Received: by 2002:ab2:7407:0:b0:1f4:b336:87c4 with SMTP id e7csp85830lqn;
        Thu, 11 Apr 2024 14:57:24 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCWUTINqyVKdcew8YnIR0MuJPxuinCawXbFyRJuyin7YauJfE49b7Xz8N9yLP2FfSs5Mr3TLLCMsRR/wBv4B9yOPbDbFLzGnEWvziZMQGA==
X-Google-Smtp-Source: AGHT+IEnkdvQ7eJfzn54m46RI9MIi4yhWtWBpg5DKcEARltrx84DaCOF35uLTa4UxmjjCieqb6OP
X-Received: by 2002:ac8:7f06:0:b0:436:5cfd:4bb2 with SMTP id f6-20020ac87f06000000b004365cfd4bb2mr1032650qtk.40.1712872644568;
        Thu, 11 Apr 2024 14:57:24 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1712872644; cv=pass;
        d=google.com; s=arc-20160816;
        b=xpS+7pOKtNKdxcwBVLhI2qgR73P54coA8DYWmujtNAP1SUj45ZU6L+Lv1lCcX1+Dr7
         JBxAgQCb+xAYhFaj9ACANZ7dH5eALCnYJxc/13Tvfw9uHr+LeDDnxUyGwbI78Cgy6I6C
         ChJ23YlmEsvs4JvdWd3Mg7rJGWtQsNaT+15VNhQbrwyeNIzLf5045G9grVJYcV+ZOK3P
         RKFJ9hQGexNyoFk4WjKjipbdq0w9fZ4p8HHpTvNGVCq+tjC+9pvlip02hEfCNsm0mbvq
         x+WYlb0Zwh7CFMC3WsMvNqM4Whm1/SPuLULpLvDKPpgTBOGZ1vYGqH3+qJv6iq0G6aCG
         6+OA==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:list-unsubscribe:list-subscribe
         :list-id:precedence:dkim-signature;
        bh=LR5h6hXBJ1ddFZtXvkQC/6wTnyda1YJpe8L7WAUAxYY=;
        fh=7/7hGnylVbvGw7iTBs4VDBwD2ztostzFWRQXnaUVBy0=;
        b=oz76Gjgjl+ucM/Klfb/bijLnKUxfucqBvxC0iT9DKfIt73MAZ/a1lNLp18pHFq4LZD
         ATcJUJJXQx9fAaE2qsdxWxJg8eGDUAOAH4RFq7Oz07KB8FXqMCcMwV5xUwZk6Y9U6Pp8
         OYH8QY4qYxrWtUHuSXkfj9ywZ+Z/dgWPmXCLscaz4swx7ZhAEBDxyj01BLTDwj+nZFeo
         nbzNH1qt+TiT2o+Y23QDUxqcqc9o5r38dnyUnTmJp0MxoJIG3+3s3ERFFeHQM7Yuxqgo
         bD9dHMFwsJcSDlmDXKLghXZ1CQ66mDdNNhe0c+3uwACg7vqRkRP+vFU4SyEb8F2zeYD4
         Xjbg==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@google.com header.s=20230601 header.b=dv9A711f;
       arc=pass (i=1 spf=pass spfdomain=google.com dkim=pass dkdomain=google.com dmarc=pass fromdomain=google.com);
       spf=pass (google.com: domain of linux-kernel+bounces-141652-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-141652-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel+bounces-141652-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1])
        by mx.google.com with ESMTPS id g2-20020ac87d02000000b004364d7c8b1asi2356657qtb.725.2024.04.11.14.57.24
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 11 Apr 2024 14:57:24 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-141652-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20230601 header.b=dv9A711f;
       arc=pass (i=1 spf=pass spfdomain=google.com dkim=pass dkdomain=google.com dmarc=pass fromdomain=google.com);
       spf=pass (google.com: domain of linux-kernel+bounces-141652-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-141652-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ny.mirrors.kernel.org (Postfix) with ESMTPS id E4E6B1C21641
	for <linux.lists.archive@gmail.com>; Thu, 11 Apr 2024 21:57:19 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id E25433D0D5;
	Thu, 11 Apr 2024 21:57:09 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="dv9A711f"
Received: from mail-ed1-f42.google.com (mail-ed1-f42.google.com [209.85.208.42])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 550A536B08
	for <linux-kernel@vger.kernel.org>; Thu, 11 Apr 2024 21:57:06 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.42
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1712872629; cv=none; b=OWRcM9LTEoOyayblI8hHqHR6kuvS50L7lh74JzelD2f+lvjF8ONg0KlMvYPoxTTy9Ew7KvcEAaz2TSEPpYBLXM3JucCT2WybIM6Ry1dhvASdsG6hIDWC+VwuVJPtmijbV7n8uePNwa2xnBYc/XE+r+D0ExO/RRPpXCEeJv8g/Aw=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1712872629; c=relaxed/simple;
	bh=+ZmTzQByvFIOG43ztGwvq/MFcJJJ50PhnkFNQc1T7RQ=;
	h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject:
	 To:Cc:Content-Type; b=mciXQxfqHdg8YA+F95ZQ/sjx4wjW+3UziTk0hl2k316gBZmIZ5vK98Phg8+/bqTjZTyIy0YvgCG189vsnVm3KX8b3/xwWe07MRJTtXQuClwmbR1agcVeKXurZHsNNrXZo6xzb7xhrgL870vAiQoetTMx/gOdlva65GZ4WTssKO0=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=dv9A711f; arc=none smtp.client-ip=209.85.208.42
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=google.com
Received: by mail-ed1-f42.google.com with SMTP id 4fb4d7f45d1cf-56e2e851794so1834a12.0
        for <linux-kernel@vger.kernel.org>; Thu, 11 Apr 2024 14:57:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20230601; t=1712872625; x=1713477425; darn=vger.kernel.org;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:from:to:cc:subject:date
         :message-id:reply-to;
        bh=LR5h6hXBJ1ddFZtXvkQC/6wTnyda1YJpe8L7WAUAxYY=;
        b=dv9A711fREYxTL8m8l4v9+v8CO9l0QnhzqLAgdlqF23uUDMk7Ydu8rD7iu2UGtL7rW
         T0MM2Qty/H2MnApG9JESzr8nALvZk38XFc0VgxcABuV8OneFjIAWFzBmhbIbbwpVv3e5
         eeDCysjON4DdK07axIaeO2MlAw91Z5QUmGyU8nQhB8ynM6IzD/Fmr9ejVPCOVu5ZBOm2
         jLAWDLADPH9H9K4weJMLypOWGMkql4AWoBNtGq2xT1vVhRQJTq0tAHiEIOWl4bSVXBoI
         u7w8DlBQ89mazwJp0p8nUGjvS/EfOzi7AXa7KyjSSM5Ia1+7D8wqXpOllylPlOGenAqH
         9gLg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1712872625; x=1713477425;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=LR5h6hXBJ1ddFZtXvkQC/6wTnyda1YJpe8L7WAUAxYY=;
        b=eQ3Kmdodtwx40+TbQY+pwQDVXuv6wz3xlolIW4FI+DwPX4rHamgZ1WwGOTMTCDtF0I
         SA4UHvvjGkDolo2ObMcqKjYUqXgrAHCMXW6CkLb7P0jLvSNgiE9gWSdJxcbL8ktcD9Ez
         OUTLM/oooidoYPfSjDRi1NG9JVBoiCnMjE+pJugLI/M5IQCgdtGPumeVj6hgH5BafyDI
         Y2l8ra+lxX9dOz7Q3bPgswHm9wpT1tRdt3z+SscEJXJkPAOgVvjdnzOjd91quBqgcE/k
         c0dPFi5IITR16PmWOJqIc29rCwYTknNJlhIzRnThDiZK71KRMqwKDKeixxkL9tZeZeBn
         PiKA==
X-Forwarded-Encrypted: i=1; AJvYcCV/iASV2ARo1EVK3fhC8FKJmHiCnyEkqMwUZhwvaAJIDa2UAnYSFh5NJ+Mc/P6MPhUrl7P2lYXKgmdKecEpuUnH/GTpsY/KFHTRXfzR
X-Gm-Message-State: AOJu0YzU/4wYZJcKRrfySAqREPZ0XR9JB37MfkPN0zGTvpvj3fz3ORo/
	RdCcENb14zSXjUEXQqGe8HPyLrxei3HiuLiyiiAd9KIVxofXfQVGvHZJGofMlopKjP64lWER7Mn
	Hjdc/l6b8tfE5TINbNiDXDkQIUiw1Sf4wzGTn
X-Received: by 2002:a50:ee9a:0:b0:56f:3a0b:8e05 with SMTP id
 f26-20020a50ee9a000000b0056f3a0b8e05mr60835edr.0.1712872624480; Thu, 11 Apr
 2024 14:57:04 -0700 (PDT)
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
References: <20240126085444.324918-1-xiong.y.zhang@linux.intel.com>
 <20240126085444.324918-25-xiong.y.zhang@linux.intel.com> <ZhhXxV3Z1UHLp1M1@google.com>
In-Reply-To: <ZhhXxV3Z1UHLp1M1@google.com>
From: Jim Mattson <jmattson@google.com>
Date: Thu, 11 Apr 2024 14:56:52 -0700
Message-ID: <CALMp9eQeOnySY2d3p=H=uvH+tt0tONazPiLC4NQ-ReFjszX_3g@mail.gmail.com>
Subject: Re: [RFC PATCH 24/41] KVM: x86/pmu: Zero out unexposed
 Counters/Selectors to avoid information leakage
To: Sean Christopherson <seanjc@google.com>
Cc: Xiong Zhang <xiong.y.zhang@linux.intel.com>, pbonzini@redhat.com, 
	peterz@infradead.org, mizhang@google.com, kan.liang@intel.com, 
	zhenyuw@linux.intel.com, dapeng1.mi@linux.intel.com, kvm@vger.kernel.org, 
	linux-perf-users@vger.kernel.org, linux-kernel@vger.kernel.org, 
	zhiyuan.lv@intel.com, eranian@google.com, irogers@google.com, 
	samantha.alt@intel.com, like.xu.linux@gmail.com, chao.gao@intel.com
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Thu, Apr 11, 2024 at 2:36=E2=80=AFPM Sean Christopherson <seanjc@google.=
com> wrote:
>
> On Fri, Jan 26, 2024, Xiong Zhang wrote:
> > From: Mingwei Zhang <mizhang@google.com>
> >
> > Zero out unexposed counters/selectors because even though KVM intercept=
s
> > all accesses to unexposed PMU MSRs, it does pass through RDPMC instruct=
ion
> > which allows guest to read all GP counters and fixed counters. So, zero=
 out
> > unexposed counter values which might contain critical information for t=
he
> > host.
>
> This belongs in the previous patch, it's effectively a bug fix.  I apprec=
iate
> the push for finer granularity, but introducing a blatant bug and then im=
mediately
> fixing it goes too far.
>
> > Signed-off-by: Mingwei Zhang <mizhang@google.com>
> > ---
> >  arch/x86/kvm/vmx/pmu_intel.c | 16 ++++++++++++++++
> >  1 file changed, 16 insertions(+)
> >
> > diff --git a/arch/x86/kvm/vmx/pmu_intel.c b/arch/x86/kvm/vmx/pmu_intel.=
c
> > index f79bebe7093d..4b4da7f17895 100644
> > --- a/arch/x86/kvm/vmx/pmu_intel.c
> > +++ b/arch/x86/kvm/vmx/pmu_intel.c
> > @@ -895,11 +895,27 @@ static void intel_restore_pmu_context(struct kvm_=
vcpu *vcpu)
> >               wrmsrl(MSR_ARCH_PERFMON_EVENTSEL0 + i, pmc->eventsel);
> >       }
> >
> > +     /*
> > +      * Zero out unexposed GP counters/selectors to avoid information =
leakage
> > +      * since passthrough PMU does not intercept RDPMC.
>
> Zeroing the selectors is unnecessary.  KVM still intercepts MSR_CORE_PERF=
_GLOBAL_CTRL,
> so just ensure the PMCs that aren't exposed the guest are globally enable=
d.
>
> > +      */
> > +     for (i =3D pmu->nr_arch_gp_counters; i < kvm_pmu_cap.num_counters=
_gp; i++) {
> > +             wrmsrl(MSR_IA32_PMC0 + i, 0);
> > +             wrmsrl(MSR_ARCH_PERFMON_EVENTSEL0 + i, 0);
> > +     }
> > +
> >       wrmsrl(MSR_CORE_PERF_FIXED_CTR_CTRL, pmu->fixed_ctr_ctrl);
> >       for (i =3D 0; i < pmu->nr_arch_fixed_counters; i++) {
> >               pmc =3D &pmu->fixed_counters[i];
> >               wrmsrl(MSR_CORE_PERF_FIXED_CTR0 + i, pmc->counter);
> >       }
> > +
> > +     /*
> > +      * Zero out unexposed fixed counters to avoid information leakage
> > +      * since passthrough PMU does not intercept RDPMC.
>
> I would call out that RDPMC interception is all or nothing, i.e. KVM can'=
t
> selectively intercept _some_ PMCs, and the MSR bitmaps don't apply to RDP=
MC.

Yes. RDPMC must be intercepted, unless KVM knows that all possible
PMCs are passthrough. It must also be intercepted if
enable_vmware_backdoor is true.

> > +      */
> > +     for (i =3D pmu->nr_arch_fixed_counters; i < kvm_pmu_cap.num_count=
ers_fixed; i++)
> > +             wrmsrl(MSR_CORE_PERF_FIXED_CTR0 + i, 0);
> >  }
> >
> >  struct kvm_pmu_ops intel_pmu_ops __initdata =3D {
> > --
> > 2.34.1
> >