Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp282582pxj; Thu, 3 Jun 2021 06:38:27 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxBuoSgPf43VN8Ttz3vGZ8IH79eyTVrCs2KtFL4bF5cJB9gNj13HlUbtYXSjsDlmsULgQMc X-Received: by 2002:a05:6402:430b:: with SMTP id m11mr43395317edc.31.1622727506960; Thu, 03 Jun 2021 06:38:26 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1622727506; cv=none; d=google.com; s=arc-20160816; b=AXYRKGgYEjxth4qztxxRhgZtieLFn0O5bdMveayEzCUQqO/ZnlmD5eJYxQY14slIRR 5tq8G8nbM66j3AtLNNP/rHmJL4CZ0s4cRRoEDfxS/lKFnnCXE+jA7amKdPS3u+ZrGQ8L mAMSDvCUvfOhx7nnEC3QsIDWIB11FHRsSRSkC28sQhL0g2aAAloDqG9z2e6COxTq5tl6 fENhIYRLmpa7yVtAf7mYaxOWNCaGaAcPHU7hSG9tsgtka7oCYdVOjPGjvcPZmwNu5WYN 3ib5M1LIBc5ODgaWago7zs8ElNQJfbikhZ40yHhwSAu/eGCUtsdtrWfp4MEzbEi41Gja iX+A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=SSOZn7NeOxtNAr4b0FWuz+EfX/KEGNf2pixj/JYi27A=; b=ldpjWTk6wt44FahAA9Z/IpeRW0zdUo6+li/4z/b8O4uMKlWvUpqZm+QsZwhcrJNc6W NJpyrcykDOKhPxYWWu/mkbTJXTp24jx6RAHNjjUbbKkKZvz/dhHuGvXV3/8R0DvziJ2V a/gX3uq8WgQm+zEFrp7JcSEp9vCXXjdl7StpFiVAz8PztvAGoC6bHiZX9EuRc8Uz2QLu Gb6koAefZQHqO5QdQ564MHx/QCwWVnfb5KCHspHuhj7VLbmksNRwBhts0VVft1Jaazus MzYWmqMucBkDjdlAGqYxdUgm+b/RcInD07HHC+i2pjzYhQKYJZf3oY38lNi/cDL3TqPD OsCg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=b2ZiPMTM; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id k2si2266782ejs.648.2021.06.03.06.38.03; Thu, 03 Jun 2021 06:38:26 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=b2ZiPMTM; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230434AbhFCNht (ORCPT + 99 others); Thu, 3 Jun 2021 09:37:49 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60248 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230092AbhFCNhs (ORCPT ); Thu, 3 Jun 2021 09:37:48 -0400 Received: from mail-ot1-x32d.google.com (mail-ot1-x32d.google.com [IPv6:2607:f8b0:4864:20::32d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 106DAC061756 for ; Thu, 3 Jun 2021 06:35:52 -0700 (PDT) Received: by mail-ot1-x32d.google.com with SMTP id 5-20020a9d01050000b02903c700c45721so4673463otu.6 for ; Thu, 03 Jun 2021 06:35:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=SSOZn7NeOxtNAr4b0FWuz+EfX/KEGNf2pixj/JYi27A=; b=b2ZiPMTMK0z2jIOFY2UNLrgwmt+7m8+y8A0XTLvoF9Z8GLkdoO4vh+/OkwfbxSPOa9 E+VjhvpG2v0CzpGPM+fdgsMfJOxK5Oiix3ApM55K0ZBCiD8LbTACd1XYnwgDVRhll0XT m0UNRuKzJrIHCM1kVtG3vd+9/LMRZJmMAPnyjX2s2+JRUQWawHqxIkTEWxZn8cBzlWKw dyYTaRwg6biI8J70RfcYIX0vqQ5VipfmLXwJ8ymiUxSM0bW6iE4lgfFaUmtd888BIc83 1bvMyhJZXdTr3nnBko1jytmqVKuMNm5N3jiREZuptB+HJ9yM8jb9TWlfxl6hagWc6rGb rAog== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=SSOZn7NeOxtNAr4b0FWuz+EfX/KEGNf2pixj/JYi27A=; b=CXY83gqDqD2APmc4Emf05GTKId11psLWVnJ5LUva3jdE7EYaglHgImPHVtnMsHSjfj g+ZwauYKRdDI8nLnODrEI/LZLDr446PcCEonaNKXGhxopkmOuX6eL7DX6SiXI6SBx2lM g/ZBbdnoOJeoUtpjKFtWQXOuK76CZdxugtScWlucjd288N4eYi4h3fTtYq71Gw+MkOg/ YdbCvPkRDmpAm5mfA8QmdBhTLeijNAbPsxLkYrjg9JqvalCjNbE1T4gewKEs/5hd9/DI JWIbhk5+sqBeF0kVW0s6b/UUv8vlvF/WEFBN++NlAwyDTcuY5PaOt9moPRJq4XpWhRX3 tqgA== X-Gm-Message-State: AOAM532IXANsQRTMfbnfttP+pMCRhtsFRUZXl4QAjrOeHkF8COQ25rN6 ZlXqKyTX63S5nQZnCnMdfRK5AuXxLA9fDmw4tkPXhw== X-Received: by 2002:a9d:5786:: with SMTP id q6mr30221203oth.56.1622727351073; Thu, 03 Jun 2021 06:35:51 -0700 (PDT) MIME-Version: 1.0 References: <20210525051204.1480610-1-tao3.xu@intel.com> <871r9k36ds.fsf@vitty.brq.redhat.com> <660ceed2-7569-6ce6-627a-9a4e860b8aa9@intel.com> In-Reply-To: <660ceed2-7569-6ce6-627a-9a4e860b8aa9@intel.com> From: Jim Mattson Date: Thu, 3 Jun 2021 06:35:40 -0700 Message-ID: Subject: Re: [PATCH v2] KVM: VMX: Enable Notify VM exit To: Xiaoyao Li Cc: Vitaly Kuznetsov , Tao Xu , "the arch/x86 maintainers" , kvm list , LKML , Paolo Bonzini , Sean Christopherson , Wanpeng Li , Joerg Roedel , Thomas Gleixner , Ingo Molnar , Borislav Petkov , "H . Peter Anvin" Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jun 2, 2021 at 6:25 PM Xiaoyao Li wrote: > > On 6/2/2021 6:31 PM, Vitaly Kuznetsov wrote: > > Tao Xu writes: > > > >> There are some cases that malicious virtual machines can cause CPU stuck > >> (event windows don't open up), e.g., infinite loop in microcode when > >> nested #AC (CVE-2015-5307). No event window obviously means no events, > >> e.g. NMIs, SMIs, and IRQs will all be blocked, may cause the related > >> hardware CPU can't be used by host or other VM. > >> > >> To resolve those cases, it can enable a notify VM exit if no event > >> window occur in VMX non-root mode for a specified amount of time > >> (notify window). Since CPU is first observed the risk of not causing > >> forward progress, after notify window time in a units of crystal clock, > >> Notify VM exit will happen. Notify VM exit can happen incident to delivery > >> of a vectored event. > >> > >> Expose a module param for configuring notify window, which is in unit of > >> crystal clock cycle. > >> - A negative value (e.g. -1) is to disable this feature. > >> - Make the default as 0. It is safe because an internal threshold is added > >> to notify window to ensure all the normal instructions being coverd. > >> - User can set it to a large value when they want to give more cycles to > >> wait for some reasons, e.g., silicon wrongly kill some normal instruction > >> due to internal threshold is too small. > >> > >> Notify VM exit is defined in latest Intel Architecture Instruction Set > >> Extensions Programming Reference, chapter 9.2. > >> > >> Co-developed-by: Xiaoyao Li > >> Signed-off-by: Xiaoyao Li > >> Signed-off-by: Tao Xu > >> --- > >> > >> Changelog: > >> v2: > >> Default set notify window to 0, less than 0 to disable. > >> Add more description in commit message. > > > > Sorry if this was already discussed, but in case of nested > > virtualization and when L1 also enables > > SECONDARY_EXEC_NOTIFY_VM_EXITING, shouldn't we just reflect NOTIFY exits > > during L2 execution to L1 instead of crashing the whole L1? > > > > yes. If we expose it to nested, it should reflect the Notify VM exit to > L1 when L1 enables it. > > But regarding nested, there are more things need to be discussed. e.g., > 1) It has dependence between L0 and L1, for security consideration. When > L0 enables it, it shouldn't be turned off during L2 VM is running. > a. Don't expose to L1 but enable for L1 when L2 VM is running. > b. expose it to L1 and force it enabled. > > 2) When expose it to L1, vmcs02.notify_window needs to be > min(L0.notify_window, L1.nofity_window) I don't think this can be a simple 'min', since L1's clock may run at a different frequency from L0's clock.