Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp2231117rwd; Fri, 19 May 2023 02:52:59 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ4KSK7/fgW17LuGoioAQ3cTfu1zxG8b+5NIDv+Tx9Zn7dmr6EQekIRpyG/j8BA5MJ/ZfSsr X-Received: by 2002:a17:90b:f18:b0:253:45cf:1654 with SMTP id br24-20020a17090b0f1800b0025345cf1654mr1676550pjb.9.1684489979116; Fri, 19 May 2023 02:52:59 -0700 (PDT) Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id o8-20020a63a808000000b005342966f495si3461137pgf.717.2023.05.19.02.52.43; Fri, 19 May 2023 02:52:59 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=ZQonuVgU; arc=fail (signature failed); spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231795AbjESJqK (ORCPT + 99 others); Fri, 19 May 2023 05:46:10 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47770 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230481AbjESJpt (ORCPT ); Fri, 19 May 2023 05:45:49 -0400 Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id ABD52171E; Fri, 19 May 2023 02:44:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1684489482; x=1716025482; h=date:from:to:cc:subject:message-id:references: in-reply-to:mime-version; bh=AXYXaH3uyjnxHsAJgFx3f4hq3JRuOCmStm/DkVKT1O0=; b=ZQonuVgU135hULnuRa80utfaH1cU7s6R/MN7dYZa6R+ut0kerKy0M3pK UVL2pkJ5shA6TP5j1N59xf4mgE2K4lEngjn3GwEBgPKzDIrZLlV/hGMiz 6xE4AY4Jnu7h3z4dSeIPO+CxP9Eg5ssLYRNPvgU7//aUsA0MtpheOjPef djzPnAmgBaQ5wGxahE3f2JCgMYwlMIaiacleR/D4HNdlh6VuJTI0VeEqv v5HsE9GACkKqUN9TxUy3YKsPa+u2iYQ6eAHmD+0rwuUIUeyu7RDn78ahG CMC40VT2aN8dRmCe8GjRS4gWj4q1ogEW55b5IZ2tOi/f0su+N3XN94OLP g==; X-IronPort-AV: E=McAfee;i="6600,9927,10714"; a="380541820" X-IronPort-AV: E=Sophos;i="6.00,176,1681196400"; d="scan'208";a="380541820" Received: from orsmga003.jf.intel.com ([10.7.209.27]) by fmsmga101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 19 May 2023 02:44:14 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10714"; a="652991152" X-IronPort-AV: E=Sophos;i="6.00,176,1681196400"; d="scan'208";a="652991152" Received: from fmsmsx601.amr.corp.intel.com ([10.18.126.81]) by orsmga003.jf.intel.com with ESMTP; 19 May 2023 02:44:13 -0700 Received: from fmsmsx610.amr.corp.intel.com (10.18.126.90) by fmsmsx601.amr.corp.intel.com (10.18.126.81) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.23; Fri, 19 May 2023 02:44:13 -0700 Received: from fmsedg601.ED.cps.intel.com (10.1.192.135) by fmsmsx610.amr.corp.intel.com (10.18.126.90) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.23 via Frontend Transport; Fri, 19 May 2023 02:44:13 -0700 Received: from NAM10-BN7-obe.outbound.protection.outlook.com (104.47.70.104) by edgegateway.intel.com (192.55.55.70) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.23; Fri, 19 May 2023 02:44:13 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Id5fcdar771mBR4S5llpp1YpcEUcZcxzrbXIFDDaB9XgITUAqCL6e9jve95BhIVf2m9lrSYiiFWFcg9rXZiZ6mOTyfZ36RXpd6TqebM9EH3QLlWbgx0/Bv7mOupro9cWkwv8Gt6ChrqPHDtM9+385UvkWs8eJWfUSMA2CorW2UdyiSdtQhyxrr+2bGV7cE3PUXzkJoZue9+NPZsFU8FGabNr29GNahHjzFMyyRI74V2Rao+GJzxE3Yzc22l6LT3rq5x7mPIlC4k5Zrgad4oa1GCm5ekBTfsbKRLdK/gmr2ectyVotniNniwKyOVLOoNDUD9rsQJ/MdxppK5BzAzokw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=qG+P8eFuJ3wNFgTjA8Sc0WUnOt9RxtOJUs1EHSGH/Ts=; b=PkHm7cZk3rLKWS1M8LpltsUH9FqvZ2YBLXGht5usFyym0AvC29J2dQBwPhTxtlgLOVi+aJJS6s4F9KIwL/7fuH2K53VcA74TfKh+r8NGJyro/bk6n68cMlld4bAxc3Hbj9dGJyGhw8liKed/1pb3K1+otoP3RfdOfP/i0MUcLcbhrij4ELBRhBSPFKKdOen8HrSkltS3EdEaqXmk8oCK0ApAPON01bq9M03vpEXjYCwqrNJclSfbHTMYolFVo1Wlwq0w8yPaOkhlWcBqfvJjsz6CxXL/Qhb0Xga2S9tzOlkI+/wex8cTcYGy9dTluQhxZ81TgMhC8LQTcrUTurunVw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=intel.com; Received: from PH8PR11MB6780.namprd11.prod.outlook.com (2603:10b6:510:1cb::11) by CH3PR11MB8344.namprd11.prod.outlook.com (2603:10b6:610:17f::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6411.21; Fri, 19 May 2023 09:44:10 +0000 Received: from PH8PR11MB6780.namprd11.prod.outlook.com ([fe80::b4cb:1f70:7e2a:c4f5]) by PH8PR11MB6780.namprd11.prod.outlook.com ([fe80::b4cb:1f70:7e2a:c4f5%2]) with mapi id 15.20.6411.019; Fri, 19 May 2023 09:44:10 +0000 Date: Fri, 19 May 2023 17:43:58 +0800 From: Chao Gao To: Xiaoyao Li CC: , Jiaan Lu , Zhang Chen , Sean Christopherson , "Paolo Bonzini" , Thomas Gleixner , "Ingo Molnar" , Borislav Petkov , Dave Hansen , , "H. Peter Anvin" , Subject: Re: [RFC PATCH v2 02/11] KVM: x86: Advertise CPUID.7.2.EDX and RRSBA_CTRL support Message-ID: References: <20230414062545.270178-1-chao.gao@intel.com> <20230414062545.270178-3-chao.gao@intel.com> <9c75663c-6363-34e7-8341-d8f719365768@intel.com> <11b515b3-bb5a-bea1-ad01-caffdd151bf6@intel.com> Content-Type: text/plain; charset="us-ascii" Content-Disposition: inline In-Reply-To: X-ClientProxiedBy: SG2PR06CA0241.apcprd06.prod.outlook.com (2603:1096:4:ac::25) To PH8PR11MB6780.namprd11.prod.outlook.com (2603:10b6:510:1cb::11) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: PH8PR11MB6780:EE_|CH3PR11MB8344:EE_ X-MS-Office365-Filtering-Correlation-Id: cbccc9bd-f100-47ed-ec05-08db584d981c X-LD-Processed: 46c98d88-e344-4ed4-8496-4ed7712e255d,ExtAddr X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: DIcoC8H4ls4HOqZs6ANB8HX6NuakL9qkrZmGoujw2lUFoNBTDWDZ7DS7JOxj+asWQBZbDxvidjPuq1E4hWV4KyeWBtfEFL5AALzkXHj9zqAJ786ibWPcl3Bli1FHXQumseG97PmUrCPJZlHPC0OxNx2GnDJUQYBTJa489sC9V6ftNc40kyJUzPl5bUnpx7KQ+Q2nW4h9DQ06m6BXY4o1UTbDVY2e3G6AQpotU046Eroks0gzJD2iNzkQUmQHxOsgbAb/D35TWR7Nv+Yd0ihdgwOgUbIMWblZI2PmuWdKwU3UVTySESd+0e67gaF94SoMpJvb8cAftgvzwE0MrsdIjppHYVyD2r38vbhf1jDFtz9/UFA58BEduNhLMY+4jFT1TkvZmv5uhMgbzvbdjkisM765USXKsdbPPyG2IgpVc5gUSWOZYDo6oJh+EhnUxurxU7eS50V1hmYEvbPc5B2D41UMEa7/vJyF76i7BtkSzDqVfHrrA2YXum5GCo5mH5CxJdVWVb4lv97xxrLx54eempqFU6oNgBWg1QwZy0+tlbsQ1rcJuyWLDDuOeyNNkX0rmss4Ovwn3PapibLuYuY6i7J3uzMkZsPXrn6hsf+dfI0= X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PH8PR11MB6780.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230028)(7916004)(376002)(396003)(366004)(346002)(136003)(39860400002)(451199021)(6512007)(9686003)(6506007)(2906002)(66476007)(53546011)(6862004)(7416002)(8936002)(8676002)(6666004)(83380400001)(44832011)(26005)(186003)(41300700001)(5660300002)(66556008)(66946007)(316002)(6636002)(4326008)(6486002)(82960400001)(86362001)(33716001)(38100700002)(478600001)(54906003)(67856001);DIR:OUT;SFP:1102; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?us-ascii?Q?uGjgcocYCxAPUNxB5R7aOYWSXe/Cvjor+yrpt7DkkIyHfMYwkzQspSFMPxwv?= =?us-ascii?Q?GIQ2ENm+6/CuI/BMTuIeZMLaTlBLsBT1J6eWgwHe9uphK/Kz1klP4sv4NF07?= =?us-ascii?Q?PZM9/6UzFQHOj9TKfFCEGvjh7xr3cs6B/CeyVr+LCAzG68GOKy93eGy25oMD?= =?us-ascii?Q?JDJvmS64PCTy8hoUBt/htye3Fyst2iP/mtrx9XGpYqd0bHN38ivrQJ8lo5SR?= =?us-ascii?Q?Kc0/IvqTbvwm7dHaEgP/ni1AtYjfOo5fQA0PttM3Hj9EP5b2mL9dahL4aQD7?= =?us-ascii?Q?/os99emIZEvQM8D5HPcVbQ0Jo7Rj1EYt3L23X9SO4cliLExXvn7YpWs5TMZ4?= =?us-ascii?Q?SaAnHdw5wqLeoxFZcQn1VvnjGJ3vCvT/5HP75coELg9pL8TdzDunTlnkaaVs?= =?us-ascii?Q?qj68u6Tqxprp66GgGwaQMYNwbGGvVmdVRY1znA6ztPNH/rsKIn5mqZPl49pe?= =?us-ascii?Q?5ZdZGCeeadMVNwse4J7IXAQRAqW4+NW0//dJiTjvXQnFllAAVWbSRame+d39?= =?us-ascii?Q?V4iSYQvLMoWe3EJ3ejp47gzuy2uT83B36R8zrFjstozTgz0RLXWTVmzyjj8j?= =?us-ascii?Q?kBHIZSVyzC0J0y1u48LUNWW+HjwyfYEDMsWYJK4RCk/nwgoTf5sRw7n4NwiC?= =?us-ascii?Q?lhUo0e0bg6afKjsh/XsUi8Fx2mImrq0YDiAvp4TYTNKiZt6Jy8oLkAiaXPLF?= =?us-ascii?Q?Dzbx92qagPhv7eekF4rz2uDO1abAcUQsV8u7gftfqA7ijn/lHuZsP17Hrhpn?= =?us-ascii?Q?ztTy+Mi4GR+CZk7UyBsRMjUhJiPH8kcsuX2FDd5tx5ca5WLuBi0MN0IzmiRD?= =?us-ascii?Q?/PCFCOPrjh8MVoLr5EeHWp2okybs/7yyNJNBnbk5rognJAlxZWLbCQ+4xBFB?= =?us-ascii?Q?7BjgjprS+lvMGOadvYxcUOqnfJv/Sooc9p/oLdEc/UBUysdGiQ/VWBonrZkV?= =?us-ascii?Q?bm2FvbdTAWDvFBjvPwFsZatjZU8t9dE3NtOxPsojHn9Ct3d5slP5QhTPELgT?= =?us-ascii?Q?I5LVq6RFyBt9ptbutwBewLGo/qL6wUYvnJlQbF5rPr48kNAhCeZ9ePQRNokE?= =?us-ascii?Q?ANHoMH2ZniUVNqdTOaIwIHkkA94yXKDKETyNru9Dncn/tSNDRS2/fdlO5Bwn?= =?us-ascii?Q?voDTj8Qu2NfX9Q+HdSeaiv1XpIiUgCC3eiKrxoYNh6Xi7xlInIS6qoLaIoby?= =?us-ascii?Q?lOTpfnPiTl3ulPbZ+cILxMwzCW4A0qMNhMzdg8vEKO1+h5zLTn+80TsV+frP?= =?us-ascii?Q?r++EPcObzPzxCZmKlottHuIXowuEXiFuUr+egER8VBtLQ8rUZpLL+4cSrDZQ?= =?us-ascii?Q?dXwsrL3137FuKV6Z+Y78o8vdcWLii67sjvtIDY5VbqPQ/ZE4tE4Vihf651GT?= =?us-ascii?Q?xgKNFv+0zQKj4ZMbzV9yfDL8ht4clHM0usGYjHuo1jjiHAdukV0sCLPlHr7q?= =?us-ascii?Q?R2Qnv78TAbMPLh4wsU30t8Nf2M+23qlRngc8OlPPPJC087Ri0m4iRJYokL8m?= =?us-ascii?Q?zOvHgEstGf0J/WuVwx1N2HGGhMh2vO3vf8ed29Bd23eODx0/myMBOs0IVTpH?= =?us-ascii?Q?wAaiIm+KO6cJdhlarI6MEZt0+7RwbFZrlcbLSwWI?= X-MS-Exchange-CrossTenant-Network-Message-Id: cbccc9bd-f100-47ed-ec05-08db584d981c X-MS-Exchange-CrossTenant-AuthSource: PH8PR11MB6780.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 May 2023 09:44:09.6318 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 46c98d88-e344-4ed4-8496-4ed7712e255d X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: tTNVymZ/1wQKi04ADD0DvVbQNxMoItDPNBAxadNVWbLozzkfu333crIqVc2QTICNJVgsmyC12TDH0qXEGtArMw== X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH3PR11MB8344 X-OriginatorOrg: intel.com X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED, RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_NONE, T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, May 18, 2023 at 05:50:17PM +0800, Xiaoyao Li wrote: >On 5/16/2023 5:09 PM, Chao Gao wrote: >> On Tue, May 16, 2023 at 03:03:15PM +0800, Xiaoyao Li wrote: >> > On 5/16/2023 11:01 AM, Chao Gao wrote: >> > > On Tue, May 16, 2023 at 10:22:22AM +0800, Xiaoyao Li wrote: >> > > > > > I think we need to fix this bug at first. >> > > > > >> > > > > I have no idea how to fix the "bug" without intercepting the MSR. The >> > > > > performance penalty makes me think intercepting the MSR is not a viable >> > > > > solution. >> > > > >> > > > I thought correctness always takes higher priority over performance. >> > > >> > > It is generally true. however, there are situations where we should make >> > > trade-offs between correctness and other factors (like performance): >> > > >> > > E.g., instructions without control bits, to be 100% compliant with CPU >> > > spec, in theory, VMMs can trap/decode every instruction and inject #UD >> > > if a guest tries to use some instructions it shouldn't. >> > >> > This is the virtualization hole. IMHO, they are different things. >> >> what are the differences between? >> 1. Executing some unsupported instructions should cause #UD. But this is allowed >> in a KVM guest. >> 2. Setting some reserved bits in SPEC_CTRL MSR should cause #GP. But this is >> allowed in a KVM guest. > >The difference is that for virtualization hole, there is no way but intercept >and decode every instruction if we want the correctness. It's a disaster. > >But for MSR virtualization, we do have an option and we don't need to trap >every instruction. MSR interception is the designated mechanism to correctly >and elegantly virtualize the MSR. The gains in this two cases are similar: some operations in guest are prevented. But the costs on performance are not. So, how do you draw the line when we can sacrafice correctness for performance? > >> > >> > Pass through MSR_IA32_SPEC_CTRL was introduced in commit d28b387fb74d >> > ("KVM/VMX: Allow direct access to MSR_IA32_SPEC_CTRL"). At that time there >> > was only a few bits defined, and the changelog called out that >> > >> > No attempt is made to handle STIBP here, intentionally. Filtering >> > STIBP may be added in a future patch, which may require trapping all >> > writes if we don't want to pass it through directly to the guest. >> > >> > Per my undesrstanding, it implied that we need to re-visit it when more bits >> > added instead of following the pass-through design siliently. >> >> I don't object to re-visiting the design. My point is that to prevent guests from >> setting RRSBA_CTRL/BHI_CTRL when they are not advertised isn't a strong >> justfication for intercepting the MSR. STIBP and other bits (except IBRS) have >> the same problem. And the gain of fixing this is too small. >> >> If passing through the SPEC_CTRL MSR to guests might cause security issues, I >> would agree to intercept accesses to the MSR. > >I never buy it. How to interpret the security? If the user wants to hide one >feature from guest but KVM allows it when KVM does have a reasonable way to >hide it. Does it violate the security? I would say no. By "security", I mean guest becomes vulnerable to some issues or guest attacks host or guest can access unauthorized data. I tried to say that if the value of intercepting IA32_SPEC_CTRL outweighs the perform penalty, it makes sense to do that. I guess the decision has been made when enabling STIBP and it means people care more about performance than preventing guests from setting STIBP.