From: Sean Christopherson <seanjc@google.com>
To: Xiaoyao Li <xiaoyao.li@intel.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>,
kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
Tom Lendacky <thomas.lendacky@amd.com>,
Mathias Krause <minipli@grsecurity.net>,
John Allen <john.allen@amd.com>,
Rick Edgecombe <rick.p.edgecombe@intel.com>,
Chao Gao <chao.gao@intel.com>,
Maxim Levitsky <mlevitsk@redhat.com>,
Zhang Yi Z <yi.z.zhang@linux.intel.com>
Subject: Re: [PATCH v15 13/41] KVM: x86: Enable guest SSP read/write interface with new uAPIs
Date: Mon, 15 Sep 2025 15:12:28 -0700 [thread overview]
Message-ID: <aMiPTEu_WfmEZiqT@google.com> (raw)
In-Reply-To: <aca9d389-f11e-4811-90cf-d98e345a5cc2@intel.com>
On Mon, Sep 15, 2025, Xiaoyao Li wrote:
> On 9/13/2025 7:22 AM, Sean Christopherson wrote:
> > @@ -6097,11 +6105,22 @@ static int kvm_get_set_one_reg(struct kvm_vcpu *vcpu, unsigned int ioctl,
> > static int kvm_get_reg_list(struct kvm_vcpu *vcpu,
> > struct kvm_reg_list __user *user_list)
> > {
> > - u64 nr_regs = 0;
> > + u64 nr_regs = guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK) ? 1 : 0;
>
> I wonder what's the semantic of KVM returning KVM_REG_GUEST_SSP on
> KVM_GET_REG_LIST. Does it ensure KVM_{G,S}ET_ONE_REG returns -EINVAL on
> KVM_REG_GUEST_SSP when it's not enumerated by KVM_GET_REG_LIST?
>
> If so, but KVM_{G,S}ET_ONE_REG can succeed on GUEST_SSP even if
> !guest_cpu_cap_has() when @ignore_msrs is true.
Ugh, great catch. Too many knobs. The best idea I've got it to to exempt KVM-
internal MSRs from ignore_msrs and report_ignored_msrs on host-initiated writes.
That's unfortunately still a userspace visible change, and would continue to be
userspace-visible, e.g. if we wanted to change the magic value for
MSR_KVM_INTERNAL_GUEST_SSP.
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index c78acab2ff3f..6a50261d1c5c 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -511,6 +511,11 @@ static bool kvm_is_advertised_msr(u32 msr_index)
return false;
}
+static bool kvm_is_internal_msr(u32 msr)
+{
+ return msr == MSR_KVM_INTERNAL_GUEST_SSP;
+}
+
typedef int (*msr_access_t)(struct kvm_vcpu *vcpu, u32 index, u64 *data,
bool host_initiated);
@@ -544,6 +549,9 @@ static __always_inline int kvm_do_msr_access(struct kvm_vcpu *vcpu, u32 msr,
if (host_initiated && !*data && kvm_is_advertised_msr(msr))
return 0;
+ if (host_initiated && kvm_is_internal_msr(msr))
+ return ret;
+
if (!ignore_msrs) {
kvm_debug_ratelimited("unhandled %s: 0x%x data 0x%llx\n",
op, msr, *data);
Alternatively, simply exempt host writes from ignore_msrs. Aha! And KVM even
documents that as the behavior:
kvm.ignore_msrs=[KVM] Ignore guest accesses to unhandled MSRs.
Default is 0 (don't ignore, but inject #GP)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index c78acab2ff3f..177253e75b41 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -544,7 +544,7 @@ static __always_inline int kvm_do_msr_access(struct kvm_vcpu *vcpu, u32 msr,
if (host_initiated && !*data && kvm_is_advertised_msr(msr))
return 0;
- if (!ignore_msrs) {
+ if (host_initiated || !ignore_msrs) {
kvm_debug_ratelimited("unhandled %s: 0x%x data 0x%llx\n",
op, msr, *data);
return ret;
So while it's technically an ABI change (arguable since it's guarded by an
off-by-default param), I suspect we can get away with it. Hmm, commit 6abe9c1386e5
("KVM: X86: Move ignore_msrs handling upper the stack") exempted KVM-internal
MSR accesses from ignore_msrs, but doesn't provide much in the way of justification
for _why_ that's desirable.
Argh, and that same mini-series extended the behavior to feature MSRs, again
without seeming to consider whether or not it's actually desirable to suppress
bad VMM accesses. Even worse, that decision likely generated an absurd amount
of churn and noise due to splattering helpers and variants all over the place. :-(
commit 12bc2132b15e0a969b3f455d90a5f215ef239eff
Author: Peter Xu <peterx@redhat.com>
AuthorDate: Mon Jun 22 18:04:42 2020 -0400
Commit: Paolo Bonzini <pbonzini@redhat.com>
CommitDate: Wed Jul 8 16:21:40 2020 -0400
KVM: X86: Do the same ignore_msrs check for feature msrs
Logically the ignore_msrs and report_ignored_msrs should also apply to feature
MSRs. Add them in.
For 6.18, I think the safe play is to go with the first path (exempt KVM-internal
MSRs), and then try to go for the second approach (exempt all host accesses) for
6.19. KVM's ABI for ignore_msrs=true is already all kinds of messed up, so I'm
not terribly concerned about temporarily making it marginally worse.
next prev parent reply other threads:[~2025-09-15 22:12 UTC|newest]
Thread overview: 130+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-12 23:22 [PATCH v15 00/41] KVM: x86: Mega-CET Sean Christopherson
2025-09-12 23:22 ` [PATCH v15 01/41] KVM: SEV: Rename kvm_ghcb_get_sw_exit_code() to kvm_get_cached_sw_exit_code() Sean Christopherson
2025-09-15 16:15 ` Tom Lendacky
2025-09-15 16:30 ` Sean Christopherson
2025-09-12 23:22 ` [PATCH v15 02/41] KVM: SEV: Read save fields from GHCB exactly once Sean Christopherson
2025-09-15 17:32 ` Tom Lendacky
2025-09-15 21:08 ` Sean Christopherson
2025-09-17 21:47 ` Sean Christopherson
2025-09-12 23:22 ` [PATCH v15 03/41] KVM: SEV: Validate XCR0 provided by guest in GHCB Sean Christopherson
2025-09-15 18:41 ` Tom Lendacky
2025-09-15 21:22 ` Sean Christopherson
2025-09-12 23:22 ` [PATCH v15 04/41] KVM: x86: Introduce KVM_{G,S}ET_ONE_REG uAPIs support Sean Christopherson
2025-09-15 6:29 ` Xiaoyao Li
2025-09-16 7:10 ` Binbin Wu
2025-09-17 13:14 ` Sean Christopherson
2025-09-12 23:22 ` [PATCH v15 05/41] KVM: x86: Report XSS as to-be-saved if there are supported features Sean Christopherson
2025-09-16 7:12 ` Binbin Wu
2025-09-12 23:22 ` [PATCH v15 06/41] KVM: x86: Check XSS validity against guest CPUIDs Sean Christopherson
2025-09-16 7:20 ` Binbin Wu
2025-09-12 23:22 ` [PATCH v15 07/41] KVM: x86: Refresh CPUID on write to guest MSR_IA32_XSS Sean Christopherson
2025-09-16 7:23 ` Binbin Wu
2025-09-12 23:22 ` [PATCH v15 08/41] KVM: x86: Initialize kvm_caps.supported_xss Sean Christopherson
2025-09-16 7:29 ` Binbin Wu
2025-09-12 23:22 ` [PATCH v15 09/41] KVM: x86: Load guest FPU state when access XSAVE-managed MSRs Sean Christopherson
2025-09-15 17:04 ` Xin Li
2025-09-16 6:51 ` Xiaoyao Li
2025-09-16 8:28 ` Binbin Wu
2025-09-17 2:51 ` Binbin Wu
2025-09-17 12:47 ` Sean Christopherson
2025-09-17 21:56 ` Sean Christopherson
2025-09-12 23:22 ` [PATCH v15 10/41] KVM: x86: Add fault checks for guest CR4.CET setting Sean Christopherson
2025-09-16 8:33 ` Binbin Wu
2025-09-12 23:22 ` [PATCH v15 11/41] KVM: x86: Report KVM supported CET MSRs as to-be-saved Sean Christopherson
2025-09-15 6:30 ` Xiaoyao Li
2025-09-16 8:46 ` Binbin Wu
2025-09-12 23:22 ` [PATCH v15 12/41] KVM: VMX: Introduce CET VMCS fields and control bits Sean Christopherson
2025-09-15 6:31 ` Xiaoyao Li
2025-09-16 9:00 ` Binbin Wu
2025-09-12 23:22 ` [PATCH v15 13/41] KVM: x86: Enable guest SSP read/write interface with new uAPIs Sean Christopherson
2025-09-15 6:55 ` Xiaoyao Li
2025-09-15 22:12 ` Sean Christopherson [this message]
2025-09-16 5:52 ` Xiaoyao Li
2025-09-19 17:47 ` Sean Christopherson
2025-09-19 17:58 ` Sean Christopherson
2025-09-12 23:22 ` [PATCH v15 14/41] KVM: VMX: Emulate read and write to CET MSRs Sean Christopherson
2025-09-16 7:07 ` Xiaoyao Li
2025-09-16 7:48 ` Chao Gao
2025-09-16 8:10 ` Xiaoyao Li
2025-09-19 22:11 ` Sean Christopherson
2025-09-17 7:52 ` Binbin Wu
2025-09-12 23:22 ` [PATCH v15 15/41] KVM: x86: Save and reload SSP to/from SMRAM Sean Christopherson
2025-09-16 7:37 ` Xiaoyao Li
2025-09-17 7:53 ` Binbin Wu
2025-09-12 23:22 ` [PATCH v15 16/41] KVM: VMX: Set up interception for CET MSRs Sean Christopherson
2025-09-15 17:21 ` Xin Li
2025-09-16 7:40 ` Xiaoyao Li
2025-09-17 8:32 ` Binbin Wu
2025-09-17 13:44 ` Sean Christopherson
2025-09-12 23:22 ` [PATCH v15 17/41] KVM: VMX: Set host constant supervisor states to VMCS fields Sean Christopherson
2025-09-16 7:44 ` Xiaoyao Li
2025-09-17 8:48 ` Xiaoyao Li
2025-09-17 21:25 ` Sean Christopherson
2025-09-12 23:22 ` [PATCH v15 18/41] KVM: x86: Don't emulate instructions affected by CET features Sean Christopherson
2025-09-17 8:16 ` Chao Gao
2025-09-17 21:15 ` Sean Christopherson
2025-09-18 14:54 ` Chao Gao
2025-09-18 18:02 ` Sean Christopherson
2025-09-17 8:19 ` Xiaoyao Li
2025-09-18 14:15 ` Chao Gao
2025-09-19 1:25 ` Sean Christopherson
2025-09-17 8:45 ` Binbin Wu
2025-09-12 23:22 ` [PATCH v15 19/41] KVM: x86: Enable CET virtualization for VMX and advertise to userspace Sean Christopherson
2025-09-18 1:57 ` Binbin Wu
2025-09-19 22:57 ` Sean Christopherson
2025-09-18 2:18 ` Binbin Wu
2025-09-18 18:05 ` Sean Christopherson
2025-09-19 7:10 ` Xiaoyao Li
2025-09-19 14:25 ` Sean Christopherson
2025-09-12 23:22 ` [PATCH v15 20/41] KVM: nVMX: Virtualize NO_HW_ERROR_CODE_CC for L1 event injection to L2 Sean Christopherson
2025-09-18 2:27 ` Binbin Wu
2025-09-12 23:22 ` [PATCH v15 21/41] KVM: nVMX: Prepare for enabling CET support for nested guest Sean Christopherson
2025-09-15 17:45 ` Xin Li
2025-09-18 4:48 ` Xin Li
2025-09-18 18:05 ` Sean Christopherson
2025-09-12 23:23 ` [PATCH v15 22/41] KVM: nVMX: Add consistency checks for CR0.WP and CR4.CET Sean Christopherson
2025-09-12 23:23 ` [PATCH v15 23/41] KVM: nVMX: Add consistency checks for CET states Sean Christopherson
2025-09-12 23:23 ` [PATCH v15 24/41] KVM: nVMX: Advertise new VM-Entry/Exit control bits for CET state Sean Christopherson
2025-09-12 23:23 ` [PATCH v15 25/41] KVM: x86: SVM: Emulate reads and writes to shadow stack MSRs Sean Christopherson
2025-09-15 17:56 ` Xin Li
2025-09-15 20:43 ` Sean Christopherson
2025-09-12 23:23 ` [PATCH v15 26/41] KVM: nSVM: Save/load CET Shadow Stack state to/from vmcb12/vmcb02 Sean Christopherson
2025-09-12 23:23 ` [PATCH v15 27/41] KVM: x86: SVM: Update dump_vmcb with shadow stack save area additions Sean Christopherson
2025-09-12 23:23 ` [PATCH v15 28/41] KVM: x86: SVM: Pass through shadow stack MSRs as appropriate Sean Christopherson
2025-09-12 23:23 ` [PATCH v15 29/41] KVM: SEV: Synchronize MSR_IA32_XSS from the GHCB when it's valid Sean Christopherson
2025-09-16 18:55 ` John Allen
2025-09-16 19:53 ` Sean Christopherson
2025-09-16 20:33 ` John Allen
2025-09-16 21:38 ` Sean Christopherson
2025-09-16 22:55 ` John Allen
2025-09-18 19:48 ` John Allen
2025-09-18 20:34 ` Sean Christopherson
2025-09-18 20:44 ` Sean Christopherson
2025-09-18 21:23 ` John Allen
2025-09-18 21:42 ` Edgecombe, Rick P
2025-09-18 22:18 ` John Allen
2025-09-19 13:40 ` Tom Lendacky
2025-09-19 16:13 ` John Allen
2025-09-19 17:29 ` Edgecombe, Rick P
2025-09-19 20:58 ` Edgecombe, Rick P
2025-09-22 9:19 ` Kiryl Shutsemau
2025-09-22 9:33 ` Upadhyay, Neeraj
2025-09-22 9:54 ` Kiryl Shutsemau
2025-09-12 23:23 ` [PATCH v15 30/41] KVM: SVM: Enable shadow stack virtualization for SVM Sean Christopherson
2025-09-12 23:23 ` [PATCH v15 31/41] KVM: x86: Add human friendly formatting for #XM, and #VE Sean Christopherson
2025-09-12 23:23 ` [PATCH v15 32/41] KVM: x86: Define Control Protection Exception (#CP) vector Sean Christopherson
2025-09-12 23:23 ` [PATCH v15 33/41] KVM: x86: Define AMD's #HV, #VC, and #SX exception vectors Sean Christopherson
2025-09-12 23:23 ` [PATCH v15 34/41] KVM: selftests: Add ex_str() to print human friendly name of " Sean Christopherson
2025-09-15 9:07 ` Chao Gao
2025-09-12 23:23 ` [PATCH v15 35/41] KVM: selftests: Add an MSR test to exercise guest/host and read/write Sean Christopherson
2025-09-15 8:22 ` Chao Gao
2025-09-15 17:00 ` Sean Christopherson
2025-09-12 23:23 ` [PATCH v15 36/41] KVM: selftests: Add support for MSR_IA32_{S,U}_CET to MSRs test Sean Christopherson
2025-09-12 23:23 ` [PATCH v15 37/41] KVM: selftests: Extend MSRs test to validate vCPUs without supported features Sean Christopherson
2025-09-12 23:23 ` [PATCH v15 38/41] KVM: selftests: Add KVM_{G,S}ET_ONE_REG coverage to MSRs test Sean Christopherson
2025-09-12 23:23 ` [PATCH v15 39/41] KVM: selftests: Add coverate for KVM-defined registers in " Sean Christopherson
2025-09-12 23:23 ` [PATCH v15 40/41] KVM: selftests: Verify MSRs are (not) in save/restore list when (un)supported Sean Christopherson
2025-09-12 23:23 ` [PATCH v15 41/41] KVM: VMX: Make CR4.CET a guest owned bit Sean Christopherson
2025-09-15 13:18 ` [PATCH v15 00/41] KVM: x86: Mega-CET Mathias Krause
2025-09-15 21:20 ` John Allen
2025-09-16 13:53 ` Chao Gao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aMiPTEu_WfmEZiqT@google.com \
--to=seanjc@google.com \
--cc=chao.gao@intel.com \
--cc=john.allen@amd.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=minipli@grsecurity.net \
--cc=mlevitsk@redhat.com \
--cc=pbonzini@redhat.com \
--cc=rick.p.edgecombe@intel.com \
--cc=thomas.lendacky@amd.com \
--cc=xiaoyao.li@intel.com \
--cc=yi.z.zhang@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).