Received: by 2002:ac0:98c7:0:0:0:0:0 with SMTP id g7-v6csp6164312imd; Wed, 31 Oct 2018 07:46:21 -0700 (PDT) X-Google-Smtp-Source: AJdET5cp6iX/34oQKThUz3oM32To8tWm+as6eLsmWk+TdGWxsdVYse/IA6JRjt8Iicl7mjLjtsOD X-Received: by 2002:a65:4646:: with SMTP id k6mr3402369pgr.153.1540997181097; Wed, 31 Oct 2018 07:46:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1540997181; cv=none; d=google.com; s=arc-20160816; b=CZkA/boT+Vbrh7qm/EaFLR8FdkWDyFcj3Qt4OnwJtJvidj2Xyj+JkXoBcDf2s+Bh3Q Lc8c0a2HcyaQjQC4JGuxpSggv2wfgjQl113b7zdXlg5IOqZuzfFjIzVXCIC0fK0sqqb3 TC8M9w4PFdSKyp8lsDTZd0Dpi/JBgZHNTX+T2mw0J8jDnoVa1mcifyXpw1zhuJTi7ti0 1OAjigUQymUgMOxgD4nfWcGYeJUxWy0ADSWOObO9aM2gOFVOG2cGR1ve3On/iHKKpCq7 JUq5tZbMlpOWQAWRPQBs9KXXQ/V9OABxk1Jcbs61o+MJpMljG0IceA1uYYPd7IE3hIvZ HLEw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:autocrypt:openpgp:from:references:cc:to:subject; bh=88OVL0wQpAQSryh/TVnVWULCxVSNc3hGpUb9FVQ0Nr0=; b=MJxwpXRuoyST6fdR69RrJPwkePE/Pgh9I1akJbiw5/SeVk6F3yzByC8Y1T+erlCxrx K6fLgo7Sp3Y3+50jIElYsvtIJkX56c7TsilFJzvn+OIEKjlxPe1bk3WklSRMx44cMN6F jP6rzJnrF9kxJ4/iC260DohLrwAv40VDqBumMwDYIBKC+BN4nV17YYKxy3whtqRKTNcD oqGfBy6obLjb80Ce1qLoVi1VxFQnSjMy+olmE3H0nmi/3+mw0UWojS5HR7IDD4Ewamld DS5/UHAO37Eq2MYHdOU2EznBntrG/i4OI+FnqqRbZS+mwCywpEMa4U0OlDuKiEe2UNLj Iz7A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q61-v6si20178838plb.418.2018.10.31.07.46.06; Wed, 31 Oct 2018 07:46:21 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729684AbeJaXma (ORCPT + 99 others); Wed, 31 Oct 2018 19:42:30 -0400 Received: from mx1.redhat.com ([209.132.183.28]:49748 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729526AbeJaXma (ORCPT ); Wed, 31 Oct 2018 19:42:30 -0400 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id DCD4EC01CB8E; Wed, 31 Oct 2018 14:44:10 +0000 (UTC) Received: from [10.36.112.62] (ovpn-112-62.ams2.redhat.com [10.36.112.62]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 76A405C1B2; Wed, 31 Oct 2018 14:44:00 +0000 (UTC) Subject: Re: [PATCH v13 08/12] KVM: x86: Add Intel PT context switch for each vcpu To: Alexander Shishkin , Luwei Kang , kvm@vger.kernel.org, x86@kernel.org Cc: tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, hpa@zytor.com, rkrcmar@redhat.com, joro@8bytes.org, songliubraving@fb.com, peterz@infradead.org, kstewart@linuxfoundation.org, gregkh@linuxfoundation.org, thomas.lendacky@amd.com, konrad.wilk@oracle.com, mattst88@gmail.com, Janakarajan.Natarajan@amd.com, dwmw@amazon.co.uk, jpoimboe@redhat.com, marcorr@google.com, ubizjak@gmail.com, sean.j.christopherson@intel.com, jmattson@google.com, linux-kernel@vger.kernel.org, Chao Peng References: <1540368316-12998-1-git-send-email-luwei.kang@intel.com> <1540368316-12998-9-git-send-email-luwei.kang@intel.com> <87a7n37iuf.fsf@ashishki-desk.ger.corp.intel.com> <87y3af65fi.fsf@ashishki-desk.ger.corp.intel.com> <87r2g65osg.fsf@ashishki-desk.ger.corp.intel.com> <2cb38ceb-9c86-4174-0b2b-9f070eb0df48@redhat.com> <87lg6e5h89.fsf@ashishki-desk.ger.corp.intel.com> From: Paolo Bonzini Openpgp: preference=signencrypt Autocrypt: addr=pbonzini@redhat.com; prefer-encrypt=mutual; keydata= xsEhBFRCcBIBDqDGsz4K0zZun3jh+U6Z9wNGLKQ0kSFyjN38gMqU1SfP+TUNQepFHb/Gc0E2 CxXPkIBTvYY+ZPkoTh5xF9oS1jqI8iRLzouzF8yXs3QjQIZ2SfuCxSVwlV65jotcjD2FTN04 hVopm9llFijNZpVIOGUTqzM4U55sdsCcZUluWM6x4HSOdw5F5Utxfp1wOjD/v92Lrax0hjiX DResHSt48q+8FrZzY+AUbkUS+Jm34qjswdrgsC5uxeVcLkBgWLmov2kMaMROT0YmFY6A3m1S P/kXmHDXxhe23gKb3dgwxUTpENDBGcfEzrzilWueOeUWiOcWuFOed/C3SyijBx3Av/lbCsHU Vx6pMycNTdzU1BuAroB+Y3mNEuW56Yd44jlInzG2UOwt9XjjdKkJZ1g0P9dwptwLEgTEd3Fo UdhAQyRXGYO8oROiuh+RZ1lXp6AQ4ZjoyH8WLfTLf5g1EKCTc4C1sy1vQSdzIRu3rBIjAvnC tGZADei1IExLqB3uzXKzZ1BZ+Z8hnt2og9hb7H0y8diYfEk2w3R7wEr+Ehk5NQsT2MPI2QBd wEv1/Aj1DgUHZAHzG1QN9S8wNWQ6K9DqHZTBnI1hUlkp22zCSHK/6FwUCuYp1zcAEQEAAc0f UGFvbG8gQm9uemluaSA8Ym9uemluaUBnbnUub3JnPsLBTQQTAQIAIwUCVEJ7AwIbAwcLCQgH AwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEH4VEAzNNmmxNcwOniaZVLsuy1lW/ntYCA0Caz0i sHpmecK8aWlvL9wpQCk4GlOX9L1emyYXZPmzIYB0IRqmSzAlZxi+A2qm9XOxs5gJ2xqMEXX5 FMtUH3kpkWWJeLqe7z0EoQdUI4EG988uv/tdZyqjUn2XJE+K01x7r3MkUSFz/HZKZiCvYuze VlS0NTYdUt5jBXualvAwNKfxEkrxeHjxgdFHjYWhjflahY7TNRmuqPM/Lx7wAuyoDjlYNE40 Z+Kun4/KjMbjgpcF4Nf3PJQR8qXI6p3so2qsSn91tY7DFSJO6v2HwFJkC2jU95wxfNmTEUZc znXahYbVOwCDJRuPrE5GKFd/XJU9u5hNtr/uYipHij01WXal2cce1S5mn1/HuM1yo1u8xdHy IupCd57EWI948e8BlhpujUCU2tzOb2iYS0kpmJ9/oLVZrOcSZCcCl2P0AaCAsj59z2kwQS9D du0WxUs8waso0Qq6tDEHo8yLCOJDzSz4oojTtWe4zsulVnWV+wu70AioemAT8S6JOtlu60C5 dHgQUD1Tp+ReXpDKXmjbASJx4otvW0qah3o6JaqO79tbDqIvncu3tewwp6c85uZd48JnIOh3 utBAu684nJakbbvZUGikJfxd887ATQRUQnHuAQgAx4dxXO6/Zun0eVYOnr5GRl76+2UrAAem Vv9Yfn2PbDIbxXqLff7oyVJIkw4WdhQIIvvtu5zH24iYjmdfbg8iWpP7NqxUQRUZJEWbx2CR wkMHtOmzQiQ2tSLjKh/cHeyFH68xjeLcinR7jXMrHQK+UCEw6jqi1oeZzGvfmxarUmS0uRuf fAb589AJW50kkQK9VD/9QC2FJISSUDnRC0PawGSZDXhmvITJMdD4TjYrePYhSY4uuIV02v02 8TVAaYbIhxvDY0hUQE4r8ZbGRLn52bEzaIPgl1p/adKfeOUeMReg/CkyzQpmyB1TSk8lDMxQ zCYHXAzwnGi8WU9iuE1P0wARAQABwsEzBBgBAgAJBQJUQnHuAhsMAAoJEH4VEAzNNmmxp1EO oJy0uZggJm7gZKeJ7iUpeX4eqUtqelUw6gU2daz2hE/jsxsTbC/w5piHmk1H1VWDKEM4bQBT uiJ0bfo55SWsUNN+c9hhIX+Y8LEe22izK3w7mRpvGcg+/ZRG4DEMHLP6JVsv5GMpoYwYOmHn plOzCXHvmdlW0i6SrMsBDl9rw4AtIa6bRwWLim1lQ6EM3PWifPrWSUPrPcw4OLSwFk0CPqC4 HYv/7ZnASVkR5EERFF3+6iaaVi5OgBd81F1TCvCX2BEyIDRZLJNvX3TOd5FEN+lIrl26xecz 876SvcOb5SL5SKg9/rCBufdPSjojkGFWGziHiFaYhbuI2E+NfWLJtd+ZvWAAV+O0d8vFFSvr iy9enJ8kxJwhC0ECbSKFY+W1eTIhMD3aeAKY90drozWEyHhENf4l/V+Ja5vOnW+gCDQkGt2Y 1lJAPPSIqZKvHzGShdh8DduC0U3xYkfbGAUvbxeepjgzp0uEnBXfPTy09JGpgWbg0w91GyfT /ujKaGd4vxG2Ei+MMNDmS1SMx7wu0evvQ5kT9NPzyq8R2GIhVSiAd2jioGuTjX6AZCFv3ToO 53DliFMkVTecLptsXaesuUHgL9dKIfvpm+rNXRn9wAwGjk0X/A== Message-ID: Date: Wed, 31 Oct 2018 15:43:58 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.0 MIME-Version: 1.0 In-Reply-To: <87lg6e5h89.fsf@ashishki-desk.ger.corp.intel.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Wed, 31 Oct 2018 14:44:11 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 31/10/2018 15:21, Alexander Shishkin wrote: > Paolo Bonzini writes: > >> On 31/10/2018 12:38, Alexander Shishkin wrote: >>>> There is no standard way to tell the guest that the host overrode its >>>> choice to use PT. However, the host will get a PGD/PGE packet around >>>> vmentry and vmexit, so there _will_ be an indication that the guest >>>> owned the MSRs for that period of time. >>> >>> Not if they are not tracing the kernel. >> >> If they are not tracing the kernel why should they be tracing the guest >> at all? > > To trace the guest userspace, perhaps? Tracing the guest userspace and not the kernel is pretty much useless. I'd also be surprised if it worked at all, and/or would consider it a bug if it worked. IMO tracing the kernel in system-wide mode should trace either all or none of the guest, but certainly not just the guest kernel. Tracing userspace should trace none of the guest. >>>> If PT context switching is enabled with the module parameter, we could >>>> also reject creation of events with the attribute set. However that >>>> won't help if the event is created before KVM is even loaded. >>> >>> In that case, modprobe kvm should fail. >> >> Does that mean that an unprivileged user can effectively DoS >> virtualization for everyone on the machine? (Honest question). > > Would the leave-PT-to-the-host still be allowed? Would ignoring the > module parameter in that case and falling back to this mode still be > fine? That would still prevent the feature from being accessed, until someone with root access can rmmod kvm-intel. > I'm not really the one to brainstorm solutions here. There are > possibilities of solving this, and the current patchset does not even > begin to acknowledge the existence of the problem, which is what my ACK > depends on. Well, one way it does acknowledge the existence of the problem is by not turning the option on by default. BTW, Intel (not you) also doesn't acknowledge the existence of the problem, by not suggesting a solution in the SDM. The SDM includes examples of host-only, guest-only and combined tracing, but not separate host and guest tracing. Paolo