Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp3010230rwd; Mon, 22 May 2023 07:28:56 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ5yhAAFQVkmMQ5RrN+9fQ3dKtvXS6Om4mcSnEr1ZArpmn0ksJkMyvGxgxXxzGOQLDL6lpZ3 X-Received: by 2002:a17:903:1c8:b0:1ae:3dcd:30fc with SMTP id e8-20020a17090301c800b001ae3dcd30fcmr12285024plh.11.1684765736171; Mon, 22 May 2023 07:28:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1684765736; cv=none; d=google.com; s=arc-20160816; b=YnKPH2M6FCVg1rgaKA005ALuifQ+QnIzQs7Hzu3kAQ62YwUMlkpesJNR1D10ossVtR 7brJuYrHSHp28K6n9QtvA1LKaj9Z8sbZsyYg93v7G0fSCEJhyLom5Ro7vgaGIwP7Bj6E sDNFNfN/Gs2l4FaZRVwL51Kl5oDZsoLY4zSgJewWCtftEABtSK+IkSDPLoSTcwr2EUIG 7E5FOhZvz+dGHkDBz2smX1G4IJxL5fnwqJCM2lihvaTdmXgUB4ZK2H/iBWMHQlgdgwV9 +J53oBcGGfFeHTmmlrdWvaWRiOwZM2rFSZLH+13HOvmm8mR5KqkKKn1o3x9vPrB1aO7w PHUw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id:dkim-signature; bh=E0vJS4vOoh/e3iehbrRUfAJdg2yyXdhw8VltZBuwvBk=; b=rxDto37rtMThElfGMm0yza5NydnCJuOoOVfVb21NW5LGaL5I6+IAOFyULxXwdJITpM sP7XkOleQr3luMhtibM6Djs/T6JasH1gmmWqx/lTtJgfjKifZdyLsVQuGXe8Of0xzdjP HVv0K8u0HXhQlIzFv5S/BE02gm8dpimeA0ixEv5IExBnDD5bdjuR8LueqRaIFmBj8FWq F6/wO5pY7GOr8CT5FdBDEbTqYS7dFcrR8xWSnRaS1LutjkBfkn1FyuDMe97ii40/xQop Rh814MF5DYTq3W0eb4a4HToMAyjVXKWVfF2azRZ+7bXxioJpClWdC4WEL3YdSYbaeR4n SWkA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=GWdBIjpG; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id z5-20020a170902834500b001ac78ac2c9csi601547pln.573.2023.05.22.07.28.41; Mon, 22 May 2023 07:28:56 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=GWdBIjpG; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233795AbjEVOYY (ORCPT + 99 others); Mon, 22 May 2023 10:24:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50166 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233893AbjEVOXw (ORCPT ); Mon, 22 May 2023 10:23:52 -0400 Received: from mga03.intel.com (mga03.intel.com [134.134.136.65]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8F746C1; Mon, 22 May 2023 07:23:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1684765431; x=1716301431; h=message-id:date:mime-version:subject:to:cc:references: from:in-reply-to:content-transfer-encoding; bh=3XoNg7LuzDozHxXwwhSOHtm37An12NorEyX5vtfGYGs=; b=GWdBIjpGYcHr2PCw6X4ytZefGgSd+vRTS2wB2uJdbnb+eA0L0MSi3Cma gtz69vbtA3kB5s8P3sSeEcNVHEOZi7eBcpQHJZBpHDpzbxufglovD6Xx8 Apnl+Lnqs8n7W1cJTT51lbNujDYhqMhOqM+v2q3ga3z6fnteUs3nYjfLU x40Da4RmnE3yTVLpwsxwQOFknBTOPSJlWvF3sBxaqBo7hEK0QNnyyoMqD FpLAGajBJ7A/04SI2+khepXpwFRuWA0fkqYgyCOV/x6SrgpmbEwQFTxk5 iZ48IG2BlRpbGB69hmnaEWPJtZ6n9iM/gp20a1qzn8Zp3ZFXpyHGXsUiO A==; X-IronPort-AV: E=McAfee;i="6600,9927,10718"; a="356163233" X-IronPort-AV: E=Sophos;i="6.00,184,1681196400"; d="scan'208";a="356163233" Received: from fmsmga004.fm.intel.com ([10.253.24.48]) by orsmga103.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 22 May 2023 07:23:51 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10718"; a="773373063" X-IronPort-AV: E=Sophos;i="6.00,184,1681196400"; d="scan'208";a="773373063" Received: from ericasu-mobl.amr.corp.intel.com (HELO [10.209.49.107]) ([10.209.49.107]) by fmsmga004-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 22 May 2023 07:23:50 -0700 Message-ID: <4ffbb2c3-8ed1-d419-16ca-b311867537be@intel.com> Date: Mon, 22 May 2023 07:23:49 -0700 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.10.0 Subject: Re: [PATCH] KVM: x86: Track supported ARCH_CAPABILITIES in kvm_caps Content-Language: en-US To: Sean Christopherson , Xiaoyao Li Cc: Chao Gao , kvm@vger.kernel.org, Paolo Bonzini , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , x86@kernel.org, "H. Peter Anvin" , linux-kernel@vger.kernel.org, Jim Mattson References: <20230506030435.80262-1-chao.gao@intel.com> From: Dave Hansen In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-4.5 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A, RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 5/18/23 10:33, Sean Christopherson wrote: > > 2. I'm pretty sure conditioning mmio_stale_data_clear on kvm_arch_has_assigned_device() > is a bug. AIUI, the vulnerability applies to _any_ MMIO accesses. Assigning > a device is necessary to let the device DMA into the guest, but it's not > necessary to let the guest access MMIO addresses, that's done purely via > memslots. Just to make sure we're all on the same page: KVM needs mitigations when real, hardware MMIO is exposed to the guest. None of this has anything to do with virtio or what guests _normally_ see as devices or MMIO. Right? But direct device assignment does that "real hardware MMIO" for sure because it's mapping parts of the PCI address space (which is all MMIO) into the guest. That's what the kvm_arch_has_assigned_device() check was going for. But I think you're also saying that, in the end, memory gets exposed to the guest by KVM userspace setting up a memslot. KVM userspace _could_ have mapped a piece of MMIO and could just pass that down to a guest without kvm_arch_has_assigned_device() being involved. That makes the kvm_arch_has_assigned_device() useless. In other words, all guests with kvm_arch_has_assigned_device() need mitigation. But there are potentially situations where the guest can see real hardware MMIO and yet also be !kvm_arch_has_assigned_device().