Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp1752146ybi; Sat, 1 Jun 2019 03:52:45 -0700 (PDT) X-Google-Smtp-Source: APXvYqx0xmmHmPFIHJLcAmp988kwaFmVCQ/oh5EKZ81uushfqJ6Gk/vkX+QBOc2Sb5TYSfepXVLg X-Received: by 2002:a63:ec02:: with SMTP id j2mr7169922pgh.340.1559386365842; Sat, 01 Jun 2019 03:52:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1559386365; cv=none; d=google.com; s=arc-20160816; b=SUeJE085YOWW1wNwdD9aXAhU3jPCyCPUmauC1Snf1doapBTgze15FSN8PMP1UXqkBC wTP/ApHK+C5neilBJgQEW/K/HvsvvikomsIwnjYHASw1ww+sEpqBfOfL82m3qULzEGKv bKoAb5x7ADOb1U4a8lT4v2o/BFPqZvHdn7DNkd1KIukaSeTHWtpy6u5/NDt22GeWK81x v+DY429gbgNkb/o84UfLf3Tskp2AZVTArxcua3+o7FZ7NjYIjAq1AMqp1zUiy2RKUlZb dezidNJLRSdsbb/QOp5AnsX7N7sMzl9oQ1dA0yp7QcGsOqmNC1uCyZyxcXJv83b4Vj4D +VPA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:in-reply-to :references:subject:cc:to:mime-version:user-agent:from:date :message-id; bh=/w0lm/aWg8/xBNtMr8+gVUrcATnkDK23uRz/CH2cPv0=; b=gRuKJZjOBLJHcV6kDYEbUYfA3XPAAOzw/VFS2vPHElYyzcLp5vx/wM+pvvm696ysAs 5hIhR0i6p3SmSOx0F0D4IrD5k5I/JzCSXXwM11FFohSNOHGWSEW8v0mdHlWa3TnKrZl8 ltX60VnhP2aSwEEL0e5m+mcEDSKNSiiOKMF68cbVj720bqALLwmWSz75+w3/i6KeKRZ9 eR4bcrhtPmp9CKqnsmLAMgkOuZp6zLG/3BQ7AY1j0+wiQG0Dz3Azn6fgM+3tcoGzO32E P/nU5pKPmlSBN0RKYVp2suVmKf0Cy67qqgjsUnHAbYZyIjNbbF3UKxsKOJ54SCcYADLz VgaA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 13si9455811pgk.239.2019.06.01.03.52.30; Sat, 01 Jun 2019 03:52:45 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727276AbfFAKuS (ORCPT + 99 others); Sat, 1 Jun 2019 06:50:18 -0400 Received: from mga12.intel.com ([192.55.52.136]:44926 "EHLO mga12.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726109AbfFAKuR (ORCPT ); Sat, 1 Jun 2019 06:50:17 -0400 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga007.jf.intel.com ([10.7.209.58]) by fmsmga106.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 01 Jun 2019 03:50:16 -0700 X-ExtLoop1: 1 Received: from unknown (HELO [10.239.13.7]) ([10.239.13.7]) by orsmga007.jf.intel.com with ESMTP; 01 Jun 2019 03:50:15 -0700 Message-ID: <5CF2599B.3030001@intel.com> Date: Sat, 01 Jun 2019 18:55:23 +0800 From: Wei Wang User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0 MIME-Version: 1.0 To: Eric Hankland CC: pbonzini@redhat.com, rkrcmar@redhat.com, linux-kernel@vger.kernel.org, kvm@vger.kernel.org Subject: Re: [PATCH v1] KVM: x86: PMU Whitelist References: <5CEC9667.30100@intel.com> <5CEE3AC4.3020904@intel.com> <5CF07D37.9090805@intel.com> In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 06/01/2019 03:59 AM, Eric Hankland wrote: > > With anythread=0, I'm not aware of any events that directly give info > about other VMs, but monitoring events related to shared resources > (e.g. LLC References and LLC Misses) could indirectly give you info > about how heavily other users are using that resource. My question is that have we proved that this indirect info leakage indeed happens? The spec states that the counter will count the related events generated by the logical CPU with AnyThread=0. I would be inclined to trust the hardware behavior documented in the spec unless we could prove there is a problem. > > I tried returning 1 when the guest tries to write the eventsel msr for > a disallowed event - the behavior on modern guest kernels looks > reasonable (warns once about an unchecked MSR access error), but it > looks like guests using older kernels (older than 2016) might panic > due to the gpfault (not to mention I'm not sure about the behavior on > non-linux kernels). So I'm hesitant to return 1 - what do you think? From the guest point of view, returning 0 means that the event counting is running well. That is, the guest is expecting to get some count numbers. So better not to zero the value when the guest does rdpmc/rdmsr to get the count in this case. I think we could just ensure "AnyThread=0" in the config, and create the kernel counter as usual. > I also looked into moving from a vcpu ioctl to a vm ioctl - I can send > out a version of the patch with this change once we settle on the > other issues. It will involve some extra locking every time the > counters are programmed to ensure the whitelist or blacklist isn't > removed during access. > Yes, the above discussion needs to be done first. Best, Wei