Received: by 2002:a25:31c3:0:0:0:0:0 with SMTP id x186csp786597ybx; Thu, 7 Nov 2019 02:41:52 -0800 (PST) X-Google-Smtp-Source: APXvYqySuuFQEpQ/6ev6uXLk4/UKJSXeym0DbIm+nz6nhaw8G1s+s/CrdYaEpu+o8h0OlWJGgV1a X-Received: by 2002:aa7:db55:: with SMTP id n21mr2706196edt.113.1573123312565; Thu, 07 Nov 2019 02:41:52 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1573123312; cv=none; d=google.com; s=arc-20160816; b=FXCnqHkiQFZdo3YS54Fzmt+RfyLW49/AoraEB5eBJelvl+StJyjk1hH6i1SoZydKjJ TH2ofZjVuSrTrDvP3qgHyi8/FyMaYWhdBw8iZEgrrawaOGBFhYPtZbpBPTOWtT2lWWZs UjR8c0AENJc7NQY0OTs+jmTvwNz8G+rfWSBXZIBCuvnIFQ5E+A4/AlnjgWY5WlIHi0g4 Xh0oc0i2Owpr8WHhQcwAxe9mZRU8xfZ3H1JJnoPVoWNsF3TuYDKsrnrKtKhNxYOF77cp ZVuzgtQnMiCG0j84U6kGUNGBDu/4yDws1cRM4twxHBAMk56JN4zrDslVHaAnfoOWIkwb vcuw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:message-id:date:references :in-reply-to:subject:cc:to:from; bh=1cBytUypSmrDIXCTuphD26i91wQdyJsDQ/c6D49Q3/s=; b=wKtUvQlIF3tg3Ygg9DdJvfW7Ujfsx4oaDv0M39ZrhiaRaEoZBA4uEbj/Pz6C5cBqXM fJR7u9u5Ni1BWZcdt8wgIM+D1L1Bqv6GgbontxGSxMAuTD4u1UWnvza1KFqx+NxMnhGf F8LofXg0RBeteNLyCAKtLWEfnZAf6PX+IpJ9fR5MvysO1JViQVBU6W8YjIb9M+IK40qm 0qgfwY8C9CeuzBNWz0VA7hhPsE6jif1E3e+1gGXt5ifiDV1lq7eR32A6vhtFSVD8VKSa bgU/YHHwtgGCEwVzyo2lIZfKs5/7kNBVluBJ2c5GQ8Uk7XzwUxMbAabKE5CnHo8XERNq RMDA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id hh3si1081839ejb.2.2019.11.07.02.41.29; Thu, 07 Nov 2019 02:41:52 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388109AbfKGKi2 (ORCPT + 99 others); Thu, 7 Nov 2019 05:38:28 -0500 Received: from mx1.redhat.com ([209.132.183.28]:46102 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727562AbfKGKi2 (ORCPT ); Thu, 7 Nov 2019 05:38:28 -0500 Received: from mail-wr1-f70.google.com (mail-wr1-f70.google.com [209.85.221.70]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 98D4437F41 for ; Thu, 7 Nov 2019 10:38:27 +0000 (UTC) Received: by mail-wr1-f70.google.com with SMTP id b4so744441wrn.8 for ; Thu, 07 Nov 2019 02:38:27 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:in-reply-to:references:date :message-id:mime-version; bh=1cBytUypSmrDIXCTuphD26i91wQdyJsDQ/c6D49Q3/s=; b=kE0PO/YLMKqY6vOpNZiC/H7SE9j1v5UbzexDCPWWuEH2b5IPmcDPTA5ehPXR+19IQO mBEYM5W2Z/t+PwYPPTCi46LJfhkzEdku6NUHyzNgFcQ5U35SSoRnTFMOg38BydwGnQql TDRG03wogMJsZyT+V/JiBFlWYrb7ZjzBiYTvHYVkv4OMICzcFOrKkCgyDF+j4+n4Zj7s Zr8T38C8uDuacQDdYOzV+YVooO7EwrFnaEWbA4xdpEk6uqGdM3YMoWocQ5KUpQMlE/p5 KH6k24xlxIe6/dT29mIwvY4ix8hGNa967BVa49tNnwMAhKDBUqCcA93n0uJmFkhgHaug 3TfA== X-Gm-Message-State: APjAAAW+R2e43asdUurxRlNDSQMA7wQA05whfH3vr27N0wJD1QcC18kv pCwryrhhnnv2wLwb9IjgKqD5KYEsKNSuRiMBk8a2If6fRuTqpFxXdW6QgjKp/x9bqY7tu0LRslQ PEEzRBuZZInNUByyIECo3SAkd X-Received: by 2002:adf:ea50:: with SMTP id j16mr2050954wrn.295.1573123106316; Thu, 07 Nov 2019 02:38:26 -0800 (PST) X-Received: by 2002:adf:ea50:: with SMTP id j16mr2050934wrn.295.1573123106058; Thu, 07 Nov 2019 02:38:26 -0800 (PST) Received: from vitty.brq.redhat.com (nat-pool-brq-t.redhat.com. [213.175.37.10]) by smtp.gmail.com with ESMTPSA id j14sm1756813wrp.16.2019.11.07.02.38.24 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 07 Nov 2019 02:38:25 -0800 (PST) From: Vitaly Kuznetsov To: Sean Christopherson Cc: kvm@vger.kernel.org, x86@kernel.org, Paolo Bonzini , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Jim Mattson , Liran Alon , linux-kernel@vger.kernel.org, "H. Peter Anvin" , "Peter Zijlstra \(Intel\)" Subject: Re: [PATCH RFC] KVM: x86: tell guests if the exposed SMT topology is trustworthy In-Reply-To: <20191105232500.GA25887@linux.intel.com> References: <20191105161737.21395-1-vkuznets@redhat.com> <20191105193749.GA20225@linux.intel.com> <20191105232500.GA25887@linux.intel.com> Date: Thu, 07 Nov 2019 11:38:24 +0100 Message-ID: <87ftj0as4f.fsf@vitty.brq.redhat.com> MIME-Version: 1.0 Content-Type: text/plain Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Sean Christopherson writes: > On Tue, Nov 05, 2019 at 11:37:50AM -0800, Sean Christopherson wrote: >> On Tue, Nov 05, 2019 at 05:17:37PM +0100, Vitaly Kuznetsov wrote: >> > Virtualized guests may pick a different strategy to mitigate hardware >> > vulnerabilities when it comes to hyper-threading: disable SMT completely, >> > use core scheduling, or, for example, opt in for STIBP. Making the >> > decision, however, requires an extra bit of information which is currently >> > missing: does the topology the guest see match hardware or if it is 'fake' >> > and two vCPUs which look like different cores from guest's perspective can >> > actually be scheduled on the same physical core. Disabling SMT or doing >> > core scheduling only makes sense when the topology is trustworthy. >> > >> > Add two feature bits to KVM: KVM_FEATURE_TRUSTWORTHY_SMT with the meaning >> > that KVM_HINTS_TRUSTWORTHY_SMT bit answers the question if the exposed SMT >> > topology is actually trustworthy. It would, of course, be possible to get >> > away with a single bit (e.g. 'KVM_FEATURE_FAKE_SMT') and not lose backwards >> > compatibility but the current approach looks more straightforward. >> >> I'd stay away from "trustworthy", especially if this is controlled by >> userspace. Whether or not the hint is trustworthy is purely up to the >> guest. Right now it doesn't really matter, but that will change as we >> start moving pieces of the host out of the guest's TCB. >> >> It may make sense to split the two (or even three?) cases, e.g. >> KVM_FEATURE_NO_SMT and KVM_FEATURE_ACCURATE_TOPOLOGY. KVM can easily >> enforce NO_SMT _today_, i.e. allow it to be set if and only if SMT is >> truly disabled. Verifying that the topology exposed to the guest is legit >> is a completely different beast. > > Scratch the ACCURATE_TOPOLOGY idea, I doubt there's a real use case for > setting ACCURATE_TOPOLOGY and not KVM_HINTS_REALTIME. A feature flag to > state that SMT is disabled seems simple and useful. You seem to have the most conservative ideas around) I wasn't actually thinking about KVM enforcing anything here, my goal was to provide guest with enough information so it can adjust its SMT related settings accordingly. These could be: - 'nosmt' - STIBP - Core scheduling (not yet upstream afaik) - Manual vCPU pinning for certain tasks (including running nested guests). [E.g. nested Hyper-V hides 'md_clear' from its guests when it doesn't see 'NoNonarchitecturalCoreSharing' from the underlying hypervisor as it's pointless] - (Liran's idea): Using SMT information for better scheduling KVM_FEATURE_NO_SMT would cover one case, however, it's basically the same as not exposing hyperthreads by KVM userspace, just enforced. Do you think that such enforcement makes sense? What the guest is supposed to do when it sees the flag (compared to what's doing now)? ('KVM_HINTS_REALTIME' may actually imply what we want, however, judging by its name it may gain additional meaning in the future like 'always do busy polling everywhere') -- Vitaly