Date: Fri, 26 Aug 2022 07:57:11 +0200
From: Gerd Hoffmann
To: Xiaoyao Li
Cc: Paolo Bonzini, Isaku Yamahata, Daniel P. Berrangé, Philippe Mathieu-Daudé, Richard Henderson, Michael S. Tsirkin, Marcel Apfelbaum, Cornelia Huck, Marcelo Tosatti, Laszlo Ersek, Eric Blake, Connor Kuehl, erdemaktas@google.com, kvm@vger.kernel.org, qemu-devel@nongnu.org, seanjc@google.com
Subject: Re: [PATCH v1 15/40] i386/tdx: Add property sept-ve-disable for tdx-guest object
Message-ID: <20220826055711.vbw2oovti2qevzzx@sirius.home.kraxel.org>
References: <20220802074750.2581308-1-xiaoyao.li@intel.com> <20220802074750.2581308-16-xiaoyao.li@intel.com> <20220825113636.qlqmflxcxemh2lmf@sirius.home.kraxel.org> <389a2212-56b8-938b-22e5-24ae2bc73235@intel.com>
In-Reply-To: <389a2212-56b8-938b-22e5-24ae2bc73235@intel.com>
  Hi,

> For TD guest kernel, it has its own reason to turn SEPT_VE on or off. E.g.,
> linux TD guest requires SEPT_VE to be disabled to avoid #VE on syscall gap
> [1].

Why is that a problem for a TD guest kernel?

Installing exception handlers is done quite early in the boot process,
certainly before any userspace code runs.  So I think we should never
see a syscall without a #VE handler being installed.

/me is confused.  Or do you want to tell me linux has no #VE handler?

> Frankly speaking, this bit is better to be configured by TD guest
> kernel, however current TDX architecture makes the design to let VMM
> configure.

Indeed.  Requiring users to know guest kernel capabilities and manually
configuring the vmm accordingly looks fragile to me.

Even better would be to not have that bit in the first place and require
TD guests properly handle #VE exceptions.

> This can cause problems with the "system call gap": a malicious
> hypervisor might trigger a #VE for example on the system call entry
> code, and when a user process does a system call it would trigger a
> and SYSCALL relies on the kernel code to switch to the kernel stack,
> this would lead to kernel code running on the ring 3 stack.

Hmm?  Exceptions switch to kernel context too ...

take care,
  Gerd
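The following is an added example, not code from the QEMU patch under review or from anyone in this thread. It models the two halves of the SEPT_VE_DISABLE question the message argues about: the VMM turning a QEMU-style "sept-ve-disable=on|off" property into the TD ATTRIBUTES word, the TDX module's choice between a guest #VE and a TD exit when a PENDING private page is touched, and a guest-side early-boot check that refuses to run unless the conversion to #VE is disabled. The bit position (ATTRIBUTES bit 28) and the PENDING-page semantics are taken from the Intel TDX Module ABI specification, not from this e-mail; the option parser, the page-state enum, and all function names are simplifications made up for this model and are not QEMU's or the kernel's APIs.

```c
/*
 * Added example, not code from the QEMU patch or this thread.
 *
 * Taken from the Intel TDX Module ABI spec (not from the e-mail):
 *   - TD ATTRIBUTES bit 28 is SEPT_VE_DISABLE.
 *   - With the bit clear, a guest access to a PENDING (not yet accepted)
 *     private page is converted into a #VE delivered to the guest.
 *   - With the bit set, the same access is an EPT violation TD exit to
 *     the VMM; the guest never sees an exception.
 * Everything else here (option string parser, page-state enum, function
 * names, the guest refusal policy) is a hypothetical simplification.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TDX_ATTR_SEPT_VE_DISABLE (UINT64_C(1) << 28)

/* Simplified Secure-EPT entry state: only the two states that matter here. */
enum sept_state { SEPT_PRESENT, SEPT_PENDING };

/* Outcome of a guest access to a private page. */
enum access_outcome { ACCESS_OK, ACCESS_GUEST_VE, ACCESS_TD_EXIT };

/* VMM side (hypothetical parser, not QEMU's option code): translate
 * "sept-ve-disable=on|off" into the ATTRIBUTES word handed to the TDX
 * module at TD creation.  Returns false on a malformed option. */
bool vmm_attributes_from_option(const char *opt, uint64_t *attrs)
{
    const char *prefix = "sept-ve-disable=";
    size_t plen = strlen(prefix);

    if (strncmp(opt, prefix, plen) != 0)
        return false;
    if (strcmp(opt + plen, "on") == 0) {
        *attrs = TDX_ATTR_SEPT_VE_DISABLE;
        return true;
    }
    if (strcmp(opt + plen, "off") == 0) {
        *attrs = 0;
        return true;
    }
    return false;
}

/* TDX module behaviour on a guest access to a private page. */
enum access_outcome sept_access(uint64_t attrs, enum sept_state st)
{
    if (st == SEPT_PRESENT)
        return ACCESS_OK;
    /* PENDING page: the attribute decides who is notified. */
    if (attrs & TDX_ATTR_SEPT_VE_DISABLE)
        return ACCESS_TD_EXIT;   /* VMM gets an EPT violation exit */
    return ACCESS_GUEST_VE;      /* guest gets #VE, on whatever stack it is on */
}

/* Guest side: a kernel that cannot tolerate #VE at arbitrary points
 * (such as inside SYSCALL entry before the stack switch) can check the
 * attributes reported by TDG.VP.INFO early in boot and refuse to run
 * unless the VMM disabled the conversion.  Policy is hypothetical. */
bool guest_accepts_attributes(uint64_t attrs)
{
    return (attrs & TDX_ATTR_SEPT_VE_DISABLE) != 0;
}

int main(void)
{
    const char *opts[] = { "sept-ve-disable=off", "sept-ve-disable=on" };

    for (size_t i = 0; i < sizeof(opts) / sizeof(opts[0]); i++) {
        uint64_t attrs;

        if (!vmm_attributes_from_option(opts[i], &attrs))
            continue;
        printf("%s -> attrs=0x%llx, guest boots: %s, pending-page access: %s\n",
               opts[i], (unsigned long long)attrs,
               guest_accepts_attributes(attrs) ? "yes" : "refuses",
               sept_access(attrs, SEPT_PENDING) == ACCESS_GUEST_VE
                   ? "#VE in guest" : "TD exit to VMM");
    }
    return 0;
}
```

The model makes the trade-off concrete: with the bit clear the hypervisor can make any private page PENDING and thereby choose where the guest takes a #VE, which is the "system call gap" concern quoted above; with the bit set that control is removed and the guest instead depends on the VMM having configured the attribute correctly, which is the fragility Gerd objects to.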