Subject: Re: Should SEV-ES #VC use IST? (Re: [PATCH] Allow RDTSC and RDTSCP from userspace)
To: Joerg Roedel, Andy Lutomirski
CC: Joerg Roedel, Dave Hansen, "Tom Lendacky", Mike Stunes, "Dan Williams", Dave Hansen, "H. Peter Anvin", "Juergen Gross", Jiri Slaby, Kees Cook, kvm list, LKML, Peter Zijlstra, "Thomas Hellstrom", Linux Virtualization, X86 ML, "Sean Christopherson"
From: Andrew Cooper
Message-ID: <1b232a8e-af99-4f7b-05c5-584b82853ac5@citrix.com>
Date: Tue, 28 Apr 2020 17:34:36 +0100
In-Reply-To: <20200428075512.GP30814@suse.de>
X-Mailing-List: linux-kernel@vger.kernel.org

On 28/04/2020 08:55, Joerg Roedel wrote:
> On Mon, Apr 27, 2020 at 10:37:41AM -0700, Andy Lutomirski wrote:
>> I have a somewhat serious question: should we use IST for #VC at all?
>> As I understand it, Rome and Naples make it mandatory for hypervisors
>> to intercept #DB, which means that, due to the MOV SS mess, it's sort
>> of mandatory to use IST for #VC. But Milan fixes the #DB issue, so,
>> if we're running under a sufficiently sensible hypervisor, we don't
>> need IST for #VC.
> The reason for #VC being IST is not only #DB, but also SEV-SNP. SNP adds
> page ownership tracking between guest and host, so that the hypervisor
> can't remap guest pages without the guest noticing.
>
> If there is a violation of ownership, which can happen at any memory
> access, there will be a #VC exception to notify the guest. And as this
> can happen anywhere, for example on a carefully crafted stack page set
> by userspace before doing SYSCALL, the only robust choice for #VC is to
> use IST.

The kernel won't ever touch the guest stack before restoring %rsp in the
syscall path, but the (minimum 2) memory accesses required to save the
user %rsp and load the kernel stack may be subject to #VC exceptions, as
are instruction fetches at the head of the SYSCALL path.

So yes - #VC needs IST.

Sorry for the noise.  (That said, it is unfortunate that the hypervisor
messing with the memory backing the guest #VC handler results in an
infinite loop, rather than an ability to cleanly terminate.)

~Andrew
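
Added example, not part of the original message and not kernel code: a simplified C model of how an x86-64 CPU chooses the stack for an exception frame, showing why a #VC taken in the SYSCALL entry window would be delivered on the user-supplied %rsp unless its IDT gate uses IST. The struct names, the IST index 3 and all addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model of x86-64 stack selection on exception delivery.
 * All names here are illustrative, not kernel identifiers. */
struct tss_model {
    uint64_t rsp0;     /* stack loaded on a CPL3 -> CPL0 transition */
    uint64_t ist[8];   /* ist[1..7]: Interrupt Stack Table entries */
};

struct cpu_model {
    unsigned cpl;      /* current privilege level */
    uint64_t rsp;      /* current stack pointer */
};

/* Returns the address at which the CPU starts pushing the exception
 * frame. ist_index is the 3-bit IST field of the IDT gate (0 = none). */
uint64_t frame_stack(const struct cpu_model *cpu,
                     const struct tss_model *tss, unsigned ist_index)
{
    uint64_t base;
    if (ist_index != 0)
        base = tss->ist[ist_index];     /* unconditional stack switch */
    else if (cpu->cpl == 3)
        base = tss->rsp0;               /* privilege change: use RSP0 */
    else
        base = cpu->rsp;                /* same CPL: keep current RSP */
    return base & ~0xFULL;              /* frame is 16-byte aligned */
}

/* State right after SYSCALL: CPL is already 0, but RSP still holds
 * whatever value userspace left in the register. */
struct cpu_model after_syscall(uint64_t user_rsp)
{
    struct cpu_model cpu = { .cpl = 0, .rsp = user_rsp };
    return cpu;
}

int main(void)
{
    struct tss_model tss = { .rsp0 = 0xffffc90000004000ULL };
    tss.ist[3] = 0xfffffe0000010000ULL;          /* constructed value */
    struct cpu_model cpu = after_syscall(0x00007ffd12345678ULL);

    printf("#VC without IST: frame at %#llx\n",
           (unsigned long long)frame_stack(&cpu, &tss, 0));
    printf("#VC with IST:    frame at %#llx\n",
           (unsigned long long)frame_stack(&cpu, &tss, 3));
    return 0;
}
```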