Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp1012242iob; Fri, 13 May 2022 19:35:05 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwrxZ1s5W7JsrQ0u9uhYXX0dLJMTnq67bFvQiQxEaypEM4eiOpH78KZ/gfAAttIP25mkoks X-Received: by 2002:a5d:58d0:0:b0:20a:e9f0:aea6 with SMTP id o16-20020a5d58d0000000b0020ae9f0aea6mr6121326wrf.60.1652495705686; Fri, 13 May 2022 19:35:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1652495705; cv=none; d=google.com; s=arc-20160816; b=mnCYnNmPw0/pNdMvW5fsun9erdI/UD4x37Ss8lCKxpzMyBGc4nb0ZON4DUWM502pDu EM/B08+qC8RDyfeNShEjkBp15oF0oCHapRzMc2pYrr8TZZsvgfAQulqTmAmfrh6LA6Kb 7MlKaA60JLn9ORaL2BKhhtlwYghV/3r25lOoGCl7rS/GK6YdRCatp07NEM/CFDqp4+Rt qslH0JK4rSsJBP08Jt9bjaFTp8O1qZCz5nRnz7Lhsy5I5arfx5uw9mP1Lb98Txak72q4 R8roVuOnKYuuLPDINIHdHAEFrcYDzfUDHu+L/wH7jV5enNXj4LEXBLnFFhFxIU+OMfWG KDvg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=kfZN6PXN3cDIj6QUSkzpmoXvq4z3A1Hj8dUVdgbk/LI=; b=Y9ktYd9m4LnzGUbeGocY6neBlFiTrp2+ePbYlfk4kRN/c+NZqIzj82+5E2FBk7Mk8B 2nfMDmTDd67hKzGnQo2jGFYH5S2lf2cd+7b8CBiFaEqnnod+GlkhNX+iEn5/PW7uVkWy r5eMS2IXMxERDdvrH6HlXNCqX/DDkNXfcQSvD90dwF7gVvxMIg86NJ9qliwerIVFxbWH vbJjimHjD6/mLsTtU5KAJTBBLdNVFBETzNhWHVOiNm8FEQE5I6LDqxRLgfhXTFSgQPhK +dVhOYfnb9XoBSOp6QuuOD/qU9//A0EXDbfGNqGYaGj/TVeZRk8JqW6SHCkCwVLpUj2c hVog== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=TDmXlRAC; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id c4-20020adfe744000000b0020aefaea9f9si3365667wrn.634.2022.05.13.19.35.05 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 13 May 2022 19:35:05 -0700 (PDT) Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=TDmXlRAC; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id D357C4ED7AF; Fri, 13 May 2022 17:47:33 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1358084AbiELTfY (ORCPT + 99 others); Thu, 12 May 2022 15:35:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44454 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232168AbiELTfW (ORCPT ); Thu, 12 May 2022 15:35:22 -0400 Received: from mail-pj1-x1032.google.com (mail-pj1-x1032.google.com [IPv6:2607:f8b0:4864:20::1032]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C43C123E29E for ; Thu, 12 May 2022 12:35:21 -0700 (PDT) Received: by mail-pj1-x1032.google.com with SMTP id j10-20020a17090a94ca00b001dd2131159aso8803393pjw.0 for ; Thu, 12 May 2022 12:35:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=kfZN6PXN3cDIj6QUSkzpmoXvq4z3A1Hj8dUVdgbk/LI=; b=TDmXlRACyP52L1jGPGFOWL4byOhwal0rhKM+xO441dFXS3IuZdPlDV85V5K1j0yrPA odDZ67qDA2O6O3JFbd+WH0LQpcmMhogaJYT+wq/7HszRntXNVPXDeSk1gG08QzZRQRIW CHlDNPl4fMOaoqiWI8Phe4dM/4zcQY5u3Nc6eAWh3jfJg4zIRCPnUCYXUMs3QEhDX84q gu+blpAY5EDrIJRk0oKEA6r2HJYVePEmNySaN4Th6TkiPfm4w+kWRDX7DllWMSaIN2l8 6kGOMXnjEhn5ERdzY4qMgzI+UhM3IbSbengxwejfbRcVwb/k2PpeHOn5zgF1HWH89dza nEwg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=kfZN6PXN3cDIj6QUSkzpmoXvq4z3A1Hj8dUVdgbk/LI=; b=g57X+XiuTdb+1Uyimqz6BMuX67/rc8FX1Fo7ivYKbrOodqDkC4wooUHuOQ3jtgdGdE hjUa++PVNt7slEsVsn5qxiEb0D9Ayq+qmcYHHOef0KOHSwylNWdrKoT1xZ424ogkKaPa aAKi2HtgZEOPd9Jk3XREHQLwTgEZS/00PItIY0d3VREzU/+c0/VXgn+Esl2WeXxt/04z Yo39H9Y8dmX0xMS8keQ+BcmgCr2DDwxSSgWn3SvVEyPMR91uyEyKJdgFgnp6CmxUcdU8 TreM/IUkVIqs3AyjfRqJ+lsYXumREPC9eqQdQkrA/h3LfgLn/aoAh1jApEIZy55DNKGQ /xoQ== X-Gm-Message-State: AOAM531VR6UxgwIHpTI4dFhabumO/pYrXtCMl7+Wke6gXpOaV7sxzXoh nL3rrsAEPrkiz8GXIJq0RKD3WA== X-Received: by 2002:a17:903:22cb:b0:15e:d715:1bd8 with SMTP id y11-20020a17090322cb00b0015ed7151bd8mr1319276plg.159.1652384121012; Thu, 12 May 2022 12:35:21 -0700 (PDT) Received: from google.com (157.214.185.35.bc.googleusercontent.com. [35.185.214.157]) by smtp.gmail.com with ESMTPSA id p187-20020a62d0c4000000b0050dc7628135sm226616pfg.15.2022.05.12.12.35.20 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 12 May 2022 12:35:20 -0700 (PDT) Date: Thu, 12 May 2022 19:35:16 +0000 From: Sean Christopherson To: Jon Kohler Cc: Jonathan Corbet , Paolo Bonzini , Vitaly Kuznetsov , Wanpeng Li , Jim Mattson , Joerg Roedel , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , x86@kernel.org, "H. Peter Anvin" , Kees Cook , Andrea Arcangeli , Josh Poimboeuf , Kim Phillips , Lukas Bulwahn , Peter Zijlstra , Ashok Raj , KarimAllah Ahmed , David Woodhouse , linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, kvm@vger.kernel.org, Waiman Long Subject: Re: [PATCH v4] x86/speculation, KVM: remove IBPB on vCPU load Message-ID: References: <20220512184514.15742-1-jon@nutanix.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-9.5 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE, USER_IN_DEF_DKIM_WL autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, May 12, 2022, Sean Christopherson wrote: > On Thu, May 12, 2022, Jon Kohler wrote: > > Remove IBPB that is done on KVM vCPU load, as the guest-to-guest > > attack surface is already covered by switch_mm_irqs_off() -> > > cond_mitigation(). > > > > The original commit 15d45071523d ("KVM/x86: Add IBPB support") was simply > > wrong in its guest-to-guest design intention. There are three scenarios > > at play here: > > Jim pointed offline that there's a case we didn't consider. When switching between > vCPUs in the same VM, an IBPB may be warranted as the tasks in the VM may be in > different security domains. E.g. the guest will not get a notification that vCPU0 is > being swapped out for vCPU1 on a single pCPU. > > So, sadly, after all that, I think the IBPB needs to stay. But the documentation > most definitely needs to be updated. > > A per-VM capability to skip the IBPB may be warranted, e.g. for container-like > use cases where a single VM is running a single workload. Ah, actually, the IBPB can be skipped if the vCPUs have different mm_structs, because then the IBPB is fully redundant with respect to any IBPB performed by switch_mm_irqs_off(). Hrm, though it might need a KVM or per-VM knob, e.g. just because the VMM doesn't want IBPB doesn't mean the guest doesn't want IBPB. That would also sidestep the largely theoretical question of whether vCPUs from different VMs but the same address space are in the same security domain. It doesn't matter, because even if they are in the same domain, KVM still needs to do IBPB.