2022-01-24 19:26:38

by Kirill A. Shutemov

Subject: [PATCHv2 28/29] x86/tdx: Warn about unexpected WBINVD

WBINVD causes #VE in TDX guests. There's no reliable way to emulate it.
The kernel can ask for VMM assistance, but the VMM is untrusted and can ignore
the request.

Fortunately, there is no use case for WBINVD inside TDX guests.

Warn about any unexpected WBINVD.

Signed-off-by: Kirill A. Shutemov <[email protected]>
---
arch/x86/kernel/tdx.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/arch/x86/kernel/tdx.c b/arch/x86/kernel/tdx.c
index 6048887ac846..22c785c2059c 100644
--- a/arch/x86/kernel/tdx.c
+++ b/arch/x86/kernel/tdx.c
@@ -530,6 +530,10 @@ static bool tdx_virt_exception_kernel(struct pt_regs *regs, struct ve_info *ve)
case EXIT_REASON_IO_INSTRUCTION:
ret = tdx_handle_io(regs, ve->exit_qual);
break;
+ case EXIT_REASON_WBINVD:
+ WARN_ONCE(1, "Unexpected WBINVD\n");
+ ret = true;
+ break;
default:
pr_warn("Unexpected #VE: %lld\n", ve->exit_reason);
break;
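Review bot: `ret = true` in the new EXIT_REASON_WBINVD case reports the #VE as successfully handled, so the caller resumes past the WBINVD as though it had executed and any cache flush the calling code depended on is silently dropped after a single warning. The neighbouring cases set `ret` from a real handler and the `default` case leaves it untouched, so this case is the only one that claims success without doing anything. Given the commit message's own position that the instruction cannot be reliably emulated, either leave `ret` false (or fall through to the `default` path) so the #VE is treated as unhandled, or, if skipping is really intended, add a comment above `WARN_ONCE(1, "Unexpected WBINVD\n");` stating that the instruction is deliberately treated as a no-op.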
--
2.34.1


2022-02-03 20:40:21

by Thomas Gleixner

Subject: Re: [PATCHv2 28/29] x86/tdx: Warn about unexpected WBINVD

On Mon, Jan 24 2022 at 18:02, Kirill A. Shutemov wrote:

> WBINVD causes #VE in TDX guests. There's no reliable way to emulate it.
> The kernel can ask for VMM assistance, but the VMM is untrusted and can ignore
> the request.
>
> Fortunately, there is no use case for WBINVD inside TDX guests.

If there is no use case, then why

> Warn about any unexpected WBINVD.

instead of terminating the whole thing?

I'm tired of the "let us emit a warning in the hope it gets fixed"
thinking.

That's just wrong. Any code which has an assumption that it relies on
WBINVD to work correctly has to be analysed and not ignored on the
assumption that there is no use case for WBINVD inside TDX guests.

It's simply wishful thinking that stuff gets fixed because of a
WARN_ONCE(). This has never worked. The only thing which works is to
make stuff fail hard or slow it down in a way which makes it annoying
enough to users to complain.

This is new technology. Anything which wants to use it has to obey
the rules of this new technology. Just define it to be: WBINVD is
forbidden. End of story.

The Intel approach of 'Let us tolerate all sins of the past' has been
proven to be wrong, broken and outright dangerous in the past. So why
are you insisting to proliferate that?

Thanks,

tglx