Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp6105665iob; Tue, 10 May 2022 10:24:54 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyNNLBVRDMcjmUb19LlxfPWwhj+66gnb8kh954aUrvTI56T1n6X0JTleli589G9DoZWo7/v X-Received: by 2002:a17:906:1c12:b0:6f3:9eed:e0 with SMTP id k18-20020a1709061c1200b006f39eed00e0mr21124831ejg.656.1652203494055; Tue, 10 May 2022 10:24:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1652203494; cv=none; d=google.com; s=arc-20160816; b=IG+Udb5maPh6XmZwZJ077tivDWrB14I714cHa0fcbts7Na9gN0jmafFUmYugrM8eTj 7pYB8K5EZB4zMFrcjC5s1ZYNSZB58Wx23RKu/qTquhggmaKDbphVJOrtT6KGF0iJvvPn 51nVrX9u8l3HTaUNS00c0eVZ/nPlaVR0WWuybYSnwUotjkvOZxzjfw+hWgn1KpxkuRk0 3HXu6WRkByGE0yhapu2qqhn0qFqBK3PrtbmRCLFTgjcXskMM/nX1f6jfa3PgOkcYj9OM FWArHLgTLtr9na0cmixtDFqRGZqloqTqSAo8+kmZ0A63YCHUbUJajakeDrAzFFctKSb9 o3Kg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=gfpjV8IALC9FJVn33em1iNVzqEpeGBseY180FMbd8Ow=; b=s1Gha1jzbWQRN1QQwkTWHNzd4FNlbys2lbd42d0ABgKXMCCjY1rEPO0W9FsmiSlIS9 q/+9pTzSV162VAR38hm/sG5D8J1IakD/x2/ikf+501OaRgAGUPW0sSOo4Zjvh+DJykzT Z2DoI+3X+BQsyGuU5RFGMBhcqFHUAaKKpqZaIerBjsSU5GLDeJXN3D5qMRGdPxV9QLPA 06LRZLvhtbfZh4plU3U/IRipGD8BJXmVGegkEoE+YW6ABziBEKOLueOIsQDQLY1Q6U2p 8VLJLyFss5rtpmrXHlwHmnfDwIe3+E1inCPJbLuZeUlz+b5MasB0JHvBXN3ZdwiX9pQI kKOg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=WiHjV1Bm; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id hr29-20020a1709073f9d00b006f3cea934edsi20458889ejc.917.2022.05.10.10.24.29; Tue, 10 May 2022 10:24:54 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=WiHjV1Bm; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1346966AbiEJQC7 (ORCPT + 99 others); Tue, 10 May 2022 12:02:59 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50372 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1347623AbiEJP5y (ORCPT ); Tue, 10 May 2022 11:57:54 -0400 Received: from mail-pf1-x431.google.com (mail-pf1-x431.google.com [IPv6:2607:f8b0:4864:20::431]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4F26C2B033D for ; Tue, 10 May 2022 08:50:37 -0700 (PDT) Received: by mail-pf1-x431.google.com with SMTP id bo5so15280275pfb.4 for ; Tue, 10 May 2022 08:50:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=gfpjV8IALC9FJVn33em1iNVzqEpeGBseY180FMbd8Ow=; b=WiHjV1BmyyNgau3dtoPNO9BFYoSW3ODWrDGqHWLJzczmgkziq9lKDze3/+3u36SK4z P7gSeY8DT4ugkQneFF+5GPFbUhUvCLLPB8Ywc8ahh7mq8JDL483utRzqZ2KbeC6CA63A h9FdIysAawhAqcvTPyJEFK4ZAuGmLwpybu5jhDBZU8suS3Ku61+0o2SvSo+QYGv+MVEt LnZu9nwvZYvUBXaV1VCx3mCMiWkmIVJynDySDY0v1ZOtLa2aQOZiDOxSox0zDEz0CgBm vl+U2krr59IK9ZbN71JrixmQbyjiXmWVaw1SDaZEsa8HK51l8toG9cswPLXti+ti2/N7 mnKQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=gfpjV8IALC9FJVn33em1iNVzqEpeGBseY180FMbd8Ow=; b=mkpSrn733GAI1pAg/yHNnE1yrOdr27y3ybr8lq6NTIGhZ+rXwq2fx/wUq6dz6DLfAA m7EjZCoRMDP4D5f3LCmrg+TJNLQHrfhmqRgcinMrl4+mDeK5vdjrkp7RZnVcAKB3QHUr /C5pPh2zK88IUcZDutAr/scz3tEceIE0vtF6K5HGyLIAXZWVRNGIWVXHByKNQzGKQJAH 1m+gu5rpFjIgavKvxbmYcHqb1Ve/b8nXDPktlRHmB3V8zrDJdLTtHyRdqYePczguzKel ADCiaWQRzl8YXfHKFzwA7pBo4hK1J4MC9UPs/YqIWhkvHXDrOQ/2Sw2fCtiQHa0oGtDd znBg== X-Gm-Message-State: AOAM531ZxFCu96p+7E4oCt3xz0yuGJsKgynd0P84d6WMxtyW6Wj6V0aL U57Bf6fGEpv0R4uh5G1PmE9H/w== X-Received: by 2002:a65:6aa3:0:b0:3ab:23fb:adae with SMTP id x3-20020a656aa3000000b003ab23fbadaemr17341359pgu.278.1652197835222; Tue, 10 May 2022 08:50:35 -0700 (PDT) Received: from google.com (157.214.185.35.bc.googleusercontent.com. [35.185.214.157]) by smtp.gmail.com with ESMTPSA id x2-20020a623102000000b0050dc76281easm10879795pfx.196.2022.05.10.08.50.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 May 2022 08:50:34 -0700 (PDT) Date: Tue, 10 May 2022 15:50:31 +0000 From: Sean Christopherson To: Jon Kohler Cc: Borislav Petkov , Thomas Gleixner , Ingo Molnar , Dave Hansen , "x86@kernel.org" , "H. Peter Anvin" , Paolo Bonzini , Vitaly Kuznetsov , Wanpeng Li , Jim Mattson , Joerg Roedel , Josh Poimboeuf , Peter Zijlstra , Balbir Singh , Kim Phillips , "linux-kernel@vger.kernel.org" , "kvm@vger.kernel.org" , Andrea Arcangeli , Kees Cook , Waiman Long Subject: Re: [PATCH v3] x86/speculation, KVM: only IBPB for switch_mm_always_ibpb on vCPU load Message-ID: References: <4E46337F-79CB-4ADA-B8C0-009E7500EDF8@nutanix.com> <520D7CBE-55FA-4EB9-BC41-9E8D695334D1@nutanix.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <520D7CBE-55FA-4EB9-BC41-9E8D695334D1@nutanix.com> X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, May 10, 2022, Jon Kohler wrote: > > > On May 10, 2022, at 10:44 AM, Sean Christopherson wrote: > > > > On Sat, Apr 30, 2022, Borislav Petkov wrote: > >> But I'm likely missing a virt aspect here so I'd let Sean explain what > >> the rules are... > > > > I don't think you're missing anything. I think the original 15d45071523d ("KVM/x86: > > Add IBPB support") was simply wrong. > > > > As I see it: > > > > 1. If the vCPUs belong to the same VM, they are in the same security domain and > > do not need an IPBP. > > > > 2. If the vCPUs belong to different VMs, and each VM is in its own mm_struct, > > defer to switch_mm_irqs_off() to handle IBPB as an mm switch is guaranteed to > > occur prior to loading a vCPU belonging to a different VMs. > > > > 3. If the vCPUs belong to different VMs, but multiple VMs share an mm_struct, > > then the security benefits of an IBPB when switching vCPUs are dubious, at best. > > > > If we only consider #1 and #2, then KVM doesn't need an IBPB, period. > > > > #3 is the only one that's a grey area. I have no objection to omitting IBPB entirely > > even in that case, because none of us can identify any tangible value in doing so. > > Thanks, Sean. Our messages crossed in flight, I sent a reply to your earlier message > just a bit ago. This is super helpful to frame this up. > > What would you think framing the patch like this: > > x86/speculation, KVM: remove IBPB on vCPU load > > Remove IBPB that is done on KVM vCPU load, as the guest-to-guest > attack surface is already covered by switch_mm_irqs_off() -> > cond_mitigation(). > > The original 15d45071523d ("KVM/x86: Add IBPB support") was simply wrong in > its guest-to-guest design intention. There are three scenarios at play > here: > > 1. If the vCPUs belong to the same VM, they are in the same security > domain and do not need an IPBP. > 2. If the vCPUs belong to different VMs, and each VM is in its own mm_struct, > switch_mm_irqs_off() will handle IBPB as an mm switch is guaranteed to > occur prior to loading a vCPU belonging to a different VMs. > 3. If the vCPUs belong to different VMs, but multiple VMs share an mm_struct, > then the security benefits of an IBPB when switching vCPUs are dubious, > at best. > > Issuing IBPB from KVM vCPU load would only cover #3, but there are no Just to hedge, there are no _known_ use cases. > real world tangible use cases for such a configuration. and I would further qualify this with: but there are no known real world, tangible use cases for running multiple VMs belonging to different security domains in a shared address space. Running multiple VMs in a single address space is plausible and sane, _if_ they are all in the same security domain or security is not a concern. That way the statement isn't invalidated if someone pops up with a use case for running multiple VMs but has no security story. Other than that, LGTM. > If multiple VMs > are sharing an mm_structs, prediction attacks are the least of their > security worries. > > Fixes: 15d45071523d ("KVM/x86: Add IBPB support") > (Reviewedby/signed of by people here) > (Code change simply whacks IBPB in KVM vmx/svm and thats it) > > >