Received: by 2002:a05:6a10:6744:0:0:0:0 with SMTP id w4csp3776767pxu; Mon, 19 Oct 2020 23:23:45 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwPcrkmuMP4zQpjL26PtO1Flq7/QMiNqX1No60GaBdvA2jbcTdqQzv6p7yk8wZuFE2Oj4Us X-Received: by 2002:a17:906:a1d4:: with SMTP id bx20mr1566322ejb.262.1603175025556; Mon, 19 Oct 2020 23:23:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1603175025; cv=none; d=google.com; s=arc-20160816; b=eQN7U14RKrvmWaWwB4k4VGlOgkx1Z/uw8ZUa40mRw5QDdhqsolDMFdye7WdBSbmsku CxxobUeUgFjLxYKq/kE436zKGeGc7nS7aQTOqkoQS3RiUr4PWqMZlgCRxwlP5qGO9U2w 8G9C1bdrdj9v+9gtKxpV/bZSyoy0ycNLlc75xBdy2QNtnzEJzTQu92ZWdutUhdfJMn+v iz0EBbgUqS9GlYqEmXkQIW2AapabDQpyJ467LQYiljEy0k4TEgtnEgu7Dfw//5+a2u7D vEkVNzn13bKADGyFkNiB2pnNvktuiQxuVWL1Vn3qsgDMlFVL3V6zkiB48qsICS5X6pqR EPiA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :content-language:accept-language:in-reply-to:references:message-id :date:thread-index:thread-topic:subject:cc:to:from:dkim-signature; bh=t1VzdQy2NBR4DKX4hGEZc6mXqEZFpQga7kkpLT4rmc8=; b=WZobUEtPLltBESahpGxrw4JZziE+mMATcrGNKm6M0/UE/w7OYk15nFGh5gd1LAbntO oJzs9bNWzABd+WKHvHkEw95zuqn9RDxQyFZl7JijidIX3fDRwG9EydsORgq7QM9HG3Rr nBx/F7lSAQ4/yhi3ecBhAeovPK9PJkx+fz6AxOWybdUrRIPBoyFotWXRoZc2UR2OjGD7 8Hup27bhdqm81/ip6XcDd+UxqwIipiwxoLDJE1mu1MZVjlJrNf9E2U3TzObXU3St5/xT QWAXwtINSwUXakKk58IDll/UpH0r/GhWiJvB8ZhOytteJhubKHETDnDOMiPScfLjNby5 ek5w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@amazon.de header.s=amazon201209 header.b=TCg8FOze; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amazon.de Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id m25si572082ejr.600.2020.10.19.23.23.23; Mon, 19 Oct 2020 23:23:45 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@amazon.de header.s=amazon201209 header.b=TCg8FOze; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amazon.de Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729895AbgJSRx2 (ORCPT + 99 others); Mon, 19 Oct 2020 13:53:28 -0400 Received: from smtp-fw-6002.amazon.com ([52.95.49.90]:51958 "EHLO smtp-fw-6002.amazon.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726005AbgJSRx1 (ORCPT ); Mon, 19 Oct 2020 13:53:27 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.de; i=@amazon.de; q=dns/txt; s=amazon201209; t=1603130007; x=1634666007; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version:content-transfer-encoding; bh=t1VzdQy2NBR4DKX4hGEZc6mXqEZFpQga7kkpLT4rmc8=; b=TCg8FOzew02DO5a13rWdSKO9NZtRrKoRi2GGGTmJvVkWStJneIQOUy3O 37CM/nP0UZtYQYEMJ6gluV+L1evw+meBp0AFkRi9Lm9aPPwdLowh/UKKI 5ZMeVkCNzKIlVL/8mHlc1R1EE510MZQexFjttQViAd1rGCYrJpRcL+I8j w=; X-IronPort-AV: E=Sophos;i="5.77,395,1596499200"; d="scan'208";a="60609562" Received: from iad12-co-svc-p1-lb1-vlan3.amazon.com (HELO email-inbound-relay-2c-76e0922c.us-west-2.amazon.com) ([10.43.8.6]) by smtp-border-fw-out-6002.iad6.amazon.com with ESMTP; 19 Oct 2020 17:45:59 +0000 Received: from EX13MTAUWC002.ant.amazon.com (pdx4-ws-svc-p6-lb7-vlan2.pdx.amazon.com [10.170.41.162]) by email-inbound-relay-2c-76e0922c.us-west-2.amazon.com (Postfix) with ESMTPS id 2ED3EA86EB; Mon, 19 Oct 2020 17:45:55 +0000 (UTC) Received: from EX13D20UWC002.ant.amazon.com (10.43.162.163) by EX13MTAUWC002.ant.amazon.com (10.43.162.240) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Mon, 19 Oct 2020 17:45:54 +0000 Received: from EX13D20UWC001.ant.amazon.com (10.43.162.244) by EX13D20UWC002.ant.amazon.com (10.43.162.163) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Mon, 19 Oct 2020 17:45:54 +0000 Received: from EX13D20UWC001.ant.amazon.com ([10.43.162.244]) by EX13D20UWC001.ant.amazon.com ([10.43.162.244]) with mapi id 15.00.1497.006; Mon, 19 Oct 2020 17:45:54 +0000 From: "Graf (AWS), Alexander" To: Paolo Bonzini CC: "linux-kernel@vger.kernel.org" , "kvm@vger.kernel.org" , Aaron Lewis , Peter Xu , Sean Christopherson Subject: Re: [PATCH] KVM: VMX: Forbid userspace MSR filters for x2APIC Thread-Topic: [PATCH] KVM: VMX: Forbid userspace MSR filters for x2APIC Thread-Index: AQHWpj+x3+JT+Cl9gkCqCDyMCFO5/w== Date: Mon, 19 Oct 2020 17:45:54 +0000 Message-ID: <618E2129-7AB5-4F0D-A6C9-E782937FE935@amazon.de> References: <20201019170519.1855564-1-pbonzini@redhat.com> In-Reply-To: <20201019170519.1855564-1-pbonzini@redhat.com> Accept-Language: en-US Content-Language: de-DE X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-exchange-transport-fromentityheader: Hosted Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > Am 19.10.2020 um 19:08 schrieb Paolo Bonzini : > = > Allowing userspace to intercept reads to x2APIC MSRs when APICV is > fully enabled for the guest simply can't work. But more in general, > if the LAPIC is in-kernel, allowing accessed by userspace would be very > confusing. If userspace wants to intercept x2APIC MSRs, then it should > first disable in-kernel APIC. > = > We could in principle allow userspace to intercept reads and writes to TP= R, > and writes to EOI and SELF_IPI, but while that could be made it work, it > would still be silly. > = > Cc: Alexander Graf > Cc: Aaron Lewis > Cc: Peter Xu > Cc: Sean Christopherson > Signed-off-by: Paolo Bonzini > --- > arch/x86/kvm/x86.c | 17 +++++++++++++++++ > 1 file changed, 17 insertions(+) > = > diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c > index c4015a43cc8a..0faf733538f4 100644 > --- a/arch/x86/kvm/x86.c > +++ b/arch/x86/kvm/x86.c > @@ -5246,6 +5246,13 @@ static int kvm_add_msr_filter(struct kvm *kvm, str= uct kvm_msr_filter_range *user > return r; > } > = > +static bool range_overlaps_x2apic(struct kvm_msr_filter_range *range) > +{ > + u32 start =3D range->base; > + u32 end =3D start + range->nmsrs; > + return start <=3D 0x8ff && end > 0x800; > +} > + > static int kvm_vm_ioctl_set_msr_filter(struct kvm *kvm, void __user *argp) > { > struct kvm_msr_filter __user *user_msr_filter =3D argp; > @@ -5257,6 +5264,16 @@ static int kvm_vm_ioctl_set_msr_filter(struct kvm = *kvm, void __user *argp) > if (copy_from_user(&filter, user_msr_filter, sizeof(filter))) > return -EFAULT; > = > + /* > + * In principle it would be possible to trap x2apic ranges > + * if !lapic_in_kernel. This however would be complicated > + * because KVM_X86_SET_MSR_FILTER can be called before > + * KVM_CREATE_IRQCHIP or KVM_ENABLE_CAP. > + */ > + for (i =3D 0; i < ARRAY_SIZE(filter.ranges); i++) > + if (range_overlaps_x2apic(&filter.ranges[i])) > + return -EINVAL; What if the default action of the filter is to "deny"? Then only an MSR fil= ter to allow access to x2apic MSRs would make the full filtering logic adhe= re to the constraints, no? Also, this really deserves a comment in the API documentation :). In fact, I think a pure comment in documentation is enough. Just make x2api= c && filter on them "undefined behavior". Alex > + > kvm_clear_msr_filter(kvm); > = > default_allow =3D !(filter.flags & KVM_MSR_FILTER_DEFAULT_DENY); > -- > 2.26.2 > = Amazon Development Center Germany GmbH Krausenstr. 38 10117 Berlin Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss Eingetragen am Amtsgericht Charlottenburg unter HRB 149173 B Sitz: Berlin Ust-ID: DE 289 237 879