Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp5527461yba; Mon, 13 May 2019 12:26:21 -0700 (PDT) X-Google-Smtp-Source: APXvYqwOfOLp27sScalXk8+tS3vMrd/DMJx45+OX0YmdtzSdEINKEIqI7fgb4XXu9uLG+ZaWtWCN X-Received: by 2002:a17:902:2924:: with SMTP id g33mr6484882plb.57.1557775581064; Mon, 13 May 2019 12:26:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1557775581; cv=none; d=google.com; s=arc-20160816; b=B2WwgGmaUbek1U22tbIt1ThiTfUImkeYcbAR35h+gMqeTSqBqrk7JVC7l3fNwnRFLb Hhoe3zbKRGZxJt87uoXwgGVmxjHcHtvgrWHFx69IhAiYsl/woub5RypVq9ie2dUEfDaT q8fcPkatDvCEW+Fxk3/FfysHyd1/nTLNd9D6B16f5S2XduvKdSUmarqrxIxsMPrK2ZUG mXDD3bxd3Na3J8B3vX2f6R7nAgSqE0JLgknT0YY4wW02lq3q/9vFM0Hif7ovcdPP7cqm t1dCniUikGu9shyB0NMjY7ju9ZoVNEtoLxJGNBaXmN7uCQk8rLDBMbv0u3hXOqz/1+gR XI/Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=9cwGdwpNsId3jbcdh2kF6oX2uSsyHzellJ1hwDZnCY8=; b=PbH3mop92N45iRZF1Q2MRkO4jl/LZCNLBOH4b2BrSexJfJ722qP69QjdwK7uMtTHmt J8kse/kKny2Ftz/bCBL4PsGgD3+TfVaMcDjvIlnA116h8eIP3PcLd/IpGw07a8q/quq/ OpSCcIISfUm3nKCRlN4bPgvXIz8L/jzyMbZyWNG0LPX7CiPwrbdAXwxeW8WhYyRp7RGc ZNEAY0EQPOxoW1sK4gqYerelrUZjJyoJDAqOdfs6I0sTB5ylZQ5iUTASUxhRbz9lQFKJ OOLKvlShOu7LUcqxoiNKcgjKZicITYJ+/wdhitRan8/p6rtfFFVFAedKYMHfMq+4Kjdz OqWg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=AD3U09r7; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h40si3660081plb.243.2019.05.13.12.26.04; Mon, 13 May 2019 12:26:21 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=AD3U09r7; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729441AbfEMQA2 (ORCPT + 99 others); Mon, 13 May 2019 12:00:28 -0400 Received: from mail.kernel.org ([198.145.29.99]:42512 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726866AbfEMQA2 (ORCPT ); Mon, 13 May 2019 12:00:28 -0400 Received: from mail-wm1-f42.google.com (mail-wm1-f42.google.com [209.85.128.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 3F63C21537 for ; Mon, 13 May 2019 16:00:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1557763226; bh=4bcLIFwRGdrxUSdLyYcDKBhiisD8Iba6LGdB6inApCI=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=AD3U09r7iadGQx9xKbeGtVco8OzKuPg56V0gCnVoJ/QhP1NKeI/l6NioJQod0RAw5 efv1W0cVsndHHYOXwwIWp0FMOC+k8HgKKyi06hYNpjbnnmrFVtYZKLTdjORICG+SZu mNQUApnmoJ+bqhQLGnlM/Z/jq/ZnhSyCSOdz5iAQ= Received: by mail-wm1-f42.google.com with SMTP id o189so14472292wmb.1 for ; Mon, 13 May 2019 09:00:26 -0700 (PDT) X-Gm-Message-State: APjAAAW6Lpwbc1uEIsRReRo5Fh0DTmT/c3MS6xTvdkMNL6o3azo0bmbd L1z3udJG/RBkSlrVn19dstNDUI+GQKh9ypcz0KmrQA== X-Received: by 2002:a1c:eb18:: with SMTP id j24mr17012407wmh.32.1557763224812; Mon, 13 May 2019 09:00:24 -0700 (PDT) MIME-Version: 1.0 References: <1557758315-12667-1-git-send-email-alexandre.chartre@oracle.com> <1557758315-12667-20-git-send-email-alexandre.chartre@oracle.com> In-Reply-To: From: Andy Lutomirski Date: Mon, 13 May 2019 09:00:13 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [RFC KVM 19/27] kvm/isolation: initialize the KVM page table with core mappings To: Dave Hansen Cc: Alexandre Chartre , Paolo Bonzini , Radim Krcmar , Thomas Gleixner , Ingo Molnar , Borislav Petkov , "H. Peter Anvin" , Dave Hansen , Andrew Lutomirski , Peter Zijlstra , kvm list , X86 ML , Linux-MM , LKML , Konrad Rzeszutek Wilk , jan.setjeeilers@oracle.com, Liran Alon , Jonathan Adams Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, May 13, 2019 at 8:50 AM Dave Hansen wrote: > > > + /* > > + * Copy the mapping for all the kernel text. We copy at the PMD > > + * level since the PUD is shared with the module mapping space. > > + */ > > + rv = kvm_copy_mapping((void *)__START_KERNEL_map, KERNEL_IMAGE_SIZE, > > + PGT_LEVEL_PMD); > > + if (rv) > > + goto out_uninit_page_table; > > Could you double-check this? We (I) have had some repeated confusion > with the PTI code and kernel text vs. kernel data vs. __init. > KERNEL_IMAGE_SIZE looks to be 512MB which is quite a bit bigger than > kernel text. > > > + /* > > + * Copy the mapping for cpu_entry_area and %esp fixup stacks > > + * (this is based on the PTI userland address space, but probably > > + * not needed because the KVM address space is not directly > > + * enterered from userspace). They can both be copied at the P4D > > + * level since they each have a dedicated P4D entry. > > + */ > > + rv = kvm_copy_mapping((void *)CPU_ENTRY_AREA_PER_CPU, P4D_SIZE, > > + PGT_LEVEL_P4D); > > + if (rv) > > + goto out_uninit_page_table; > > cpu_entry_area is used for more than just entry from userspace. The gdt > mapping, for instance, is needed everywhere. You might want to go look > at 'struct cpu_entry_area' in some more detail. > > > +#ifdef CONFIG_X86_ESPFIX64 > > + rv = kvm_copy_mapping((void *)ESPFIX_BASE_ADDR, P4D_SIZE, > > + PGT_LEVEL_P4D); > > + if (rv) > > + goto out_uninit_page_table; > > +#endif > > Why are these mappings *needed*? I thought we only actually used these > fixup stacks for some crazy iret-to-userspace handling. We're certainly > not doing that from KVM context. > > Am I forgetting something? > > > +#ifdef CONFIG_VMAP_STACK > > + /* > > + * Interrupt stacks are vmap'ed with guard pages, so we need to > > + * copy mappings. > > + */ > > + for_each_possible_cpu(cpu) { > > + stack = per_cpu(hardirq_stack_ptr, cpu); > > + pr_debug("IRQ Stack %px\n", stack); > > + if (!stack) > > + continue; > > + rv = kvm_copy_ptes(stack - IRQ_STACK_SIZE, IRQ_STACK_SIZE); > > + if (rv) > > + goto out_uninit_page_table; > > + } > > + > > +#endif > > I seem to remember that the KVM VMENTRY/VMEXIT context is very special. > Interrupts (and even NMIs?) are disabled. Would it be feasible to do > the switching in there so that we never even *get* interrupts in the KVM > context? That would be nicer. Looking at this code, it occurs to me that mapping the IRQ stacks seems questionable. As it stands, this series switches to a normal CR3 in some C code somewhere moderately deep in the APIC IRQ code. By that time, I think you may have executed traceable code, and, if that happens, you lose. i hate to say this, but any shenanigans like this patch does might need to happen in the entry code *before* even switching to the IRQ stack. Or perhaps shortly thereafter. We've talked about moving context tracking to C. If we go that route, then this KVM context mess could go there, too -- we'd have a low-level C wrapper for each entry that would deal with getting us ready to run normal C code. (We need to do something about terminology. This kvm_mm thing isn't an mm in the normal sense. An mm has normal kernel mappings and varying user mappings. For example, the PTI "userspace" page tables aren't an mm. And we really don't want a situation where the vmalloc fault code runs with the "kvm_mm" mm active -- it will totally malfunction.)