Received: by 2002:a25:ca44:0:0:0:0:0 with SMTP id a65csp976509ybg; Wed, 29 Jul 2020 02:36:29 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzhGTJEkDsImoxzr5GG/q8AG0fkM/+tKpNKqweOqQb0oeIIGIG7VuSt9CPXPkgR6V9ylQcs X-Received: by 2002:a17:906:aad2:: with SMTP id kt18mr11740266ejb.537.1596015389575; Wed, 29 Jul 2020 02:36:29 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1596015389; cv=none; d=google.com; s=arc-20160816; b=Tf6E9XApFAuXrJLL0UCyCYWYnUti7IodwG5KIbThZgEG6MewO01Do2ALUzkeWJgwRV G+uqQR/5ZyR6nqhDTdWn3EtOLOvAm/8CeiLnxMijIAzT/ac5d/j4a11ikJZiBrF/zK4G Iwn1yH5R4zk4tprIaY1KeA8Lx6vaZ3sN58XW5UUZilgHhR6Y6QLojBF7V4Hlvfn42mvz 7c58esHEKu/nN1N+z8rIObcrg49nXdr1ceZPut4Do0lY87ViuI6ddtVtsfJcZKs4vHpp +mqLLF7EebfcihhcpmjSW53feA+HDlC7qO7NDye2+PYx8BCPRfYd/6MXdBVBFSS6c+2N KP7A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:ironport-sdr :dkim-signature; bh=CPmDRa3vuqU1bbMybyLZQXed2NrY1QiIjCcEH2vVDEM=; b=zmrCm5zi12lcaHjbf/wxRl2MVN90k1X5cwj40GnKaopIzVlRAYeFqyENl3n+k1KYJ+ 7jEWlInJvZtzoJ6W8EmrC5eMX8P5X2tE85eOkpKoEtprOVcm+VydHgHvATVxBu4KvJBN Sc9OTjfGP4DILbzbbX+4r31ycBC5J1/+wDt+WSLgjoRUpZdCcSl3DdGoEQrVMUqeT2D2 y/orPvw/13zk44cFfEvPJWKiH1ifFc10JE9jmZwrvf+jdGxU4LFuOVcOS+Ws55Ok38Ey hlkZttqLnZ9sXZCRHSCGesz2sr8CHcfEeNG/x6emVFVQfSvhOZbKzw4o3zb9KYbkZZvw D6xQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@amazon.com header.s=amazon201209 header.b=Sp0yevnk; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amazon.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id p19si701839eju.726.2020.07.29.02.36.07; Wed, 29 Jul 2020 02:36:29 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@amazon.com header.s=amazon201209 header.b=Sp0yevnk; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amazon.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728148AbgG2JfK (ORCPT + 99 others); Wed, 29 Jul 2020 05:35:10 -0400 Received: from smtp-fw-6002.amazon.com ([52.95.49.90]:8150 "EHLO smtp-fw-6002.amazon.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726336AbgG2JfJ (ORCPT ); Wed, 29 Jul 2020 05:35:09 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1596015309; x=1627551309; h=to:cc:references:from:message-id:date:mime-version: in-reply-to:content-transfer-encoding:subject; bh=CPmDRa3vuqU1bbMybyLZQXed2NrY1QiIjCcEH2vVDEM=; b=Sp0yevnku/n+yQedw3Xt7zNCXi+x1jJqczQy5zal1aPJfJszI7j5u/wv hP5/Wd0onpiunVHSA/1y4upZfwpqzREZiSUVvL6y06kh3LHSWLYQqJ9TV vDnU9+7PQDvcTO0Tu9qWYI33ijTdk7UC2JLfaA66ja43tgCBEFurd7PXh E=; IronPort-SDR: w2DBh91tML0IAP7do9j+bfo0znMxsdkk2qzBipPBtq7ve6zc2+h2HCUWOv6iF0xyqoe3P2heAy 6Nem7+gPmiXw== X-IronPort-AV: E=Sophos;i="5.75,409,1589241600"; d="scan'208";a="44781944" Subject: Re: [PATCH] KVM: x86: Deflect unknown MSR accesses to user space Received: from iad12-co-svc-p1-lb1-vlan3.amazon.com (HELO email-inbound-relay-1a-821c648d.us-east-1.amazon.com) ([10.43.8.6]) by smtp-border-fw-out-6002.iad6.amazon.com with ESMTP; 29 Jul 2020 09:35:08 +0000 Received: from EX13MTAUWC001.ant.amazon.com (iad55-ws-svc-p15-lb9-vlan2.iad.amazon.com [10.40.159.162]) by email-inbound-relay-1a-821c648d.us-east-1.amazon.com (Postfix) with ESMTPS id 5C5FFA22AD; Wed, 29 Jul 2020 09:35:04 +0000 (UTC) Received: from EX13D20UWC002.ant.amazon.com (10.43.162.163) by EX13MTAUWC001.ant.amazon.com (10.43.162.135) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 29 Jul 2020 09:35:03 +0000 Received: from 38f9d3867b82.ant.amazon.com (10.43.161.203) by EX13D20UWC002.ant.amazon.com (10.43.162.163) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 29 Jul 2020 09:35:00 +0000 To: Vitaly Kuznetsov , Jim Mattson CC: Paolo Bonzini , Jonathan Corbet , Sean Christopherson , Wanpeng Li , Joerg Roedel , kvm list , , LKML , Aaron Lewis References: <20200728004446.932-1-graf@amazon.com> <87d04gm4ws.fsf@vitty.brq.redhat.com> <87y2n2log7.fsf@vitty.brq.redhat.com> <173948e8-4c7a-6dc4-de17-99151bc56d91@amazon.com> <87pn8ellp6.fsf@vitty.brq.redhat.com> From: Alexander Graf Message-ID: <983a46c5-c5e2-ce12-f1e9-19ed0040f5dc@amazon.com> Date: Wed, 29 Jul 2020 11:34:58 +0200 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Thunderbird/68.10.0 MIME-Version: 1.0 In-Reply-To: <87pn8ellp6.fsf@vitty.brq.redhat.com> Content-Language: en-US X-Originating-IP: [10.43.161.203] X-ClientProxiedBy: EX13D38UWC003.ant.amazon.com (10.43.162.23) To EX13D20UWC002.ant.amazon.com (10.43.162.163) Content-Type: text/plain; charset="windows-1252"; format="flowed" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 29.07.20 11:22, Vitaly Kuznetsov wrote: > CAUTION: This email originated from outside of the organization. Do not c= lick links or open attachments unless you can confirm the sender and know t= he content is safe. > = > = > = > Alexander Graf writes: > = >> On 29.07.20 10:23, Vitaly Kuznetsov wrote: >>> >>> >>> >>> Jim Mattson writes: >>> >>>> On Tue, Jul 28, 2020 at 5:41 AM Alexander Graf wrote: >>>>> >>> >>> ... >>> >>>>> While it does feel a bit overengineered, it would solve the problem t= hat >>>>> we're turning in-KVM handled MSRs into an ABI. >>>> >>>> It seems unlikely that userspace is going to know what to do with a >>>> large number of MSRs. I suspect that a small enumerated list will >>>> suffice. >>> >>> The list can also be 'wildcarded', i.e. >>> { >>> u32 index; >>> u32 mask; >>> ... >>> } >>> >>> to make it really short. >> >> I like the idea of wildcards, but I can't quite wrap my head around how >> we would implement ignore_msrs in user space with them? >> > = > For that I think we can still deflect all unknown MSR accesses to > userspace (when the CAP is enabled of course ) but MSRs which are on the > list will *have to be deflected*, i.e. KVM can't handle them internally > without consulting with userspace. > = > We can make it tunable through a parameter for CAP enablement if needed. That would still make the set of MSRs implemented in KVM a de-facto ABI, no? Another thing that might be worth bringing up here is that we have an = in-house mechanism to set up a allowlist for KVM handling MSR accesses. = What if we combine the two? int kvm_rdmsr(...) { switch (msr) { [...] default: return -ENOENT; } } int rdmsr(...) { if (!has_allowlist || msr_read_is_allowed(msr)) return kvm_rdmsr(); return -ENOENT; } int handle_rdmsr(...) { switch (rdmsr(msr)) { case 0: return 1; case 1: inject_gp(); return 1; case -ENOENT: if (cap_msr_exit) { run->exit_reason =3D MSR; return 0; } else { inject_gp(); return 1; } } } That way user space can either say "I don't care what you implement, = just tell me all the MSRs you could not handle" or it says "I want you = to handle this exact subset of MSRs, tell me any time there's an out of = bounds access". That would give us the best of both worlds, right? Alex Amazon Development Center Germany GmbH Krausenstr. 38 10117 Berlin Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss Eingetragen am Amtsgericht Charlottenburg unter HRB 149173 B Sitz: Berlin Ust-ID: DE 289 237 879