Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp265079pxb; Mon, 2 Nov 2020 21:37:29 -0800 (PST) X-Google-Smtp-Source: ABdhPJxnhFvwFVdFdPoBEt6RvEZMF4vZkLcvhkd0KQqVOhNpcyPNBG6X49HqiiQzGcRR0MdZ9PNf X-Received: by 2002:a50:f98b:: with SMTP id q11mr6242475edn.345.1604381849222; Mon, 02 Nov 2020 21:37:29 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1604381849; cv=none; d=google.com; s=arc-20160816; b=UuQT01gueRC1RAR+yOD7IaZPek3Y7IhT7td55rWiYlH4r2ZFZ6gJhB8dBZOpBZBeAy Z2ZpRmD/N6GrhdyuTFQdrv8nLWOK6g7pWm+4M26uuoGknDV/iVePeuQx8Xt4YMEuKyHL Jsd/LDg925BPAGG5r63RzeNBWDyjuiVhn3RYAZHRH7EekGxpsqioCA4jBxPtV/744Raa /1biDwV/MMRa7arBhFlbMqqFP5tCEU44Bq1GC8d4ZdNDW7i2FLhBDVX1Dn77kVJACGKL ppi1Gy2E9gums8P0kOjzuhMBxPUOSCJoGJhVDT7RupLFCt7xMUhqHrDU+G8/NA+/M7Nq zHkg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject:ironport-sdr:ironport-sdr; bh=5rWURXupPKpz/URSJXmq3rYrZMsN2ViCEbi3CSHIjfQ=; b=coZrD8rAtYu9mul/JfwQU/51Cub7LXT5Oh6kcrO4v6fmYWlK7F1J/ia8IY/19+iVQK 8WW9ftaVbykbFapiU0rus2xU1nfc7zJrXpGuTGy9vrUUMrkfefVXwfjr2MZz5dZ4Edjp yqle8VkP2qIxxHOT1Xr4B0M+qbA3dqC+spNBuB5tV7/5yBw3IgVUiv3PsjEJVMrlXzq+ KuCzp8a23kSdCajWXWkL/2d404GdlqX1dcx+j3VPmzCrFjz0NusX9hBXufWFC7NwjpCS QXJGI2tIHCB0fZh79qaRlAy5+Ab4uuU/BHFZ6T+FX1sIhOGBMKqHQwW0GXaItKEr8zjH rekw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id p14si5637883ejg.51.2020.11.02.21.37.06; Mon, 02 Nov 2020 21:37:29 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727308AbgKCFfM (ORCPT + 99 others); Tue, 3 Nov 2020 00:35:12 -0500 Received: from mga11.intel.com ([192.55.52.93]:45876 "EHLO mga11.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725934AbgKCFfM (ORCPT ); Tue, 3 Nov 2020 00:35:12 -0500 IronPort-SDR: /8G/iwx1jS1P9pvqL/CYU12LHgN0LireLJQsJW6R3YR1Hr7bDIieiIoSKKmXq5Idsoz4gZtV7I /cnFd3tpUeTA== X-IronPort-AV: E=McAfee;i="6000,8403,9793"; a="165498172" X-IronPort-AV: E=Sophos;i="5.77,447,1596524400"; d="scan'208";a="165498172" X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga004.fm.intel.com ([10.253.24.48]) by fmsmga102.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 02 Nov 2020 21:35:11 -0800 IronPort-SDR: pvXmgZq8pEXonYygE2Xdqk69XDdFwn87bm3Tg7b+fGG1MIhdL2gAzuDXzcaic8ZnrtsOLoFU1f b8Qae/eTGlUw== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.77,447,1596524400"; d="scan'208";a="353081268" Received: from unknown (HELO [0.0.0.0]) ([10.109.19.69]) by fmsmga004.fm.intel.com with ESMTP; 02 Nov 2020 21:35:08 -0800 Subject: Re: [PATCH] KVM: VMX: Enable Notify VM exit To: Sean Christopherson , Andy Lutomirski Cc: Paolo Bonzini , Vitaly Kuznetsov , Wanpeng Li , Jim Mattson , Joerg Roedel , Thomas Gleixner , Ingo Molnar , Borislav Petkov , "H. Peter Anvin" , X86 ML , kvm list , LKML , Xiaoyao Li References: <20201102061445.191638-1-tao3.xu@intel.com> <20201102173130.GC21563@linux.intel.com> From: Tao Xu Message-ID: <34576238-eedf-4a94-880a-c961d2d5b237@intel.com> Date: Tue, 3 Nov 2020 13:35:08 +0800 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0 MIME-Version: 1.0 In-Reply-To: <20201102173130.GC21563@linux.intel.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 11/3/20 1:31 AM, Sean Christopherson wrote: > On Mon, Nov 02, 2020 at 08:43:30AM -0800, Andy Lutomirski wrote: >> On Sun, Nov 1, 2020 at 10:14 PM Tao Xu wrote: >>> 2. Another patch to disable interception of #DB and #AC when notify >>> VM-Exiting is enabled. >> >> Whoa there. >> >> A VM control that says "hey, CPU, if you messed up and livelocked for >> a long time, please break out of the loop" is not a substitute for >> fixing the livelocks. So I don't think you get do disable >> interception of #DB and #AC. > > I think that can be incorporated into a module param, i.e. let the platform > owner decide which tool(s) they want to use to mitigate the legacy architecture > flaws. > >> I also think you should print a loud warning > > I'm not so sure on this one, e.g. userspace could just spin up a new instance > if its malicious guest and spam the kernel log. > >> and have some intelligent handling when this new exit triggers. > > We discussed something similar in the context of the new bus lock VM-Exit. I > don't know that it makes sense to try and add intelligence into the kernel. > In many use cases, e.g. clouds, the userspace VMM is trusted (inasmuch as > userspace can be trusted), while the guest is completely untrusted. Reporting > the error to userspace and letting the userspace stack take action is likely > preferable to doing something fancy in the kernel. > > > Tao, this patch should probably be tagged RFC, at least until we can experiment > with the threshold on real silicon. KVM and kernel behavior may depend on the > accuracy of detecting actual attacks, e.g. if we can set a threshold that has > zero false negatives and near-zero false postives, then it probably makes sense > to be more assertive in how such VM-Exits are reported and logged. > Sorry, I should add RFC tag for this patch. I will add it next time.