Subject: Re: [PATCH 2/5] KVM: x86: Constrain guest-supported xfeatures only at KVM_GET_XSAVE{2}
From: Dave Hansen
Date: Thu, 28 Sep 2023 07:09:52 -0700
To: Sean Christopherson, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86@kernel.org, Paolo Bonzini, Shuah Khan, Nathan Chancellor, Nick Desaulniers
Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org, linux-kselftest@vger.kernel.org, llvm@lists.linux.dev, Tyler Stachecki, Leonardo Bras
References: <20230928001956.924301-1-seanjc@google.com> <20230928001956.924301-3-seanjc@google.com>
In-Reply-To: <20230928001956.924301-3-seanjc@google.com>
On 9/27/23 17:19, Sean Christopherson wrote:
> Mask off xfeatures that aren't exposed to the guest only when saving guest
> state via KVM_GET_XSAVE{2} instead of modifying user_xfeatures directly.
> Preserving the maximal set of xfeatures in user_xfeatures restores KVM's
> ABI for KVM_SET_XSAVE, which prior to commit ad856280ddea ("x86/kvm/fpu:
> Limit guest user_xfeatures to supported bits of XCR0") allowed userspace
> to load xfeatures that are supported by the host, irrespective of what
> xfeatures are exposed to the guest.
>
> There is no known use case where userspace *intentionally* loads xfeatures
> that aren't exposed to the guest, but the bug fixed by commit ad856280ddea
> was specifically that KVM_GET_SAVE{2} would save xfeatures that weren't
> exposed to the guest, e.g. would lead to userspace unintentionally loading
> guest-unsupported xfeatures when live migrating a VM.
>
> Restricting KVM_SET_XSAVE to guest-supported xfeatures is especially
> problematic for QEMU-based setups, as QEMU has a bug where instead of
> terminating the VM if KVM_SET_XSAVE fails, QEMU instead simply stops
> loading guest state, i.e. resumes the guest after live migration with
> incomplete guest state, and ultimately results in guest data corruption.
>
> Note, letting userspace restore all host-supported xfeatures does not fix
> setups where a VM is migrated from a host *without* commit ad856280ddea,
> to a target with a subset of host-supported xfeatures. However there is
> no way to safely address that scenario, e.g. KVM could silently drop the
> unsupported features, but that would be a clear violation of KVM's ABI and
> so would require userspace to opt-in, at which point userspace could
> simply be updated to sanitize the to-be-loaded XSAVE state.
Acked-by: Dave Hansen

It's surprising (and nice) that this eliminates the !guest check in fpstate_realloc().
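The save/restore policy the quoted commit message describes, as an added userspace model that is not KVM's code: KVM_GET_XSAVE masks XSTATE_BV down to what the guest was shown, while KVM_SET_XSAVE validates against a user_xfeatures mask that is left at the full host-supported set. The xfeature bit numbers and the 512-byte XSAVE header offset follow the x86 XSAVE layout; HOST_XFEATURES, GUEST_XFEATURES, the function names and the sample buffers are constructed for illustration and stand in for real CPUID/XCR0 state.

```c
/* Added example, not KVM's code: a userspace model of the GET-masks /
 * SET-validates split described in the commit message. Buffers, masks
 * and function names are constructed for illustration. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XSAVE_SIZE        4096  /* sizeof(struct kvm_xsave) */
#define XSAVE_HDR_OFFSET  512   /* XSTATE_BV is the first u64 of the XSAVE header */

/* x86 xfeature bits, as numbered in XCR0. */
#define XFEATURE_MASK_FP      (1ULL << 0)
#define XFEATURE_MASK_SSE     (1ULL << 1)
#define XFEATURE_MASK_YMM     (1ULL << 2)
#define XFEATURE_MASK_AVX512  (7ULL << 5)
#define XFEATURE_MASK_PKRU    (1ULL << 9)

/* Constructed sample policy: the host supports AVX-512 and PKRU, the
 * guest's CPUID/XCR0 exposes only FP/SSE/AVX. */
#define HOST_XFEATURES  (XFEATURE_MASK_FP | XFEATURE_MASK_SSE | XFEATURE_MASK_YMM | \
			 XFEATURE_MASK_AVX512 | XFEATURE_MASK_PKRU)
#define GUEST_XFEATURES (XFEATURE_MASK_FP | XFEATURE_MASK_SSE | XFEATURE_MASK_YMM)

static uint64_t xstate_bv_get(const uint8_t *area)
{
	uint64_t bv;

	memcpy(&bv, area + XSAVE_HDR_OFFSET, sizeof(bv));
	return bv;
}

static void xstate_bv_set(uint8_t *area, uint64_t bv)
{
	memcpy(area + XSAVE_HDR_OFFSET, &bv, sizeof(bv));
}

/* KVM_GET_XSAVE side: copy the guest fpstate out to userspace, clearing
 * XSTATE_BV bits for xfeatures the guest was never shown. */
void xsave_get_for_user(const uint8_t *fpstate, uint8_t *ubuf, uint64_t guest_xfeatures)
{
	memcpy(ubuf, fpstate, XSAVE_SIZE);
	xstate_bv_set(ubuf, xstate_bv_get(fpstate) & guest_xfeatures);
}

/* KVM_SET_XSAVE side: reject XSTATE_BV bits outside user_xfeatures. With
 * user_xfeatures left at the maximal host-supported set, host-supported
 * but guest-unexposed features still load (the pre-ad856280ddea ABI). */
int xsave_set_from_user(uint8_t *fpstate, const uint8_t *ubuf, uint64_t user_xfeatures)
{
	uint64_t bv = xstate_bv_get(ubuf);

	if (bv & ~user_xfeatures)
		return -EINVAL;
	memcpy(fpstate, ubuf, XSAVE_SIZE);
	return 0;
}

/* Migration from a source that did NOT mask on GET: the image carries every
 * host xfeature. Returns the destination's SET result under the given
 * user_xfeatures policy. */
int migrate_unmasked_image(uint64_t dst_user_xfeatures)
{
	static uint8_t src_fpstate[XSAVE_SIZE], image[XSAVE_SIZE], dst_fpstate[XSAVE_SIZE];

	memset(src_fpstate, 0, sizeof(src_fpstate));
	xstate_bv_set(src_fpstate, HOST_XFEATURES);
	memcpy(image, src_fpstate, XSAVE_SIZE);	/* old GET: no masking at all */
	return xsave_set_from_user(dst_fpstate, image, dst_user_xfeatures);
}

/* Same round trip, but the source masks on GET as this patch does; returns
 * the XSTATE_BV that reaches userspace. */
uint64_t migrate_masked_image_bv(void)
{
	static uint8_t src_fpstate[XSAVE_SIZE], image[XSAVE_SIZE];

	memset(src_fpstate, 0, sizeof(src_fpstate));
	xstate_bv_set(src_fpstate, HOST_XFEATURES);
	xsave_get_for_user(src_fpstate, image, GUEST_XFEATURES);
	return xstate_bv_get(image);
}

int main(void)
{
	printf("masked GET xstate_bv = 0x%llx\n", (unsigned long long)migrate_masked_image_bv());
	printf("SET, user_xfeatures = host set:            %d\n", migrate_unmasked_image(HOST_XFEATURES));
	printf("SET, user_xfeatures constrained to guest:  %d\n", migrate_unmasked_image(GUEST_XFEATURES));
	printf("SET, target host lacks AVX-512:            %d\n",
	       migrate_unmasked_image(HOST_XFEATURES & ~XFEATURE_MASK_AVX512));
	return 0;
}
```

The second SET call is the behaviour commit ad856280ddea introduced and this patch reverts: an image saved by an unmasking source is refused once user_xfeatures is cut down to the guest set, which is the failure QEMU then mishandles. The third call is the scenario the commit message says cannot be fixed in KVM: the target host genuinely lacks a feature present in the image, so the only safe outcome is -EINVAL and userspace must sanitize the image itself.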