Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp1890919pxb; Mon, 8 Mar 2021 08:46:49 -0800 (PST) X-Google-Smtp-Source: ABdhPJxRoGz4gAhDS5xixjQS7kAJyE6YWqXd50zRxM0VAIcgiaNeSt0co5herfme2WeP4KZNJCJJ X-Received: by 2002:a50:fa42:: with SMTP id c2mr23429679edq.159.1615222009382; Mon, 08 Mar 2021 08:46:49 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1615222009; cv=none; d=google.com; s=arc-20160816; b=wEpuUE36TKckfgX9D3N8/dCgb4jcvsAYaKmHHg5QH4bl9nxU9IeQl4yrDEHTOZHuu4 8SAbNrJYSFOc7S/f4q3rtfFVLa7LPtCS+kz9NTwCJqg0iVndwVImBNxY2uhkKd4WT1t/ PPVefU+lejvsBg8QwIuj0YD1IgUVY3gI02yjOBlnKO8mfX9+xdK+0ww3ZfzKZLfc4rh7 uCuhBSsdH0L3gtI0zbGSxdTN+X6Hj+5WXhOZRtkf4TphJfWjZWMzsta4jR2xVMmCSoBy CW88frGPz+a7cmK/SzQYH0s1WPxhqgP7rMG+bIpErpAW+8ztpSkbujQTD85dFY/vQCVC 51PQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=iLW4p27vj1YK1a09zBC63IOwGVQvzr8I/pdVVsxQoyM=; b=Cv/ApfDuWLaFcRg877BmVxrV9/Z8VC4eD0JzwzHALsUD8eJdYVFGMRdZ9O5oBCqJ5m AdqeNIZe3Ng6/5YyAE5NLcwO3wenr70Z9CgosCCORDpL9vuzIpmWR4YyZmZPGZo+dpsC Bw9PCJcqv4aC/kWwcZpPbMzV20DFb1AoksgD4J0PyrwmVqMpNZ2g8+u86qdwvr69EEsg LOJ2ylSiMpRKzdqGb5bWfPDTL5wQSMebQKRJ1M5ck3PnVUecyHyivzmjs7tSv4ivynFi /joQSKXoKUNfZ1gyHVmXQ4FtZyv9YTjiM72nu0Rm14+SOI0DlUzb3SJA0dwxdnf6i3Fl /3vw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=dJZZA9Ky; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id qk3si7336788ejb.638.2021.03.08.08.46.25; Mon, 08 Mar 2021 08:46:49 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=dJZZA9Ky; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230342AbhCHQpH (ORCPT + 99 others); Mon, 8 Mar 2021 11:45:07 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58208 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229790AbhCHQpB (ORCPT ); Mon, 8 Mar 2021 11:45:01 -0500 Received: from mail-pf1-x436.google.com (mail-pf1-x436.google.com [IPv6:2607:f8b0:4864:20::436]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 99562C06174A for ; Mon, 8 Mar 2021 08:45:01 -0800 (PST) Received: by mail-pf1-x436.google.com with SMTP id x7so4106457pfi.7 for ; Mon, 08 Mar 2021 08:45:01 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=iLW4p27vj1YK1a09zBC63IOwGVQvzr8I/pdVVsxQoyM=; b=dJZZA9KySyT/iRgRCP0Bhl/FyT1PTnP/oQUROzUdCz+27QozfYk7TXX3YQCM1EvzQG 5d4NpSsLN4yoBZn9fI503M9osDOH0wP8LNqMgzcs8RLaS0oJHApG34uA/xCSOZPkz4JV GV4Cj6BYqCOGclsSZYFqPcPbJljYX/z5blhYgMYoWbgk5jSVRNg2dE2XTVvRYDj1eYq8 sS0NlmK535hFtBP6wGrugEb+tfREvIB2q9j+lukvtG24NPCKcear49qahGnu6ycmujlz jFva29bsCuU3W6X+/t+plwrbT3AZzvep6sQvaGjKuVfFlmN/YTy+oYpfzTz5F8tosPnU Hb9g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=iLW4p27vj1YK1a09zBC63IOwGVQvzr8I/pdVVsxQoyM=; b=kdsuU1F6kNkXgceYXnTmoaXM7qGFXfQxIRWf0c3daY6FenCE+RoBhO7xMedvvMHjeV 2LY1KC2WE4Byxk4gsBYDVHlK2rayltsHGUxY/HFACRoXvbNagLj7JrohL8ifcSNA6NYd ViSUzml/cjT27Kang/niZd+0/KkWZKkCDNtD/x40sYFQ7FLGnNLLt3yXwjxGknLm9T48 mxezPZiPBriUHVco4JwLUVVMnG9stJMsMIsPtFNGjHhHb2CsDUoxlxQguduKyODKN8BY uuzTibMj5XcGCSwMSch1gaZMN69JBnxix2HTzcs23qioXf9zL8kImsQmF9CEZNEm4RjP sGZA== X-Gm-Message-State: AOAM533SqS6q2noZiCIUiDzg58uLQibby3XDINhe+uoTsQP5j9/93qWX 8oP6IlbSZkoh/k4UB3aCKhqpKbsnPmxanA== X-Received: by 2002:a63:461d:: with SMTP id t29mr20862531pga.192.1615221900941; Mon, 08 Mar 2021 08:45:00 -0800 (PST) Received: from google.com ([2620:15c:f:10:cc8b:42a0:da69:7e82]) by smtp.gmail.com with ESMTPSA id y8sm11651516pfe.36.2021.03.08.08.44.59 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 08 Mar 2021 08:45:00 -0800 (PST) Date: Mon, 8 Mar 2021 08:44:53 -0800 From: Sean Christopherson To: Paolo Bonzini Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org, vkuznets@redhat.com, mlevitsk@redhat.com, Jim Mattson Subject: Re: [PATCH 03/28] KVM: nSVM: inject exceptions via svm_check_nested_events Message-ID: References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Mar 06, 2021, Paolo Bonzini wrote: > On 06/03/21 02:39, Sean Christopherson wrote: > > Unless KVM (L0) knowingly wants to override L1, e.g. KVM_GUESTDBG_* cases, KVM > > shouldn't do a damn thing except forward the exception to L1 if L1 wants the > > exception. > > > > ud_interception() and gp_interception() do quite a bit before forwarding the > > exception, and in the case of #UD, it's entirely possible the #UD will never get > > forwarded to L1. #GP is even more problematic because it's a contributory > > exception, and kvm_multiple_exception() is not equipped to check and handle > > nested intercepts before vectoring the exception, which means KVM will > > incorrectly escalate a #GP->#DF and #GP->#DF->Triple Fault instead of exiting > > to L1. That's a wee bit problematic since KVM also has a soon-to-be-fixed bug > > where it kills L1 on a Triple Fault in L2... > > I agree with the #GP problem, but this is on purpose. For example, if L1 > CPUID has MOVBE and it is being emulated via #UD, L1 would be right to set > MOVBE in L2's CPUID and expect it not to cause a #UD. The opposite is also true, since KVM has no way of knowing what CPU model L1 has exposed to L2. Though admittedly hiding MOVBE is a rather contrived case. But, the other EmulateOnUD instructions that don't have an intercept condition, SYSENTER, SYSEXIT, SYSCALL, and VMCALL, are also suspect. SYS* will mostly do the right thing, though it's again technically possible that KVM will do the wrong thing since KVM doesn't know L2's CPU model. VMCALL is also probably ok in most scenarios, but patching L2's code from L0 KVM is sketchy. > The same is true for the VMware #GP interception case. I highly doubt that will ever work out as intended for the modified IO #GP behavior. The only way emulating #GP in L2 is correct if L1 wants to pass through the capabilities to L2, i.e. the I/O access isn't intercepted by L1. That seems unlikely. If the I/O is is intercepted by L1, bypassing the IOPL and TSS-bitmap checks is wrong and will cause L1 to emulate I/O for L2 userspace that should never be allowed. Odds are there isn't a corresponding emulated port in L1, i.e. there's no major security flaw, but it's far from good behavior. I can see how some of the instructions will kinda sorta work, but IMO forwading them to L1 is much safer, even if it means that L1 will see faults that should be impossible. At least for KVM-on-KVM, those spurious faults are benign since L1 likely also knows how to emulate the #UD and #GP instructions.