Received: by 2002:a25:31c3:0:0:0:0:0 with SMTP id x186csp1390139ybx; Tue, 5 Nov 2019 15:26:27 -0800 (PST) X-Google-Smtp-Source: APXvYqyt+cVHNJOuc+GXxqxVxirjzalzYA7n5jUg/1obJNlplbkkYNJm7QkJQRSAdYIinsLfcxtu X-Received: by 2002:aa7:cf97:: with SMTP id z23mr25374961edx.245.1572996387365; Tue, 05 Nov 2019 15:26:27 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1572996387; cv=none; d=google.com; s=arc-20160816; b=LxdwvDA2yrtUrLa2FkmtuZ6AXsbBiRF3uUr9qTGBz3XwCe5BTKVXgd0R88v3zWbxue Jz78xE49WKiag7unEY+3N9idrsbXjsE5jATlUs58HIhhlYlvN0LoTqib2yxPT+EH1Sqw +cs3BfeOesTc+P9YLQCJ5uXa7zbE2l78iDfjxDa+Nj3gSB4YxI+tQoPr5PoS473YqPl+ MCbFPj2xVEYGKHVKXy0plmtlx67YIQ8+lU850PTgmdsxX/9kDZ0Glc3Z01Uad3NbcENg pPj/lPZbCFOkT74Z7r8BzrWfHmPLuFC1dJi/nCWW1ou5oOosotujsOXEWCQovY1/Xnsg 5S9A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=y3dKicojWdcq/8oH3XwM5YooYyfMYqSPqBI+TIWD2CA=; b=BEClvlCX9We09FUOquPYMII62IK5ABbnN/OuMCbaJi0WUoSVwZfV1TxTgUfouJYcOG SD+LKjkQ5pishlbKLhLkVIYLFF9DT0cixpiXq0Owu2EjAfaKCFARErb3eXG5LnJtrqbL foO0zpBC54ihrZgynS+67fy4bBZBuP65RUOXJ6ps2ARtJ/B0R7gGvOOJtj3dObStigm/ PrYdHPwgKUnxzr+lwBtSxfjwMFZB55XiwleqGqSHen2Mmr/f74OTVCnuapFXq82U1Q7N lcnwdjAtcPJgSNmuel8LHbMVc5mjs282oKjttCB7720BQt8LCJWQ77PbIo4Ym98DcU+3 q+IA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id qp14si460220ejb.274.2019.11.05.15.26.01; Tue, 05 Nov 2019 15:26:27 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729494AbfKEXZC (ORCPT + 99 others); Tue, 5 Nov 2019 18:25:02 -0500 Received: from mga04.intel.com ([192.55.52.120]:54702 "EHLO mga04.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727046AbfKEXZB (ORCPT ); Tue, 5 Nov 2019 18:25:01 -0500 X-Amp-Result: UNKNOWN X-Amp-Original-Verdict: FILE UNKNOWN X-Amp-File-Uploaded: False Received: from fmsmga003.fm.intel.com ([10.253.24.29]) by fmsmga104.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 05 Nov 2019 15:25:00 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.68,271,1569308400"; d="scan'208";a="226251719" Received: from sjchrist-coffee.jf.intel.com (HELO linux.intel.com) ([10.54.74.41]) by FMSMGA003.fm.intel.com with ESMTP; 05 Nov 2019 15:25:00 -0800 Date: Tue, 5 Nov 2019 15:25:00 -0800 From: Sean Christopherson To: Vitaly Kuznetsov Cc: kvm@vger.kernel.org, x86@kernel.org, Paolo Bonzini , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Jim Mattson , Liran Alon , linux-kernel@vger.kernel.org, "H. Peter Anvin" , "Peter Zijlstra (Intel)" Subject: Re: [PATCH RFC] KVM: x86: tell guests if the exposed SMT topology is trustworthy Message-ID: <20191105232500.GA25887@linux.intel.com> References: <20191105161737.21395-1-vkuznets@redhat.com> <20191105193749.GA20225@linux.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20191105193749.GA20225@linux.intel.com> User-Agent: Mutt/1.5.24 (2015-08-30) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Nov 05, 2019 at 11:37:50AM -0800, Sean Christopherson wrote: > On Tue, Nov 05, 2019 at 05:17:37PM +0100, Vitaly Kuznetsov wrote: > > Virtualized guests may pick a different strategy to mitigate hardware > > vulnerabilities when it comes to hyper-threading: disable SMT completely, > > use core scheduling, or, for example, opt in for STIBP. Making the > > decision, however, requires an extra bit of information which is currently > > missing: does the topology the guest see match hardware or if it is 'fake' > > and two vCPUs which look like different cores from guest's perspective can > > actually be scheduled on the same physical core. Disabling SMT or doing > > core scheduling only makes sense when the topology is trustworthy. > > > > Add two feature bits to KVM: KVM_FEATURE_TRUSTWORTHY_SMT with the meaning > > that KVM_HINTS_TRUSTWORTHY_SMT bit answers the question if the exposed SMT > > topology is actually trustworthy. It would, of course, be possible to get > > away with a single bit (e.g. 'KVM_FEATURE_FAKE_SMT') and not lose backwards > > compatibility but the current approach looks more straightforward. > > I'd stay away from "trustworthy", especially if this is controlled by > userspace. Whether or not the hint is trustworthy is purely up to the > guest. Right now it doesn't really matter, but that will change as we > start moving pieces of the host out of the guest's TCB. > > It may make sense to split the two (or even three?) cases, e.g. > KVM_FEATURE_NO_SMT and KVM_FEATURE_ACCURATE_TOPOLOGY. KVM can easily > enforce NO_SMT _today_, i.e. allow it to be set if and only if SMT is > truly disabled. Verifying that the topology exposed to the guest is legit > is a completely different beast. Scratch the ACCURATE_TOPOLOGY idea, I doubt there's a real use case for setting ACCURATE_TOPOLOGY and not KVM_HINTS_REALTIME. A feature flag to state that SMT is disabled seems simple and useful.