Received: by 2002:a6b:fb09:0:0:0:0:0 with SMTP id h9csp733940iog;
        Thu, 30 Jun 2022 09:08:41 -0700 (PDT)
X-Google-Smtp-Source: AGRyM1urJhYVyfqgK4XsMIc3g0s+7cxi5b/sc5qVwkxnmZ3zsme5S8z8WeITShqsqtg6Xng2vdrk
X-Received: by 2002:a05:6402:1910:b0:435:ccca:1d8c with SMTP id e16-20020a056402191000b00435ccca1d8cmr12768995edz.211.1656605321181;
        Thu, 30 Jun 2022 09:08:41 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1656605321; cv=none;
        d=google.com; s=arc-20160816;
        b=oSf7kEhgkbPYa0EEKMRqlkmjcUxJXO1JN4/JpZ9ndhX46zvyiYV06zJyg30Vg3xhH8
         6qfiAk6pobiBVvGkTNYg1+OoVoPxCrghijVKh6c2S1a/X6wrrfMhzPI96GiGzlx0j6zC
         czmyHJ+gKdqucVUtj3NDzinF7tyaqyQIGC+Ra5q1RCrqERb5DZ52llXsZ8u7cIezvZ0m
         BGkVNurjGmjp16FHXpOd+NfBTrwcWnrc57ThWOB7eioY1i1yJV1jLKfM0l8YxgNTN4+Y
         Cx7In4lrEM7tR+9hlLxsAJAbO011rNzgo7EOjSe7/o4uQbeqWJze967bj9avRkwSJBgY
         KTPg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:dkim-signature;
        bh=xgBbKieDiC7Mnkk7RkqR7SZbMT1idh4KZCFyw9gKf4Y=;
        b=dgdvWY+xVI3ACKU+6Sf/UPugLYVdRfF6+RfKxxhZsohFDaAUVgwIsd3Ef5SPLhCVEA
         6UJFBTwXgFv7WoHKNIjzGrsgW37i1kOt1H+cFUvNm4cgpydbStDV+gZOWB+rlzJtZca3
         08dZEzyV8GbtJxbMI4vHwp6rllETwzac2IEymivBGCkMXD6CXpgJ8uZxdUJX25vzr5Wi
         neWAj3Kb1OPZYUX4EoKr+MEU5Tzr/3kzZHPmQLL9nFNLBOkH94vDmp42VGJW+u4Nrqvb
         v6c0njbNhlclnbyvizhZHX7ZBxprdSA1uXos61spcWJTBmCDaJDY4A65xYen6pifLNnN
         2qVg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20210112 header.b=ku3hrIfI;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id v1-20020a50d081000000b0043572b5ef82si1179806edd.546.2022.06.30.09.08.15;
        Thu, 30 Jun 2022 09:08:41 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20210112 header.b=ku3hrIfI;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S236280AbiF3QBH (ORCPT <rfc822;aleksandr.v.piskunov@gmail.com>
        + 99 others); Thu, 30 Jun 2022 12:01:07 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39060 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S235713AbiF3QBF (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 30 Jun 2022 12:01:05 -0400
Received: from mail-oa1-x31.google.com (mail-oa1-x31.google.com [IPv6:2001:4860:4864:20::31])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 567D0205F3
        for <linux-kernel@vger.kernel.org>; Thu, 30 Jun 2022 09:01:04 -0700 (PDT)
Received: by mail-oa1-x31.google.com with SMTP id 586e51a60fabf-fb6b4da1dfso26395815fac.4
        for <linux-kernel@vger.kernel.org>; Thu, 30 Jun 2022 09:01:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20210112;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=xgBbKieDiC7Mnkk7RkqR7SZbMT1idh4KZCFyw9gKf4Y=;
        b=ku3hrIfINU9Gz6j8NGGS8tEzEjIt945AWd286RiwiyhiB+M3vBwVxOO7Q7EW6jUV7m
         msAjfB8cyE2oOxPd1l/4xwbQ46dD5JhCRYdI+5ReKNcMnmvJJJ2YdoZETJ3HWJcJixHO
         2TDSuMgiixgv1nNXaQs9/wzTz1sLy6Nt0ycyUwTHa1shKUnBrsQjkGUHaznvxLFnO1+c
         RDiCatJYGDyaSiPpWJdW+6T5PZhkIPidNplRzy6W2wLGFDq124r0EyyHOicDvVdM23HM
         q8k/qthmHfmGYUvT36IIm8CJg8t+3ufupoIjfF+xk6P6Ufeg6TIBR53LucRwj0qngXN9
         zKIA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=xgBbKieDiC7Mnkk7RkqR7SZbMT1idh4KZCFyw9gKf4Y=;
        b=bHCIEPvGLiL1k0uY+M9GlircQqkbuvDITZuuPeo0eNgq9eJtb8cppodeQNdKgXdYKT
         y0+bJfjpqimr41MbaW9dLgamTpjxMQEourHWLFWbMqOBRSrFFzosQO2L8OOZ7cl9Oyrp
         0L/5Ih+P2DJPJFoKuZ9XaN0tGoOFMBvpopO9KJUTXz9OYXho/7ohItucvs7pTGKcwVus
         Y9SRQBYFjBryfXoyvISNrHHGBm5VAC8Mq0RQKNgoNO+Zc7nTsqUnSLNOBHeaIndBxt1O
         BZnPo6oHV569iFJhPab4dzHMmJVDTC2qDA8SF2xSqombMgV7d2vD4e+l6YZCskhp0a4J
         2jhA==
X-Gm-Message-State: AJIora+3OH2DRqj1LShPZHziOsVi3AFyShEkK0XRyIh830Iq1gLS9anP
        pK/1/XEv01zkkvyLxEcyK5UOFL02sjV52BD+LhZkEQ==
X-Received: by 2002:a05:6870:c596:b0:101:6409:ae62 with SMTP id
 ba22-20020a056870c59600b001016409ae62mr6901331oab.112.1656604863408; Thu, 30
 Jun 2022 09:01:03 -0700 (PDT)
MIME-Version: 1.0
References: <20220621150902.46126-1-mlevitsk@redhat.com> <20220621150902.46126-12-mlevitsk@redhat.com>
 <CALMp9eSe5jtvmOPWLYCcrMmqyVBeBkg90RwtR4bwxay99NAF3g@mail.gmail.com> <42da1631c8cdd282e5d9cfd0698b6df7deed2daf.camel@redhat.com>
In-Reply-To: <42da1631c8cdd282e5d9cfd0698b6df7deed2daf.camel@redhat.com>
From:   Jim Mattson <jmattson@google.com>
Date:   Thu, 30 Jun 2022 09:00:52 -0700
Message-ID: <CALMp9eRNZ8D5aRyUEkc7CORz-=bqzfVCSf6nOGZhqQfWfte0dw@mail.gmail.com>
Subject: Re: [PATCH v2 11/11] KVM: x86: emulator/smm: preserve interrupt
 shadow in SMRAM
To:     Maxim Levitsky <mlevitsk@redhat.com>
Cc:     kvm@vger.kernel.org, Sean Christopherson <seanjc@google.com>,
        x86@kernel.org, Kees Cook <keescook@chromium.org>,
        Dave Hansen <dave.hansen@linux.intel.com>,
        linux-kernel@vger.kernel.org, "H. Peter Anvin" <hpa@zytor.com>,
        Borislav Petkov <bp@alien8.de>, Joerg Roedel <joro@8bytes.org>,
        Ingo Molnar <mingo@redhat.com>,
        Paolo Bonzini <pbonzini@redhat.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        Vitaly Kuznetsov <vkuznets@redhat.com>,
        Wanpeng Li <wanpengli@tencent.com>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,
        ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,
        T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Jun 29, 2022 at 11:00 PM Maxim Levitsky <mlevitsk@redhat.com> wrote:
>
> On Wed, 2022-06-29 at 09:31 -0700, Jim Mattson wrote:
> > On Tue, Jun 21, 2022 at 8:09 AM Maxim Levitsky <mlevitsk@redhat.com> wrote:
> > > When #SMI is asserted, the CPU can be in interrupt shadow
> > > due to sti or mov ss.
> > >
> > > It is not mandatory in  Intel/AMD prm to have the #SMI
> > > blocked during the shadow, and on top of
> > > that, since neither SVM nor VMX has true support for SMI
> > > window, waiting for one instruction would mean single stepping
> > > the guest.
> > >
> > > Instead, allow #SMI in this case, but both reset the interrupt
> > > window and stash its value in SMRAM to restore it on exit
> > > from SMM.
> > >
> > > This fixes rare failures seen mostly on windows guests on VMX,
> > > when #SMI falls on the sti instruction which mainfest in
> > > VM entry failure due to EFLAGS.IF not being set, but STI interrupt
> > > window still being set in the VMCS.
> >
> > I think you're just making stuff up! See Note #5 at
> > https://sandpile.org/x86/inter.htm.
> >
> > Can you reference the vendors' documentation that supports this change?
> >
>
> First of all, just to note that the actual issue here was that
> we don't clear the shadow bits in the guest interruptability field
> in the vmcb on SMM entry, that triggered a consistency check because
> we do clear EFLAGS.IF.
> Preserving the interrupt shadow is just nice to have.
>
>
> That what Intel's spec says for the 'STI':
>
> "The IF flag and the STI and CLI instructions do not prohibit the generation of exceptions and nonmaskable inter-
> rupts (NMIs). However, NMIs (and system-management interrupts) may be inhibited on the instruction boundary
> following an execution of STI that begins with IF = 0."
>
> Thus it is likely that #SMI are just blocked when in shadow, but it is easier to implement
> it this way (avoids single stepping the guest) and without any user visable difference,
> which I noted in the patch description, I noted that there are two ways to solve this,
> and preserving the int shadow in SMRAM is just more simple way.

It's not true that there is no user-visible difference. In your
implementation, the SMI handler can see that the interrupt was
delivered in the interrupt shadow.

The right fix for this problem is to block SMI in an interrupt shadow,
as is likely the case for all modern CPUs.

>
> As for CPUS that neither block SMI nor preserve the int shadaw, in theory they can, but that would
> break things, as noted in this mail
>
> https://lore.kernel.org/lkml/1284913699-14986-1-git-send-email-avi@redhat.com/
>
> It is possible though that real cpu supports HLT restart flag, which makes this a non issue,
> still. I can't rule out that a real cpu doesn't preserve the interrupt shadow on SMI, but
> I don't see why we can't do this to make things more robust.

Because, as I said, I think you're just making stuff up...unless, of
course, you have documentation to back this up.