Date: Tue, 4 May 2021 22:10:10 +0000
From: Sean Christopherson
To: Jim Mattson
Cc: Paolo Bonzini, Vitaly Kuznetsov, Wanpeng Li, Joerg Roedel, kvm list, LKML, Xiaoyao Li, Reiji Watanabe
Subject: Re: [PATCH 03/15] KVM: SVM: Inject #UD on RDTSCP when it should be disabled in the guest
References: <20210504171734.1434054-1-seanjc@google.com> <20210504171734.1434054-4-seanjc@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, May 04, 2021, Jim Mattson wrote:
> On Tue, May 4, 2021 at 2:53 PM Sean Christopherson wrote:
> >
> > On Tue, May 04, 2021, Jim Mattson wrote:
> > > On Tue, May 4, 2021 at 10:17 AM Sean Christopherson wrote:
> > > >
> > > > Intercept RDTSCP to inject #UD if RDTSC is disabled in the guest.
> > > >
> > > > Note, SVM does not support intercepting RDPID.  Unlike VMX's
> > > > ENABLE_RDTSCP control, RDTSCP interception does not apply to RDPID.  This
> > > > is a benign virtualization hole as the host kernel (incorrectly) sets
> > > > MSR_TSC_AUX if RDTSCP is supported, and KVM loads the guest's MSR_TSC_AUX
> > > > into hardware if RDTSCP is supported in the host, i.e. KVM will not leak
> > > > the host's MSR_TSC_AUX to the guest.
> > > >
> > > > But, when the kernel bug is fixed, KVM will start leaking the host's
> > > > MSR_TSC_AUX if RDPID is supported in hardware, but RDTSCP isn't available
> > > > for whatever reason.  This leak will be remedied in a future commit.
> > > >
> > > > Fixes: 46896c73c1a4 ("KVM: svm: add support for RDTSCP")
> > > > Cc: stable@vger.kernel.org
> > > > Signed-off-by: Sean Christopherson
> > > > ---
> > >
> > > ...
> > > > @@ -4007,8 +4017,7 @@ static void svm_vcpu_after_set_cpuid(struct kvm_vcpu *vcpu)
> > > >         svm->nrips_enabled = kvm_cpu_cap_has(X86_FEATURE_NRIPS) &&
> > > >                              guest_cpuid_has(vcpu, X86_FEATURE_NRIPS);
> > > >
> > > > -       /* Check again if INVPCID interception if required */
> > > > -       svm_check_invpcid(svm);
> > > > +       svm_recalc_instruction_intercepts(vcpu, svm);
> > >
> > > Does the right thing happen here if the vCPU is in guest mode when
> > > userspace decides to toggle the CPUID.80000001H:EDX.RDTSCP bit on or
> > > off?
> >
> > I hate our terminology.  By "guest mode", do you mean running the vCPU, or do
> > you specifically mean running in L2?
>
> I mean is_guest_mode(vcpu) is true (i.e. running L2).

No, it will not do the right thing, whatever "right thing" even means in this
context.  That's a pre-existing issue, e.g. INVPCID handling is also wrong.  I
highly doubt VMX does, or even can, do the right thing either.

I'm pretty sure I lobbied in the past to disallow KVM_SET_CPUID* if the vCPU is
in guest mode since it's impossible to do the right thing without forcing an exit
to L1, e.g. changing MAXPHYSADDR will allow running L2 with an illegal CR3, ditto
for various CR4 bits.
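Review bot: the hunk in svm_vcpu_after_set_cpuid() drops the only comment explaining why intercepts are rechecked here ("Check again if INVPCID interception if required") and replaces the INVPCID-specific call with svm_recalc_instruction_intercepts(vcpu, svm) without saying what that helper now covers. Since the commit message adds RDTSCP to the set of instructions whose intercept depends on guest CPUID, a one-line comment such as "/* Recompute INVPCID/RDTSCP intercepts, which depend on guest CPUID */" above the new call would keep the intent visible at the call site, and would also make it obvious to a reader that the recalculation runs on the current VMCB regardless of is_guest_mode(vcpu), which is the concern raised in the thread.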
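The following is an added model, written for this note and not KVM's code, of the two decisions the commit message and the thread describe: recomputing the RDTSCP intercept from guest CPUID, and the condition under which an unintercepted RDPID would read the host's MSR_TSC_AUX. The struct fields and function names are assumptions standing in for kvm_cpu_cap_has() and guest_cpuid_has().

```c
#include <stdbool.h>

/* Constructed model of the SVM behaviour discussed in the thread; this is
 * not KVM code.  The booleans stand in for kvm_cpu_cap_has() (host side)
 * and guest_cpuid_has() (guest CPUID as set by userspace). */
struct vcpu_model {
    bool host_rdtscp;          /* host kernel and hardware support RDTSCP */
    bool host_rdpid;           /* hardware supports RDPID */
    bool guest_rdtscp;         /* CPUID.80000001H:EDX.RDTSCP exposed to guest */
    bool intercept_rdtscp;     /* VMCB intercept bit, recomputed after set_cpuid */
    bool guest_tsc_aux_loaded; /* guest MSR_TSC_AUX currently in hardware */
};

/* Model of what runs after KVM_SET_CPUID: SVM has no RDPID intercept, so
 * only RDTSCP can be trapped, and it is trapped exactly when the guest's
 * CPUID says the instruction is absent. */
void recalc_instruction_intercepts(struct vcpu_model *v)
{
    v->intercept_rdtscp = !v->guest_rdtscp;
}

/* Model exit handler: 1 means #UD is injected, 0 means RDTSCP ran natively. */
int rdtscp_exit_injects_ud(const struct vcpu_model *v)
{
    return v->intercept_rdtscp ? 1 : 0;
}

/* Model vcpu_load: the guest's MSR_TSC_AUX reaches hardware only when the
 * host supports RDTSCP, the gating the commit message describes. */
void load_guest_msrs(struct vcpu_model *v)
{
    v->guest_tsc_aux_loaded = v->host_rdtscp;
}

/* Whether a guest RDPID would observe the host's MSR_TSC_AUX.  Today the
 * host kernel writes MSR_TSC_AUX only when RDTSCP is supported (the "kernel
 * bug"), so the host value is never live unless the guest's was loaded too.
 * Once the host also writes it on RDPID-only parts, the hole opens. */
bool rdpid_leaks_host_tsc_aux(const struct vcpu_model *v, bool host_bug_fixed)
{
    bool host_writes_tsc_aux = host_bug_fixed
                               ? (v->host_rdtscp || v->host_rdpid)
                               : v->host_rdtscp;
    return v->host_rdpid && host_writes_tsc_aux && !v->guest_tsc_aux_loaded;
}
```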