Subject: Re: [PATCH v3 0/7] KVM: few more SMM fixes
From: Paolo Bonzini
To: Sean Christopherson
Cc: Maxim Levitsky, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Jim Mattson, Wanpeng Li, Thomas Gleixner, "H. Peter Anvin", Borislav Petkov, Vitaly Kuznetsov, Ingo Molnar, "maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT)", Joerg Roedel
Date: Wed, 22 Sep 2021 20:17:02 +0200
References: <20210913140954.165665-1-mlevitsk@redhat.com> <22916f0c-2e3a-1fd6-905e-5d647c15c45b@redhat.com> <427038b4-a856-826c-e9f4-01678d33ab83@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 22/09/21 17:52, Sean Christopherson wrote:
> On Wed, Sep 22, 2021, Paolo Bonzini wrote:
>> On 22/09/21 16:46, Sean Christopherson wrote:
>>> On Wed, Sep 22, 2021, Paolo Bonzini wrote:
>>>> On 13/09/21 16:09, Maxim Levitsky wrote:
>>>>> KVM: x86: nVMX: re-evaluate emulation_required on nested VM exit
>>>
>>> ...
>>>> Queued, thanks.  However, I'm keeping patch 1 for 5.16 only.
>>>
>>> I'm pretty sure the above patch is wrong, emulation_required can simply be
>>> cleared on emulated VM-Exit.
>>
>> Are you sure?
>
> Pretty sure, but not 100% sure :-)
>
>> I think you can at least set the host segment fields to a data segment that
>> requires emulation.  For example the DPL of the host DS is hardcoded to zero,
>> but the RPL comes from the selector field and the DS selector is not
>> validated.
>
> HOST_DS_SEL is validated:
>
>   In the selector field for each of CS, SS, DS, ES, FS, GS and TR, the RPL
>   (bits 1:0) and the TI flag (bit 2) must be 0.

Ah, I think that's a bug in the manual.  In "27.5.2 Loading Host Segment and
Descriptor-Table Registers" the reference to 26.3.1.2 should be 26.2.3
("Checks on Host Segment and Descriptor-Table Registers").  That one does
cover all segment registers.  Hmm, who do we ask now about fixing Intel
manuals?

So yeah, a WARN_ON_ONCE might be in order.  But I don't feel super safe
making it false when it is possible to make KVM do something that is at
least sensible.

Paolo

>> Therefore a subsequent vmentry could fail the access rights tests of 26.3.1.2
>> Checks on Guest Segment Registers:
>
> Yes, but this path is loading host state on VM-Exit.
>
>> DS, ES, FS, GS. The DPL cannot be less than the RPL in the selector field if
>> (1) the “unrestricted guest” VM-execution control is 0; (2) the register is
>> usable; and (3) the Type in the access-rights field is in the range 0 – 11
>> (data segment or non-conforming code segment).
>>
>> Paolo
>>
>
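The two SDM checks the thread argues about, written out as an added example (this is not code from the thread or from KVM): the host-state selector check Sean quotes (RPL and TI of each host selector field must be 0) and the guest-state access-rights rule Paolo quotes for DS/ES/FS/GS (DPL may not be less than the selector's RPL unless unrestricted guest is set, the register is unusable, or the Type is a conforming code segment). The selector and access-rights bit layouts are the standard VMX ones (selector: RPL bits 1:0, TI bit 2; access rights: Type bits 3:0, S bit 4, DPL bits 6:5, P bit 7, unusable bit 16); the function and struct names and the sample selectors are this example's own constructions. The "host DS with DPL 0" case mirrors the scenario in the message, so the reader can see that a host DS selector with RPL 3 is rejected by the host-state check before the guest-state rule ever applies.

```c
/* Added example, not code from the thread or from KVM: decode the VMCS
 * segment selector and access-rights fields and apply the two SDM checks
 * discussed in the message. Bit layouts are the VMX "AR bytes" format;
 * all names here are this example's own. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Segment selector: bits 1:0 RPL, bit 2 TI, bits 15:3 index. */
#define SEL_RPL(sel)    ((sel) & 0x3)
#define SEL_TI(sel)     (((sel) >> 2) & 0x1)

/* VMCS access-rights field: bits 3:0 Type, bit 4 S, bits 6:5 DPL,
 * bit 7 P, bit 16 "unusable". */
#define AR_TYPE(ar)     ((ar) & 0xf)
#define AR_S(ar)        (((ar) >> 4) & 0x1)
#define AR_DPL(ar)      (((ar) >> 5) & 0x3)
#define AR_UNUSABLE(ar) (((ar) >> 16) & 0x1)

/* "Checks on Host Segment and Descriptor-Table Registers": for each of
 * CS, SS, DS, ES, FS, GS and TR the RPL (bits 1:0) and TI (bit 2) of the
 * host selector field must be 0. True if the selector would be accepted. */
bool host_selector_ok(uint16_t sel)
{
    return SEL_RPL(sel) == 0 && SEL_TI(sel) == 0;
}

/* "Checks on Guest Segment Registers", DS/ES/FS/GS rule quoted in the
 * thread: DPL may not be less than the selector RPL when (1) unrestricted
 * guest is 0, (2) the register is usable, and (3) Type is in 0..11 (data
 * segment or non-conforming code segment). True if the check passes. */
bool guest_data_segment_ok(uint16_t sel, uint32_t ar, bool unrestricted_guest)
{
    if (unrestricted_guest)
        return true;        /* (1): rule only applies without unrestricted guest */
    if (AR_UNUSABLE(ar))
        return true;        /* (2): unusable registers are not checked */
    if (AR_TYPE(ar) > 11)
        return true;        /* (3): conforming code segments are exempt */
    return AR_DPL(ar) >= SEL_RPL(sel);
}

/* Verdict for one candidate host DS selector under both checks. */
struct segment_verdict {
    bool host_check_passes;   /* would VM-entry accept it as host DS? */
    bool guest_check_passes;  /* would it satisfy the guest DS rule? */
};

/* Mirror the scenario in the message: host DS access rights with DPL
 * hardcoded to 0, paired with whatever RPL the selector carries.
 * The access-rights value is constructed: P=1, S=1, DPL=0, Type=3. */
struct segment_verdict evaluate_host_ds(uint16_t host_ds_sel)
{
    const uint32_t host_ds_ar = (1u << 7) | (1u << 4) | (0u << 5) | 0x3; /* 0x93 */
    struct segment_verdict v;
    v.host_check_passes  = host_selector_ok(host_ds_sel);
    v.guest_check_passes = guest_data_segment_ok(host_ds_sel, host_ds_ar, false);
    return v;
}

int main(void)
{
    /* Constructed selectors: index 2 with RPL 0; RPL 3; and TI set. */
    const uint16_t sels[] = { 0x0010, 0x0013, 0x0014 };
    for (size_t i = 0; i < sizeof(sels) / sizeof(sels[0]); i++) {
        struct segment_verdict v = evaluate_host_ds(sels[i]);
        printf("host DS selector 0x%04x: host-state check %s, guest-state rule %s\n",
               sels[i], v.host_check_passes ? "pass" : "FAIL",
               v.guest_check_passes ? "pass" : "FAIL");
    }
    return 0;
}
```

Running it shows the point of the exchange: 0x0013 (RPL 3) fails the host-state selector check, which is evaluated at VM-entry on the host fields, and would also fail the guest DPL-vs-RPL rule if those values ever ended up in guest DS with unrestricted guest off; 0x0014 fails only because TI is set, since the guest rule does not look at TI at all.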