Date:   Fri, 20 Oct 2017 10:58:32 +0200
From:   Paolo Bonzini <pbonzini@...hat.com>
To:     "Kang, Luwei" <luwei.kang@...el.com>,
        "kvm@...r.kernel.org" <kvm@...r.kernel.org>
Cc:     "rkrcmar@...hat.com" <rkrcmar@...hat.com>,
        "tglx@...utronix.de" <tglx@...utronix.de>,
        "mingo@...hat.com" <mingo@...hat.com>,
        "hpa@...or.com" <hpa@...or.com>, "x86@...nel.org" <x86@...nel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        Chao Peng <chao.p.peng@...ux.intel.com>
Subject: Re: [PATCH 0/9] Intel Processor Trace virtulization enabling

On 20/10/2017 02:22, Kang, Luwei wrote:
> Hi Paolo, thanks for your clarification. Understood. So, we should set
> "use GPA for processor tracing" in any case (if we can do it), even in
> system mode. There is no problem without nesting, but there is a problem
> with nesting if this bit is not set. I am still talking with the hardware
> designer, but please don't expect it can be changed in the SDM or hardware
> (fail vmentry if they are not respected) soon.

No change in hardware is needed.

What I'm asking for is to define a bit in some architectural MSR such
that, _if the bit is 1_, you must have one of:

- RTIT_CTL = 0

- enable EPT = 0

- enable EPT = use GPA for processor tracing = 1, RTIT_CTL != 0

or vmentry would fail.

If the bit is 1 and RTIT_CTL = 0 and enable EPT = 1 and use GPA for
processor tracing = 0, the hypervisor must trap RTIT_CTL writes or
behavior is undefined.

Processors would just set it to 0 and have absolutely no change in behavior.

> So, can we enable it in L1
> guest only first?  I think it is not worth disabling EPT for L1 to
> enable Intel PT. What is your opinion?

Yes, we can enable it.  But since KVM sets IA32_VMX_MISC[14]=0, your
patches must forbid enabling processor trace during VMX operation.

(In fact, another source of complexity is that we'd have to write the
VMPTRLD packet ourselves to the guest's processor trace buffer).

Paolo
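
The rule proposed in the message above, written out as a small C model (an added example, not code from the patch series or from KVM). The `strict_bit` parameter stands for the MSR bit the message asks to have defined; the function, enum and macro names are chosen for this example, and only the conditions listed in the message are modelled.

```c
#include <stdbool.h>
#include <stdint.h>

/* Secondary processor-based VM-execution control bits (positions per the
 * Intel SDM; macro names are this example's own). */
#define SECONDARY_EXEC_ENABLE_EPT  (1u << 1)   /* "enable EPT" */
#define SECONDARY_EXEC_PT_USE_GPA  (1u << 24)  /* "use GPA for processor tracing" */

enum pt_entry_verdict {
    PT_ENTRY_OK,            /* vmentry allowed, no extra obligation */
    PT_ENTRY_OK_MUST_TRAP,  /* allowed, but RTIT_CTL writes must be trapped */
    PT_ENTRY_FAIL           /* vmentry would fail */
};

/*
 * strict_bit : hypothetical architectural MSR bit from the message
 * rtit_ctl   : guest IA32_RTIT_CTL value at vmentry
 * secondary  : secondary processor-based VM-execution controls
 *
 * Other VMX consistency checks are deliberately not modelled.
 */
enum pt_entry_verdict pt_check_vmentry(bool strict_bit, uint64_t rtit_ctl,
                                       uint32_t secondary)
{
    bool ept     = (secondary & SECONDARY_EXEC_ENABLE_EPT) != 0;
    bool use_gpa = (secondary & SECONDARY_EXEC_PT_USE_GPA) != 0;

    /* Bit reported as 0: no change in behavior. */
    if (!strict_bit)
        return PT_ENTRY_OK;

    /* "enable EPT = 0" is always acceptable. */
    if (!ept)
        return PT_ENTRY_OK;

    /* EPT on and tracing uses GPAs: acceptable for any RTIT_CTL value. */
    if (use_gpa)
        return PT_ENTRY_OK;

    /* EPT on, GPA translation off: only RTIT_CTL = 0 may enter, and the
     * hypervisor must then intercept guest writes to RTIT_CTL. */
    if (rtit_ctl == 0)
        return PT_ENTRY_OK_MUST_TRAP;

    return PT_ENTRY_FAIL;
}
```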
