Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Date:   Mon, 19 Dec 2022 17:14:00 +0000
From:   Sean Christopherson <seanjc@google.com>
To:     Chao Gao <chao.gao@intel.com>
Cc:     Zhang Chen <chen.zhang@intel.com>, x86@kernel.org,
        linux-kernel@vger.kernel.org, kvm@vger.kernel.org,
        Pawan Gupta <pawan.kumar.gupta@linux.intel.com>,
        Paolo Bonzini <pbonzini@redhat.com>,
        "H. Peter Anvin" <hpa@zytor.com>,
        Dave Hansen <dave.hansen@linux.intel.com>,
        Borislav Petkov <bp@alien8.de>, Ingo Molnar <mingo@redhat.com>,
        Thomas Gleixner <tglx@linutronix.de>
Subject: Re: [RFC PATCH 5/9] x86/bugs: Use Virtual MSRs to request hardware
 mitigations
Message-ID: <Y6Cb2OrkQ8X3IvW5@google.com>
References: <20221210160046.2608762-1-chen.zhang@intel.com>
 <20221210160046.2608762-6-chen.zhang@intel.com>
 <Y5oviY0471JytWPo@google.com>
 <Y6BtcutjgcgE8dsv@gao-cwp>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Y6BtcutjgcgE8dsv@gao-cwp>
Precedence: bulk

On Mon, Dec 19, 2022, Chao Gao wrote:
> On Wed, Dec 14, 2022 at 08:18:17PM +0000, Sean Christopherson wrote:
> > To me, this looks like Intel is foisting a paravirt interface on KVM and other
> > hypervisors without collaborating with said hypervisors' developers and maintainers.
> >
> >I get that some of the mitigations are vendor specific, but things like RETPOLINE
> >aren't vendor specific.  I haven't followed all of the mitigation stuff very
> >closely, but I wouldn't be surprised if there are mitigations now or in the future
> >that are common across architectures, e.g. arm64 and x86-64.  Intel doing its own
> >thing means AMD and arm64 will likely follow suit, and suddenly KVM is supporting
> >multiple paravirt interfaces for very similar things, without having any control
> >over the APIs.  That's all kinds of backwards.
> 
> But if the interface is defined by KVM rather than Intel, it will likely end up
> with different interfaces for different VMMs, then Linux guest needs to support
> all of them. And KVM needs to implement Hyper-V's and Xen's interface to support
> Hyper-V enlightened and Xen enlightened guest. This is a _real_ problem and
> complicates KVM/Linux in a similar way as multiple paravirt interfaces.

I never said the PV interfaces should be defined by KVM.  I 100% agree that any
one hypervisor defining its own interface will suffer the same problem.

I think having a PV interface for coordinating mitigations between host and guest
is a great idea.  What I don't like is tying the interface to "hardware" and defining
the interface without even trying to collaborate with others.

> The use case of this paravirt interface is specific to Intel CPU microarchitecture.

Well yeah, because the interface was designed only to work for Intel CPUs.

> Supporting multiple paravirt interfaces may not happen in the near future if there
> is no use case for AMD and arm64.

I'll take that bet.  The vast majority of problems that are solved by PV interfaces
are common to all architectures and vendors, e.g. steal time, PV spinlocks, async
page faults, directed yield, confidential VMs (GHCB vs. GHCI), etc.  I highly doubt
Intel is the only hardware vendor that will ever benefit from paravirtualizing
mitigations.