From: Jim Mattson
Date: Thu, 7 Jul 2022 16:12:44 -0700
Subject: Re: [PATCH v2 22/28] KVM: VMX: Clear controls obsoleted by EPT at runtime, not setup
To: Sean Christopherson
Cc: Vitaly Kuznetsov, kvm@vger.kernel.org, Paolo Bonzini, Anirudh Rayabharam, Wanpeng Li, Maxim Levitsky, linux-hyperv@vger.kernel.org, linux-kernel@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jul 7, 2022 at 2:39 PM Sean Christopherson wrote:
>
> On Thu, Jul 07, 2022, Jim Mattson wrote:
> > On Thu, Jul 7, 2022 at 12:30 PM Sean Christopherson wrote:
> > >
> > > On Thu, Jul 07, 2022, Vitaly Kuznetsov wrote:
> > > > Jim Mattson writes:
> > > >
> > > > > On Wed, Jun 29, 2022 at 8:07 AM Vitaly Kuznetsov wrote:
> > > > >>
> > > > >> From: Sean Christopherson
> > > > >>
> > > > >> Clear the CR3 and INVLPG interception controls at runtime based on
> > > > >> whether or not EPT is being _used_, as opposed to clearing the bits at
> > > > >> setup if EPT is _supported_ in hardware, and then restoring them when EPT
> > > > >> is not used. Not mucking with the base config will allow using the base
> > > > >> config as the starting point for emulating the VMX capability MSRs.
> > > > >>
> > > > >> Signed-off-by: Sean Christopherson
> > > > >> Signed-off-by: Vitaly Kuznetsov
> > > > >
> > > > > Nit: These controls aren't "obsoleted" by EPT; they're just no longer
> > > > > required.
> >
> > Actually, they're still required if unrestricted guest isn't supported.
> >
> > > Isn't that the definition of "obsolete"? They're "no longer in use" when KVM
> > > enables EPT.
> >
> > There are still reasons to use them aside from shadow page table
> > maintenance. For example, malware analysis may be interested in
> > intercepting CR3 changes to track process context (and to
> > enable/disable costly monitoring). EPT doesn't render these events
> > "obsolete," because you can't intercept these events using EPT.
>
> Fair enough, I was using "EPT" in the "KVM is using EPT" sense. But even that's
> wrong as KVM intercepts CR3 accesses when EPT is enabled, but unrestricted guest
> is disabled and the guest disables paging.

MOV-to-CR3 is also a required intercept for allow_smaller_maxphyaddr,
when the guest is in PAE mode. So, that one, at least, isn't anywhere
near obsolete. :-)

> Vitaly, since the CR3 fields are still technically "needed", maybe just be
> explicit?
>
> KVM: VMX: Adjust CR3/INVPLG interception for EPT=y at runtime, not setup
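
The intercept conditions raised in this thread, modeled as an added example (this is not KVM's code and not from any participant in the thread). The struct, function name and sample base value are hypothetical; the three control bits use the Intel SDM bit positions, and the base config is left untouched while the runtime value is derived from it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Primary processor-based VM-execution control bits (Intel SDM numbering). */
#define HLT_EXITING       (1u << 7)   /* unrelated bit, must survive */
#define INVLPG_EXITING    (1u << 9)
#define CR3_LOAD_EXITING  (1u << 15)
#define CR3_STORE_EXITING (1u << 16)
/* Constructed base config for the demo, not read from real hardware. */
#define SAMPLE_BASE (HLT_EXITING | INVLPG_EXITING | CR3_LOAD_EXITING | CR3_STORE_EXITING)

/* Hypothetical model of the state discussed in the thread. */
struct vm_state {
    bool ept_used;                 /* EPT in use, not merely supported */
    bool unrestricted_guest;
    bool guest_paging;             /* guest has paging enabled */
    bool guest_pae;                /* guest is in PAE mode */
    bool allow_smaller_maxphyaddr;
};

/* Derive the runtime controls from the base config without modifying it. */
static uint32_t runtime_exec_controls(uint32_t base, const struct vm_state *s)
{
    uint32_t ctl = base;

    if (!s->ept_used)
        return ctl;                /* no EPT: all three intercepts stay */

    /* EPT is being used: drop the CR3 and INVLPG intercepts by default. */
    ctl &= ~(CR3_LOAD_EXITING | CR3_STORE_EXITING | INVLPG_EXITING);

    /* EPT on, unrestricted guest off, guest disabled paging: CR3 accesses
     * are intercepted again. */
    if (!s->unrestricted_guest && !s->guest_paging)
        ctl |= base & (CR3_LOAD_EXITING | CR3_STORE_EXITING);

    /* allow_smaller_maxphyaddr with a PAE guest: MOV-to-CR3 is intercepted. */
    if (s->allow_smaller_maxphyaddr && s->guest_pae)
        ctl |= base & CR3_LOAD_EXITING;

    return ctl;
}

int main(void)
{
    struct vm_state s = { .ept_used = true, .unrestricted_guest = true,
                          .guest_paging = true, .guest_pae = true,
                          .allow_smaller_maxphyaddr = true };
    printf("base=0x%x runtime=0x%x\n", (unsigned)SAMPLE_BASE,
           (unsigned)runtime_exec_controls(SAMPLE_BASE, &s));
    return 0;
}
```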