From: Sean Christopherson <seanjc@google.com>
To: Yan Zhao <yan.y.zhao@intel.com>
Cc: Kevin Tian <kevin.tian@intel.com>,
"jgg@nvidia.com" <jgg@nvidia.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Lai Jiangshan <jiangshanlai@gmail.com>,
"Paul E. McKenney" <paulmck@kernel.org>,
Josh Triplett <josh@joshtriplett.org>,
"kvm@vger.kernel.org" <kvm@vger.kernel.org>,
"rcu@vger.kernel.org" <rcu@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Yiwei Zhang <zzyiwei@google.com>
Subject: Re: [PATCH 5/5] KVM: VMX: Always honor guest PAT on CPUs that support self-snoop
Date: Wed, 13 Mar 2024 18:00:59 -0700 [thread overview]
Message-ID: <ZfJMS9ac-MA8mV9u@google.com> (raw)
In-Reply-To: <ZfJA3AaLga5OXoL1@yzhao56-desk.sh.intel.com>
On Thu, Mar 14, 2024, Yan Zhao wrote:
> On Wed, Mar 13, 2024 at 08:09:28AM -0700, Sean Christopherson wrote:
> > On Wed, Mar 13, 2024, Yan Zhao wrote:
> > > > We'll certain fix the security hole on CPUs w/ self-snoop. In this case
> > > > CPU accesses are guaranteed to be coherent and the vulnerability can
> > > > only be exposed via non-coherent DMA which is supposed to be fixed
> > > > by your coming series.
> > > >
> > > > But for old CPUs w/o self-snoop the hole can be exploited using either CPU
> > > > or non-coherent DMA once the guest PAT is honored. As long as nobody
> > > > is willing to actually fix the CPU path (is it possible?) I'm kind of convinced
> > > We can cook a patch to check CPU self-snoop and force WB in EPT even for
> > > non-coherent DMA if no self-snoop. Then back porting such a patch together
> > > with the IOMMU side mitigation for non-coherent DMA.
> >
> > Please don't. This is a "let sleeping dogs lie" situation.
> >
> > let sleeping dogs lie - avoid interfering in a situation that is currently
> > causing no problems but might do so as a result of such interference.
> >
> > Yes, there is technically a flaw, but we have zero evidence that anyone cares or
> > that it is actually problematic in practice. On the other hand, any functional
> > change we make has a non-zero changes of breaking existing setups that have worked
> > for many years.
> >
> > > Otherwise, IOMMU side mitigation alone is meaningless for platforms of CPU of
> > > no self-snoop.
> > >
> > > > by Sean that sustaining the old behavior is probably the best option...
> > > Yes, as long as we think exposing secuirty hole on those platforms is acceptable.
> >
> > Yes, I think it's acceptable. Obviously not ideal, but given the alternatives,
> > I think it is a reasonable risk.
> >
> > Being 100% secure is simply not possible. Security is often about balancing the
> > risk/threat against the cost. In this case, the risk is low (old hardware,
> > uncommon setup for untrusted guests, small window of opportunity, and limited
> > data exposure), whereas the cost is high (decent chance of breaking existing VMs).
> Ok, thanks for explanation!
> I still have one last question: if in future there are CPUs with no selfsnoop
> (for some unknown reason, or just paranoid),
Don't jinx us :-)
> do we allow this unsafe honoring of guest memory type for non-coherent DMAs?
Hmm, no? AIUI, the intent is that all future CPUs will support self-snoop.
Assuming that's the case, then I think it's fair to put the onus on Intel to not
have escapes, i.e. to not end up shipping CPUs with erratas. Then, if an erratum
does come along, we can make a decision, e.g. allow older CPUs by default, but
require an admin opt-in for new CPUs.
But let's just hope that's a problem we never have to deal with. :-D
next prev parent reply other threads:[~2024-03-14 1:01 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-09 1:09 [PATCH 0/5] KVM: VMX: Drop MTRR virtualization, honor guest PAT Sean Christopherson
2024-03-09 1:09 ` [PATCH 1/5] KVM: x86: Remove VMX support for virtualizing guest MTRR memtypes Sean Christopherson
2024-03-11 7:44 ` Yan Zhao
2024-03-12 0:08 ` Sean Christopherson
2024-03-12 1:10 ` Dongli Zhang
2024-03-12 17:08 ` Sean Christopherson
2024-03-14 10:31 ` Dongli Zhang
2024-03-14 14:47 ` Sean Christopherson
2024-03-09 1:09 ` [PATCH 2/5] KVM: VMX: Drop support for forcing UC memory when guest CR0.CD=1 Sean Christopherson
2024-03-09 1:09 ` [PATCH 3/5] srcu: Add an API for a memory barrier after SRCU read lock Sean Christopherson
2024-03-09 1:09 ` [PATCH 4/5] KVM: x86: Ensure a full memory barrier is emitted in the VM-Exit path Sean Christopherson
2024-06-20 22:38 ` Paolo Bonzini
2024-06-20 23:42 ` Paul E. McKenney
2024-06-21 0:52 ` Yan Zhao
2024-03-09 1:09 ` [PATCH 5/5] KVM: VMX: Always honor guest PAT on CPUs that support self-snoop Sean Christopherson
2024-03-11 1:16 ` Yan Zhao
2024-03-12 0:25 ` Sean Christopherson
2024-03-12 7:30 ` Tian, Kevin
2024-03-12 16:07 ` Sean Christopherson
2024-03-13 1:18 ` Yan Zhao
2024-03-13 8:52 ` Tian, Kevin
2024-03-13 8:55 ` Yan Zhao
2024-03-13 15:09 ` Sean Christopherson
2024-03-14 0:12 ` Yan Zhao
2024-03-14 1:00 ` Sean Christopherson [this message]
2024-03-25 3:43 ` Chao Gao
2024-04-01 22:29 ` Sean Christopherson
2024-08-30 9:35 ` Vitaly Kuznetsov
2024-08-30 11:05 ` Gerd Hoffmann
2024-08-30 13:47 ` Vitaly Kuznetsov
2024-08-30 13:52 ` Sean Christopherson
2024-08-30 14:06 ` Vitaly Kuznetsov
2024-08-30 14:37 ` Vitaly Kuznetsov
2024-08-30 16:13 ` Sean Christopherson
2024-09-02 8:23 ` Gerd Hoffmann
2024-09-02 1:44 ` Yan Zhao
2024-09-02 9:49 ` Vitaly Kuznetsov
2024-09-03 0:25 ` Yan Zhao
2024-09-03 15:30 ` Sean Christopherson
2024-09-03 16:20 ` Vitaly Kuznetsov
2024-09-04 2:28 ` Yan Zhao
2024-09-04 12:17 ` Yan Zhao
2024-09-05 0:41 ` Sean Christopherson
2024-09-05 9:43 ` Yan Zhao
2024-09-09 5:30 ` Yan Zhao
2024-09-09 13:24 ` Paolo Bonzini
2024-09-09 16:04 ` Sean Christopherson
2024-09-10 1:05 ` Yan Zhao
2024-09-04 11:47 ` Vitaly Kuznetsov
2024-10-07 13:28 ` Linux regression tracking (Thorsten Leemhuis)
2024-10-07 13:38 ` Vitaly Kuznetsov
2024-10-07 14:04 ` Linux regression tracking (Thorsten Leemhuis)
2024-03-22 9:29 ` [PATCH 0/5] KVM: VMX: Drop MTRR virtualization, honor guest PAT Ma, Yongwei
2024-03-22 13:08 ` Yan Zhao
2024-03-25 6:56 ` Ma, XiangfeiX
2024-03-25 8:02 ` Ma, XiangfeiX
2024-06-05 23:20 ` Sean Christopherson
2024-06-06 0:03 ` Paul E. McKenney
-- strict thread matches above, loose matches on Subject: below --
2025-04-10 1:13 [PATCH 5/5] KVM: VMX: Always honor guest PAT on CPUs that support self-snoop Myrsky Lintu
2025-04-10 5:12 ` Yan Zhao
2025-04-10 10:05 ` Myrsky Lintu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZfJMS9ac-MA8mV9u@google.com \
--to=seanjc@google.com \
--cc=jgg@nvidia.com \
--cc=jiangshanlai@gmail.com \
--cc=josh@joshtriplett.org \
--cc=kevin.tian@intel.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=paulmck@kernel.org \
--cc=pbonzini@redhat.com \
--cc=rcu@vger.kernel.org \
--cc=yan.y.zhao@intel.com \
--cc=zzyiwei@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).