Received: by 2002:a05:6a10:1287:0:0:0:0 with SMTP id d7csp5494587pxv; Wed, 21 Jul 2021 06:56:38 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwR/YlCqMHBPMe5mTDg+wT1atwej6IWpKSg6KFYkGunZ7cZ5RfMfXQjyisIWwMsVpilUV1g X-Received: by 2002:a05:6602:59d:: with SMTP id v29mr16367608iox.132.1626875798154; Wed, 21 Jul 2021 06:56:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1626875798; cv=none; d=google.com; s=arc-20160816; b=gtuK2xp0mEB15xzu29MuxvVvqmrwVQr4zSfmcHB5fDjHu/YY+V2sM/gwNZhqfDHAaT sqGGIL3jZdsxaH7bKuqSQZwsPda4g7rgBS0f7rlA4OvkzyscYp5zhOH32oRVzoyWJBLZ zgB7HMaHXFlnBhBThhEDT/sx56aoE9h3LiD4h5fHiI/PySUzrgFgGihQC4BmfqeNrwti 1jpfb3xWXanwLUX1XFKpfZTo2kRoDXMguo8ywg7EtiRQY5wvMgZm8SbX/YH8SutAKkIC QySEN3dOnj9HeUmG125RUA/xatc7nHoqWiowhK/ycAbNMQzbW0DSn/uQQMCfHKsJIaIQ t/Ug== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:message-id:date:references :in-reply-to:subject:cc:to:from:dkim-signature; bh=BhZuTxoecOSBTlHMJqTl/6bVqh22YD7O7U2gF62TFQ0=; b=rY4Gx7N+cTSoav33kTqb5P9ZQJOjPuz+PkIElZ6/6N3XGkxxuJvjf9B7F9/TrFqXkp zGRRINCbheCIE7j2rgXiml+ANSIKO09z3Ppmk5n/afUkL3NmtBb/1WFOPxbkLPBk0P4C xNuni/O1OIvy+RDaRxIyBw3szkK5n4Y9S2UIiP6vhoco9RJekkUok8P4kKUHsh5XXUOq GSLNw/KppDA6zD3cnpjz51WE+bK/df4HFbiX9Reowg/QER4OIw4BYbzh1jO5qjatUwwK 5p8+WxmT+FCJUPmEtLBHIbvx9vMxupdLVjRsg08t3OutmJPf2JLDYgG6g1frF6dOTCOd W7YQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=TAIVsR8t; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id p10si19858661iov.66.2021.07.21.06.56.26; Wed, 21 Jul 2021 06:56:38 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=TAIVsR8t; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237101AbhGULwK (ORCPT + 99 others); Wed, 21 Jul 2021 07:52:10 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]:44848 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236999AbhGULwB (ORCPT ); Wed, 21 Jul 2021 07:52:01 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1626870757; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=BhZuTxoecOSBTlHMJqTl/6bVqh22YD7O7U2gF62TFQ0=; b=TAIVsR8tCd+AVnu9uYqmTYX0KuAYjHTg9W72agjitaWDYvKze4ItqLxBNxw18YalJLJMFp 0PoyBgHs/Yb6KX9qgbeJEICFkYZRKBLEDS3IJYbLNwoetG2oPp9M9c6HvgXk9zysytfcM7 sDwQB9ZWrymVIZbHH5o0yVzAfxyh7r4= Received: from mail-ed1-f70.google.com (mail-ed1-f70.google.com [209.85.208.70]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-498-F0QuZQAWM7irIa0IyJTGAQ-1; Wed, 21 Jul 2021 08:32:36 -0400 X-MC-Unique: F0QuZQAWM7irIa0IyJTGAQ-1 Received: by mail-ed1-f70.google.com with SMTP id cw12-20020a056402228cb02903a4b3e93e15so971806edb.2 for ; Wed, 21 Jul 2021 05:32:36 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:in-reply-to:references:date :message-id:mime-version; bh=BhZuTxoecOSBTlHMJqTl/6bVqh22YD7O7U2gF62TFQ0=; b=OP69u6Hjdxb8rJulf/my5/vB/jNDrsU8XgzqENnJebzX7Qe3Uoh5PuRvYNWuQtGnm7 ejO9PFwbku4VYxHRI0DqiPfRyDcoPM2uCK4YPuvbybRFy93jbBsnMEMAhBCtO+FbvPdD Wynk433mYo+4a18nkvAnhL0z/Bs8gXWKuskOsmQFDXJLt8FowgfyKL7xPX9raIkcxFrH XX+vHDFNan121Aw4kszPWv29j/USzr17lrPxAAB3u6VYWoT7ce1rRmxRY7dFQr4cNVmP 8aQrlY284ti3Zo0wTPrCzyChWW7HoPnOfr9AHM+IDTbWe2YheoIVBXILL+AUd1IEoprR 2gRw== X-Gm-Message-State: AOAM530Qq58QpUxSkhgCDd5/j2iS7mhOZEEe+yMajQnlAbTMxsrxXrL4 JG4/uIbJwrEHDH/x8gVOz4n8vNIx7HzaEz2jDNo3kJUGNP2SGpRruAGG/upSIF6JasPzM1Ymp3X EKOlClMLRSbERu7QT9N861zQf X-Received: by 2002:aa7:d353:: with SMTP id m19mr49379415edr.162.1626870755241; Wed, 21 Jul 2021 05:32:35 -0700 (PDT) X-Received: by 2002:aa7:d353:: with SMTP id m19mr49379391edr.162.1626870755109; Wed, 21 Jul 2021 05:32:35 -0700 (PDT) Received: from vitty.brq.redhat.com (g-server-2.ign.cz. [91.219.240.2]) by smtp.gmail.com with ESMTPSA id s18sm810368ejc.52.2021.07.21.05.32.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 21 Jul 2021 05:32:34 -0700 (PDT) From: Vitaly Kuznetsov To: Sean Christopherson , Tom Lendacky Cc: Peter Gonda , kvm list , linux-kernel@vger.kernel.org, x86@kernel.org, Paolo Bonzini , Jim Mattson , Joerg Roedel , Wanpeng Li , Borislav Petkov , Ingo Molnar , Thomas Gleixner , Brijesh Singh Subject: Re: [PATCH] KVM: SVM: Do not terminate SEV-ES guests on GHCB validation failure In-Reply-To: References: <324d9228-03e9-0fe2-59c0-5e41e449211b@amd.com> <468cee77-aa0a-cf4a-39cf-71b5bfb3575e@amd.com> Date: Wed, 21 Jul 2021 14:32:33 +0200 Message-ID: <8735s7sv8e.fsf@vitty.brq.redhat.com> MIME-Version: 1.0 Content-Type: text/plain Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Sean Christopherson writes: > On Thu, May 20, 2021, Tom Lendacky wrote: >> On 5/20/21 2:16 PM, Sean Christopherson wrote: >> > On Mon, May 17, 2021, Tom Lendacky wrote: >> >> On 5/14/21 6:06 PM, Peter Gonda wrote: >> >>> On Fri, May 14, 2021 at 1:22 PM Tom Lendacky wrote: >> >>>> >> >>>> Currently, an SEV-ES guest is terminated if the validation of the VMGEXIT >> >>>> exit code and parameters fail. Since the VMGEXIT instruction can be issued >> >>>> from userspace, even though userspace (likely) can't update the GHCB, >> >>>> don't allow userspace to be able to kill the guest. >> >>>> >> >>>> Return a #GP request through the GHCB when validation fails, rather than >> >>>> terminating the guest. >> >>> >> >>> Is this a gap in the spec? I don't see anything that details what >> >>> should happen if the correct fields for NAE are not set in the first >> >>> couple paragraphs of section 4 'GHCB Protocol'. >> >> >> >> No, I don't think the spec needs to spell out everything like this. The >> >> hypervisor is free to determine its course of action in this case. >> > >> > The hypervisor can decide whether to inject/return an error or kill the guest, >> > but what errors can be returned and how they're returned absolutely needs to be >> > ABI between guest and host, and to make the ABI vendor agnostic the GHCB spec >> > is the logical place to define said ABI. >> >> For now, that is all we have for versions 1 and 2 of the spec. We can >> certainly extend it in future versions if that is desired. >> >> I would suggest starting a thread on what we would like to see in the next >> version of the GHCB spec on the amd-sev-snp mailing list: >> >> amd-sev-snp@lists.suse.com > > Will do, but in the meantime, I don't think we should merge a fix of any kind > until there is consensus on what the VMM behavior will be. IMO, fixing this in > upstream is not urgent; I highly doubt anyone is deploying SEV-ES in production > using a bleeding edge KVM. Sorry for resurrecting this old thread but were there any deveopments here? I may have missed something but last time I've checked a single "rep; vmmcall" from userspace was still crashing the guest. The issue, however, doesn't seem to reproduce with Vmware ESXi which probably means they're just skipping the instruction and not even injecting #GP (AFAIR, I don't have an environment to re-test handy). -- Vitaly