Date: Fri, 8 Mar 2024 12:58:38 -0800
From: Isaku Yamahata
To: Chen Yu
Cc: isaku.yamahata@intel.com, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, isaku.yamahata@gmail.com, Paolo Bonzini, erdemaktas@google.com, Sean Christopherson, Sagi Shahar, Kai Huang, chen.bo@intel.com, hang.yuan@intel.com, tina.zhang@intel.com, isaku.yamahata@linux.intel.com
Subject: Re: [PATCH v19 080/130] KVM: TDX: restore host xsave state when exit from the guest TD
Message-ID: <20240308205838.GA713729@ls.amr.corp.intel.com>
References: <2894ed10014279f4b8caab582e3b7e7061b5dad3.1708933498.git.isaku.yamahata@intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Mar 07, 2024 at 04:32:16PM +0800, Chen Yu wrote:
> On 2024-02-26 at 00:26:22 -0800, isaku.yamahata@intel.com wrote:
> > From: Isaku Yamahata
> >
> > On exiting from the guest TD, xsave state is clobbered. Restore xsave
> > state on TD exit.
> >
> > Signed-off-by: Isaku Yamahata
> > ---
> > v19:
> > - Add EXPORT_SYMBOL_GPL(host_xcr0)
> >
> > v15 -> v16:
> > - Added CET flag mask
> >
> > Signed-off-by: Isaku Yamahata
> > ---
> > arch/x86/kvm/vmx/tdx.c | 19 +++++++++++++++++++ > > arch/x86/kvm/x86.c | 1 + > > 2 files changed, 20 insertions(+) > > > > diff --git a/arch/x86/kvm/vmx/tdx.c b/arch/x86/kvm/vmx/tdx.c > > index 9616b1aab6ce..199226c6cf55 100644
> > --- a/arch/x86/kvm/vmx/tdx.c > > +++ b/arch/x86/kvm/vmx/tdx.c > > @@ -2,6 +2,7 @@ > > #include > > #include > > > > +#include > > #include > > > > #include "capabilities.h" > > @@ -534,6 +535,23 @@ void tdx_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event) > > */ > > } > > > > +static void tdx_restore_host_xsave_state(struct kvm_vcpu *vcpu) > > +{ > > + struct kvm_tdx *kvm_tdx = to_kvm_tdx(vcpu->kvm); > > + > > + if (static_cpu_has(X86_FEATURE_XSAVE) && > > + host_xcr0 != (kvm_tdx->xfam & kvm_caps.supported_xcr0)) > > + xsetbv(XCR_XFEATURE_ENABLED_MASK, host_xcr0); > > + if (static_cpu_has(X86_FEATURE_XSAVES) && > > + /* PT can be exposed to TD guest regardless of KVM's XSS support */ > > + host_xss != (kvm_tdx->xfam & > > + (kvm_caps.supported_xss | XFEATURE_MASK_PT | TDX_TD_XFAM_CET))) > > + wrmsrl(MSR_IA32_XSS, host_xss); > > + if (static_cpu_has(X86_FEATURE_PKU) && > > + (kvm_tdx->xfam & XFEATURE_MASK_PKRU)) > > + write_pkru(vcpu->arch.host_pkru); > > +}
>
> Maybe one minor question regarding the pkru restore. In the non-TDX version
> kvm_load_host_xsave_state(), it first tries to read the current setting
> vcpu->arch.pkru = rdpkru(); if this setting does not equal host_pkru,
> it triggers the write_pkru on host. Does it mean we can also leverage that
> mechanism in TDX to avoid 1 pkru write (I guess pkru write is costlier than
> a read pkru)?

Yes, that's the intention. When we set the PKRU feature for the guest, the TDX
module unconditionally initializes pkru. Do you have a use case where wrpkru()
(without rdpkru()) is better?

--
Isaku Yamahata
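
Review bot: In tdx_restore_host_xsave_state(), the XCR0 and XSS branches skip the write when host_xcr0 or host_xss equals a value derived from kvm_tdx->xfam, but neither the hunk nor the commit message says what those registers hold after TD exit, so the correctness of the skip conditions cannot be checked from the patch. Suggest a comment above the function documenting the post-exit state the comparisons assume; the commit message only says the xsave state "is clobbered". The PKRU branch also differs from the other two: it calls write_pkru(vcpu->arch.host_pkru) whenever XFEATURE_MASK_PKRU is set in xfam, with no comparison against the host value in this function, so either compare first, as asked in the thread, or note in a comment why the call is made regardless. As a style point, the "PT can be exposed to TD guest" comment sits between the operands of the && condition and would read better above the if.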