Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp423784pxk;
        Sun, 30 Aug 2020 08:38:53 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJx7fVvjUFIScrAQaW9gzfkslGPnSpGjb2vkzoNtTpJvkXcDud+S8ebruGTV9tg9gyOkn3E5
X-Received: by 2002:a17:907:374:: with SMTP id rs20mr125622ejb.135.1598801933602;
        Sun, 30 Aug 2020 08:38:53 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1598801933; cv=none;
        d=google.com; s=arc-20160816;
        b=fUsgFIjFCnO61LuQS45QeZbsk9bbj5bi63pUXGbmNTM/3qYqG/CWEH+9n/bMMEa1I0
         zkONpT/Ug+m7GAeYpG1SnlYc0ikUbuUUjVKGrv5KnVj242ur+5wTF1/uNgJSm47fyT+B
         sxM9rE5tFewWPzr5I11lWgfW7oz+JLQDXPo7fH4WLmCf9p60LZLpr3etPqdct4IwgrCc
         0asxyE0jkjUQvvORRqw+2tZz5MyZZusrRGEhedstFnlYpCtxi0rBB+t32RWkf2qNq4qJ
         r6ncoJitXAzu344ggmkTWVB//apTIrunuGA56i0XYLYmMTkGNXT1EWiRFpe5LLcKnfc8
         6k6Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=e+HEznL866vLhO1zzTpEsg1iQSgVNmx9Aswwxn872ug=;
        b=OcEJ9z3VxTxxR9mtbg3m9hSkYwVVD2REdT8JCx7O0JOVhariECAPCtxmY4JkP+6sU9
         G+i9qPf/jzTcKce86x3qLhAVaX++Uku2pcNUle9dnfPz33tnN5liH8gYIG/miq2HOgSy
         Pyw2eDDnfdHZgFumyZXlAh9h8CoZn2qc2l04cfVUEah3fN304sLR0dKDypDt2yIow2wJ
         dLTWH6soPRx0xp7v3F7JDMEsYoK/e46COcYt6QBV2utw8ndGQg46GgB0ZOH/ESkcYNSW
         z6pg50mkkAZfml1+SlBa1Aug+odQywUQZRyVSnpODx1RugnKfPA3FQMQSai2FgDiSAam
         odIQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=vbfkGqLL;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id p18si1120210edr.166.2020.08.30.08.38.30;
        Sun, 30 Aug 2020 08:38:53 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=vbfkGqLL;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726388AbgH3Ph4 (ORCPT <rfc822;tanxianhu@gmail.com> + 99 others);
        Sun, 30 Aug 2020 11:37:56 -0400
Received: from mail.kernel.org ([198.145.29.99]:43722 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726023AbgH3Phw (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 30 Aug 2020 11:37:52 -0400
Received: from mail-wr1-f54.google.com (mail-wr1-f54.google.com [209.85.221.54])
        (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id D3A66208DB
        for <linux-kernel@vger.kernel.org>; Sun, 30 Aug 2020 15:37:51 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1598801872;
        bh=Ky8WZcvLA6RRhgL1u44QnF3iAcvOtIXT+Pxx/AL88xs=;
        h=References:In-Reply-To:From:Date:Subject:To:Cc:From;
        b=vbfkGqLLfy2DbjB/ExklgKrk5bLby4XxBr7haICm78qf4jr/56msMPDO+PDMkEZff
         H3HgwGKuspVp0ACLXkVBjyMeIRixs5BxB7V65ro84b7L41Kpm9PCr2vDWmNZg7Y2XH
         XQLGlWb+idXtRCV9x1ZZ2HCCMcNOAge/wStVHodg=
Received: by mail-wr1-f54.google.com with SMTP id e16so3587995wrm.2
        for <linux-kernel@vger.kernel.org>; Sun, 30 Aug 2020 08:37:51 -0700 (PDT)
X-Gm-Message-State: AOAM531SKIVAVtMXQbWPqvKJb7sgbbrqlW35+moh5vuHusgl+cgUv48K
        fC9LJzt6nTKdAC8jfiOZJwq7Wuq4VLLusRDnvgXDsg==
X-Received: by 2002:a5d:6a47:: with SMTP id t7mr1252760wrw.75.1598801870331;
 Sun, 30 Aug 2020 08:37:50 -0700 (PDT)
MIME-Version: 1.0
References: <875z98jkof.fsf@nanos.tec.linutronix.de> <3babf003-6854-e50a-34ca-c87ce4169c77@citrix.com>
 <20200825043959.GF15046@sjchrist-ice> <CALCETrUP1T2k3UzZMsXMfAD83xbYEG+nAv3a-LeBjNW+=ijJAg@mail.gmail.com>
 <20200825171903.GA20660@sjchrist-ice> <CALCETrWy2x-RByfknjjKxRbE0LBPk2Ugj1d58xYHb91ogbfnvA@mail.gmail.com>
 <20200826191644.GC21065@sjchrist-ice>
In-Reply-To: <20200826191644.GC21065@sjchrist-ice>
From:   Andy Lutomirski <luto@kernel.org>
Date:   Sun, 30 Aug 2020 08:37:39 -0700
X-Gmail-Original-Message-ID: <CALCETrUwqka6M9wxkwFYvq-5Byi8JFiiPNRdYQRw3_2m1hXd0w@mail.gmail.com>
Message-ID: <CALCETrUwqka6M9wxkwFYvq-5Byi8JFiiPNRdYQRw3_2m1hXd0w@mail.gmail.com>
Subject: Re: TDX #VE in SYSCALL gap (was: [RFD] x86: Curing the exception and
 syscall trainwreck in hardware)
To:     Sean Christopherson <sean.j.christopherson@intel.com>
Cc:     Andy Lutomirski <luto@kernel.org>,
        Andrew Cooper <andrew.cooper3@citrix.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        LKML <linux-kernel@vger.kernel.org>, X86 ML <x86@kernel.org>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Tom Lendacky <thomas.lendacky@amd.com>,
        Pu Wen <puwen@hygon.cn>,
        Stephen Hemminger <sthemmin@microsoft.com>,
        Sasha Levin <alexander.levin@microsoft.com>,
        Dirk Hohndel <dirkhh@vmware.com>,
        Jan Kiszka <jan.kiszka@siemens.com>,
        Tony W Wang-oc <TonyWWang-oc@zhaoxin.com>,
        "H. Peter Anvin" <hpa@linux.intel.com>,
        Asit Mallick <asit.k.mallick@intel.com>,
        Gordon Tetlow <gordon@tetlows.org>,
        David Kaplan <David.Kaplan@amd.com>,
        Tony Luck <tony.luck@intel.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Aug 26, 2020 at 12:16 PM Sean Christopherson
<sean.j.christopherson@intel.com> wrote:
>
> On Tue, Aug 25, 2020 at 10:28:53AM -0700, Andy Lutomirski wrote:
> > On Tue, Aug 25, 2020 at 10:19 AM Sean Christopherson
> > <sean.j.christopherson@intel.com> wrote:
> > > One thought would be to have the TDX module (thing that runs in SEAM and
> > > sits between the VMM and the guest) provide a TDCALL (hypercall from guest
> > > to TDX module) to the guest that would allow the guest to specify a very
> > > limited number of GPAs that must never generate a #VE, e.g. go straight to
> > > guest shutdown if a disallowed GPA would go pending.  That seems doable
> > > from a TDX perspective without incurring noticeable overhead (assuming the
> > > list of GPAs is very small) and should be easy to to support in the guest,
> > > e.g. make a TDCALL/hypercall or two during boot to protect the SYSCALL
> > > page and its scratch data.
> >
> > I guess you could do that, but this is getting gross.  The x86
> > architecture has really gone off the rails here.
>
> Does it suck less than using an IST?  Honest question.
>
> I will add my voice to the "fix SYSCALL" train, but the odds of that getting
> a proper fix in time to intercept TDX are not good.  On the other hand,
> "fixing" the SYSCALL issue in the TDX module is much more feasible, but only
> if we see real value in such an approach as opposed to just using an IST.  I
> personally like the idea of a TDX module solution as I think it would be
> simpler for the kernel to implement/support, and would mean we wouldn't need
> to roll back IST usage for #VE if the heavens should part and bestow upon us
> a sane SYSCALL.

There's no such thing as "just" using an IST.  Using IST opens a huge
can of works due to its recursion issues.

The TDX module solution is utterly gross but may well suck less than
using an IST.