Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp5337683ybi;
        Tue, 28 May 2019 11:17:51 -0700 (PDT)
X-Google-Smtp-Source: APXvYqwWBG1a/4JB9ZoiNOlmjIldse9kSlY3nAjKeF/slKfrHu0V8c2rDaydtUaikBPveD2lE8Ex
X-Received: by 2002:a63:f410:: with SMTP id g16mr29862044pgi.428.1559067471872;
        Tue, 28 May 2019 11:17:51 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1559067471; cv=none;
        d=google.com; s=arc-20160816;
        b=kLfR4zSj9Nu4pKrDS6/vqzOMh+vEgUBv/zHMFl5hkATHg6xrwEyjiqWsSYoREUP4fV
         4I1KYl6xd2z4ib3y/huRSXgTrPhdhGt5p7lOh7tqzOHzQqPj9LbsqpHWCtsBVgW9smgK
         purVbfXdsDIDrENrGSfz406r5YOqnXh3WfJbMYhYaKqEUxujcUkyKdZAmn2trhwIWkg3
         nybr5neOiMRJjWslC1SAJFnh4ue8vMhIEL++Dvdp8kQD5m9Zn2EbHLFwGJkfN6bv+Pl6
         s0FrFctC5UDi/szyuealFHlpUxKXOWMQRQ7xOti3M+fuKxbucg8OsIKPY3Ve0ykrvlrG
         k/9A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=NrgcPgHYGkaYgv7K/Tp1YWUKuygAmk8ZPyKQdnHtMXo=;
        b=eA6N4/FuXcnXUk024TQ+CKDge2YjAqSgMEN6k4hORMbn5oA9poSP4lBN/qCV1icEVZ
         Ks/cUWXweDm96XKAjJE0buun/eVZzsn0ric/KNz1EEPQkCZue20/81Ir3a9G+YjthuU/
         Zakqcd0n6CXoB7o7KhjBxNRJwG4AqeVh8A8dYKkz6c/NeVD1HfQ177ETD3NqasKi5zQA
         si3CrpTF6JLvodKCet+zvos3WudwNRbnTdWq3vrG1liXWlSQZbqsEhvd9WzaDNhj3S4j
         jz31aQMwz9T2Zt7wGgb2qrRAiXdduOs/qF5CUP9fsOHDts3eXmsiplCl3Fm9LJWNF16Y
         2SSQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b="T3/gJAXz";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id x8si21919025pgg.443.2019.05.28.11.17.34;
        Tue, 28 May 2019 11:17:51 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b="T3/gJAXz";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727933AbfE1SO0 (ORCPT <rfc822;zzmahb@gmail.com> + 99 others);
        Tue, 28 May 2019 14:14:26 -0400
Received: from mail-ed1-f68.google.com ([209.85.208.68]:40081 "EHLO
        mail-ed1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727844AbfE1SOZ (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 28 May 2019 14:14:25 -0400
Received: by mail-ed1-f68.google.com with SMTP id s19so4968018edq.7
        for <linux-kernel@vger.kernel.org>; Tue, 28 May 2019 11:14:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=NrgcPgHYGkaYgv7K/Tp1YWUKuygAmk8ZPyKQdnHtMXo=;
        b=T3/gJAXzSCD9ylg1zjwPF62H6wUuPSS2GpBRyhduNWz1LC2jLHVRN93Q4ebs4CfPIM
         ASMkGU8jM3dbdxifPr+cEGlU1N7KgjE8NkNvFIoCq2lviEfWs6ZeYrxrFVLerX7VhKV2
         ChqB6Gr39Cyw+nxO0labgQACSdXhjmnJ36Kw96T2G107InanNTWZMZ78McjRmPgQ9oYJ
         5Nzut0vDWIdfph0sYGa+YGahu/xk88dxzDtSJ+FCGHtWfZKDydFeJOYNxwEHCvbkgfm0
         myOtABdWdGbXHLoksGcwCqDETiW26zmkHEEPkWo+M+k5y7Rph/Azitux+7x5zMrDcVg9
         QXhA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=NrgcPgHYGkaYgv7K/Tp1YWUKuygAmk8ZPyKQdnHtMXo=;
        b=tMREKtvkTHSZDGMC2nZ0H6jX+fGmMSVr4OFinIa8JcvIRCJ5aE94Uca62TluA2314e
         LJeu5jfPOCTz68OMcn+YnK+SCi3hLsJVl8hP+SlhrHja5NUlk8Jt4Z0E0fi63r7FH8Wz
         1nVVXm3Dx0rtSt7Q1r/ZhZQ/2Ay6PqlpAC54SS3c+vZEvB3XN4xwGH0DybOLgfSO1XCg
         JJ+CQtSn3qVj0hMpatUAgVLqEq+AaxFizAxRJU4qYJ2pqlMRqEqZb8ipdHAERPT68GXY
         a7jedBVlfVpOcxDkuVkOJh68q6e3JLWMVtstq2e292vYIH57Uf7xR614DWaDHFdqUHct
         budQ==
X-Gm-Message-State: APjAAAVlCAYZypWT8aM6CwyW2+G3RykDuERZ0vvywGBnoLKnMZ97MWxB
        GEwOkxfkOzmisU+BgWYftB24w7W+dcfzuiIz/Xq8Ww==
X-Received: by 2002:aa7:c391:: with SMTP id k17mr131122962edq.166.1559067263524;
 Tue, 28 May 2019 11:14:23 -0700 (PDT)
MIME-Version: 1.0
References: <CAOyeoRWfPNmaWY6Lifdkdj3KPPM654vzDO+s3oduEMCJP+Asow@mail.gmail.com>
 <5CEC9667.30100@intel.com>
In-Reply-To: <5CEC9667.30100@intel.com>
From:   Eric Hankland <ehankland@google.com>
Date:   Tue, 28 May 2019 11:14:12 -0700
Message-ID: <CAOyeoRWhfyuuYdguE6Wrzd7GOdow9qRE4MZ4OKkMc5cdhDT53g@mail.gmail.com>
Subject: Re: [PATCH v1] KVM: x86: PMU Whitelist
To:     Wei Wang <wei.w.wang@intel.com>
Cc:     pbonzini@redhat.com, rkrcmar@redhat.com,
        linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, May 27, 2019 at 6:56 PM Wei Wang <wei.w.wang@intel.com> wrote:
>
> On 05/23/2019 06:23 AM, Eric Hankland wrote:
> > - Add a VCPU ioctl that can control which events the guest can monitor.
> >
> > Signed-off-by: ehankland <ehankland@google.com>
> > ---
> > Some events can provide a guest with information about other guests or the
> > host (e.g. L3 cache stats); providing the capability to restrict access
> > to a "safe" set of events would limit the potential for the PMU to be used
> > in any side channel attacks. This change introduces a new vcpu ioctl that
> > sets an event whitelist. If the guest attempts to program a counter for
> > any unwhitelisted event, the kernel counter won't be created, so any
> > RDPMC/RDMSR will show 0 instances of that event.
>
> The general idea sounds good to me :)
>
> For the implementation, I would have the following suggestions:
>
> 1) Instead of using a whitelist, it would be better to use a blacklist to
> forbid the guest from counting any core level information. So by default,
> kvm maintains a list of those core level events, which are not supported to
> the guest.
>
> The userspace ioctl removes the related events from the blacklist to
> make them usable by the guest.
>
> 2) Use vm ioctl, instead of vcpu ioctl. The blacklist-ed events can be
> VM wide
> (unnecessary to make each CPU to maintain the same copy).
> Accordingly, put the pmu event blacklist into kvm->arch.
>
> 3) Returning 1 when the guest tries to set the evetlsel msr to count an
> event which is on the blacklist.
>
> Best,
> Wei

Thanks for the feedback. I have a couple concerns with a KVM
maintained blacklist. First, I'm worried it will be difficult to keep
such a list up to date and accurate (both coming up with the initial
list since there are so many events, and updating it whenever any new
events are published or vulnerabilities are discovered). Second, users
may want to differentiate between whole-socket and sub-socket VMs
(some events may be fine for the whole-socket case) - keeping a single
blacklist wouldn't allow for this. Let me know what you think. I'll
try implementing the other suggestions.
-Eric