| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 25 Nov 2010 19:21:52 +0100 From: "Roedel, Joerg" <Joerg.Roedel@....com> To: Avi Kivity <avi@...hat.com> CC: Marcelo Tosatti <mtosatti@...hat.com>, "kvm@...r.kernel.org" <kvm@...r.kernel.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org> Subject: Re: [PATCH 0/9] KVM: Make the instruction emulator aware of Nested Virtualization On Thu, Nov 25, 2010 at 10:15:43AM -0500, Avi Kivity wrote: > On 11/25/2010 01:46 PM, Roedel, Joerg wrote: > Eventually the emulator will be used outside kvm. We don't want to tie > the two together. Does any user outside of KVM care about nested virtualization? > All that's needed is to read the svm chapter in the AMD manual; you > don't need to understand kvm or out nested svm implementation. On the > other hand, some information needs to be encoded in the emulator (the > order of the intercept check vs exception check) or we need to duplicate > checks. We also do a split decode. Is that person also required to read through the 500 pages of VMX documentation when nested VMX gets merged? > So they get special treatment. Decode bits are for the general case. > > Let's see: > > CRx/DRx checks - need group mechanism extension, can use decode bits The CRx writes are mostly special because exceptions for validity of the values written take precedence over the intercept. Implementing these checks also requires to put the intercept check into the kvm_set_crX functions, which, by themselves, needs to be reworked in an SVM specific way for this. > Selective CR0 - special Needs to be handled in the write-cr0 path > LIDT/SIDT/LGDT/SGDT/LLDT/SLDT/LTR/STR - decode bits Check for a valid address before the intercept check. Thus special too. > RDTSC/RDPMC/CPUID - decode bits RDTSC and RDPMC check all exceptions before the intercept too. > PUSHF/POPF/RSM/IRET/INTn - decode bits, + flag to check before exceptions Should work with decode-bits. > INVD /HLT/INVLPG/INVLPGA - decode bits Exceptions are only caused on cpl > 0 and take precedence over the intercept. Should work with decode bits. > VMRUN/VMLOAD/VMSAVE/VMMCALL/STGI/CLGI/SKINIT - decode bits (VMMCALL > preempts exceptions) VMRUN/VMLOAD/VMSAVE need to check rax for a valid physical address before the intercept is taken. All SVM instructions are not allowed in real-mode which needs to be checkd too. The realmode-check may be generic but with the address check this is harder. So at least VMRUN/VMLOAD/VMSAVE are special too. Further the SVM instructions are not implemented in the emulator at all (like some other instructions which can be intercepted). Proper emulation of these instructions would require new callbacks. > RDTSCP/ICEBP/WBINVD/MONITOR/MWAIT - decode bits RDTSCP needs special handling like RDTSC. MONITOR is special too because it checks all exceptions before the intercept. All this can be done, but I doubt the result will look better or is better maintainable than the current the solution in this patch-set. Joerg -- AMD Operating System Research Center Advanced Micro Devices GmbH Einsteinring 24 85609 Dornach General Managers: Alberto Bozzo, Andrew Bowd Registration: Dornach, Landkr. Muenchen; Registerger. Muenchen, HRB Nr. 43632 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists