Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp779892pxb; Fri, 21 Jan 2022 03:10:31 -0800 (PST) X-Google-Smtp-Source: ABdhPJzP3zLpDiHI8x6EYfOUzIzdKOM6MO6YoAZfXxbSCdMGzvKnUXmrsrvo0CCeWgRhVCJExoPY X-Received: by 2002:a05:6a00:21c7:b0:4bc:1d4d:dfe with SMTP id t7-20020a056a0021c700b004bc1d4d0dfemr3426837pfj.15.1642763431448; Fri, 21 Jan 2022 03:10:31 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1642763431; cv=none; d=google.com; s=arc-20160816; b=JrXGb4q2KkskZ7gILiDix6z+r0Q46f4wi6WoLLg2DpnZkjXI+RjhGt3iM061f6vSqo 5BbVtpk4ZiGVND/6KXRr4elJmx4kFxb/2VU4jsWE5C4UsTjz1uCr+3nLGxH4K84/09oz woD6eMQdgIHHgKVh3iv8TRSOeIEoGbAG6NIKwvEvwy5n8Pu5sLU2qBhlcpUmJhYAzj35 Dt6CFZZgeWYiVDjPbDykXkgAUxB1sO9npnJyVr/YavBA0d5T/N4cEx2KXFkD7XJDN8hB TsslnMnXo+z01eF6sIJXRxRPoLBsucWxedNoLPhLrGsaOXJS6CSfZA61WrCcj4sMaaC9 k3Rw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=2A0o9RStrnIxmL11KBIrT0fGYmNaZT0XLIaxHQF5rjs=; b=OfXYqgElfavPbm6yP+MpkCFPIqFkTGVPsJA3cRUI7silq828LBZB//2gIZJ6Vz1efO ZH7JhwvIvu+B6L8L1JPRLVvXZsXxSfSqw+GA8/rrIxNXfASfIuZQKHm/VATVkYypH646 txn6nUpXzUW3mbvSVqa32+eR4gaQJ/e849l5dLbSPkLeXEQiMUZktoT5v8TOwtzJE97O 6VkugxFIfHUhsc5H3Bjpqc1fu5qwHdh0Opvx39WIRJdpSC7kJ+UmQbA17r0EIciLYoPV IFzrrLBBpEPmS/aYTGiGRxhcVqIH6Teti9mbI65/MI7ZVyq4BFNZEPud1Y9yhc4XYOYH 23kA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=dag6jxRD; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id rj6si12431235pjb.15.2022.01.21.03.10.18; Fri, 21 Jan 2022 03:10:31 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=dag6jxRD; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344503AbiARWya (ORCPT + 99 others); Tue, 18 Jan 2022 17:54:30 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60480 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231467AbiARWyZ (ORCPT ); Tue, 18 Jan 2022 17:54:25 -0500 Received: from mail-yb1-xb32.google.com (mail-yb1-xb32.google.com [IPv6:2607:f8b0:4864:20::b32]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 65431C06161C for ; Tue, 18 Jan 2022 14:54:25 -0800 (PST) Received: by mail-yb1-xb32.google.com with SMTP id z22so1467869ybi.11 for ; Tue, 18 Jan 2022 14:54:25 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=2A0o9RStrnIxmL11KBIrT0fGYmNaZT0XLIaxHQF5rjs=; b=dag6jxRDJUEiQYlvYUtjYS/OfkScCbS15kuV1kOlQvrem03MJYgdAwaEHsk7xkMGTO kFHIj3pxg2l26Gamk9bynAV2Zfontn1hV5i3Z18gq3jN3xjnwhxB20CVOjA4+vlA0R02 ceyCS6rF1ci0H0IzntFxCa97kN3hwPwH9Z5sBLk8kMfM4ZECEp0lNsPAGgF1rYgVCvUR PGkIyNBVj8eZ5YoiH4PXKb+AZcWt0b511F2zYUm4g2+HsrQfl/5+64z1s3gsYWingZHi WN++EpOE6AguKoOdixg8BZ9R5wasNuqelZQvKvhUyQa3VDRdqhnIkSRieTj99s3sWzle ku3g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=2A0o9RStrnIxmL11KBIrT0fGYmNaZT0XLIaxHQF5rjs=; b=AnLsTnGpm7cQk7mNX4jjQjiQhadshOyjGlJcRDVxtUgq6CldASa2yHwezWvBYjYbbM R7rBSVG9bXHFTuTiZ4ecDqZhH9tE2E4L3UOX3YQxyl9Rnily+RS5Wc1k1x0fylnVCOuE FXSBBhmHzSv2w4w83MGFX9a740s1gC+3WLVgSw4xVGtUNBBE+cMXzGtePEprImxdaDbf WlDVrwzrHbQho35L34ia7rUhPsWF4a4tE7xndh5Pk1s2XHBwZmHko4KIL8DbyS0JJISM Xk2JL005OIbNI7ggYfSfrNh4o1/NS1qk4YMPU+YZSUp0KtlvymDlZkavPYY2HXXIg69q 0FXg== X-Gm-Message-State: AOAM530HcafGvVk9aAuyiHRVr6ksS5FNvqmrmFaNKxePRhQOQWV3j8mj +0yqklmCk19S9YykfTtMHaYI38zXUmPvkgozliE5/NtC81iLYQ== X-Received: by 2002:a25:d055:: with SMTP id h82mr6237602ybg.543.1642546464435; Tue, 18 Jan 2022 14:54:24 -0800 (PST) MIME-Version: 1.0 References: <20220104194918.373612-1-rananta@google.com> <20220104194918.373612-2-rananta@google.com> In-Reply-To: From: Raghavendra Rao Ananta Date: Tue, 18 Jan 2022 14:54:13 -0800 Message-ID: Subject: Re: [RFC PATCH v3 01/11] KVM: Capture VM start To: Reiji Watanabe Cc: Sean Christopherson , kvm@vger.kernel.org, Marc Zyngier , Peter Shier , linux-kernel@vger.kernel.org, Catalin Marinas , Paolo Bonzini , Will Deacon , kvmarm@lists.cs.columbia.edu, Linux ARM , Jim Mattson Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jan 14, 2022 at 1:51 PM Reiji Watanabe wrote: > > On Thu, Jan 13, 2022 at 9:21 AM Sean Christopherson wrote: > > > > On Wed, Jan 12, 2022, Raghavendra Rao Ananta wrote: > > > On Tue, Jan 11, 2022 at 11:16 AM Jim Mattson wrote: > > > > Perhaps it would help if you explained *why* you are doing this. It > > > > sounds like you are either trying to protect against a malicious > > > > userspace, or you are trying to keep userspace from doing something > > > > stupid. In general, kvm only enforces constraints that are necessary > > > > to protect the host. If that's what you're doing, I don't understand > > > > why live migration doesn't provide an end-run around your protections. > > > It's mainly to safeguard the guests. With respect to migration, KVM > > > and the userspace are collectively playing a role here. It's up to the > > > userspace to ensure that the registers are configured the same across > > > migrations and KVM ensures that the userspace doesn't modify the > > > registers after KVM_RUN so that they don't see features turned OFF/ON > > > during execution. I'm not sure if it falls into the definition of > > > protecting the host. Do you see a value in adding this extra > > > protection from KVM? > > > > Short answer: probably not? > > > > There is precedent for disallowing userspace from doing stupid things, but that's > > either for KVM's protection (as Jim pointed out), or because KVM can't honor the > > change, e.g. x86 is currently in the process of disallowing most CPUID changes > > after KVM_RUN because KVM itself consumes the CPUID information and KVM doesn't > > support updating some of it's own internal state (because removing features like > > GB hugepage support is nonsensical and would require a large pile of complicated, > > messy code). > > > > Restricing CPUID changes does offer some "protection" to the guest, but that's > > not the goal. E.g. KVM won't detect CPUID misconfiguration in the migration > > case, and trying to do so is a fool's errand. > > > > If restricting updates in the arm64 is necessary to ensure KVM provides sane > > behavior, then it could be justified. But if it's purely a sanity check on > > behalf of the guest, then it's not justified. > > The pseudo firmware hvc registers, which this series are adding, are > used by KVM to identify available hvc features for the guest, and not > directly exposed to the guest as registers. > The ways the KVM code in the series consumes the registers' values are > very limited, and no KVM data/state is created based on their values. > But, as the code that consumes the registers grows in the future, > I wouldn't be surprised if KVM consumes them differently than it does > now (e.g. create another data structure based on the register values). > I'm not sure though :) > > The restriction, with which KVM doesn't need to worry about the changes > in the registers after KVM_RUN, could potentially protect or be useful > to protect KVM and simplify future changes/maintenance of the KVM codes > that consumes the values. > I thought this was one of the reasons for having the restriction. > Well, that wasn't the original intention of the patch, but just to protect the guests from the userspace's dynamic updates. Having said that, and based on what Sean mentioned in his last reply, it could be inconsistent from what KVM has been doing so far and would be difficult to cover all the scenarios that userspace can mess things up for guests. I'll plan to drop this patch in the next version, and bring it back back to arm64 if we really need it. Thanks Sean, Jim, and Reiji for the comments and discussion. Regards, Raghavendra > Thanks, > Reiji