Received: by 2002:a05:6a10:6006:0:0:0:0 with SMTP id w6csp350562pxa; Wed, 26 Aug 2020 12:20:50 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxcClqEVjLOXfAwNCdL6CtjeWJhgP4NqdWA6a+JnSckCjfzv+r7RzjQzfrdYDm0I37/sMf2 X-Received: by 2002:a17:906:e218:: with SMTP id gf24mr18086283ejb.469.1598469650026; Wed, 26 Aug 2020 12:20:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1598469650; cv=none; d=google.com; s=arc-20160816; b=bTx3l/Op5OQW5V7e3s4gvD5w14iRBp07pzJ9ZBFjVeWabpHYEWp8d2gX6jgzQZm0EQ DBiya2eMYnYpdRvNkCSUAPgtiUpozDb3Xq55EzjH/TYhstjBrNRSo61MgBELKMphWNih I22zKPCmmkv+T8AvmaOSnr4+GDDiTmIMwVYsg/ikaYvx6+y8Vt+Z/42wZPSQIHZm98ZL 0PkyIeenz0y05JWn0ZFhNoKSVluwfOyqfrtlpP+QS8wRRNH8+LVLUj7XqfjQdj6m2zVw /8o3YVcgDdm0ZhJG11pbvHq1U26Qj91omp8TpryTk5kAxiNq74xWsEUoI6wdnAzq5QvX RDyg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:ironport-sdr:ironport-sdr; bh=W9BTKB0bnqgQguCWKIyiXVTPcQSJlwr7XaLJCOFcIco=; b=utd5vhDitMVx+vVO3LDnUBGOpMn4NbBOUU0GdXDLqxn2jcYC6AxrxLA8cO1u8uhWN0 //dQFMXaq2Y5jj2HtgyE3dtYM64463DifAVDYB5ffs0YoGcSCrzPk7O/1FZug+297tQ1 7C6iMcgyemtn88V9nZn7y2EAjeEfAV0XU/8XrjUkhRXgqVVTj2qzJi15UkpQcOdbnkm7 rdqebkXhOWOdrbPyUqy4vSXKPS9DHwf6VjBwYq9Ntpo2sW/v3UNSbaKeUOAPLh6jZliu 7YwkI+zrxPA571i6MQNI2fH2GghctuuLoMn2BW2zp5kBA/9moe8wXeGNLA4ZPHNLq+tU Afcg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id cy23si2146057edb.311.2020.08.26.12.20.27; Wed, 26 Aug 2020 12:20:50 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727955AbgHZTQx (ORCPT + 99 others); Wed, 26 Aug 2020 15:16:53 -0400 Received: from mga17.intel.com ([192.55.52.151]:59655 "EHLO mga17.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726947AbgHZTQv (ORCPT ); Wed, 26 Aug 2020 15:16:51 -0400 IronPort-SDR: jV610tOjzDFkO8psRDOY+eELy9UGQKPX72YM+gEQlTRXV1i0o3YRU3+dgV5DWmXImtuHFBy4Eh JiC2ubW82ciQ== X-IronPort-AV: E=McAfee;i="6000,8403,9725"; a="136439034" X-IronPort-AV: E=Sophos;i="5.76,356,1592895600"; d="scan'208";a="136439034" X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga003.fm.intel.com ([10.253.24.29]) by fmsmga107.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 26 Aug 2020 12:16:46 -0700 IronPort-SDR: khhe3B+e8qedoDCRPAjkMZI22badvpjZ4qjDoEltARDM6ebHLHFA9u0/yLEfPMus2TO0dNwauZ J2OBEGiH7nuA== X-IronPort-AV: E=Sophos;i="5.76,356,1592895600"; d="scan'208";a="336921169" Received: from sjchrist-ice.jf.intel.com (HELO sjchrist-ice) ([10.54.31.34]) by fmsmga003-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 26 Aug 2020 12:16:46 -0700 Date: Wed, 26 Aug 2020 12:16:45 -0700 From: Sean Christopherson To: Andy Lutomirski Cc: Andrew Cooper , Thomas Gleixner , LKML , X86 ML , Linus Torvalds , Tom Lendacky , Pu Wen , Stephen Hemminger , Sasha Levin , Dirk Hohndel , Jan Kiszka , Tony W Wang-oc , "H. Peter Anvin" , Asit Mallick , Gordon Tetlow , David Kaplan , Tony Luck Subject: Re: TDX #VE in SYSCALL gap (was: [RFD] x86: Curing the exception and syscall trainwreck in hardware) Message-ID: <20200826191644.GC21065@sjchrist-ice> References: <875z98jkof.fsf@nanos.tec.linutronix.de> <3babf003-6854-e50a-34ca-c87ce4169c77@citrix.com> <20200825043959.GF15046@sjchrist-ice> <20200825171903.GA20660@sjchrist-ice> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.9.4 (2018-02-28) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Aug 25, 2020 at 10:28:53AM -0700, Andy Lutomirski wrote: > On Tue, Aug 25, 2020 at 10:19 AM Sean Christopherson > wrote: > > One thought would be to have the TDX module (thing that runs in SEAM and > > sits between the VMM and the guest) provide a TDCALL (hypercall from guest > > to TDX module) to the guest that would allow the guest to specify a very > > limited number of GPAs that must never generate a #VE, e.g. go straight to > > guest shutdown if a disallowed GPA would go pending. That seems doable > > from a TDX perspective without incurring noticeable overhead (assuming the > > list of GPAs is very small) and should be easy to to support in the guest, > > e.g. make a TDCALL/hypercall or two during boot to protect the SYSCALL > > page and its scratch data. > > I guess you could do that, but this is getting gross. The x86 > architecture has really gone off the rails here. Does it suck less than using an IST? Honest question. I will add my voice to the "fix SYSCALL" train, but the odds of that getting a proper fix in time to intercept TDX are not good. On the other hand, "fixing" the SYSCALL issue in the TDX module is much more feasible, but only if we see real value in such an approach as opposed to just using an IST. I personally like the idea of a TDX module solution as I think it would be simpler for the kernel to implement/support, and would mean we wouldn't need to roll back IST usage for #VE if the heavens should part and bestow upon us a sane SYSCALL.