Date: Tue, 6 Jan 2026 15:48:37 -0800
Subject: Re: [PATCH 1/2] KVM: SVM: Generate #UD for certain instructions when SVME.EFER is disabled
From: Sean Christopherson
To: Yosry Ahmed
Cc: Kevin Cheng, pbonzini@redhat.com, kvm@vger.kernel.org, linux-kernel@vger.kernel.org

On Tue, Jan 06, 2026, Yosry Ahmed wrote:
> On Tue, Jan 06, 2026 at 10:21:40AM -0800, Sean Christopherson wrote:
> > So rather than manually handle the intercepts in svm_set_efer() and fight recalcs,
> > trigger KVM_REQ_RECALC_INTERCEPTS and teach svm_recalc_instruction_intercepts()
> > about EFER.SVME handling.
> >
> > After the dust settles, it might make sense to move the #GP intercept logic into
> > svm_recalc_intercepts() as well, but that's not a priority.
>
> Unrelated question about the #GP intercept logic, it seems like if
> enable_vmware_backdoor is set, the #GP intercept will be set, even for
> SEV guests, which goes against the in svm_set_efer():
>
> 	/*
> 	 * Never intercept #GP for SEV guests, KVM can't
> 	 * decrypt guest memory to workaround the erratum.
> 	 */
> 	if (svm_gp_erratum_intercept && !sev_guest(vcpu->kvm))
> 		set_exception_intercept(svm, GP_VECTOR);
>
> I initially thought if userspace sets enable_vmware_backdoor and runs
> SEV guests it's shooting itself in the foot, but given that
> enable_vmware_backdoor is a module parameter (i.e. global), isn't it
> possible that the host runs some SEV and some non-SEV VMs, where the
> non-SEV VMs require the vmware backdoor?

Commit 29de732cc95c ("KVM: SEV: Move SEV's GP_VECTOR intercept setup to SEV")
moved the override to sev_init_vmcb():

	/*
	 * Don't intercept #GP for SEV guests, e.g. for the VMware backdoor, as
	 * KVM can't decrypt guest memory to decode the faulting instruction.
	 */
	clr_exception_intercept(svm, GP_VECTOR);

I.e. init_vmcb() will set the #GP intercept, then sev_init_vmcb() will
immediately clear it.
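
Added example, not part of the thread and not KVM code: a simplified user-space C model of the ordering described above, showing that a host-wide enable_vmware_backdoor still leaves #GP unintercepted for SEV guests while non-SEV guests on the same host keep the intercept. struct model_vcpu, svm_set_efer_model() and gp_intercepted() are hypothetical names; the real functions operate on struct vcpu_svm and do far more.

```c
/* Simplified model of the #GP intercept ordering; not kernel code. */
#include <stdbool.h>
#include <stdint.h>

#define GP_VECTOR 13

/* Module-wide knobs named in the thread (global, not per VM). */
static bool enable_vmware_backdoor;
static bool svm_gp_erratum_intercept;

struct model_vcpu {			/* hypothetical stand-in for struct vcpu_svm */
	bool sev_guest;			/* per-VM property */
	uint32_t exception_intercepts;	/* one bit per exception vector */
};

static void set_exception_intercept(struct model_vcpu *v, int vec)
{ v->exception_intercepts |= 1u << vec; }

static void clr_exception_intercept(struct model_vcpu *v, int vec)
{ v->exception_intercepts &= ~(1u << vec); }

/* SEV setup runs after the generic setup and overrides its choice. */
static void sev_init_vmcb(struct model_vcpu *v)
{ clr_exception_intercept(v, GP_VECTOR); }

static void init_vmcb(struct model_vcpu *v)
{
	v->exception_intercepts = 0;
	if (enable_vmware_backdoor)	/* global: applies to every VM */
		set_exception_intercept(v, GP_VECTOR);
	if (v->sev_guest)		/* per VM: undo it for SEV */
		sev_init_vmcb(v);
}

/* Erratum path from the quoted snippet: already guarded per VM. */
static void svm_set_efer_model(struct model_vcpu *v)
{
	if (svm_gp_erratum_intercept && !v->sev_guest)
		set_exception_intercept(v, GP_VECTOR);
}

/* Final #GP intercept state for one VM under a given host configuration. */
bool gp_intercepted(bool backdoor, bool erratum, bool sev)
{
	struct model_vcpu v = { .sev_guest = sev };

	enable_vmware_backdoor = backdoor;
	svm_gp_erratum_intercept = erratum;
	init_vmcb(&v);
	svm_set_efer_model(&v);
	return (v.exception_intercepts >> GP_VECTOR) & 1u;
}
```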