Received: by 2002:a05:6a10:a852:0:0:0:0 with SMTP id d18csp1050418pxy; Sat, 1 May 2021 02:11:03 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzwlZbSjxKoSysUI/L70RZ+fkTdLFQW8jOKpgckdfdbAGQhzwUrdYfX9JxDQuSH1L2w26+N X-Received: by 2002:a05:6a00:1a45:b029:27a:8b43:fa2e with SMTP id h5-20020a056a001a45b029027a8b43fa2emr8908718pfv.61.1619860263476; Sat, 01 May 2021 02:11:03 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1619860263; cv=none; d=google.com; s=arc-20160816; b=j7J++k0f2y1mwCaqbrmCJqqIW3J/QX9U7X05h3R6gEtOASN1Zu2VbUeCMMDCQW4rui Db4CFU4jZOa7GRbwaE8Tuv3xHHFKTF2m8sztYToFW3NRzTwEOM151Is3MePNiwhzHuSc Ot1Pjn9Hkhg9mbrxG0oPPeUN9OtlSqbga6BF6pqBV+wUxRzoHpk1cPPj9AMv3KIajR9z l3ibF5fixXedHFTtDD7Ib8dClrQd6i4BN0q4wzsJ8+ag0zFjjogEqz3UrqM31sjDf9Q3 CwjFL5Mc6M+IaAm47ki0GCD3umfuJsxLA10IHS+Qtg0ZnNyzIwAV/uGKHLg2Kw3plUmi FKtg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject:dkim-signature; bh=TDG+TDZoewmymKPtgSjz1RxtoXK5cpceEnvgfqjHUWI=; b=vLfDSo/+8MHQ/TLgmLuhGis1cjhCGT+7+rutzoP4Ijrq3OKtSHfZSdJWtF7HDs6/ZN WEacphOqUt/7XB8S9B3fla0reIFPRzuiJbm1R4rn5Rgu41EolVlmQLba+x9zH6DcUe57 r39932CmQThszxUcinOOb9QZKhPlE/RkGggtPE7hVPCZg+HJ0hC2nDuHdtHYugoimik7 heGfjSjEE9qkFrUlu7aCx9aKVKsMwNscWNkeDtcB3X14LUENOPl/FhFe0oQPSK0Zw7Dh BUhBYAqpDHLJ8V2kJVxiJfBj/rAtnBGTsgawEnKhyob1WXCUPdJjL49P1s26JpsN2fz+ dr8w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b="TnM/E+Xw"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id o4si990401plg.171.2021.05.01.02.10.48; Sat, 01 May 2021 02:11:03 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b="TnM/E+Xw"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231837AbhEAJCE (ORCPT + 99 others); Sat, 1 May 2021 05:02:04 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]:44966 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230117AbhEAJB6 (ORCPT ); Sat, 1 May 2021 05:01:58 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1619859668; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=TDG+TDZoewmymKPtgSjz1RxtoXK5cpceEnvgfqjHUWI=; b=TnM/E+XwTowtwpxdnPL8csEbJJayygZU7MqSXEObJwEMNSlgKWXQy0xgEKSMHXzoLk2IMj LkX4ujBnTj1BtMI57GH8+T+rjsdJGJhsttOFINIUpAKaipOWmepls8PZQivRBPtOJfvsH4 Q3GlAkTSgmaLYg7v7bkQgvG8IBEvuS8= Received: from mail-ej1-f69.google.com (mail-ej1-f69.google.com [209.85.218.69]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-294-f9PqqZ2OO1Gcp3yCRcGTOg-1; Sat, 01 May 2021 05:01:05 -0400 X-MC-Unique: f9PqqZ2OO1Gcp3yCRcGTOg-1 Received: by mail-ej1-f69.google.com with SMTP id r14-20020a1709062cceb0290373a80b4002so71178ejr.20 for ; Sat, 01 May 2021 02:01:04 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=TDG+TDZoewmymKPtgSjz1RxtoXK5cpceEnvgfqjHUWI=; b=DTuRsLkWMdhcIKsGwwJXP6l/Z+FIq1HR5L5h31Eql5sDowkBUqb4xix4GZJkreTGEm lAb9pUwy6F/2IpgDD3+uCD/D2QPeT2z/3TyE4x9XHOdBtboFHsZYz4NZ3hqQc3mB6JD2 u3wGWjFFMOmcMSKiALxghlGNNolhAAVRd9AaoKXKsCcl9inVA+nh4mIpwjpjp5C7DVNP jY+s38FLk4jp61TeHAPPjBwykifupEwwHxvqSncibdqdqlFb2BX/gzmuWVhW9sEpQYlR oveHNQQroFCIt1Qy6ntUr7hdKlR4AiDD+3MbfjrcvI5bRuJ1gwvR9TEevZfK8VWqUcjL Q4LQ== X-Gm-Message-State: AOAM531vEnglF6X+QkA/K7V7hcG8nwKg4GqNDSsdZXXNYMuDsrJ3/xxo YGceMUQZL+EuiV22xs+VZPV3+SnhiVO4mIaxbUM31XjVpUTnEQxuHVNmmD4KCSc/5WtHHjRH0tV LIGxsPdKinKGoNfAW21Iy525t X-Received: by 2002:a05:6402:4242:: with SMTP id g2mr10269029edb.329.1619859663792; Sat, 01 May 2021 02:01:03 -0700 (PDT) X-Received: by 2002:a05:6402:4242:: with SMTP id g2mr10269003edb.329.1619859663500; Sat, 01 May 2021 02:01:03 -0700 (PDT) Received: from ?IPv6:2001:b07:6468:f312:63a7:c72e:ea0e:6045? ([2001:b07:6468:f312:63a7:c72e:ea0e:6045]) by smtp.gmail.com with ESMTPSA id dj17sm1391672edb.7.2021.05.01.02.01.01 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 01 May 2021 02:01:02 -0700 (PDT) Subject: Re: [PATCH v3 2/2] KVM: X86: Introduce KVM_HC_PAGE_ENC_STATUS hypercall To: Sean Christopherson Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org, srutherford@google.com, joro@8bytes.org, brijesh.singh@amd.com, thomas.lendacky@amd.com, ashish.kalra@amd.com, Thomas Gleixner , Ingo Molnar , "H. Peter Anvin" , Borislav Petkov , x86@kernel.org References: <20210429104707.203055-1-pbonzini@redhat.com> <20210429104707.203055-3-pbonzini@redhat.com> From: Paolo Bonzini Message-ID: Date: Sat, 1 May 2021 11:01:01 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.8.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 30/04/21 22:10, Sean Christopherson wrote: > On Thu, Apr 29, 2021, Paolo Bonzini wrote: >> diff --git a/Documentation/virt/kvm/msr.rst b/Documentation/virt/kvm/msr.rst >> index 57fc4090031a..cf1b0b2099b0 100644 >> --- a/Documentation/virt/kvm/msr.rst >> +++ b/Documentation/virt/kvm/msr.rst >> @@ -383,5 +383,10 @@ MSR_KVM_MIGRATION_CONTROL: >> data: >> This MSR is available if KVM_FEATURE_MIGRATION_CONTROL is present in >> CPUID. Bit 0 represents whether live migration of the guest is allowed. >> + >> When a guest is started, bit 0 will be 1 if the guest has encrypted >> - memory and 0 if the guest does not have encrypted memory. >> + memory and 0 if the guest does not have encrypted memory. If the >> + guest is communicating page encryption status to the host using the >> + ``KVM_HC_PAGE_ENC_STATUS`` hypercall, it can set bit 0 in this MSR to >> + allow live migration of the guest. The MSR is read-only if >> + ``KVM_FEATURE_HC_PAGE_STATUS`` is not advertised to the guest. > > I still don't get the desire to tie MSR_KVM_MIGRATION_CONTROL to PAGE_ENC_STATUS > in any way shape or form. I can understand making it read-only or dropping > writes if it's not intercepted by userspace, but making it read-only for > non-encrypted guests makes it useful only for encrypted guests, which defeats > the purpose of genericizing the MSR. Yeah, I see your point. On the other hand by making it unconditionally writable we must implement the writability in KVM, because a read-only implementation would not comply with the spec. >> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c >> index e9c40be9235c..0c2524bbaa84 100644 >> --- a/arch/x86/kvm/x86.c >> +++ b/arch/x86/kvm/x86.c >> @@ -3279,6 +3279,12 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info) >> if (!guest_pv_has(vcpu, KVM_FEATURE_MIGRATION_CONTROL)) >> return 1; >> >> + /* >> + * This implementation is only good if userspace has *not* >> + * enabled KVM_FEATURE_HC_PAGE_ENC_STATUS. If userspace >> + * enables KVM_FEATURE_HC_PAGE_ENC_STATUS it must set up an >> + * MSR filter in order to accept writes that change bit 0. >> + */ >> if (data != !static_call(kvm_x86_has_encrypted_memory)(vcpu->kvm)) >> return 1; > > This behavior doesn't match the documentation. > > a. The MSR is not read-only for legacy guests since they can write '0'. > b. The MSR is not read-only if KVM_FEATURE_HC_PAGE_STATUS isn't advertised, > a guest with encrypted memory can write '1' regardless of whether userspace > has enabled KVM_FEATURE_HC_PAGE_STATUS. Right, I should have said "not changeable" rather than "read-only". > c. The MSR is never fully writable, e.g. a guest with encrypted memory can set > bit 0, but not clear it. This doesn't seem intentional? It is intentional, clearing it would mean preserving the value in the kernel so that userspace can read it. So... I don't know, all in all having both the separate CPUID and the userspace implementation reeks of overengineering. It should be either of these: - separate CPUID bit, MSR unconditionally writable and implemented in KVM. Userspace is expected to ignore the MSR value for encrypted guests unless KVM_FEATURE_HC_PAGE_STATUS is exposed. Userspace should respect it even for unencrypted guests (not a migration-DoS vector, because userspace can just not expose the feature). - make it completely independent from migration, i.e. it's just a facet of MSR_KVM_PAGE_ENC_STATUS saying whether the bitmap is up-to-date. It would use CPUID bit as the encryption status bitmap and have no code at all in KVM (userspace needs to set up the filter and implement everything). At this point I very much prefer the latter, which is basically Ashish's earlier patch. Paolo > Why not simply drop writes? E.g. > > if (data & ~KVM_MIGRATION_READY) > return 1; > break; > > And then do "msr->data = 0;" in the read path. That's just as effective as > making the MSR read-only to force userspace to intercept the MSR if it wants to > do anything useful with the information, and it's easy to document.