Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp1703888yba; Sat, 27 Apr 2019 05:25:19 -0700 (PDT) X-Google-Smtp-Source: APXvYqzQbF1xoJWK99DN1YHogc8MwhORmq76PnaLjM4PBqYuCjBZpnaIEtEdsyYg0w5+K5DdnjiP X-Received: by 2002:a62:69c2:: with SMTP id e185mr52413271pfc.119.1556367918937; Sat, 27 Apr 2019 05:25:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1556367918; cv=none; d=google.com; s=arc-20160816; b=Gz29Vg4XTweDOYoZBwob10pOofo8fmtw08Z36UKJQ04lAR0O9O/0JQB7OCVsV+K7DR P1Wm4hLN5u8IPCK7cPTHlPSmKpvaUfrD6xJh5Lti6YjfP9OhVzcmxu3FgCfWRwYCyRKJ D0OnpvJxPfjCM674czQzbbCNr/2AlbZmsTjbuK4Gikkw63Yyv7oRV4UtOc7izAMYpEO4 X322Ay9pjXOWmKW+t+LNP3RsLO7fu+7SvfHJLu2SCZEDhZnB7W8ewGygmjgulMgBOz5T cUMNJgqwzVTDw7CU8dZhNKlbHEfuWmHdC8aCNPy0hSXJE5Nz2QJV4yGroTHCtogQUFNP KDNA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:date:cc:to:from:subject:message-id; bh=tFFcfGJVwc5GeSD+jqf40loS9r9Hpo3Be0lCC0JYHP0=; b=J53poYsZ1SI+aYmYxpCAySlppSgYiEC16Vnv8SXZsJggmJlM5KHsu3c8RR6ifJCHF+ GYIKqLMLziRNVN0h2E4TNBk4O0/W0N1YXmADI80VhcnFViFqIk69yM113czkpThfcS76 +JDNLPF9wI4cHY77qDfnZlii3zmWa6hC7YvUHA6eaVytpSHjIIR/Fg7PqFIm/ljpQDd0 CVqSf5HRIBNtoHesnZ5oC6+HRbsnaOUGRa352ky7NLSkDnvnL5vqN8RKu445Bg5z+QPm WKmtCCCfoLGXDVE6xWifmetF5ayo2a2uzNk1E8MD+kl8TteSxX8OI6JdWQzP/SGjYDK2 U2/A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v11si1953442plo.205.2019.04.27.05.25.03; Sat, 27 Apr 2019 05:25:18 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726326AbfD0MYJ (ORCPT + 99 others); Sat, 27 Apr 2019 08:24:09 -0400 Received: from mga09.intel.com ([134.134.136.24]:3996 "EHLO mga09.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725942AbfD0MYJ (ORCPT ); Sat, 27 Apr 2019 08:24:09 -0400 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga008.jf.intel.com ([10.7.209.65]) by orsmga102.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 27 Apr 2019 05:24:07 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.60,400,1549958400"; d="scan'208";a="137942462" Received: from lxy-dell.sh.intel.com ([10.239.159.145]) by orsmga008.jf.intel.com with ESMTP; 27 Apr 2019 05:24:04 -0700 Message-ID: <7395908840acfbf806146f5f20d3509342771a19.camel@linux.intel.com> Subject: Re: [PATCH v8 12/15] kvm/vmx: Emulate MSR TEST_CTL From: Xiaoyao Li To: Thomas Gleixner , Fenghua Yu Cc: Ingo Molnar , Borislav Petkov , H Peter Anvin , Paolo Bonzini , Dave Hansen , Ashok Raj , Peter Zijlstra , Ravi V Shankar , Christopherson Sean J , Kalle Valo , Michael Chan , linux-kernel , x86 , kvm@vger.kernel.org, netdev@vger.kernel.org, linux-wireless@vger.kernel.org Date: Sat, 27 Apr 2019 20:20:50 +0800 In-Reply-To: References: <1556134382-58814-1-git-send-email-fenghua.yu@intel.com> <1556134382-58814-13-git-send-email-fenghua.yu@intel.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.28.5 (3.28.5-2.el7) Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 2019-04-25 at 09:42 +0200, Thomas Gleixner wrote: > On Wed, 24 Apr 2019, Fenghua Yu wrote: > > > > +static void atomic_switch_msr_test_ctl(struct vcpu_vmx *vmx) > > +{ > > + u64 host_msr_test_ctl; > > + > > + if (!boot_cpu_has(X86_FEATURE_SPLIT_LOCK_DETECT)) > > + return; > > Again: MSR_TST_CTL is not only about LOCK_DETECT. Check the control mask. > > > + host_msr_test_ctl = this_cpu_read(msr_test_ctl_cache); > > + > > + if (host_msr_test_ctl == vmx->msr_test_ctl) { > > This still assumes that the only bit which can be set in the MSR is that > lock detect bit. > > > + clear_atomic_switch_msr(vmx, MSR_TEST_CTL); > > + } else { > > + add_atomic_switch_msr(vmx, MSR_TEST_CTL, vmx->msr_test_ctl, > > + host_msr_test_ctl, false); > > So what happens here is that if any other bit is set on the host, VMENTER > will happily clear it. There are two bits of MSR TEST_CTL defined in Intel SDM now, which is bit 29 and bit 31. Bit 31 is not used in kernel, and here we only need to switch bit 29 between host and guest. So should I also change the name to atomic_switch_split_lock_detect() to indicate that we only switch bit 29? > guest = (host & ~vmx->test_ctl_mask) | vmx->test_ctl; > > That preserves any bits which are not exposed to the guest. > > But the way more interesting question is why are you exposing the MSR and > the bit to the guest at all if the host has split lock detection enabled? > > That does not make any sense as you basically allow the guest to switch it > off and then launch a slowdown attack. If the host has it enabled, then a > guest has to be treated like any other process and the #AC trap has to be > caught by the hypervisor which then kills the guest. > > Only if the host has split lock detection disabled, then you can expose it > and allow the guest to turn it on and handle it on its own. Indeed, if we use split lock detection for protection purpose, when host has it enabled we should directly pass it to guest and forbid guest from disabling it. And only when host disables split lock detection, we can expose it and allow the guest to turn it on. If it is used for protection purpose, then it should follow what you said and this feature needs to be disabled by default. Because there are split lock issues in old/current kernels and BIOS. That will cause the existing guest booting failure and killed due to those split lock. If it is only used for debug purpose, I think it might be OK to enable this feature by default and make it indepedent between host and guest? So I think how to handle this feature between host and guest depends on how we use it? Once you give me a decision, I will follow it in next version. > Thanks, > > tglx > >