Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp472097pxu; Thu, 7 Jan 2021 09:28:51 -0800 (PST) X-Google-Smtp-Source: ABdhPJywX2gW6Dnf17eSUKieCgrAtInSg5gYnGXsKJJhLTBOMzT92e06awS3lkwvAHwfU7gCxa0/ X-Received: by 2002:a17:906:94d4:: with SMTP id d20mr6994081ejy.475.1610040531212; Thu, 07 Jan 2021 09:28:51 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1610040531; cv=none; d=google.com; s=arc-20160816; b=OAdbRN5sKt52r3wMde8H2UYc3d6eQGdSoUyiF+3qN7h1CNt+VE0gRy0/EVOE94y9/l 32RO6idEf7veRNO1zfRe3SvtwpdMTvYlICaiLhgkZHDBeTnSTJ8n+RaC0wR72m/KaMyV eLCdUqMC2oHmQje6eoagpV8mPoIApCS+HEEXlDpfuBuNNCBVq8+3vBux38ke1jcoCxPm CbdUJQ5PQe/OU47rk6lRtUS9mdmwAiiEW0XQ95D9QV5nLjNaVDQldp627hmv6CYC6OR+ OSi6GHMRhveA3PBFFa3m2TrQDkvYOvf/CFdukEGWZEBkwHottLZC9MDf9hFux9D0POdv po7A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=6lWkPYmqT0bK/p92szu7J/reIaTk7BKnOinjKdXvDN8=; b=brBlEiVRhES9OWdidCxMp6d1IyxTdo8eiEse/Fs19AkUqDAbAZLHj8SU8+lLN+SBxG qVDwe0G7G9mkcA4Twz+NuZ9I4A1s8+HPwK0YsKESUyDwQXRqWuhlPAnqq6x/oavA0qX4 DvjNS5rq/dDivhTDaAfgMkPzzLaehGqQHASb6bm2zHocsejTyBsjhuSivumz9iJv52TV zLthq5d90akZo1ZmeZ572Vl251Np2545dPWp6b1QlZ7CRnUrU7UW+0CAgZj5TgpGFFba OQeXNqLONzC64j1zY2tl1wIT5PsstnmCo7kqaFEHuXzzaRAG8reAGHQPeVFowrL4GRU4 S51g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b="H58Wk18/"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id o26si2586150edw.74.2021.01.07.09.28.26; Thu, 07 Jan 2021 09:28:51 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b="H58Wk18/"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729016AbhAGR1P (ORCPT + 99 others); Thu, 7 Jan 2021 12:27:15 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55756 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726436AbhAGR1O (ORCPT ); Thu, 7 Jan 2021 12:27:14 -0500 Received: from mail-pg1-x532.google.com (mail-pg1-x532.google.com [IPv6:2607:f8b0:4864:20::532]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F209FC0612F5 for ; Thu, 7 Jan 2021 09:26:33 -0800 (PST) Received: by mail-pg1-x532.google.com with SMTP id i7so5398243pgc.8 for ; Thu, 07 Jan 2021 09:26:33 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=6lWkPYmqT0bK/p92szu7J/reIaTk7BKnOinjKdXvDN8=; b=H58Wk18/UoqqmlC3FTHkIhsh5gQb7JOahE4qtlxf2WAsFOWRKSWzfyzBQUG4a1T4Xr NIvrYLeLcsaP/9EJtK6gnVr4ygLmGlPWDKCCijCB0Cc1SKVu6GS4QvJHE/KXSfLxu0zW TlEhQ3AvR+4kpFRhII6qUaLoipkhhQy03/rtDmPoQq+MqYWvdJf7NtyQP1nHw7NzY+cM iV4tiF+t5aGrrOEdbCYSS3YoakbJVvD0mw8IQLQ9I8upo81SZmJ9/N55LOwrwJ1nC3HV KZd9PUL73CyNUCwYGDFMTdoDKtUto+iWIezfC9NJtUlfqBNHCr4yZeojX9xaZP+xNBQG OwoA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=6lWkPYmqT0bK/p92szu7J/reIaTk7BKnOinjKdXvDN8=; b=pZEOHvEkEq6eRVAzeQqf18VFI69OsoZEyZ3YzsNfl/z5mIPqJTKqxMAMtfIpOKfr48 fN0ykKRX5DdWQL+QdzHyEytyagEAYLJFIBOe6yfoZFGKZcTGeu6P/nVXitVhA7atXSMq YPTQ5V4r/h7slgGopxF/DMhzTV4d4XU8kyZRdI6d49VNqHXw1PPUnUTBpyNdkXgr01cw hKzX9VBimMaFqG+azUPLIOan+Uj1ry5+UftKsZpAsJPNE5Rr95Iqrghei+Tz6jmTkkK0 rdndUGPs5lV4lKp6Si4Wu5SinGum9GgwjddLWu1zfPDOkYcnzJHJQydAHrZ0v2sKhAQC S5+A== X-Gm-Message-State: AOAM530gVBbRXBmHp/mI+fQw94oIRoBZOby2CXw9YGguRMQr+9BFuIP4 EN4zUUVbfP4sWFma6Hk5YBm2RA== X-Received: by 2002:a63:7402:: with SMTP id p2mr2866216pgc.101.1610040393358; Thu, 07 Jan 2021 09:26:33 -0800 (PST) Received: from google.com ([2620:15c:f:10:1ea0:b8ff:fe73:50f5]) by smtp.gmail.com with ESMTPSA id z5sm6581160pff.44.2021.01.07.09.26.31 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 07 Jan 2021 09:26:32 -0800 (PST) Date: Thu, 7 Jan 2021 09:26:25 -0800 From: Sean Christopherson To: Ashish Kalra Cc: Steve Rutherford , "Dr. David Alan Gilbert" , "Singh, Brijesh" , Paolo Bonzini , Thomas Gleixner , Ingo Molnar , "H. Peter Anvin" , Joerg Roedel , Borislav Petkov , "Lendacky, Thomas" , X86 ML , KVM list , LKML , "dovmurik@linux.vnet.ibm.com" , "tobin@ibm.com" , "jejb@linux.ibm.com" , "frankeh@us.ibm.com" , jon.grimm@amd.com Subject: Re: [PATCH v2 1/9] KVM: x86: Add AMD SEV specific Hypercall3 Message-ID: References: <765f86ae-7c68-6722-c6e0-c6150ce69e59@amd.com> <20201211225542.GA30409@ashkalra_ubuntu_server> <20201212045603.GA27415@ashkalra_ubuntu_server> <20201218193956.GJ2956@work-vm> <20201218195641.GL2956@work-vm> <20210106230555.GA13999@ashkalra_ubuntu_server> <20210107170728.GA16965@ashkalra_ubuntu_server> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210107170728.GA16965@ashkalra_ubuntu_server> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jan 07, 2021, Ashish Kalra wrote: > Hello Steve, > > On Wed, Jan 06, 2021 at 05:01:33PM -0800, Steve Rutherford wrote: > > Avoiding an rbtree for such a small (but unstable) list seems correct. > > > > For the unencrypted region list strategy, the only questions that I > > have are fairly secondary. > > - How should the kernel upper bound the size of the list in the face > > of malicious guests, but still support large guests? (Something > > similar to the size provided in the bitmap API would work). > > I am thinking of another scenario, where a malicious guest can make > infinite/repetetive hypercalls and DOS attack the host. > > But probably this is a more generic issue, this can be done by any guest > and under any hypervisor, i don't know what kind of mitigations exist > for such a scenario ? > > Potentially, the guest memory donation model can handle such an attack, > because in this model, the hypervisor will expect only one hypercall, > any repetetive hypercalls can make the hypervisor disable the guest ? KVM doesn't need to explicitly bound its tracking structures, it just needs to use GFP_KERNEL_ACCOUNT when allocating kernel memory for the structures so that the memory will be accounted to the task/process/VM. Shadow MMU pages are the only exception that comes to mind; they're still accounted properly, but KVM also explicitly limits them for a variety of reasons. The size of the list will naturally be bounded by the size of the guest; and assuming KVM proactively merges adjancent regions, that upper bound is probably reasonably low compared to other allocations, e.g. the aforementioned MMU pages. And, using a list means a malicious guest will get automatically throttled as the latency of walking the list (to merge/delete existing entries) will increase with the size of the list.