_set_mce() can invoke kvm_queue_exception() to queue
> an exception for TDs,
I thought TDX didn't support synthetic #MCs?
> this should not occur while VCPU_RUN is in progress.
Not "should not", _cannot_, because they're mutually exclusive.
next prev parent reply other threads:[~2025-01-27 17:05 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-13 2:09 [PATCH 0/7] KVM: TDX SEPT SEAMCALL retry Yan Zhao
2025-01-13 2:10 ` [PATCH 1/7] KVM: TDX: Return -EBUSY when tdh_mem_page_add() encounters TDX_OPERAND_BUSY Yan Zhao
2025-01-14 22:24 ` Edgecombe, Rick P
2025-01-15 4:59 ` Yan Zhao
2025-01-13 2:11 ` [PATCH 2/7] KVM: x86/mmu: Return RET_PF* instead of 1 in kvm_mmu_page_fault() Yan Zhao
2025-01-14 22:24 ` Edgecombe, Rick P
2025-01-15 4:58 ` Yan Zhao
2025-01-13 2:12 ` [PATCH 3/7] KVM: TDX: Retry locally in TDX EPT violation handler on RET_PF_RETRY Yan Zhao
2025-01-17 21:14 ` Sean Christopherson
2025-01-20 8:05 ` Yan Zhao
2025-01-25 1:23 ` Sean Christopherson
2025-01-27 9:24 ` Yan Zhao
2025-01-27 17:04 ` Sean Christopherson [this message]
2025-02-05 7:34 ` Yan Zhao
2025-01-13 2:12 ` [PATCH 4/7] KVM: TDX: Kick off vCPUs when SEAMCALL is busy during TD page removal Yan Zhao
2025-01-16 6:23 ` Binbin Wu
2025-01-16 6:28 ` Binbin Wu
2025-01-16 8:18 ` Yan Zhao
2025-01-13 2:13 ` [PATCH 5/7] fixup! KVM: TDX: Implement hooks to propagate changes of TDP MMU mirror page table Yan Zhao
2025-01-16 6:30 ` Binbin Wu
2025-01-13 2:13 ` [PATCH 6/7] " Yan Zhao
2025-01-13 2:13 ` [PATCH 7/7] fixup! KVM: TDX: Implement TDX vcpu enter/exit path Yan Zhao
2025-01-14 22:27 ` [PATCH 0/7] KVM: TDX SEPT SEAMCALL retry Edgecombe, Rick P
2025-01-15 16:43 ` Paolo Bonzini
2025-01-16 0:52 ` Yan Zhao
2025-01-16 11:07 ` Paolo Bonzini
2025-01-17 9:52 ` Yan Zhao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z5e8uycCzOlMwP_t@google.com \
--to=seanjc@google.com \
--cc=adrian.hunter@intel.com \
--cc=binbin.wu@linux.intel.com \
--cc=dmatlack@google.com \
--cc=isaku.yamahata@gmail.com \
--cc=isaku.yamahata@intel.com \
--cc=kai.huang@intel.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=reinette.chatre@intel.com \
--cc=rick.p.edgecombe@intel.com \
--cc=tony.lindgren@intel.com \
--cc=xiaoyao.li@intel.com \
--cc=yan.y.zhao@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox