Received: by 2002:a05:7412:b101:b0:e2:908c:2ebd with SMTP id az1csp2658197rdb; Wed, 15 Nov 2023 07:09:36 -0800 (PST) X-Google-Smtp-Source: AGHT+IEjs/LI4nHPPXmJhFY8Gsbcbexu18tqrDo8txvUhJq9P1yDdOZZf+92VMS9qHGZgjOGTr0i X-Received: by 2002:a05:6a20:dca0:b0:174:210c:34b0 with SMTP id ky32-20020a056a20dca000b00174210c34b0mr9931543pzb.0.1700060976620; Wed, 15 Nov 2023 07:09:36 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1700060976; cv=none; d=google.com; s=arc-20160816; b=vYQzvtLCMppoa3kOHb7ZlUjuogJWbbq9Z/hrVOD/kymKJWuNmKTWJ/3U+efr5+u/3w UHf//zgl8MV51kxmk9r4QMmN45NNbMh0fbOsZs/njxat+GbucMlW3F6A5Jo3u4xKjGs+ tg6Amw7iW2Oqm7/q1plCGOBHon137lL7WS3iZXt1WHHnNIIPiuyBH5A6aRJ4Ts7Y7bz4 mz+30kLHnsFUfk87LD2jqh82TDhoPr6ZCvn8CSyPcfC3DE+5fkfJNJWzxIVNoKuKRaMR 75+q8Vq5p68j8mzsKuw678svo4FHcGcM0LQ972lA4+VSOiLEwMD9+KI4dUZX/O4Hj/Pm Y6Mg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:dkim-signature; bh=r39GnHM5bN5YuWeX4taddVxZqZSztKdXAkWyIoY43Wo=; fh=1A0zpe8G+t1w1/PseO+VlhAiF5L3RTJKCwHjdQXRnI0=; b=N8yt7rn7cSQNGvZC+V8WL1xtYKiT5Co4SbA6mLAlAzPtcTLGTlEuIS7yI1sXGsa+ZQ 0S9AMVJZnTB6SZ7vd42ySADTeq90QryoWkrX3j7tkc7PkqsyjqRTR/pp69PA3DxlgbTk ATl4goG2fbgZkk4t0LcyyDz6sKeo1aSvvqXcZU2sddUgF3uYc4oL2ntkuu10mWNBg+ty yPpdLVBGEATOSmcSoT9P5UGfMFoSkACzOWUHeEgWBHzmQ0jKe6a1uvQ93QbGVx3EgaBR 9gW4pfASMf2mlKMmvA2f+FdSP1spFeAPmS8U+rLbvcqMldw4Ai5E8mesgTk7KC+LoIjG 1XdA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=2Y16O+5x; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from lipwig.vger.email (lipwig.vger.email. [2620:137:e000::3:3]) by mx.google.com with ESMTPS id g8-20020a63fa48000000b005b3b889619asi9877349pgk.606.2023.11.15.07.09.35 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 15 Nov 2023 07:09:36 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) client-ip=2620:137:e000::3:3; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=2Y16O+5x; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by lipwig.vger.email (Postfix) with ESMTP id E930A810EC12; Wed, 15 Nov 2023 07:09:33 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at lipwig.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344364AbjKOPJW (ORCPT + 99 others); Wed, 15 Nov 2023 10:09:22 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38944 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1343952AbjKOPJV (ORCPT ); Wed, 15 Nov 2023 10:09:21 -0500 Received: from mail-pl1-x649.google.com (mail-pl1-x649.google.com [IPv6:2607:f8b0:4864:20::649]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C92FAB8 for ; Wed, 15 Nov 2023 07:09:18 -0800 (PST) Received: by mail-pl1-x649.google.com with SMTP id d9443c01a7336-1cc56cc8139so11196505ad.0 for ; Wed, 15 Nov 2023 07:09:18 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1700060958; x=1700665758; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=r39GnHM5bN5YuWeX4taddVxZqZSztKdXAkWyIoY43Wo=; b=2Y16O+5x6Jbce4BxgT6Z+vMDFfRVva3mDQMtTO8/W8t1P7qw1vD94TYr+BBFGmIKih DyDpJtVwhFkXNRfI//1ZLFHNljMLI+4bdT3KT4P2AjPsKdt3qPIADeVNkRyEkY2lhT6W UMju58oifU4eAzkVzDciUHmUJbDVe042sVpmV/ngmjOZgT3DAJ0u9c8O8qgVTBp+J+km Gio6YnCprERGaujNjkVN106T0QmBsuaaBlWCRYzzymbBUoSF1R7SyhH5xUCY6rKtiqdL +g5vixlaY2uocmpuDaGNFcLh/aawLjRgJCz9H3IeNQBBaUPPavGedswcUErYK+Rr4vfa sMRA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1700060958; x=1700665758; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=r39GnHM5bN5YuWeX4taddVxZqZSztKdXAkWyIoY43Wo=; b=jPm4OnBPzDGaINxYij/WMMdQTxtMfSw4kWt0bssR+CS/YuzJNyerSrytw23jHImCU6 LSZQDMcobGslJIzQGK4k3caIrEN8Pc5fhf2LFQru+Y38GWmf+ChcOpj+JRqNcqHu3few wPohV4dfkPAkluKcoxU8JDpYcEOsjVyjgFGDgkV/ILP5AxJRGxg4AS2IGKxQe2UWbApg ph1jgXsI9QpXE0JjkZQoZTfjyIpkI+aQ552iSGM39Bmpdo81zdybNEsS5GBN6yFJn/+N JJ/f/QV5ZgvLpJlM5jbKgqgjXNe9mrcrmUOkqo7YLn2gmj2cwtg5FRDuO1FJncHgrWyd yGqw== X-Gm-Message-State: AOJu0YwNE+Dxl1m+RKy6/uaCnEe1QxU+5WdBNpR0xwlcQdvc4/PJ8mby s6Dc6mypNOdgCGA1tbtK46KG7W9qBeQ= X-Received: from zagreus.c.googlers.com ([fda3:e722:ac3:cc00:7f:e700:c0a8:5c37]) (user=seanjc job=sendgmr) by 2002:a17:903:4292:b0:1cc:166f:91c8 with SMTP id ju18-20020a170903429200b001cc166f91c8mr1456351plb.1.1700060958209; Wed, 15 Nov 2023 07:09:18 -0800 (PST) Date: Wed, 15 Nov 2023 07:09:15 -0800 In-Reply-To: <9395d416-cc5c-536d-641e-ffd971b682d1@gmail.com> Mime-Version: 1.0 References: <20231110235528.1561679-1-seanjc@google.com> <20231110235528.1561679-7-seanjc@google.com> <9395d416-cc5c-536d-641e-ffd971b682d1@gmail.com> Message-ID: Subject: Re: [PATCH 6/9] KVM: x86: Update guest cpu_caps at runtime for dynamic CPUID-based features From: Sean Christopherson To: Robert Hoo Cc: Paolo Bonzini , kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Maxim Levitsky Content-Type: text/plain; charset="us-ascii" X-Spam-Status: No, score=-8.4 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE, USER_IN_DEF_DKIM_WL autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]); Wed, 15 Nov 2023 07:09:34 -0800 (PST) On Wed, Nov 15, 2023, Robert Hoo wrote: > On 11/14/2023 9:48 PM, Sean Christopherson wrote: > > On Mon, Nov 13, 2023, Robert Hoo wrote: > ... > > > u32 *caps = vcpu->arch.cpu_caps; > > > and update guest_cpu_cap_set(), guest_cpu_cap_clear(), > > > guest_cpu_cap_change() and guest_cpu_cap_restrict() to pass in > > > vcpu->arch.cpu_caps instead of vcpu, since all of them merely refer to vcpu > > > cap, rather than whole vcpu info. > > > > No, because then every caller would need extra code to pass > > vcpu->cpu_caps, > > Emm, I don't understand this. I tried to modified and compiled, all need to > do is simply substitute "vcpu" with "vcpu->arch.cpu_caps" in calling. (at > the end is my diff based on this patch set) Yes, and I'm saying that guest_cpu_cap_restrict(vcpu, X86_FEATURE_PAUSEFILTER); guest_cpu_cap_restrict(vcpu, X86_FEATURE_PFTHRESHOLD); guest_cpu_cap_restrict(vcpu, X86_FEATURE_VGIF); guest_cpu_cap_restrict(vcpu, X86_FEATURE_VNMI); is harder to read and write than this guest_cpu_cap_restrict(vcpu->arch.cpu_caps, X86_FEATURE_PAUSEFILTER); guest_cpu_cap_restrict(vcpu->arch.cpu_caps, X86_FEATURE_PFTHRESHOLD); guest_cpu_cap_restrict(vcpu->arch.cpu_caps, X86_FEATURE_VGIF); guest_cpu_cap_restrict(vcpu->arch.cpu_caps, X86_FEATURE_VNMI); a one-time search-replace is easy, but the extra boilerplate has a non-zero cost for every future developer/reader. > > and passing 'u32 *' provides less type safety than 'struct kvm_vcpu *'. > > That tradeoff isn't worth making this one path slightly easier to read. > > My point is also from vulnerability, long term, since as a principle, we'd > better pass in param/info to a function of its necessity. Attempting to apply the principle of least privilege to low level C helpers is nonsensical. E.g. the helper can trivially get at the owning vcpu via container_of() (well, if not for typeof assertions not playing nice with arrays, but open coding container_of() is also trivial and illustrates the point). struct kvm_vcpu_arch *arch = (void *)caps - offsetof(struct kvm_vcpu_arch, cpu_caps); struct kvm_vcpu *vcpu = container_of(arch, struct kvm_vcpu, arch); if (!kvm_cpu_cap_has(x86_feature)) guest_cpu_cap_clear(vcpu, x86_feature); And the intent behind that principle is to improve security/robustness; what I'm saying is that passing in a 'u32 *" makes the overall implementation _less_ robust, as it opens up the possibilities of passing in an unsafe/incorrect pointer. E.g. a well-intentioned, not _that_ obviously broken example is: guest_cpu_cap_restrict(&vcpu->arch.cpu_caps[CPUID_1_ECX], X86_FEATURE_XSAVE); > e.g. cpuid_entry2_find(). The main reason cpuid_entry2_find() exists is because KVM checks the incoming array provided by KVM_SET_CPUID2, which is also the reason why __kvm_update_cpuid_runtime() takes an @entries array instead of just @vcpu.