Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp1228467pxb; Fri, 21 Jan 2022 12:49:21 -0800 (PST) X-Google-Smtp-Source: ABdhPJz2/1OHH9jrc0htYvjPrtKa9+qyIK5tHb44Z/jiaz6nxXiCtZ/eGd4S3MiRzdyqm8nZcvfS X-Received: by 2002:a63:6c01:: with SMTP id h1mr4168234pgc.233.1642798161544; Fri, 21 Jan 2022 12:49:21 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1642798161; cv=none; d=google.com; s=arc-20160816; b=eQ3PUvo8vAjVXUdR0mpkNzueFYrgwsaRjZRNzGFfKyfujxtUbhUUF6kW9KB0O8MC/f awMujWV/v69HWVRWa2OD8IFe43IHBbgtMffSVTk6P7zeDNiPQTnXsKbbRszE2GmxSopO W3lrL6sNgUCUQZDrwPoN+14cV3GYllRX0WCkFY29HG6TKh4LWLugv/5hBp9GTtiTx5yl aiFeMaA2u/mtLVIR9D4IRiIIcBJc/J5Ag24gUKHwjq0tHUxfeFLkUfOuHYY2vGk1ubyo Gn2p/WqxLG4/dVM7S5yEY1+FI0x/p+4EkfbchyeoJCkpLU5b7nAnD9RmX2e/EwXnSAcD 0Vtw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=+TqAt14XKXCbtB/P6ewZv6dez1U9WqxQBNJ+sItXmlI=; b=ue/K+xEbDjkPnwnehe+cn4RWfYBSK6MJqJvGiGIWpduEtN2jJnKc560oofDDQ8QHxz vZ0dRe9bbwLDVQv6M9G0aADdOfitKM6I43CsXWSxvF4A9NyPHa7flf6xEqXEYQ0YTuR8 WqON7lnPUvVTlK4H+PAxOkm35iYHS4+/TbPT6Hxv+oLTP3OdQQ5OkI1emqkDdP+ZICZl kcPOprtBO0hxSMWauFMWeJmCyOZb75P1GidT8s74PqlPjsOvm1KDSNxNtXYI6qvos6rf JK6jhw4xsYpCb9kwxkMaVbJywjtz7ca3eRmUBxfofeWofB+/4PaBNBqP8ztIdMU/XNeS IAFQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b="F/r6jm4J"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id x14si7638862plg.176.2022.01.21.12.48.43; Fri, 21 Jan 2022 12:49:21 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b="F/r6jm4J"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1357766AbiATA1X (ORCPT + 99 others); Wed, 19 Jan 2022 19:27:23 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40002 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231437AbiATA1U (ORCPT ); Wed, 19 Jan 2022 19:27:20 -0500 Received: from mail-pj1-x1034.google.com (mail-pj1-x1034.google.com [IPv6:2607:f8b0:4864:20::1034]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B035FC06161C for ; Wed, 19 Jan 2022 16:27:20 -0800 (PST) Received: by mail-pj1-x1034.google.com with SMTP id s2-20020a17090ad48200b001b501977b23so3286323pju.2 for ; Wed, 19 Jan 2022 16:27:20 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=+TqAt14XKXCbtB/P6ewZv6dez1U9WqxQBNJ+sItXmlI=; b=F/r6jm4JzyNVaU7DF6e9U4M2zV1h4k4Mrg4VYBW7l2IN1j8EcwrQiXOcu6Gvnk3jmR Zm2RatSb4zvpG74iCIhDtzCg6rvMo+nBURyCB3QB1+fQAnKweumNAkvx1I0SD+PE25XA 5QD9kMNy3iNJXNSIyNTNzCWpvVz749GYxa3+R3vpzTKty2zLTAegEINhm195SOL+mC+y tkU6I6kM6Ccpiy6EtPro96tevnIfYb9L/UeN5LaOpwbNxRGL8uOeJwIGfpi1eufa0kdF F7O2Ur+Xe5ycOLIpqYgay4HF0msKYazYuSjCZjRzZrXKKAgO4PZHEWZ7mwcdTem4h2oT zocg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=+TqAt14XKXCbtB/P6ewZv6dez1U9WqxQBNJ+sItXmlI=; b=vuK/ybU4mOHkhgLBZf3tpa8mSQtcHBYbK7UDUXRpQENqPpIIl13bwjHbKqpPpKu/ei 5jRYtuyvXClA4ISfDbuvvGpo2ggdHHEi7bbptS7cYNQ2LCDE0xTPBp8lx+c0fsmPtOFB TJrIVBXjDD9LLzTr+FwLsoDylhW+BEqT2WC8msDhh44HQU7bHFpc89oNpj3+RxcYlxM7 SCKYUG3WkoKWwdmru05M2sXurgWfBOImQv15jGNh5xNih3OZBz+EqC4JwD1HljCXnKXe J9m1GHdQmJo9n+PhPVAUv9uA8vjLmXBNhF5kBXf2gTFEWzqRqI4dUktE4olCPMEj1yV+ pSgg== X-Gm-Message-State: AOAM530KAkb8GqjYfBSMp1iHauzu12QdXlw9kSSNT1vxMJfZFsjThmGz q/V94BXhnCeD75+JAnJu/fZdVA== X-Received: by 2002:a17:90a:5d07:: with SMTP id s7mr7432257pji.226.1642638440008; Wed, 19 Jan 2022 16:27:20 -0800 (PST) Received: from google.com (157.214.185.35.bc.googleusercontent.com. [35.185.214.157]) by smtp.gmail.com with ESMTPSA id a3sm706367pfo.163.2022.01.19.16.27.19 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 19 Jan 2022 16:27:19 -0800 (PST) Date: Thu, 20 Jan 2022 00:27:16 +0000 From: Sean Christopherson To: Reiji Watanabe Cc: Raghavendra Rao Ananta , kvm@vger.kernel.org, Marc Zyngier , Peter Shier , linux-kernel@vger.kernel.org, Catalin Marinas , Paolo Bonzini , Will Deacon , kvmarm@lists.cs.columbia.edu, Linux ARM , Jim Mattson Subject: Re: [RFC PATCH v3 01/11] KVM: Capture VM start Message-ID: References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jan 18, 2022, Reiji Watanabe wrote: > On Tue, Jan 18, 2022 at 4:07 PM Sean Christopherson wrote: > > > > On Fri, Jan 14, 2022, Reiji Watanabe wrote: > > > The restriction, with which KVM doesn't need to worry about the changes > > > in the registers after KVM_RUN, could potentially protect or be useful > > > to protect KVM and simplify future changes/maintenance of the KVM codes > > > that consumes the values. > > > > That sort of protection is definitely welcome, the previously mentioned CPUID mess > > on x86 would have benefit greatly by KVM being restrictive in the past. That said, > > hooking KVM_RUN is likely the wrong way to go about implementing any restrictions. > > Running a vCPU is where much of the vCPU's state is explicitly consumed, but it's > > all too easy for KVM to implicity/indirectly consume state via a different ioctl(), > > e.g. if there are side effects that are visible in other registers, than an update > > can also be visible to userspace via KVM_{G,S}ET_{S,}REGS, at which point disallowing > > modifying state after KVM_RUN but not after reading/writing regs is arbitrary and > > inconsitent. > > Thank you for your comments ! > I think I understand your concern, and that's a great point. > That's not the case for those pseudo registers though at least for now :) > BTW, is this concern specific to hooking KVM_RUN ? (Wouldn't it be the > same for the option with "if kvm->created_vcpus > 0" ?) Not really? The goal with created_vcpus is to avoid having inconsistent state in "struct kvm_vcpu" with respect to the VM as whole. "struct kvm" obvioulsy can't be inconsistent with itself, e.g. even if userspace consumes some side effect, that's simply "the state". Did that make sense? Hard to explain in writing :-) > > If possible, preventing modification if kvm->created_vcpus > 0 is ideal as it's > > a relatively common pattern in KVM, and provides a clear boundary to userpace > > regarding what is/isn't allowed. > > Yes, I agree that would be better in general. For (pseudo) registers, What exactly are these pseudo registers? If it's something that's an immutable property of the (virtual) system, then it might make sense to use a separate, non-vCPU mechanism for setting/getting their values. Then you can easily restrict the to pre-created_vcpus, e.g. see x86's KVM_SET_IDENTITY_MAP_ADDR. > I would think preventing modification if kvm->created_vcpus > 0 might > not be a very good option for KVM/ARM though considering usage of > KVM_GET_REG_LIST and KVM_{G,S}ET_ONE_REG.