Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp5337683ybi; Tue, 28 May 2019 11:17:51 -0700 (PDT) X-Google-Smtp-Source: APXvYqwWBG1a/4JB9ZoiNOlmjIldse9kSlY3nAjKeF/slKfrHu0V8c2rDaydtUaikBPveD2lE8Ex X-Received: by 2002:a63:f410:: with SMTP id g16mr29862044pgi.428.1559067471872; Tue, 28 May 2019 11:17:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1559067471; cv=none; d=google.com; s=arc-20160816; b=kLfR4zSj9Nu4pKrDS6/vqzOMh+vEgUBv/zHMFl5hkATHg6xrwEyjiqWsSYoREUP4fV 4I1KYl6xd2z4ib3y/huRSXgTrPhdhGt5p7lOh7tqzOHzQqPj9LbsqpHWCtsBVgW9smgK purVbfXdsDIDrENrGSfz406r5YOqnXh3WfJbMYhYaKqEUxujcUkyKdZAmn2trhwIWkg3 nybr5neOiMRJjWslC1SAJFnh4ue8vMhIEL++Dvdp8kQD5m9Zn2EbHLFwGJkfN6bv+Pl6 s0FrFctC5UDi/szyuealFHlpUxKXOWMQRQ7xOti3M+fuKxbucg8OsIKPY3Ve0ykrvlrG k/9A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=NrgcPgHYGkaYgv7K/Tp1YWUKuygAmk8ZPyKQdnHtMXo=; b=eA6N4/FuXcnXUk024TQ+CKDge2YjAqSgMEN6k4hORMbn5oA9poSP4lBN/qCV1icEVZ Ks/cUWXweDm96XKAjJE0buun/eVZzsn0ric/KNz1EEPQkCZue20/81Ir3a9G+YjthuU/ Zakqcd0n6CXoB7o7KhjBxNRJwG4AqeVh8A8dYKkz6c/NeVD1HfQ177ETD3NqasKi5zQA si3CrpTF6JLvodKCet+zvos3WudwNRbnTdWq3vrG1liXWlSQZbqsEhvd9WzaDNhj3S4j jz31aQMwz9T2Zt7wGgb2qrRAiXdduOs/qF5CUP9fsOHDts3eXmsiplCl3Fm9LJWNF16Y 2SSQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b="T3/gJAXz"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x8si21919025pgg.443.2019.05.28.11.17.34; Tue, 28 May 2019 11:17:51 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b="T3/gJAXz"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727933AbfE1SO0 (ORCPT + 99 others); Tue, 28 May 2019 14:14:26 -0400 Received: from mail-ed1-f68.google.com ([209.85.208.68]:40081 "EHLO mail-ed1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727844AbfE1SOZ (ORCPT ); Tue, 28 May 2019 14:14:25 -0400 Received: by mail-ed1-f68.google.com with SMTP id s19so4968018edq.7 for ; Tue, 28 May 2019 11:14:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=NrgcPgHYGkaYgv7K/Tp1YWUKuygAmk8ZPyKQdnHtMXo=; b=T3/gJAXzSCD9ylg1zjwPF62H6wUuPSS2GpBRyhduNWz1LC2jLHVRN93Q4ebs4CfPIM ASMkGU8jM3dbdxifPr+cEGlU1N7KgjE8NkNvFIoCq2lviEfWs6ZeYrxrFVLerX7VhKV2 ChqB6Gr39Cyw+nxO0labgQACSdXhjmnJ36Kw96T2G107InanNTWZMZ78McjRmPgQ9oYJ 5Nzut0vDWIdfph0sYGa+YGahu/xk88dxzDtSJ+FCGHtWfZKDydFeJOYNxwEHCvbkgfm0 myOtABdWdGbXHLoksGcwCqDETiW26zmkHEEPkWo+M+k5y7Rph/Azitux+7x5zMrDcVg9 QXhA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=NrgcPgHYGkaYgv7K/Tp1YWUKuygAmk8ZPyKQdnHtMXo=; b=tMREKtvkTHSZDGMC2nZ0H6jX+fGmMSVr4OFinIa8JcvIRCJ5aE94Uca62TluA2314e LJeu5jfPOCTz68OMcn+YnK+SCi3hLsJVl8hP+SlhrHja5NUlk8Jt4Z0E0fi63r7FH8Wz 1nVVXm3Dx0rtSt7Q1r/ZhZQ/2Ay6PqlpAC54SS3c+vZEvB3XN4xwGH0DybOLgfSO1XCg JJ+CQtSn3qVj0hMpatUAgVLqEq+AaxFizAxRJU4qYJ2pqlMRqEqZb8ipdHAERPT68GXY a7jedBVlfVpOcxDkuVkOJh68q6e3JLWMVtstq2e292vYIH57Uf7xR614DWaDHFdqUHct budQ== X-Gm-Message-State: APjAAAVlCAYZypWT8aM6CwyW2+G3RykDuERZ0vvywGBnoLKnMZ97MWxB GEwOkxfkOzmisU+BgWYftB24w7W+dcfzuiIz/Xq8Ww== X-Received: by 2002:aa7:c391:: with SMTP id k17mr131122962edq.166.1559067263524; Tue, 28 May 2019 11:14:23 -0700 (PDT) MIME-Version: 1.0 References: <5CEC9667.30100@intel.com> In-Reply-To: <5CEC9667.30100@intel.com> From: Eric Hankland Date: Tue, 28 May 2019 11:14:12 -0700 Message-ID: Subject: Re: [PATCH v1] KVM: x86: PMU Whitelist To: Wei Wang Cc: pbonzini@redhat.com, rkrcmar@redhat.com, linux-kernel@vger.kernel.org, kvm@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, May 27, 2019 at 6:56 PM Wei Wang wrote: > > On 05/23/2019 06:23 AM, Eric Hankland wrote: > > - Add a VCPU ioctl that can control which events the guest can monitor. > > > > Signed-off-by: ehankland > > --- > > Some events can provide a guest with information about other guests or the > > host (e.g. L3 cache stats); providing the capability to restrict access > > to a "safe" set of events would limit the potential for the PMU to be used > > in any side channel attacks. This change introduces a new vcpu ioctl that > > sets an event whitelist. If the guest attempts to program a counter for > > any unwhitelisted event, the kernel counter won't be created, so any > > RDPMC/RDMSR will show 0 instances of that event. > > The general idea sounds good to me :) > > For the implementation, I would have the following suggestions: > > 1) Instead of using a whitelist, it would be better to use a blacklist to > forbid the guest from counting any core level information. So by default, > kvm maintains a list of those core level events, which are not supported to > the guest. > > The userspace ioctl removes the related events from the blacklist to > make them usable by the guest. > > 2) Use vm ioctl, instead of vcpu ioctl. The blacklist-ed events can be > VM wide > (unnecessary to make each CPU to maintain the same copy). > Accordingly, put the pmu event blacklist into kvm->arch. > > 3) Returning 1 when the guest tries to set the evetlsel msr to count an > event which is on the blacklist. > > Best, > Wei Thanks for the feedback. I have a couple concerns with a KVM maintained blacklist. First, I'm worried it will be difficult to keep such a list up to date and accurate (both coming up with the initial list since there are so many events, and updating it whenever any new events are published or vulnerabilities are discovered). Second, users may want to differentiate between whole-socket and sub-socket VMs (some events may be fine for the whole-socket case) - keeping a single blacklist wouldn't allow for this. Let me know what you think. I'll try implementing the other suggestions. -Eric