Received: by 2002:ac0:e34a:0:0:0:0:0 with SMTP id g10csp706649imn;
        Thu, 28 Jul 2022 13:18:56 -0700 (PDT)
X-Google-Smtp-Source: AGRyM1v+B/RN+rHN1qb3YT6pwqxbx1mRhnvhH6945cxMPUYH8KjB0IOWvL6bOVpF/zuHdbxD2mzM
X-Received: by 2002:a17:907:272a:b0:72b:8cd9:9ddd with SMTP id d10-20020a170907272a00b0072b8cd99dddmr426107ejl.299.1659039536175;
        Thu, 28 Jul 2022 13:18:56 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1659039536; cv=none;
        d=google.com; s=arc-20160816;
        b=V6HGSXUV9GLTkpiRGXhlBm19vwy/O02hR1wo28K2sL3L3RR65gvVH4TTDXI6sU5P+A
         p2zG8hufcjjvmYvOHhCyU5Nf8dFywMyuUeNhuUgmFZ4eM0IuVxWKmBVLG3/Qzj8YuBIc
         vtXSWk1gBj47237yoyAxPi8tzUH3KHCe4uNzHOOeqpFYUY+JRuZyJyqnB1CmToYjJRHu
         c1j5yIvX/OfwjZAO0Z98oKGwfKwDGdvZ0OqOWgdCAwjTaO0t/pM0G/EGMxHwOo7wZw7g
         sefc/KabsHJ18QnOVQbl/0JtWse8wdRIicUDHi2ZW0XjuabdA36PoeuCtvpXX0oyslIG
         Y72A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=EplIlrIeqL3qzFgDUGxCxRqOfq3c4zp3SLt5PE7mwGU=;
        b=N2bIoH4S1l6yyrv4MMAorX4KkxmCffHAI5R2eY1F3kXGPfgK6p+ViYKgQjUP72uUIM
         wku9yYdAw9ZVCJuOj6c//ij5HMBLtuu81Dv5Cu0M8G2EJ/r7InktS609L6Cue8sBDXuP
         QJvA/gfYWbyHwWFmk+TuirYWk1ULRxGL657qZmFwbOYdVOGBnq4xUK80qFUAj6cZeQF4
         wldiNxfcfipMWVEOspbZs30fWr/v2LUFoD9PLQ808j5tcM8A69RzUYUC4Qnza8RyGPHT
         t4LgW3x4iSlEXoaPIzJ0IYIxC30Ag0GK0/jjpxdWSpV/0HBk4Qc3XHJQA1uJ4lGbp/k0
         vXAQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20210112 header.b=W1MroCyi;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id t28-20020a508d5c000000b0043bfc7006b0si1477191edt.234.2022.07.28.13.18.32;
        Thu, 28 Jul 2022 13:18:56 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20210112 header.b=W1MroCyi;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231455AbiG1UMK (ORCPT <rfc822;allanliu55@gmail.com> + 99 others);
        Thu, 28 Jul 2022 16:12:10 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50830 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230060AbiG1UMG (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 28 Jul 2022 16:12:06 -0400
Received: from mail-pg1-x52e.google.com (mail-pg1-x52e.google.com [IPv6:2607:f8b0:4864:20::52e])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8ACA074E0C
        for <linux-kernel@vger.kernel.org>; Thu, 28 Jul 2022 13:12:05 -0700 (PDT)
Received: by mail-pg1-x52e.google.com with SMTP id q16so2373026pgq.6
        for <linux-kernel@vger.kernel.org>; Thu, 28 Jul 2022 13:12:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20210112;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:from:to:cc;
        bh=EplIlrIeqL3qzFgDUGxCxRqOfq3c4zp3SLt5PE7mwGU=;
        b=W1MroCyit8k2GJt5siN1t1/3CC0b3RU0K4uhewMrN4VENd5nCC/xUkSSW/labnEngm
         EbpKboOZXG/G30FXhtu8p7X3zS3WEl6xSOO3rqi+/Abt5c/YVgow09Q85Xn7up7TwlyK
         dUCeZCwZKFnCb8d95f97S99XoOSqMUvxu5xebBv29M+++v2YlNFp4WWACtcDoEP5Mik0
         0JUf9sXG7v7Q8p1dlPRRsreuYMKiCPCJ0ARFjIU85WPUeAZPV5tbynXC1q2J9kwyP2gw
         Yrl0oadQB6gF1iKWkvzuUkTrBejb6f0KyRML3Cm7Ye55dCra8csNTlX25/WV1/9AAswE
         Y+sA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:x-gm-message-state:from:to:cc;
        bh=EplIlrIeqL3qzFgDUGxCxRqOfq3c4zp3SLt5PE7mwGU=;
        b=3usNi/a0zVAoR5uJ4ZMFZbE1Qp/KskZETnvvRO1P5HcLABhCUc83zGgk53SF/rL9vg
         mdBoE5dhQ9sN6gtNFYPoB//T6DfJa3YL64YDhBk/A5RV9oOKPxEGHmuBl7rUUTHT3l4Y
         nF8nTygUmXEAEsPSXTpWdivbuIaetqBycV1ArxeN8GR9wrcXbPJsOMGwZSBAADxeKIA8
         3mpcKNkPXt0FWPHCVv3zu2dsOMNuPoP8WniGvmTBGU8GKyZqnOCkqyDhhZ2vnx6rVMma
         kdh2CKNEGZ9yNCQSHvuzalTpO6B9fF6vJUW8D5gWHx8SU8irgGhXkLnQDMuPunADHTE+
         jtYw==
X-Gm-Message-State: AJIora9E/zcP55XvDMxIjeT4VFgTYcsAk41Owa00u/uqKi5RlDkd/MdB
        FMxpisvRkXxaBbSFwn0NyJ83EQ==
X-Received: by 2002:a05:6a00:1c54:b0:52b:a70e:8207 with SMTP id s20-20020a056a001c5400b0052ba70e8207mr227874pfw.48.1659039124699;
        Thu, 28 Jul 2022 13:12:04 -0700 (PDT)
Received: from google.com (7.104.168.34.bc.googleusercontent.com. [34.168.104.7])
        by smtp.gmail.com with ESMTPSA id rv2-20020a17090b2c0200b001f280153b4dsm4296251pjb.47.2022.07.28.13.12.03
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 28 Jul 2022 13:12:03 -0700 (PDT)
Date:   Thu, 28 Jul 2022 20:11:59 +0000
From:   Sean Christopherson <seanjc@google.com>
To:     Kai Huang <kai.huang@intel.com>
Cc:     Isaku Yamahata <isaku.yamahata@gmail.com>,
        isaku.yamahata@intel.com, kvm@vger.kernel.org,
        linux-kernel@vger.kernel.org, Paolo Bonzini <pbonzini@redhat.com>
Subject: Re: [PATCH v7 041/102] KVM: VMX: Introduce test mode related to EPT
 violation VE
Message-ID: <YuLtj4/pgUZBc6f9@google.com>
References: <cover.1656366337.git.isaku.yamahata@intel.com>
 <cadf3221e3f7b911c810f15cfe300dd5337a966d.1656366338.git.isaku.yamahata@intel.com>
 <52915310c9118a124da2380daf3d753a818de05e.camel@intel.com>
 <20220719144936.GX1379820@ls.amr.corp.intel.com>
 <9945dbf586d8738b7cf0af53bfb760da9eb9e882.camel@intel.com>
 <20220727233955.GC3669189@ls.amr.corp.intel.com>
 <af9e3b06ba9e16df4bfd768dfdd78f2e0277cbe5.camel@intel.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <af9e3b06ba9e16df4bfd768dfdd78f2e0277cbe5.camel@intel.com>
X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,
        ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,
        USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jul 28, 2022, Kai Huang wrote:
> On Wed, 2022-07-27 at 16:39 -0700, Isaku Yamahata wrote:
> > On Wed, Jul 20, 2022 at 05:13:08PM +1200,
> > Kai Huang <kai.huang@intel.com> wrote:
> > 
> > > On Tue, 2022-07-19 at 07:49 -0700, Isaku Yamahata wrote:
> > > > On Fri, Jul 08, 2022 at 02:23:43PM +1200,
> > > > Kai Huang <kai.huang@intel.com> wrote:
> > > > 
> > > > > On Mon, 2022-06-27 at 14:53 -0700, isaku.yamahata@intel.com wrote:
> > > > > > From: Isaku Yamahata <isaku.yamahata@intel.com>
> > > > > > 
> > > > > > To support TDX, KVM is enhanced to operate with #VE.  For TDX, KVM programs
> > > > > > to inject #VE conditionally and set #VE suppress bit in EPT entry.  For VMX
> > > > > > case, #VE isn't used.  If #VE happens for VMX, it's a bug.  To be
> > > > > > defensive (test that VMX case isn't broken), introduce option
> > > > > > ept_violation_ve_test and when it's set, set error.
> > > > > 
> > > > > I don't see why we need this patch.  It may be helpful during your test, but why
> > > > > do we need this patch for formal submission?
> > > > > 
> > > > > And for a normal guest, what prevents one vcpu from sending #VE IPI to another
> > > > > vcpu?
> > > > 
> > > > Paolo suggested it as follows.  Maybe it should be kernel config.
> > > > (I forgot to add suggested-by. I'll add it)
> > > > 
> > > > https://lore.kernel.org/lkml/84d56339-4a8a-6ddb-17cb-12074588ba9c@redhat.com/
> > > > 
> > > > > 
> > > 
> > > OK.  But can we assume a normal guest won't sending #VE IPI?
> > 
> > Theoretically nothing prevents that.  I wouldn't way "normal".
> > Anyway this is off by default.
> 
> I don't think whether it is on or off by default matters.

It matters in the sense that the module param is intended purely for testing, i.e.
there's zero reason to ever enable it in production.  That changes what is and
wasn't isn't a reasonable response to an unexpected #VE.

> If it can happen legitimately in the guest, it doesn't look right to print
> out something like below:
> 
> 	pr_err("VMEXIT due to unexpected #VE.\n");

Agreed.  In this particular case I think the right approach is to treat an
unexpected #VE as a fatal KVM bug.  Yes, disabling EPT violation #VEs would likely
allow the guest to live, but as above the module param should never be enabled in
production.  And if we get a #VE with the module param disabled, then KVM is truly
in the weeds and killing the VM is the safe option.

E.g. something like

diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index 4fd25e1d6ec9..54b9cb56f6e2 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -5010,6 +5010,9 @@ static int handle_exception_nmi(struct kvm_vcpu *vcpu)
        if (is_invalid_opcode(intr_info))
                return handle_ud(vcpu);

+       if (KVM_BUG_ON(is_ve_fault(intr_info), vcpu->kvm))
+               return -EIO;
+
        error_code = 0;
        if (intr_info & INTR_INFO_DELIVER_CODE_MASK)
                error_code = vmcs_read32(VM_EXIT_INTR_ERROR_CODE);