Date: Thu, 11 Apr 2024 10:13:14 -0700
X-Mailing-List: linux-kernel@vger.kernel.org
Subject: Re: [PATCH v7 2/2] x86/mm: Don't disable INVLPG if the kernel is running on a hypervisor
To: Sean Christopherson, Xi Ruoyao
Cc: Dave Hansen, Michael Kelley, Pawan Gupta, Andy Lutomirski, Peter Zijlstra, Thomas Gleixner, Ingo Molnar, Borislav Petkov, "H. Peter Anvin", x86@kernel.org, linux-kernel@vger.kernel.org, Andrew Cooper
References: <20240411144322.14585-1-xry111@xry111.site> <20240411144322.14585-2-xry111@xry111.site>
From: Dave Hansen

On 4/11/24 09:22, Sean Christopherson wrote:
> In other words, simply checking HYPERVISOR *might* be safe, but it might not.
> If we wanted to be paranoid, this could also check X86_FEATURE_VMX, which also
> doesn't guarantee VMX non-root mode and would unnecessarily restrict PCID usage
> to setups that allow nested VMX, but AFAIK there aren't any hypervisors which
> fully emulate VMX.

X86_FEATURE_HYPERVISOR is most commonly used for vulnerabilities to see
if the data coming out of CPUID is likely to be garbage or not.
I think that's the most important thing to focus on.

It's arguable that x86_match_cpu() itself should just have a:

	/*
	 * Don't even waste our time when running under a hypervisor.
	 * They lie.
	 */
	if (boot_cpu_has(X86_FEATURE_HYPERVISOR))
		return NULL;

(well, it should probably actually be in the for() loop because folks
might be looking for an X86_FEATURE_* that is set by software or derived
from actually agreed-upon host<->guest ABI, but you get my point...)

If the hypervisor is duplicitous enough to keep X86_FEATURE_HYPERVISOR
from getting set, then the hypervisor gets to clean up the mess. The
kernel can just wash its hands of the whole thing.

So, there are two broad cases and a few sub-cases:

1. "Nice" hypervisor. Kernel sees X86_FEATURE_HYPERVISOR and knows that
   x86_match_cpu() and invlpg_miss_ids[] are irrelevant because:
 1a. It is running in VMX non-root mode and is not vulnerable, or
 1b. CPUID is a lie and x86_match_cpu() is meaningless, or
 1c. The kernel is in ring3 and can't execute INVLPG anyway. Whatever
     is running in ring0 will have to deal with it.
2. X86_FEATURE_HYPERVISOR is unset.
 2a. "Mean" hypervisor. All bets are off anyway.
 2b. Actual bare metal. Actually look for the bug.

I _think_ I'm OK with skipping the mitigation in all of the #1 cases and
applying it in both of the #2 cases. I don't think that checking for
VMX makes it much better.

Am I missing anything?
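
The case split in the message above, modelled as an added userspace C example (not code from the thread or from the kernel): the guard sits inside the table walk, so entries keyed on family/model are ignored under a hypervisor while feature-only entries can still match. `match_cpu`, the `FEAT_*` bits and both tables are constructed for illustration and are assumptions, not kernel names or real CPU model numbers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified userspace model; these names are not kernel APIs. */
#define ANY_MODEL       0xFFFFu   /* entry keys on a feature bit only */
#define FEAT_HYPERVISOR (1u << 0) /* stands in for X86_FEATURE_HYPERVISOR */
#define FEAT_SW_DEFINED (1u << 1) /* set by software or agreed guest ABI */

struct cpu_view { uint16_t family, model; uint32_t features; };
struct cpu_id   { uint16_t family, model; uint32_t feature; };

/* Constructed tables: family 6 / model 0x42 is a made-up affected part. */
static const struct cpu_id affected_ids[] = { { 6, 0x42, 0 }, { 0, 0, 0 } };
const struct cpu_id sw_feature_ids[] = {
	{ 0, ANY_MODEL, FEAT_SW_DEFINED }, { 0, 0, 0 }
};

/*
 * Table walk with the hypervisor guard inside the loop: entries keyed
 * on family/model are skipped when CPUID cannot be trusted, while
 * feature-only entries can still match.
 */
const struct cpu_id *match_cpu(const struct cpu_view *c,
			       const struct cpu_id *tbl)
{
	bool virt = (c->features & FEAT_HYPERVISOR) != 0;

	for (; tbl->family || tbl->model || tbl->feature; tbl++) {
		bool model_keyed = tbl->model != ANY_MODEL;

		if (model_keyed && virt)
			continue;	/* cases 1a-1c: ignore the table */
		if (model_keyed &&
		    (tbl->family != c->family || tbl->model != c->model))
			continue;
		if (tbl->feature && !(c->features & tbl->feature))
			continue;
		return tbl;
	}
	return NULL;
}

/* Cases 2a and 2b (bit unset) are the only ones that consult the table. */
bool need_invlpg_mitigation(const struct cpu_view *c)
{
	return match_cpu(c, affected_ids) != NULL;
}
```

A guest whose hypervisor hides the bit while reporting the affected model (case 2a) is treated exactly like bare metal (case 2b), which is the behaviour the message settles on.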