Re: [PATCH] KVM: VMX: Inject #UD if guest tries to execute SEAMCALL or TDCALL

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Sean Christopherson <seanjc@google.com>
To: Xiaoyao Li <xiaoyao.li@intel.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>,
	kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
	 Kai Huang <kai.huang@intel.com>,
	Rick Edgecombe <rick.p.edgecombe@intel.com>
Subject: Re: [PATCH] KVM: VMX: Inject #UD if guest tries to execute SEAMCALL or TDCALL
Date: Thu, 16 Oct 2025 11:28:57 -0700	[thread overview]
Message-ID: <aPE5aZpsDYpIqngX@google.com> (raw)
In-Reply-To: <456146b7-e4f3-46d4-8b30-8b0ccb250f08@intel.com>

On Wed, Oct 15, 2025, Xiaoyao Li wrote:
> On 10/15/2025 9:57 PM, Sean Christopherson wrote:
> > On Wed, Oct 15, 2025, Xiaoyao Li wrote:
> > > On 10/15/2025 7:10 AM, Sean Christopherson wrote:
> > > > diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
> > > > index 76271962cb70..f64a1eb241b6 100644
> > > > --- a/arch/x86/kvm/vmx/nested.c
> > > > +++ b/arch/x86/kvm/vmx/nested.c
> > > > @@ -6728,6 +6728,14 @@ static bool nested_vmx_l1_wants_exit(struct kvm_vcpu *vcpu,
> > > >    	case EXIT_REASON_NOTIFY:
> > > >    		/* Notify VM exit is not exposed to L1 */
> > > >    		return false;
> > > > +	case EXIT_REASON_SEAMCALL:
> > > > +	case EXIT_REASON_TDCALL:
> > > > +		/*
> > > > +		 * SEAMCALL and TDCALL unconditionally VM-Exit, but aren't
> > > > +		 * virtualized by KVM for L1 hypervisors, i.e. L1 should
> > > > +		 * never want or expect such an exit.
> > > > +		 */
> > > 
> > > The i.e. part is confusing? It is exactly forwarding the EXITs to L1, while
> > > it says L1 should never want or expect such an exit.
> > 
> > Gah, the comment is right, the code is wrong.
> 
> So the intent was to return false here? to let L0 handle the exit?

Correct.

> Then I have a question, why not implement it in nested_vmx_l0_wants_exit()?
> what's the reason and rule here?

The basic gist of "l0/l1 wants exit" is that each entity (L0 and L1) should act
independently.  And if both L0 and L1 "want" the exit, then L0 wins.

E.g. for EXIT_REASON_EXTERNAL_INTERRUPT, KVM _always_ wants the exit because KVM
unconditionally runs with PIN_BASED_EXT_INTR_MASK set.  But L1 might want the
exit too, i.e. if it too is running with PIN_BASED_EXT_INTR_MASK.  But L1 doesn't
get the exit because L0's desire trumps L1.

Other exit are less straightfoward.  E.g. EXIT_REASON_EXCEPTION_NMI is filled with
conditionals because KVM needs to determine if the exception was due to something
KVM did, i.e. if the exception needs to be resolved by KVM, or if it the exception
isn't at all related to KVM and thus isn't "want" by L0.  But the exception may
still be routed to L0, e.g. if L1 doesn't want it.

For this particular case, L1 _can't_ want the exit, because the exit simply shouldn't
exist from L1's perspective.  Whether or not L0 wants the exit can't really be
known, because that would require predicting the future.  E.g. in the unlikely
case that KVM somehow virtualized some piece of TDX and thus exposed SEAMCALL
and/or TDCALL exits to L1, then nested_vmx_l1_wants_exit() _must_ be updated,
if only to consult the L1 VMXON state.  But L0's wants may or may not change;
if there are no scenarios where KVM/L0 "wants" the exit, then there wouldn't be
a need to modify nested_vmx_l0_wants_exit().

And so the most future-resistant location for this particular case is
nested_vmx_l1_wants_exit().

next prev parent reply	other threads:[~2025-10-16 18:28 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-10-14 23:10 [PATCH] KVM: VMX: Inject #UD if guest tries to execute SEAMCALL or TDCALL Sean Christopherson
2025-10-15  0:22 ` dan.j.williams
2025-10-15 13:56   ` Sean Christopherson
2025-10-15 15:49     ` dan.j.williams
2025-10-15  1:13 ` Chao Gao
2025-10-15  3:11   ` Xiaoyao Li
2025-10-15 13:20     ` Sean Christopherson
2025-10-15 10:36 ` Xiaoyao Li
2025-10-15 13:57   ` Sean Christopherson
2025-10-15 14:45     ` Xiaoyao Li
2025-10-16 18:28       ` Sean Christopherson [this message]
2025-10-15 13:38 ` Binbin Wu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aPE5aZpsDYpIqngX@google.com \
    --to=seanjc@google.com \
    --cc=kai.huang@intel.com \
    --cc=kvm@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=pbonzini@redhat.com \
    --cc=rick.p.edgecombe@intel.com \
    --cc=xiaoyao.li@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox