Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp1535612rwi;
        Wed, 26 Oct 2022 17:12:18 -0700 (PDT)
X-Google-Smtp-Source: AMsMyM5UedMB4YYaCyJkPHyy4v0wDfM4ihJb1njtGCrVMeMyIum7XP6j0j3InigYn5XZCTd//IWZ
X-Received: by 2002:a17:907:2c44:b0:7a9:6e50:4c42 with SMTP id hf4-20020a1709072c4400b007a96e504c42mr15003357ejc.768.1666829538344;
        Wed, 26 Oct 2022 17:12:18 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1666829538; cv=none;
        d=google.com; s=arc-20160816;
        b=APtaLeiJMo2F24Nj24I5iu5zh/nG78LxDLWMvTbovO1VNpTE1LXnNbSesnTo6tEl4z
         ihYPLLg3vRsuwxUSueJsRaTrf9REWMa44q0qjc4ZvXek3t6JCZhNyHBlJ6l2SYzy6y5Z
         nraWsyF+egTPcKC9DI4m/jDeIPZueoYIofNGD0huX78dYUdy5B5e1tlxGrwD20OxAre4
         DYvC2LHLsdVdDQVJPr3uxjwiaOY4sS/0rVEjq0/QYSvw9y0306Np5RsfDydX0uaMgQHF
         e/3brW2iqw4IIRxK3gSf41kFrUfgzGzXMUXf68TlHNt2ngVHYorbj+l12gb9ndASB4es
         RfXw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=DykrjrmepSXhAB59KHROk5+j8jll4Zt4dqxIX0w+lNU=;
        b=FdbrKVGmYNNW4YMnx0xZo8lGFaYE/NtCcQT2+oRJhiSO7F5MOckX86aVUuZEPYgYyD
         oXRzSydfgwiqEv0DmkQifivWST4gx5c4hXjzQF4Mwo+IV/MBw484F0JS7xq7DBDC+8NS
         K0Wc1DXLbQv/xABDA/0Tj7/pnWyqs6kDdTVuuJA5G3xsJQStk1H3ByLdkQWD6UKNy1VB
         huQhqp8DhZzYFK/eB+YfGPNBn/ZtSiy6elcpHE2PqHkADXKPSXX6eJJgsY5BF7iYzSfp
         mD6F6wUkeRjNrDiPyjsHkvnh/57vkA/DO7ZjLgV2NQmU+QalzIUW/8pTaRHjgiqRoXT4
         tqmg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20210112 header.b=cWXI5Js3;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id v22-20020a056402349600b004488842d88esi76817edc.13.2022.10.26.17.11.53;
        Wed, 26 Oct 2022 17:12:18 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20210112 header.b=cWXI5Js3;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S234371AbiJZXU6 (ORCPT <rfc822;arunks.linux@gmail.com>
        + 99 others); Wed, 26 Oct 2022 19:20:58 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58856 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S234366AbiJZXUX (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 26 Oct 2022 19:20:23 -0400
Received: from mail-pl1-x630.google.com (mail-pl1-x630.google.com [IPv6:2607:f8b0:4864:20::630])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 808C2B7F5F
        for <linux-kernel@vger.kernel.org>; Wed, 26 Oct 2022 16:18:42 -0700 (PDT)
Received: by mail-pl1-x630.google.com with SMTP id u6so15725522plq.12
        for <linux-kernel@vger.kernel.org>; Wed, 26 Oct 2022 16:18:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20210112;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to;
        bh=DykrjrmepSXhAB59KHROk5+j8jll4Zt4dqxIX0w+lNU=;
        b=cWXI5Js33TTPrnksxPdTs73nn/8fEQFHd/tYfvNWJmB7nDn8rm9WPYpIT4Ea6hjg7/
         qahAgLtxOLkBB1nRbTbW9nbSbMTOe8WoMcRqMtFVmPkF6h4iSO8JnWMgk5T9B4ASFeMm
         4ZZcBNuZImY6Po2pbhaAKTjWlfAj/8SOmDp4MldvoMmgEPFxT3MLjevXZpS8XtgfjL+L
         p/jns5DZoWXm85vo40XjBkOqAOrfuT6SN5HCaFqGiFjK0LgdcxjbrP3lyiJDHbiRXSUp
         EHQNLk3M+H78toM4aHiTAI1xWa5GWCU1OHJLPw9gOQNGckV12p5q28qYPRo4bcGJp2hf
         W7MQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=DykrjrmepSXhAB59KHROk5+j8jll4Zt4dqxIX0w+lNU=;
        b=J1gYScV/peg1PiQKfWWOfFf4EXm2Nqhu/hNVLgmsAvRokqo99hd/O9uKq4R7g5obf7
         VSrUytUbH3DcDytuWJSk/xGBx5wc0LRkWAaMGkdbceAqSDCJIMMY3DP4VNXUQMvoHHMq
         ZwKYm12nSUw9KHJ0Ad3uTL5TJx6lt3hgD0Jg50DDSnWzrSednkzZq2cQdRQiLq/o8Y36
         RZa2w5L9wzsafKUH37SRUsDVxq+nk/LwEWqijhEudyeRz+7H74gfOrzR7LzTB6xCFK7G
         KxSpUdiniqw6ODl7uGvqpisFs/sCB9KYK/5Gg4nLQKOLTrXgtNOdbAD4EkqcnitMze5E
         nmQw==
X-Gm-Message-State: ACrzQf2M8xzhuw9Tl8MMSJ8svxbGYvFoCN+RgCwwvnlydCDvR1KmO1HR
        F40aYPH7HMFAwTra3h3wr4wbDg==
X-Received: by 2002:a17:90a:ad05:b0:212:c550:f0e9 with SMTP id r5-20020a17090aad0500b00212c550f0e9mr6932379pjq.246.1666826321864;
        Wed, 26 Oct 2022 16:18:41 -0700 (PDT)
Received: from google.com (7.104.168.34.bc.googleusercontent.com. [34.168.104.7])
        by smtp.gmail.com with ESMTPSA id f35-20020a17090a702600b0020087d7e778sm1561918pjk.37.2022.10.26.16.18.41
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 26 Oct 2022 16:18:41 -0700 (PDT)
Date:   Wed, 26 Oct 2022 23:18:38 +0000
From:   Sean Christopherson <seanjc@google.com>
To:     Vitaly Kuznetsov <vkuznets@redhat.com>
Cc:     kvm@vger.kernel.org, Paolo Bonzini <pbonzini@redhat.com>,
        Wanpeng Li <wanpengli@tencent.com>,
        Jim Mattson <jmattson@google.com>,
        Maxim Levitsky <mlevitsk@redhat.com>,
        linux-hyperv@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/4] KVM: nVMX: Invert 'unsupported by eVMCSv1' check
Message-ID: <Y1nAThjeMlMFFrAi@google.com>
References: <20221018101000.934413-1-vkuznets@redhat.com>
 <20221018101000.934413-3-vkuznets@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20221018101000.934413-3-vkuznets@redhat.com>
X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,
        ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,
        USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=unavailable
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Oct 18, 2022, Vitaly Kuznetsov wrote:
> When a new feature gets implemented in KVM, EVMCS1_UNSUPPORTED_* defines
> need to be adjusted to avoid the situation when the feature is exposed
> to the guest but there's no corresponding eVMCS field[s] for it. This
> is not obvious and fragile.

Eh, either way is fragile, the only difference is what goes wrong when it breaks.

At the risk of making this overly verbose, what about requiring developers to
explicitly define whether or not a new control is support?  E.g. keep the
EVMCS1_UNSUPPORTED_* and then add compile-time assertions to verify that every
feature that is REQUIRED | OPTIONAL is SUPPORTED | UNSUPPORTED.

That way the eVMCS "supported" controls don't need to include the ALWAYSON
controls, and anytime someone adds a new control, they'll have to stop and think
about eVMCS.

I think we'll still want (need?) the runtime sanitization, but this might allow
catching at least some cases without needing to wait until a control actually gets
exposed.

E.g. possibly with more macro magic to reduce the boilerplate

diff --git a/arch/x86/kvm/vmx/evmcs.c b/arch/x86/kvm/vmx/evmcs.c
index d8b23c96d627..190932edcc02 100644
--- a/arch/x86/kvm/vmx/evmcs.c
+++ b/arch/x86/kvm/vmx/evmcs.c
@@ -422,6 +422,10 @@ void nested_evmcs_filter_control_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 *
        u32 ctl_high = (u32)(*pdata >> 32);
        u32 unsupported_ctrls;
 
+       BUILD_BUG_ON((EVMCS1_SUPPORTED_PINCTRL | EVMCS1_UNSUPPORTED_PINCTRL) !=
+                    (KVM_REQUIRED_VMX_PIN_BASED_VM_EXEC_CONTROL |
+                     KVM_OPTIONAL_VMX_PIN_BASED_VM_EXEC_CONTROL));
+
        /*
         * Hyper-V 2016 and 2019 try using these features even when eVMCS
         * is enabled but there are no corresponding fields.
diff --git a/arch/x86/kvm/vmx/evmcs.h b/arch/x86/kvm/vmx/evmcs.h
index 6f746ef3c038..58d77afe9d57 100644
--- a/arch/x86/kvm/vmx/evmcs.h
+++ b/arch/x86/kvm/vmx/evmcs.h
@@ -48,6 +48,11 @@ DECLARE_STATIC_KEY_FALSE(enable_evmcs);
  */
 #define EVMCS1_UNSUPPORTED_PINCTRL (PIN_BASED_POSTED_INTR | \
                                    PIN_BASED_VMX_PREEMPTION_TIMER)
+#define EVMCS1_SUPPORTED_PINCTRL                                       \
+       (PIN_BASED_EXT_INTR_MASK |                                      \
+        PIN_BASED_NMI_EXITING |                                        \
+        PIN_BASED_VIRTUAL_NMIS)
+
 #define EVMCS1_UNSUPPORTED_EXEC_CTRL (CPU_BASED_ACTIVATE_TERTIARY_CONTROLS)
 #define EVMCS1_UNSUPPORTED_2NDEXEC                                     \
        (SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY |                         \