Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp1398378ybt;
        Thu, 18 Jun 2020 07:50:20 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxMO0/McpeHpwbchxAGIiCeLlF31KWdWGBzKuXvrkyjrDMiQrHid90Mm+Rtt1MHq81Vv/fH
X-Received: by 2002:a17:906:2e55:: with SMTP id r21mr4181714eji.338.1592491819833;
        Thu, 18 Jun 2020 07:50:19 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1592491819; cv=none;
        d=google.com; s=arc-20160816;
        b=a9KUU8YlrzplW81LZLyJCxlKwbyKBnhqpA3jlZ9hwOGIIatvHaC1D82i5fXnTfE4uk
         lbtDzamIkYRZmBrJhWHspownO5AJS5CNvPd/CzgPq/3FVThdnG2VAvjmL6E2lXMhw/7b
         4hkoFVmC4uxTD0SOGczFTEMWthyvxa470i/1I1HMgVT0ADWyD9onAYOgUt0qjQM8joSk
         FDaUmmEdUOgLhUlL6wL0eqDBXVkq745e1b76Egy7MkGzX0JUXd8Br+0fOxtDAAR+QhS/
         KtLuFG2C1mGnb+iszTHWA00KX8F4Ref0cgiHJTV+qApLtfYg9+wLXBe1/Iw0tBu4CnRB
         JNYQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:ironport-sdr:ironport-sdr;
        bh=CVtVY11IhjQh0cuSH0CnjeYYMedWEjMDD+8UT7k9POM=;
        b=gjLnuK1ADo9WINuIiGH9Agcc8R9WBW5Faqk/et9fVjiMXTazp0kOJsyv/xmadr7Ljr
         QrGpOxv8DWnzfj3gtt3v/7WjdpCLHtXoQ5RqlA/Zaq6oxUDj6ufFGHxprtKBxnsZ+KUH
         M2lfxcrf4iPTGceNG5xAUC55oR9i/xlHhtC0tqJ7es4qyMFfpFHIUR4lLqQ/oCrZzFLy
         +8LXaaAirBuxcMdeD52zvWE2GpTv/rSMJaR8JVdob+rLEtXZwIBhT5Ha4XswQ0jB3GCZ
         QptX6lTESFOyTSRoIBBzCxmOnnZaox8GN433MFYsolZ1p6kIEMWO3qlDN0Nm6cwzKWBh
         3r+g==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id e26si2452958edy.327.2020.06.18.07.49.57;
        Thu, 18 Jun 2020 07:50:19 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1731336AbgFROrU (ORCPT <rfc822;jaegeuk-test@gmail.com>
        + 99 others); Thu, 18 Jun 2020 10:47:20 -0400
Received: from mga18.intel.com ([134.134.136.126]:37512 "EHLO mga18.intel.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1730972AbgFROqq (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 18 Jun 2020 10:46:46 -0400
IronPort-SDR: YTPfJnLBCgiQD2m3BnlYGtIwhquabKGHkC8cHFoqX6IRZFjZd13FiL7KkPnYqKznpUThCKc0rg
 sQyzN7bFQhcQ==
X-IronPort-AV: E=McAfee;i="6000,8403,9655"; a="129934642"
X-IronPort-AV: E=Sophos;i="5.75,526,1589266800"; 
   d="scan'208";a="129934642"
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from fmsmga006.fm.intel.com ([10.253.24.20])
  by orsmga106.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 18 Jun 2020 07:46:42 -0700
IronPort-SDR: WGKHqT4NW9u/bPt4hQJ2PRe+VhtNaO04N5bA77bBJhGDBMYgmIJugixFWDKjUdJZV7JIGT1nS8
 X5yhIIUDsMHg==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.75,526,1589266800"; 
   d="scan'208";a="477218525"
Received: from otcsectest.jf.intel.com (HELO 258ff54ff3c0) ([10.54.30.81])
  by fmsmga006.fm.intel.com with ESMTP; 18 Jun 2020 07:46:39 -0700
Date:   Thu, 18 Jun 2020 14:43:14 +0000
From:   "Andersen, John" <john.s.andersen@intel.com>
To:     Dave Hansen <dave.hansen@intel.com>
Cc:     corbet@lwn.net, pbonzini@redhat.com, tglx@linutronix.de,
        mingo@redhat.com, bp@alien8.de, x86@kernel.org, hpa@zytor.com,
        shuah@kernel.org, sean.j.christopherson@intel.com,
        liran.alon@oracle.com, drjones@redhat.com,
        rick.p.edgecombe@intel.com, kristen@linux.intel.com,
        vkuznets@redhat.com, wanpengli@tencent.com, jmattson@google.com,
        joro@8bytes.org, mchehab+huawei@kernel.org,
        gregkh@linuxfoundation.org, paulmck@kernel.org,
        pawan.kumar.gupta@linux.intel.com, jgross@suse.com,
        mike.kravetz@oracle.com, oneukum@suse.com, luto@kernel.org,
        peterz@infradead.org, fenghua.yu@intel.com,
        reinette.chatre@intel.com, vineela.tummalapalli@intel.com,
        dave.hansen@linux.intel.com, arjan@linux.intel.com,
        caoj.fnst@cn.fujitsu.com, bhe@redhat.com, nivedita@alum.mit.edu,
        keescook@chromium.org, dan.j.williams@intel.com,
        eric.auger@redhat.com, aaronlewis@google.com, peterx@redhat.com,
        makarandsonare@google.com, linux-doc@vger.kernel.org,
        linux-kernel@vger.kernel.org, kvm@vger.kernel.org,
        linux-kselftest@vger.kernel.org,
        kernel-hardening@lists.openwall.com
Subject: Re: [PATCH 2/4] KVM: x86: Introduce paravirt feature CR0/CR4 pinning
Message-ID: <20200618144314.GB23@258ff54ff3c0>
References: <20200617190757.27081-1-john.s.andersen@intel.com>
 <20200617190757.27081-3-john.s.andersen@intel.com>
 <0fa9682e-59d4-75f7-366f-103d6b8e71b8@intel.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <0fa9682e-59d4-75f7-366f-103d6b8e71b8@intel.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jun 18, 2020 at 07:18:09AM -0700, Dave Hansen wrote:
> On 6/17/20 12:07 PM, John Andersen wrote:
> > +#define KVM_CR0_PIN_ALLOWED	(X86_CR0_WP)
> > +#define KVM_CR4_PIN_ALLOWED	(X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_UMIP)
> 
> Why *is* there an allowed set?  Why don't we just allow everything?
> 
> Shouldn't we also pin any unknown bits?  The CR4.FSGSBASE bit is an
> example of something that showed up CPUs without Linux knowing about it.
>  If set, it causes problems.  This set couldn't have helped FSGSBASE
> because it is not in the allowed set.
> 
> Let's say Intel loses its marbles and adds a CR4 bit that lets userspace
> write to kernel memory.  Linux won't set it, but an attacker would go
> after it, first thing.

The allowed set came about because there were comments from internal review
where it was said that allowing the guest to pin TS and MP adds unnecessary
complexity.

Also because KVM always intercepts these bits via the CR0/4_GUEST_HOST_MASK. If
we allow setting of any bits, then we have to add some infrastructure for
modifying the mask when pinned bits are updated. I have a patch for that if we
want to go that route, but it doesn't account for the added complexity
mentioned above.