Received: by 2002:a05:6358:9144:b0:117:f937:c515 with SMTP id r4csp6604077rwr; Tue, 25 Apr 2023 00:33:37 -0700 (PDT) X-Google-Smtp-Source: AKy350Yyw6zWX3vcJoGR3z8uPnbxoZlXRYYcrvaaYNQwksBWbwkQUtirYq/vdGfrkShX53VD3OeG X-Received: by 2002:a17:902:d4c6:b0:1a1:cc5a:b04 with SMTP id o6-20020a170902d4c600b001a1cc5a0b04mr21161110plg.3.1682408016812; Tue, 25 Apr 2023 00:33:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1682408016; cv=none; d=google.com; s=arc-20160816; b=DZmHkQDbNOOIVWuhqNNbkckOs3fXbqfyDTBtZKqwrk1Wd3IH+Dcjd7tkJAbxJRbwK/ 5rvuvFwBthy74pfKAkwE7/4V+dePFbWhU1fNAa18ZQ4a7YrQVl965fve/RwaRboKf8vT QOsR54EKKWKp6JXHX4CtNOit3V1pEfzB/sGEAgML+HZBQWGxglxapEydsmIPERb/pjf1 Fdy8nMjUN0uT9mK0PS2e2CP1s3LT6TkAYW37HlioSs+FL2p7UznZIuCkcnqn12/+UTPb yanNH8ie26PEp99+Riyg3dGpQBHCyN8XgeX/JQbe2fjr4My7eHBT8T9zEG2Y//+byP6L 4GGg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id:dkim-signature; bh=mVKb97pdZevVTrhAsRmbQN38v25HOlOeuoMiucaCn2M=; b=DlohhIAnxQ3oHlNv+C2REFRfZdXXJGr4ahu2/iwIojh1NuVMWddU1MYg6aoJt1rNLu un6dQwTokeYOWpC0gK4Gi75XTeEibMAryFLoOMVDH4n7NlKV+4MbLO2OhPFzOQl/5cRv RFWo/TxHR5745bCs81m9/YcUuVKXh20UxsTWmSaQwbbo8Sp85Gx9W1nLCM6odQWPb8Te 3TSRJZOPR2uD1Fqm4n6yMC/7DMq/urdF4WK5XnQvJRQayKLzqrXTNZrCTJ7/FAFPxNIK 0t4fFVBMj3qeWz69usTaqcl8BEkD+gG0RVXlEpHhcu3r/HdeNFgJPuVsQ4L8k7WSwG0g rVeA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=Huy4ajQ3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id z17-20020a170903019100b0019aa8d665bdsi14410523plg.71.2023.04.25.00.33.25; Tue, 25 Apr 2023 00:33:36 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=Huy4ajQ3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233659AbjDYHdB (ORCPT + 99 others); Tue, 25 Apr 2023 03:33:01 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44936 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233181AbjDYHc1 (ORCPT ); Tue, 25 Apr 2023 03:32:27 -0400 Received: from mga05.intel.com (mga05.intel.com [192.55.52.43]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9CD7EC15E; Tue, 25 Apr 2023 00:31:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1682407897; x=1713943897; h=message-id:date:mime-version:subject:to:cc:references: from:in-reply-to:content-transfer-encoding; bh=y/RZvHBERPsLIxfsgLVfCS8XF5HdzYTULcEBpzqy1jo=; b=Huy4ajQ3vFQLXlr6JVVjjqFFSoOZfxWFpz4uqAMJr4BWR3p3JQuOpVPx VtEXB7FKobYY51kwqUYK3XAiYLL7DILqwC8G9Btl7OOtdryjZH9h1qEML lE8qIeb0EKjpwTSKir4A1CaUMxke32JzyoralpN8qA9BhT6nuq4T8BT4X O8rAlkGnG3uNSifP5SASexWYP9zxZhHArGmL1PGNgh1n7CxKBfn/+o+Dd Hr4a2PY3m2iC2cUoJxurWsNDh5at6CUrYIW7K8z+H4USseIlWUK3px6Lf yE1Q49JNuXgMciJGx/RrkNbqDbaWIYdcREULTYou+tsLUzZKTrP7yuFH0 w==; X-IronPort-AV: E=McAfee;i="6600,9927,10690"; a="432951773" X-IronPort-AV: E=Sophos;i="5.99,224,1677571200"; d="scan'208";a="432951773" Received: from orsmga006.jf.intel.com ([10.7.209.51]) by fmsmga105.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Apr 2023 00:31:37 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10690"; a="670784623" X-IronPort-AV: E=Sophos;i="5.99,224,1677571200"; d="scan'208";a="670784623" Received: from zengguan-mobl1.ccr.corp.intel.com (HELO [10.238.0.183]) ([10.238.0.183]) by orsmga006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Apr 2023 00:31:34 -0700 Message-ID: <1a66053c-8ece-8ffd-1e33-c301c53c4d45@intel.com> Date: Tue, 25 Apr 2023 15:31:28 +0800 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.10.0 Subject: Re: [PATCH 2/6] KVM: VMX: Add new ops in kvm_x86_ops for LASS violation check Content-Language: en-US To: "Gao, Chao" Cc: Paolo Bonzini , "Christopherson,, Sean" , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , H Peter Anvin , "kvm@vger.kernel.org" , "x86@kernel.org" , "linux-kernel@vger.kernel.org" References: <20230420133724.11398-1-guang.zeng@intel.com> <20230420133724.11398-3-guang.zeng@intel.com> From: Zeng Guang In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-5.8 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A, RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE, URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 4/25/2023 11:10 AM, Gao, Chao wrote: > On Thu, Apr 20, 2023 at 09:37:20PM +0800, Zeng Guang wrote: >> +/* >> + * Determine whether an access to the linear address causes a LASS violation. >> + * LASS protection is only effective in long mode. As a prerequisite, caller >> + * should make sure VM running in long mode and invoke this api to do LASS >> + * violation check. > Could you place the comment above vmx_check_lass()? > > And for __vmx_check_lass(), just add: > > A variant of vmx_check_lass() without the check for long mode. > >> + */ >> +bool __vmx_check_lass(struct kvm_vcpu *vcpu, u64 access, u64 la, u64 flags) >> +{ >> + bool user_mode, user_as, rflags_ac; >> + >> + if (!!(flags & KVM_X86_EMULFLAG_SKIP_LASS) || >> + !kvm_is_cr4_bit_set(vcpu, X86_CR4_LASS)) >> + return false; >> + >> + WARN_ON_ONCE(!is_long_mode(vcpu)); >> + >> + user_as = !(la >> 63); >> + > >> + /* >> + * An access is a supervisor-mode access if CPL < 3 or if it implicitly >> + * accesses a system data structure. For implicit accesses to system >> + * data structure, the processor acts as if RFLAGS.AC is clear. >> + */ >> + if (access & PFERR_IMPLICIT_ACCESS) { >> + user_mode = false; >> + rflags_ac = false; >> + } else { >> + user_mode = vmx_get_cpl(vcpu) == 3; >> + if (!user_mode) >> + rflags_ac = !!(kvm_get_rflags(vcpu) & X86_EFLAGS_AC); >> + } >> + >> + if (user_mode != user_as) { > to reduce one level of indentation, how about: > > if (user_mode == user_as) > return false; > > /* > * Supervisor-mode _data_ accesses to user address space > * cause LASS violations only if SMAP is enabled. > */ > if (!user_mode && !(access & PFERR_FETCH_MASK)) { > return kvm_is_cr4_bit_set(vcpu, X86_CR4_SMAP) && !rflags_ac; > > return true; > Looks better. >> + /* >> + * Supervisor-mode _data_ accesses to user address space >> + * cause LASS violations only if SMAP is enabled. >> + */ >> + if (!user_mode && !(access & PFERR_FETCH_MASK)) { >> + return kvm_is_cr4_bit_set(vcpu, X86_CR4_SMAP) && >> + !rflags_ac; >> + } else { >> + return true; >> + } >> + } >> + >> + return false; >> +} >> + >> +static bool vmx_check_lass(struct kvm_vcpu *vcpu, u64 access, u64 la, u64 flags) >> +{ >> + return is_long_mode(vcpu) && __vmx_check_lass(vcpu, access, la, flags); > Why not request all callers to check if vcpu is in long mode? > > e.g., > return is_long_mode(vcpu) && static_call(kvm_x86_check_lass)(...); > > then you can rename __vmx_check_lass() to vmx_check_lass() and drop the > original one. By design, __vmx_check_lass() is standalone to be used for checking LASS violation only. In some cases, cpu mode is already identified prior to performing LASS protection. please refer to patch 4. So we provide two interfaces, vmx_check_lass() with cpu mode check wrapped for other modules usage, e.g. kvm emulator and __vmx_check_lass() dedicated for VMX. I would check the feasibility to re-organize code to be more optimal. Thanks. >> +} >> + >> static struct kvm_x86_ops vmx_x86_ops __initdata = { >> .name = "kvm_intel", >> >> @@ -8207,6 +8260,8 @@ static struct kvm_x86_ops vmx_x86_ops __initdata = { >> .complete_emulated_msr = kvm_complete_insn_gp, >> >> .vcpu_deliver_sipi_vector = kvm_vcpu_deliver_sipi_vector, >> + >> + .check_lass = vmx_check_lass, >> }; >> >> static unsigned int vmx_handle_intel_pt_intr(void) >> diff --git a/arch/x86/kvm/vmx/vmx.h b/arch/x86/kvm/vmx/vmx.h >> index a3da84f4ea45..6569385a5978 100644 >> --- a/arch/x86/kvm/vmx/vmx.h >> +++ b/arch/x86/kvm/vmx/vmx.h >> @@ -433,6 +433,8 @@ void vmx_enable_intercept_for_msr(struct kvm_vcpu *vcpu, u32 msr, int type); >> u64 vmx_get_l2_tsc_offset(struct kvm_vcpu *vcpu); >> u64 vmx_get_l2_tsc_multiplier(struct kvm_vcpu *vcpu); >> >> +bool __vmx_check_lass(struct kvm_vcpu *vcpu, u64 access, u64 la, u64 flags); >> + > no one uses this function. You can defer exporting it to when the first > external caller is added. > >> static inline void vmx_set_intercept_for_msr(struct kvm_vcpu *vcpu, u32 msr, >> int type, bool value) >> { >> -- >> 2.27.0 >>