Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp20947319rwd; Thu, 29 Jun 2023 08:59:33 -0700 (PDT) X-Google-Smtp-Source: APBJJlE4yj0eo1uet6q5x01tl6314YX4DSrmcrRSf1lnmsCH7gtQLBcQgBNsTsXjy+3P2Vns7pwV X-Received: by 2002:a05:6a00:2389:b0:668:681f:ca98 with SMTP id f9-20020a056a00238900b00668681fca98mr376184pfc.27.1688054373337; Thu, 29 Jun 2023 08:59:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1688054373; cv=none; d=google.com; s=arc-20160816; b=xym8RBDf3JSFyD5O2wShvxaoJhX3N1zDAzH5TMFmSdbHd+mIznWDYDW5FNeQ6yMjqq LhONBgOJ8ZoWcYs7VNuIWQl8LhC5Twk82fTjnzFUvmUsWn1zWhSWBb2saZQK6xVKrevs 1GgG7t+OkpMV1GQgnAQ2L3td3cnnBMpXVxuhqUZA2E125BLClvKgN7uCRxlvF58SP/OA uI9Q+6NoxIiJQefAGhV/dkmqflElFZxdEdXNQtUxW40P+nPFzBwMnO6T5S17vPLhOdF/ SYnVJwsdxrvQua5SM9DtInCKHTr0+CBsajvf3ycjGk5uY9JKG6M9Ml5PuDr1L7xsZDGt FnGA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:dkim-signature; bh=3kyk0rokFAbkrgtc01xjyd4YqyaphcRK63ModOvOwcg=; fh=moJVYAvgr/cQIad1z4wTJhWHQorBFebVXOXlPbZCz/4=; b=PLo+UxZlGITCbkv1XtdXFYHn/D5utC6D4DefAwvp/4R+Ln3XMHOoU6WLKTxId95t9C aBnpE3k8flv+WmnhsiomMdygbMHYVfiCHi4nGxJ9qnrgfIjktMBGBqCnX6W2g/MGouhG lQ+hurWTrTyzEThFYOvCkN26EOKWNz1oAUK7n8HtrhC7fFahEfPR6Y+r55FqP4AshHwL Sl+KYsTOLg0hpEtFPSegVJ+38z0dO3Y9xc7sz0BTTNTYwhWAqHHBZkx2LMJcZl+n+LPC 1xV8eRnuC5Bi/a2xPziDOBszTBkJwi8/t81iy0nC0jGI7E0eJdaMtV6Xi+RvvJzWgwPd 0ecA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20221208 header.b=5X+7dWLq; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id fa24-20020a056a002d1800b006811bf554b8si2960754pfb.396.2023.06.29.08.59.19; Thu, 29 Jun 2023 08:59:33 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20221208 header.b=5X+7dWLq; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232427AbjF2PeB (ORCPT + 99 others); Thu, 29 Jun 2023 11:34:01 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55560 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232287AbjF2PeA (ORCPT ); Thu, 29 Jun 2023 11:34:00 -0400 Received: from mail-yw1-x114a.google.com (mail-yw1-x114a.google.com [IPv6:2607:f8b0:4864:20::114a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0FD6019BA for ; Thu, 29 Jun 2023 08:33:59 -0700 (PDT) Received: by mail-yw1-x114a.google.com with SMTP id 00721157ae682-565d1b86a64so6411707b3.3 for ; Thu, 29 Jun 2023 08:33:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1688052838; x=1690644838; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=3kyk0rokFAbkrgtc01xjyd4YqyaphcRK63ModOvOwcg=; b=5X+7dWLqWA+c5c/xZHCNYho35yEbDsgnfFTOb677nP9Eqd3EiyuJWdUXUIndMJZd6g 1ACBc9Qax2zAZUORZHVKSFoMLEBZc5IErMyHXbmqQ7dlZbY9iGhOCkWWh2a0qTTWdEN4 dCdbQ7mI8sYEds1L1nKER5UzFeOAsM2mm998PYc08qZZjva8xvFQ3Pq+wTgrEnYENB0x /+4atDdsU9iIIYUlOEc60GU0kWzVD8c6YdF1S7SE5IGScPMez0aBihHPX0BaEnpL0esK Qy+awD0S4Nh8jOeRtmVJDmTAGbj+GEP6+XfXgdd54Zb34y8abGXuvai3oxm5MAocPkFP vJfA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1688052838; x=1690644838; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=3kyk0rokFAbkrgtc01xjyd4YqyaphcRK63ModOvOwcg=; b=J+sYFwzxkFwbaqpKnl5qJiW8+wqsSZdXb9WLVn/DRU7uTe7hiEr3b4saB9XmFgSxCL UdQKBlwkMtDsWMyDErfYbdDrM6AlUpQ4kNvd9zP1jMkmrqkSBCJpaNw+MNGbrPD7TOWV wcMhYl/H62m3ZeD2trdNmIHwjbvTnbTvqGJOCdnR3oc4B7fxk8Y1QYuqiCtxJ08obTuH HPmCeEEWuzKBuPjUnE8NBF7Z1yRHJeZSh819Zk5prnSUbI1FjdW0qsSVTnczOUs6TaxB +n3szkAVtk/rZAbxjsJhhC5jrOqZtyMwjsgwQsarPYE+xazIsoxupZ4G9HsTmOtAOrwW t/qQ== X-Gm-Message-State: AC+VfDxZ2Kdu9ENeqjUShWbDGRN4twUgQNzyyknH0tYZVnLrmSUXNPny 1Bvk94Ke5zEHxpp6eKE4MdC+dgIfLZs= X-Received: from zagreus.c.googlers.com ([fda3:e722:ac3:cc00:7f:e700:c0a8:5c37]) (user=seanjc job=sendgmr) by 2002:a81:4046:0:b0:55d:d5b1:c2bd with SMTP id m6-20020a814046000000b0055dd5b1c2bdmr10931805ywn.8.1688052838293; Thu, 29 Jun 2023 08:33:58 -0700 (PDT) Date: Thu, 29 Jun 2023 08:33:56 -0700 In-Reply-To: <5a9e57e3-0361-77f8-834f-edb8600483e1@linux.intel.com> Mime-Version: 1.0 References: <20230606091842.13123-1-binbin.wu@linux.intel.com> <20230606091842.13123-5-binbin.wu@linux.intel.com> <5a9e57e3-0361-77f8-834f-edb8600483e1@linux.intel.com> Message-ID: Subject: Re: [PATCH v9 4/6] KVM: x86: Introduce untag_addr() in kvm_x86_ops From: Sean Christopherson To: Binbin Wu Cc: Chao Gao , kvm@vger.kernel.org, linux-kernel@vger.kernel.org, pbonzini@redhat.com, kai.huang@intel.com, David.Laight@aculab.com, robert.hu@linux.intel.com Content-Type: text/plain; charset="us-ascii" X-Spam-Status: No, score=-9.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jun 29, 2023, Binbin Wu wrote: > On 6/29/2023 2:57 PM, Chao Gao wrote: > > On Thu, Jun 29, 2023 at 02:12:27PM +0800, Binbin Wu wrote: > > > > > + /* > > > > > + * Check LAM_U48 in cr3_ctrl_bits to avoid guest_cpuid_has(). > > > > > + * If not set, vCPU doesn't supports LAM. > > > > > + */ > > > > > + if (!(vcpu->arch.cr3_ctrl_bits & X86_CR3_LAM_U48) || > > > > This is unnecessary, KVM should never allow the LAM bits in CR3 to be set if LAM > > > > isn't supported. > > A corner case is: > > > > If EPT is enabled, CR3 writes are not trapped. then guests can set the > > LAM bits in CR3 if hardware supports LAM regardless whether or not guest > > enumerates LAM. Argh, that's a really obnoxious virtualization hole. > I recalled the main reason why I added the check. > It's used to avoid the following checking on CR3 & CR4, which may cause an > additional VMREAD. FWIW, that will (and should) be handled by kvm_get_active_lam_bits(). Hmm, though since CR4.LAM_SUP is a separate thing, that should probably be kvm_get_active_cr3_lam_bits(). > Also, about the virtualization hole, if guest can enable LAM bits in CR3 in > non-root mode without cause any problem, that means the hardware supports > LAM, should KVM continue to untag the address following CR3 setting? Hrm, no, KVM should honor the architecture. The virtualization hole is bad enough as it is, I don't want to KVM to actively make it worse. > Because skip untag the address probably will cause guest failure, and of > cause, this is the guest itself to blame. Yeah, guest's fault. The fact that it the guest won't get all the #GPs it should is unfortunate, but intercepting all writes to CR3 just to close the hole is sadly a really bad tradeoff. > But untag the address seems do no harm? In an of itself, not really. But I don't want to set the precedent in KVM that user LAM is supported regardless of guest CPUID. Another problem with the virtualization hole is that the guest will be able to induce VM-Fail when KVM is running on L1, because L0 will likely enforce the CR3 checks on VM-Enter but not intercept MOV CR3. I.e. the guest can get an illegal value into vmcs.GUEST_CR3. We could add code to explicitly detect that case to help triage such failures, but I don't know that it's worth the code, e.g. if (exit_reason.failed_vmentry) { if (boot_cpu_has(X86_FEATURE_LAM) && !guest_can_use(X86_FEATURE_LAM) && (kvm_read_cr3(vcpu) & (X86_CR3_LAM_U48 | X86_CR3_LAM_U57))) pr_warn_ratelimited("Guest abused LAM virtualization hole\n"); else dump_vmcs(vcpu); vcpu->run->exit_reason = KVM_EXIT_FAIL_ENTRY; vcpu->run->fail_entry.hardware_entry_failure_reason = exit_reason.full; vcpu->run->fail_entry.cpu = vcpu->arch.last_vmentry_cpu; return 0; }