Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 17AC4C433F5 for ; Tue, 11 Jan 2022 19:18:28 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345658AbiAKTSY (ORCPT ); Tue, 11 Jan 2022 14:18:24 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40296 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1350698AbiAKTRg (ORCPT ); Tue, 11 Jan 2022 14:17:36 -0500 Received: from mail-ot1-x334.google.com (mail-ot1-x334.google.com [IPv6:2607:f8b0:4864:20::334]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 28231C06118C for ; Tue, 11 Jan 2022 11:16:59 -0800 (PST) Received: by mail-ot1-x334.google.com with SMTP id a23-20020a9d4717000000b0056c15d6d0caso19673253otf.12 for ; Tue, 11 Jan 2022 11:16:59 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=RmmeEOXgL4aczt2lYfVEJ81JJyR5GHuXnUEqtqtBYAw=; b=cOATJM7qKaMwa1rfMreaSBRrwDDzMO7PjOtbZd5NEoxEnpoVYSyEoZ9YYXqeYIXSvr YE9v8N/iag490QDHMRj+L/DdGLjpFJHDqQCT7vnsL3SeJdwkX63Af178WulVTiUohxbi 2Z/g/UTUnmDWrvpF1A4BuycMUQiQMZtfEfDMEJMhly8ysY21Lwy1FYkVyAAHc2Y+CloD QUqxx8+pjJdctbF3pQ+CoqO2LSEEj2OAsTt02lMfMbyq/L2h4o6KshlrJhMnTMxz7HRI kj1j8PJ6vmHhfhTs5wV82Z3hYb9FrcuJ2q8JzsdRPEiJYoahPTsWOV6v37b2pmdg3f9Q Qtpg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=RmmeEOXgL4aczt2lYfVEJ81JJyR5GHuXnUEqtqtBYAw=; b=blyBUQt8NGLuT2Xa991X4XzJxvWkWGOexyfeGvVHZLyfJW86IdMWdiAwlgvgwKbV5U XPPwgijTSrj3Skmit0V3LmH1RfgOkf1qDPB6CiolujoJRStcM31sx7zyco2uBT5IJ6fC GNaocIvbKZ2WMQtfHiMds6k7ZYQJvm7LzuL8FJX+ntiQnKXac7hfwJ8uCkAiOa3R42a+ SGPj7NT8ZOKmLhVMkiR1VaVg1HaFLTgrs62mg/MZM2LJmGZuUUDL4bp3gaQ8JZTDkPa4 yibDAUYWJDOqbRSGwn5TkRduNLe3FsEY+UX4hgx9cycbQQvkajARdijs5DM24jDRqIRU lF1A== X-Gm-Message-State: AOAM5338tkzvFffLcqPlR3mjfIog50KoceXzBiIqy978YOjBAV4fbBqw Y05FrPYlJN4sbvG0hWhTWlYGDeVYHK0rQmm3ecd5Sg== X-Google-Smtp-Source: ABdhPJyFhnhDMW2ISK4zn+lMszvCQjj7MkaLiyC7O4OUsyaW0HdldRqbQFmZ06I5CZ/gdojGHnnTpqjIXgdkiahuGYk= X-Received: by 2002:a05:6830:441f:: with SMTP id q31mr4578699otv.14.1641928618059; Tue, 11 Jan 2022 11:16:58 -0800 (PST) MIME-Version: 1.0 References: <20220104194918.373612-1-rananta@google.com> <20220104194918.373612-2-rananta@google.com> In-Reply-To: From: Jim Mattson Date: Tue, 11 Jan 2022 11:16:46 -0800 Message-ID: Subject: Re: [RFC PATCH v3 01/11] KVM: Capture VM start To: Raghavendra Rao Ananta Cc: Reiji Watanabe , Marc Zyngier , Andrew Jones , James Morse , Alexandru Elisei , Suzuki K Poulose , Paolo Bonzini , Catalin Marinas , Will Deacon , Peter Shier , Ricardo Koller , Oliver Upton , Jing Zhang , Linux ARM , kvmarm@lists.cs.columbia.edu, linux-kernel@vger.kernel.org, kvm@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jan 11, 2022 at 10:52 AM Raghavendra Rao Ananta wrote: > > On Mon, Jan 10, 2022 at 3:57 PM Jim Mattson wrote: > > > > On Mon, Jan 10, 2022 at 3:07 PM Raghavendra Rao Ananta > > wrote: > > > > > > On Fri, Jan 7, 2022 at 4:05 PM Jim Mattson wrote: > > > > > > > > On Fri, Jan 7, 2022 at 3:43 PM Raghavendra Rao Ananta > > > > wrote: > > > > > > > > > > Hi Reiji, > > > > > > > > > > On Thu, Jan 6, 2022 at 10:07 PM Reiji Watanabe wrote: > > > > > > > > > > > > Hi Raghu, > > > > > > > > > > > > On Tue, Jan 4, 2022 at 11:49 AM Raghavendra Rao Ananta > > > > > > wrote: > > > > > > > > > > > > > > Capture the start of the KVM VM, which is basically the > > > > > > > start of any vCPU run. This state of the VM is helpful > > > > > > > in the upcoming patches to prevent user-space from > > > > > > > configuring certain VM features after the VM has started > > > > > > > running. > > > > > > > > What about live migration, where the VM has already technically been > > > > started before the first call to KVM_RUN? > > > > > > My understanding is that a new 'struct kvm' is created on the target > > > machine and this flag should be reset, which would allow the VMM to > > > restore the firmware registers. However, we would be running KVM_RUN > > > for the first time on the target machine, thus setting the flag. > > > So, you are right; It's more of a resume operation from the guest's > > > point of view. I guess the name of the variable is what's confusing > > > here. > > > > I was actually thinking that live migration gives userspace an easy > > way to circumvent your restriction. You said, "This state of the VM is > > helpful in the upcoming patches to prevent user-space from configuring > > certain VM features after the VM has started running." However, if you > > don't ensure that these VM features are configured the same way on the > > target machine as they were on the source machine, you have not > > actually accomplished your stated goal. > > > Isn't that up to the VMM to save/restore and validate the registers > across migrations? Yes, just as it is up to userspace not to make bad configuration changes after the first VMRUN. > Perhaps I have to re-word my intentions for the patch- userspace > should be able to configure the registers before issuing the first > KVM_RUN. Perhaps it would help if you explained *why* you are doing this. It sounds like you are either trying to protect against a malicious userspace, or you are trying to keep userspace from doing something stupid. In general, kvm only enforces constraints that are necessary to protect the host. If that's what you're doing, I don't understand why live migration doesn't provide an end-run around your protections.