Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp1292652pxb; Fri, 21 Jan 2022 14:33:56 -0800 (PST) X-Google-Smtp-Source: ABdhPJzXs0eZ5xNI3T4FS9Y1Xv72Ytun2KQVb0PbV9f4LTIDh0hH4r5lMlJWgNFqNeUL26svbp2k X-Received: by 2002:aa7:9d01:0:b0:4bd:ea4b:bec8 with SMTP id k1-20020aa79d01000000b004bdea4bbec8mr5252168pfp.43.1642804436475; Fri, 21 Jan 2022 14:33:56 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1642804436; cv=none; d=google.com; s=arc-20160816; b=QRPVz4Q3eafM8pdlfXOL2LO8sIpDxohY4Z3FY1meth1TDUrN3kOD/DtCUmtAdIoae0 GDmGZAQuB1rZeeHfqsk0QCd5dKdeDUgG2Vz63VSfcCPyM6GFk7xmToqRwYzyfRS6vDtK kajgkZQQBuqzu1hdhk/wdeieln4/DAm/qDzmSWdtUnPT0ek+hr1swjAeRcic08T08cY4 1wpCuxQiUBCQzH+gIAkSM/tEzC0TENrNlP5iRjspV9IsgBGPf2bDJfbMPcg4OmJMy89g hWfimnA6Vk4BDXOPzs7J3yNuQCy1pJ+4UBKcqcR8q3JiNocbTU90e0SB05H0UeXWFSKO jMfw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=LgnhRIvXZbEoD4dNyz5NkE0CJ53Si0Wk9Up+SOzAYhA=; b=qKts8ATzoRqW38G4O7IZRyhRp45XwmIG+jlYd5A/vti+EJvx98ADrreqlS0Y9XUXnF MVODwty+SfkgF7qN02GRZZeQCuHEwKjnqbY9pscQhOjGRPHhFFJyvTxBIBo2oEWdQ/8/ gJvkeHT8LKemkTHgAgg8mSVn0nhuPDaci576fxST6NtTzrOOjwCHq5SjhVl23DrhYIq0 acIzfRoyfEjNCMtkWmQwymhPA22EF0ZaurQnIJivJkeFWyzfCi1ctEw06E7FAdhMkqAM 3HGVIXvocHIb8WPgTjvLhzOUfwrpQTNdRAqc5xLItp1Or2CfGUg1W1GVP1AA3J4aliUa 7VTg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=o0PDYUEK; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b5si7396934plz.335.2022.01.21.14.33.40; Fri, 21 Jan 2022 14:33:56 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=o0PDYUEK; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233576AbiATTQ2 (ORCPT + 99 others); Thu, 20 Jan 2022 14:16:28 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42166 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231733AbiATTQ1 (ORCPT ); Thu, 20 Jan 2022 14:16:27 -0500 Received: from mail-yb1-xb35.google.com (mail-yb1-xb35.google.com [IPv6:2607:f8b0:4864:20::b35]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 246E3C06161C for ; Thu, 20 Jan 2022 11:16:27 -0800 (PST) Received: by mail-yb1-xb35.google.com with SMTP id l68so20158671ybl.0 for ; Thu, 20 Jan 2022 11:16:27 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=LgnhRIvXZbEoD4dNyz5NkE0CJ53Si0Wk9Up+SOzAYhA=; b=o0PDYUEKjpAJB9YJb3t9C+jB2PyVuPdaf4pkP7QzpQGjwttuO4V6bAkg6ZwhH+0o7n w6rEaAmsW34ThZTLSkfmf3+Ry8zWG5uUJWFGZsqfD68jhT+TpIg+gESR/1ui84iExdXZ pXIz89dINxbGyM1TkNJTcWtPU9VovT8UpDY+CfrT32NrUzsLxSCYHH+q11bvcZzt1FIt /m2zCZ+noC5CtDQj6TEcUJAzkGW4vAY7r5SagGWwt5ugxZktJ1VcSGmLjyp7b1yolR9l mjDjMhtbGrMh0uopZEljedyO2f15zEIvPAKr72Wezz6KjaeA8jirH9oBzuP99x+0pl1E 7Izw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=LgnhRIvXZbEoD4dNyz5NkE0CJ53Si0Wk9Up+SOzAYhA=; b=0XygXBkKmnpd9DI1yulFCaCcVzZN936DE0XkrfN2277PvB0aeYBEA9gWPEqUr3CcIt q3VyV1w5R3ZrgGuf4aYwDdbzD47Zel6/Jhjpm6ykT+IwO+YCNdd5uFNzayDXv+/6P7LY tlaWJtqFIkHNSY/qxFsD+iQTO820FtETx4OcSWTVZKGp9vK+Rw8UYSxNQv5HUHsD/9d4 pPcRBh8zZA9HNcsVu1pMnncJ0M/4IaBmHsiPQptIu2bTPSJ3gIHAAihjk3UwkLoag0R6 E7FkA+N/FQPFkv/X6+QeLbANviUMWjYVRa66a0dxaCpY3x8ICxDoB4GJ5SaJ2Po3i3nA HNdA== X-Gm-Message-State: AOAM531QSOQN3GIf/911HGkem52zNecAHf6dbwApUMY/mrw2Idqul58K V8WKX+r8kNJkqu6gq3GZ6GmWF7fFu7T2f8yau78mTg== X-Received: by 2002:a25:d055:: with SMTP id h82mr694673ybg.543.1642706186084; Thu, 20 Jan 2022 11:16:26 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: Raghavendra Rao Ananta Date: Thu, 20 Jan 2022 11:16:15 -0800 Message-ID: Subject: Re: [RFC PATCH v3 01/11] KVM: Capture VM start To: Sean Christopherson Cc: Reiji Watanabe , kvm@vger.kernel.org, Marc Zyngier , Peter Shier , linux-kernel@vger.kernel.org, Catalin Marinas , Paolo Bonzini , Will Deacon , kvmarm@lists.cs.columbia.edu, Linux ARM , Jim Mattson Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jan 19, 2022 at 4:27 PM Sean Christopherson wrote: > > On Tue, Jan 18, 2022, Reiji Watanabe wrote: > > On Tue, Jan 18, 2022 at 4:07 PM Sean Christopherson wrote: > > > > > > On Fri, Jan 14, 2022, Reiji Watanabe wrote: > > > > The restriction, with which KVM doesn't need to worry about the changes > > > > in the registers after KVM_RUN, could potentially protect or be useful > > > > to protect KVM and simplify future changes/maintenance of the KVM codes > > > > that consumes the values. > > > > > > That sort of protection is definitely welcome, the previously mentioned CPUID mess > > > on x86 would have benefit greatly by KVM being restrictive in the past. That said, > > > hooking KVM_RUN is likely the wrong way to go about implementing any restrictions. > > > Running a vCPU is where much of the vCPU's state is explicitly consumed, but it's > > > all too easy for KVM to implicity/indirectly consume state via a different ioctl(), > > > e.g. if there are side effects that are visible in other registers, than an update > > > can also be visible to userspace via KVM_{G,S}ET_{S,}REGS, at which point disallowing > > > modifying state after KVM_RUN but not after reading/writing regs is arbitrary and > > > inconsitent. > > > > Thank you for your comments ! > > I think I understand your concern, and that's a great point. > > That's not the case for those pseudo registers though at least for now :) > > BTW, is this concern specific to hooking KVM_RUN ? (Wouldn't it be the > > same for the option with "if kvm->created_vcpus > 0" ?) > > Not really? The goal with created_vcpus is to avoid having inconsistent state in > "struct kvm_vcpu" with respect to the VM as whole. "struct kvm" obvioulsy can't > be inconsistent with itself, e.g. even if userspace consumes some side effect, > that's simply "the state". Did that make sense? Hard to explain in writing :-) > > > > If possible, preventing modification if kvm->created_vcpus > 0 is ideal as it's > > > a relatively common pattern in KVM, and provides a clear boundary to userpace > > > regarding what is/isn't allowed. > > > > Yes, I agree that would be better in general. For (pseudo) registers, > > What exactly are these pseudo registers? If it's something that's an immutable > property of the (virtual) system, then it might make sense to use a separate, > non-vCPU mechanism for setting/getting their values. Then you can easily restrict > the to pre-created_vcpus, e.g. see x86's KVM_SET_IDENTITY_MAP_ADDR. > In general, these pseudo-registers are reserved non-architectural register spaces, currently being used to represent KVM-as-a-firmware's versioning across guests' migrations [1]. That is, the user-space configures these registers for the guests to see same 'firmware' versions before and after migrations. The model is built over the existing KVM_GET_REG_LIST and KVM_[SET|GET]_ONE_REG APIs. Since this series' efforts falls into the same realm, the idea was keep this consistent with the existing model to which VMMs (such as QEMU) are already used to. Granted, even though these registers should technically be immutable, there was no similar protection employed for the existing psuedo-registers. I was wondering if that could be of any value if we start providing one; But I guess not, since it may break the user-space's expectations of KVM (and probably why we didn't have it earlier). Regards, Raghavendra [1]: https://github.com/torvalds/linux/blob/master/Documentation/virt/kvm/arm/psci.rst > > I would think preventing modification if kvm->created_vcpus > 0 might > > not be a very good option for KVM/ARM though considering usage of > > KVM_GET_REG_LIST and KVM_{G,S}ET_ONE_REG.