From: Aaron Lewis
Date: Wed, 16 Sep 2020 13:13:00 -0700
Subject: Re: [PATCH v6 5/7] KVM: x86: VMX: Prevent MSR passthrough when MSR access is denied
To: Alexander Graf
Cc: Paolo Bonzini, Jonathan Corbet, Sean Christopherson, Vitaly Kuznetsov, Wanpeng Li, Jim Mattson, Joerg Roedel, KarimAllah Raslan, Dan Carpenter, kvm list, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org
References: <20200902125935.20646-1-graf@amazon.com> <20200902125935.20646-6-graf@amazon.com>
X-Mailing-List: linux-kernel@vger.kernel.org

> > > >> + > >> /* > >> * These 2 parameters are used to config the controls for Pause-Loop Exiting: > >> * ple_gap: upper bound on the amount of time between two successive
> >> @@ -622,6 +642,41 @@ static inline bool report_flexpriority(void) > >> return flexpriority_enabled; > >> }
> >
> > One thing that seems to be missing is removing MSRs from the
> > permission bitmap or resetting the permission bitmap to its original
> > state before adding changes on top of it. This would be needed on
> > subsequent calls to kvm_vm_ioctl_set_msr_filter(). When that happens
> > the original changes made by KVM_REQ_MSR_FILTER_CHANGED need to be
> > backed out before applying the new set.
>
> I'm not sure I follow. Subsequent calls to set_msr_filter() will invoke
> the "please reset the whole MSR passthrough bitmap to a consistent
> state" which will then reapply the in-kvm desired state through the
> bitmap and filter state on top on each of those.
>

Yes, you're correct. I discovered this after the fact by adding a test to the selftest I wrote for the deny list system which I revamped to work for your filter system. It proved the permission bitmaps are in fact set as expected on subsequent calls. You can disregard this comment.

As a side note, I'm happy to share the test if you'd like. I also used it to uncover an issue in the first commit of this series.
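
The reset-then-reapply behaviour described in the quoted reply, as a simplified C model added here (not code from the patch series or from KVM). The 8-slot arrays, `struct vm_model`, `set_filter()`, `recompute_bitmap()` and the sample filters are all constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define NR_MSRS 8 /* constructed toy size, not the real VMX MSR bitmap layout */

struct vm_model {
    bool want_passthrough[NR_MSRS]; /* in-kernel desired state */
    bool filter_allow[NR_MSRS];     /* filter most recently set by userspace */
    bool intercept[NR_MSRS];        /* effective permission bitmap */
};
/* Constructed sample filters: each allows every MSR except one. */
static const bool DENY_MSR1[NR_MSRS] = { 1, 0, 1, 1, 1, 1, 1, 1 };
static const bool DENY_MSR5[NR_MSRS] = { 1, 1, 1, 1, 1, 0, 1, 1 };

/* Reset to "intercept everything", then pass through only MSRs that are
 * both wanted by the kernel and allowed by the current filter. */
static void recompute_bitmap(struct vm_model *vm)
{
    for (size_t i = 0; i < NR_MSRS; i++)
        vm->intercept[i] = true;
    for (size_t i = 0; i < NR_MSRS; i++)
        if (vm->want_passthrough[i] && vm->filter_allow[i])
            vm->intercept[i] = false;
}

/* Hypothetical stand-in for a set-filter call: replace filter, rebuild. */
static void set_filter(struct vm_model *vm, const bool *allow)
{
    for (size_t i = 0; i < NR_MSRS; i++)
        vm->filter_allow[i] = allow[i];
    recompute_bitmap(vm);
}

/* Intercept mask (bit i = MSR i intercepted) after an optional first
 * filter followed by a second one; the kernel wants MSRs 1, 2 and 5. */
static uint8_t mask_after(const bool *first, const bool *second)
{
    struct vm_model vm = { .want_passthrough = { [1] = true, [2] = true, [5] = true } };
    uint8_t mask = 0;
    if (first) set_filter(&vm, first);
    set_filter(&vm, second);
    for (size_t i = 0; i < NR_MSRS; i++)
        mask |= (uint8_t)(vm.intercept[i] << i);
    return mask;
}

int main(void)
{
    printf("deny1 then deny5: 0x%02x, deny5 only: 0x%02x\n", mask_after(DENY_MSR1, DENY_MSR5), mask_after(NULL, DENY_MSR5));
    return 0;
}
```

In this model MSR 1, denied by the first filter, is passed through again after the second call, and the result matches applying the second filter to a fresh VM, so nothing from the earlier filter needs to be backed out separately.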