Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp3610725ybt; Tue, 23 Jun 2020 06:42:42 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwP5pW0B9jyevmp8ShuwLSAvfb3KkgPy2erTc0ZnKPOhGCp+cjnknWNMbqAGhHIbtQL/r6E X-Received: by 2002:a17:906:824c:: with SMTP id f12mr10761841ejx.443.1592919761923; Tue, 23 Jun 2020 06:42:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1592919761; cv=none; d=google.com; s=arc-20160816; b=gUYQ3Glp3TelnzVyBD9Lem4Lj1lNqep4viZ/lUhqyMZu/rlcvbf+nQFUS31jWUKjGj m62DYDGRMCBel99kC8kL7YWeRnKyLxRllCy8/iyQSSVSn9hlDVnxZpqzloKA8O5nN+oU SSUeGEFu5FCNYDU0QTVXBpcWz6evK4rtqPqPVz+jRI0sZvtkfXgkLJztnEH/HirL56kW anUyrOykSSinLA4/Y6Zl1qfqfKrcfvDfb46xNZFDp1g+RpSYk1EAqSCHVO+d9wtnUr+0 CG9Zv945MSIOGtw2hYc3q1dhbA9tUazDVBB6Kl3ZTMqAJ3YypAJ7X+sabaL49KKQsWwR VfWQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=JsVOaL6u508uDSFChKxlpNJ4zQVf8SwwzsSRtj3LWNE=; b=rC74OaeQ2OXxGpCrijI0QR13lZ3YuKPN7GwYsfHhZ6imHF0hDNj+bxYuIacLUFiLVt jyrlz96QK30fdxp/mIHAAUeD1x1ib4HhVFaf5jfFXr7/ixJlCD1iA/fGTw1bWfuhk2Vb UFgEuVoLSCZz0+qFbOWXQu/ulLIF98BPHov2B4OKKJFVxIb68p+6mGhh/O4dcc2hhb0p uQ+BQCVSiKif6ga4two96PtLjk4oJJKYhHf/02GXf+2Jst3AWFUeuu1qkVUrcRLZDFmx Tl9RhxQqlfT3dguSEfo2/ONP9ZbsyoVKF+NxR9epDSZVUI0slSYnNTgkaGKcRPH09yjp Vn6g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id ly15si11021873ejb.649.2020.06.23.06.42.17; Tue, 23 Jun 2020 06:42:41 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732700AbgFWNkI (ORCPT + 99 others); Tue, 23 Jun 2020 09:40:08 -0400 Received: from mx2.suse.de ([195.135.220.15]:59130 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732631AbgFWNkH (ORCPT ); Tue, 23 Jun 2020 09:40:07 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.221.27]) by mx2.suse.de (Postfix) with ESMTP id 6A681ACF2; Tue, 23 Jun 2020 13:40:05 +0000 (UTC) Date: Tue, 23 Jun 2020 15:40:03 +0200 From: Joerg Roedel To: Peter Zijlstra Cc: Andy Lutomirski , Joerg Roedel , Dave Hansen , Tom Lendacky , Mike Stunes , Dan Williams , Dave Hansen , "H. Peter Anvin" , Juergen Gross , Jiri Slaby , Kees Cook , kvm list , LKML , Thomas Hellstrom , Linux Virtualization , X86 ML , Sean Christopherson , Andrew Cooper Subject: Re: Should SEV-ES #VC use IST? (Re: [PATCH] Allow RDTSC and RDTSCP from userspace) Message-ID: <20200623134003.GD14101@suse.de> References: <910AE5B4-4522-4133-99F7-64850181FBF9@amacapital.net> <20200425202316.GL21900@8bytes.org> <20200428075512.GP30814@suse.de> <20200623110706.GB4817@hirez.programming.kicks-ass.net> <20200623113007.GH31822@suse.de> <20200623114818.GD4817@hirez.programming.kicks-ass.net> <20200623120433.GB14101@suse.de> <20200623125201.GG4817@hirez.programming.kicks-ass.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200623125201.GG4817@hirez.programming.kicks-ass.net> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jun 23, 2020 at 02:52:01PM +0200, Peter Zijlstra wrote: > On Tue, Jun 23, 2020 at 02:04:33PM +0200, Joerg Roedel wrote: > > No, the recursion check is fine, because overwriting an already used IST > > stack doesn't matter (as long as it can be detected) if we are going to > > panic anyway. It doesn't matter because the kernel will not leave the > > currently running handler anymore. > > You only have that guarantee when any SNP #VC from kernel is an > automatic panic. But in that case, what's the point of having the > recursion count? It is not a recursion count, it is a stack-recursion check. Basically walk down the stack and look if your current stack is already in use. Yes, this can be optimized, but that is what is needed. IIRC the current prototype code for SNP just pre-validates all memory in the VM and doesn't support moving pages around on the host. So any #VC SNP exception would be fatal, yes. In a scenario with on-demand validation of guest pages and support for guest-assisted page-moving on the HV side it would be more complicated. Basically all memory that is accessed during #VC exception handling must stay validated at all times, including the IST stack. So saying this, I don't understand why _all_ SNP #VC exceptions from kernel space must be fatal? Regards, Joerg