Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp293339pxj;
        Thu, 3 Jun 2021 06:55:25 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxSNaj1sCcs2ucjOJzENnbVhSgMggTR0ZMRVlf30+IeDZNEnw5Bjq7Uzn8o7Q/iWs7q/A00
X-Received: by 2002:a17:906:180a:: with SMTP id v10mr6899325eje.22.1622728525449;
        Thu, 03 Jun 2021 06:55:25 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1622728525; cv=none;
        d=google.com; s=arc-20160816;
        b=UXMojWJ4o0/I5qgWXqcWQIRcd8xvNTGpX6vBwmO1S/NKmrF3mPi+qJpP7/4U8OjmWG
         bvMahXB2fOWsjgiZC79XzC5VBAYsACkXxCH/N+6WIlV5USalkkSSFPyopTB6QyWmEyAO
         J8NhYoFXBVVXw0s7CCM2RG65uGklDzuT85gW7FFLaauXLvCOQnurcBYJ5iUGqxbHhz2u
         qdjtO4IrLn4phtEF6vOLM42wTI/wrY7kLWmrmYFwgID5jshEsxHgVaN+C+W0OD14HOfc
         fK7C0g+6ZU7Pzxcd13yQGzQKxtjmWYIsWBGKKUky7iKSpGqeXXRmnpmSM2K0g0QstYrO
         pjUQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:mime-version:message-id:date:references
         :in-reply-to:subject:cc:to:from:dkim-signature;
        bh=aGzYnwJ/79uwHhGm7246c+BQzOFvMTF+2K8gC73yhXY=;
        b=Sgmm/jbKMr1bdd+Bco4UdTNxQYhGqyGAFIAkGzx0UQnX8ILpFflZcqKeZqLZ+q6ID+
         vkpAVFL+vuyuo/Fei7kxSoF0BX5JHWJynqeSWc9mHrpjmtA7avCE2N4j6tzzwOcUnglS
         j0PAE5dolb0BtwUjvlqlM/snK2CuwEthlV52gzePvYuva5B8DP138nDb3BAzcpyxNrb/
         7MMqrC30BI0D9OqwYMdkONBGKcKHXpjzkrz3nn96SCx/kew+u8b5zpqTtRET2oQ8TFnF
         qeQOEYWceYvUlwu0/GIOp7LUacClwm2Ri7ffValMYMKqsY/uf3s1ko2qQ990JLOnr+X4
         W3JQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=PRs0PZEd;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id s18si2610117eji.59.2021.06.03.06.55.01;
        Thu, 03 Jun 2021 06:55:25 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=PRs0PZEd;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230428AbhFCNyV (ORCPT <rfc822;luming.yu@gmail.com> + 99 others);
        Thu, 3 Jun 2021 09:54:21 -0400
Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]:51570 "EHLO
        us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S230352AbhFCNyU (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 3 Jun 2021 09:54:20 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
        s=mimecast20190719; t=1622728355;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:cc:mime-version:mime-version:content-type:content-type:
         in-reply-to:in-reply-to:references:references;
        bh=aGzYnwJ/79uwHhGm7246c+BQzOFvMTF+2K8gC73yhXY=;
        b=PRs0PZEdcngDjg5rn2TmVCT0JvWyeb1MqnqQuVuU3NKhDVqkgUw3cTZ8WIRgUYuChjzlKg
        Qb6t/7uUWS7uEfqut4mz6cfriitXh47HDkmdJ4UGqJ8McA0vDr4uukNGSFk+/aFqw1GviI
        3w8eVVS+S2qddeARdoqXRJEkmbSMx3w=
Received: from mail-ed1-f69.google.com (mail-ed1-f69.google.com
 [209.85.208.69]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-552-2BEPgwoiNqmhsz5b3HI0sg-1; Thu, 03 Jun 2021 09:52:33 -0400
X-MC-Unique: 2BEPgwoiNqmhsz5b3HI0sg-1
Received: by mail-ed1-f69.google.com with SMTP id y18-20020a0564022712b029038ffac1995eso3313578edd.12
        for <linux-kernel@vger.kernel.org>; Thu, 03 Jun 2021 06:52:33 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:in-reply-to:references:date
         :message-id:mime-version;
        bh=aGzYnwJ/79uwHhGm7246c+BQzOFvMTF+2K8gC73yhXY=;
        b=OPSkLxFg9L8D0pI4pxJ4slWOR+aFaIctgVrBcEzTDnP6p96Q+D3+/N2WkuNb8eEDi+
         zO4qz2X2yzult7kjRkHcO4mtOzeyezR4BKUDoLHNtjnPKpJmeA/ASyac+FyAgEwBFxGU
         wThtPeCQ1S2vutPbRnRQnvqnH236o03+5ZKfrnSXLDLk4iueVN8+AgvcRYc7WQPSO/YF
         oRQlY/Eo9hvctDgUv4aJA0P3BUGHCUEZAiHH/e9u1anR5Uk2Cb+sJeSq1gu7WcccaWHF
         tdQVm2Ifixt8GMmPGXkL1/jaz7uUj/XgECYt8D2F4k9nY6Fu3tODqqbzo4cqXqZfNyHA
         Db+Q==
X-Gm-Message-State: AOAM533bomPtL68o76S0QdrKvijGR7TuP+WwfG+f+6SnfR60fpx1lLgc
        nrTPjqsexxjBdAa/9OgdKWt55orpQLgy9n63UTYpx6xrcgsjSM4gAYYedFV3ImtSJ6mcVvkn6CH
        1OIjM5SHyL4q7hmkjywKjr9+z
X-Received: by 2002:aa7:db94:: with SMTP id u20mr43820035edt.381.1622728352472;
        Thu, 03 Jun 2021 06:52:32 -0700 (PDT)
X-Received: by 2002:aa7:db94:: with SMTP id u20mr43820025edt.381.1622728352333;
        Thu, 03 Jun 2021 06:52:32 -0700 (PDT)
Received: from vitty.brq.redhat.com (g-server-2.ign.cz. [91.219.240.2])
        by smtp.gmail.com with ESMTPSA id p7sm1824947edw.43.2021.06.03.06.52.31
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 03 Jun 2021 06:52:31 -0700 (PDT)
From:   Vitaly Kuznetsov <vkuznets@redhat.com>
To:     Xiaoyao Li <xiaoyao.li@intel.com>, Tao Xu <tao3.xu@intel.com>
Cc:     x86@kernel.org, kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
        pbonzini@redhat.com, seanjc@google.com, wanpengli@tencent.com,
        jmattson@google.com, joro@8bytes.org, tglx@linutronix.de,
        mingo@redhat.com, bp@alien8.de, hpa@zytor.com
Subject: Re: [PATCH v2] KVM: VMX: Enable Notify VM exit
In-Reply-To: <660ceed2-7569-6ce6-627a-9a4e860b8aa9@intel.com>
References: <20210525051204.1480610-1-tao3.xu@intel.com>
 <871r9k36ds.fsf@vitty.brq.redhat.com>
 <660ceed2-7569-6ce6-627a-9a4e860b8aa9@intel.com>
Date:   Thu, 03 Jun 2021 15:52:30 +0200
Message-ID: <87fsxz12e9.fsf@vitty.brq.redhat.com>
MIME-Version: 1.0
Content-Type: text/plain
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Xiaoyao Li <xiaoyao.li@intel.com> writes:

> On 6/2/2021 6:31 PM, Vitaly Kuznetsov wrote:
>> Tao Xu <tao3.xu@intel.com> writes:
>> 
>>> There are some cases that malicious virtual machines can cause CPU stuck
>>> (event windows don't open up), e.g., infinite loop in microcode when
>>> nested #AC (CVE-2015-5307). No event window obviously means no events,
>>> e.g. NMIs, SMIs, and IRQs will all be blocked, may cause the related
>>> hardware CPU can't be used by host or other VM.
>>>
>>> To resolve those cases, it can enable a notify VM exit if no event
>>> window occur in VMX non-root mode for a specified amount of time
>>> (notify window). Since CPU is first observed the risk of not causing
>>> forward progress, after notify window time in a units of crystal clock,
>>> Notify VM exit will happen. Notify VM exit can happen incident to delivery
>>> of a vectored event.
>>>
>>> Expose a module param for configuring notify window, which is in unit of
>>> crystal clock cycle.
>>> - A negative value (e.g. -1) is to disable this feature.
>>> - Make the default as 0. It is safe because an internal threshold is added
>>> to notify window to ensure all the normal instructions being coverd.
>>> - User can set it to a large value when they want to give more cycles to
>>> wait for some reasons, e.g., silicon wrongly kill some normal instruction
>>> due to internal threshold is too small.
>>>
>>> Notify VM exit is defined in latest Intel Architecture Instruction Set
>>> Extensions Programming Reference, chapter 9.2.
>>>
>>> Co-developed-by: Xiaoyao Li <xiaoyao.li@intel.com>
>>> Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
>>> Signed-off-by: Tao Xu <tao3.xu@intel.com>
>>> ---
>>>
>>> Changelog:
>>> v2:
>>>       Default set notify window to 0, less than 0 to disable.
>>>       Add more description in commit message.
>> 
>> Sorry if this was already discussed, but in case of nested
>> virtualization and when L1 also enables
>> SECONDARY_EXEC_NOTIFY_VM_EXITING, shouldn't we just reflect NOTIFY exits
>> during L2 execution to L1 instead of crashing the whole L1?
>> 
>
> yes. If we expose it to nested, it should reflect the Notify VM exit to 
> L1 when L1 enables it.
>
> But regarding nested, there are more things need to be discussed. e.g.,
> 1) It has dependence between L0 and L1, for security consideration. When 
> L0 enables it, it shouldn't be turned off during L2 VM is running.
>     a. Don't expose to L1 but enable for L1 when L2 VM is running.
>     b. expose it to L1 and force it enabled.

Could you please elaborate on the 'security' concern? My understanding
that during L2 execution:
If L0 enables the feature and L1 doesn't, vmexit goes to L0.
If L1 enables the feature and L0 doesn't, vmexit goes to L1.
If both L0 and L1 enable the feature, vmexit can probably (I didn't put
enough though in it I'm afraid) go to the one which has smaller window.

>
> 2) When expose it to L1, vmcs02.notify_window needs to be 
> min(L0.notify_window, L1.nofity_window)
>
> We don't deal with nested to make this Patch simple.

Sure, I just wanted to check with you what's the future plan and if the
behavior you introduce is desireable in nested case.

-- 
Vitaly