| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 19 Mar 2015 20:58:15 +0100
From: Stefan Bader <stefan.bader@...onical.com>
To: Paolo Bonzini <pbonzini@...hat.com>, kvm@...r.kernel.org,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Ben Hutchings <ben@...adent.org.uk>
Subject: Re: regression: nested: L1 3.15+ fails to load kvm-intel on L0 <3.10
On 18.03.2015 10:18, Paolo Bonzini wrote:
>
>
> On 18/03/2015 09:46, Stefan Bader wrote:
>>
>> Regardless of that, I wonder whether the below (this version untested) sound
>> acceptable for upstream? At least it would make debugging much simpler. :)
>>
>> --- a/arch/x86/kvm/vmx.c
>> +++ b/arch/x86/kvm/vmx.c
>> @@ -2953,8 +2953,11 @@ static __init int adjust_vmx_controls(u32 ctl_min, u32 ct
>> ctl |= vmx_msr_low; /* bit == 1 in low word ==> must be one */
>>
>> /* Ensure minimum (required) set of control bits are supported. */
>> - if (ctl_min & ~ctl)
>> + if (ctl_min & ~ctl) {
>> + printk(KERN_ERR "vmx: msr(%08x) does not match requirements. "
>> + "req=%08x cur=%08x\n", msr, ctl_min, ctl);
>> return -EIO;
>> + }
>>
>> *result = ctl;
>> return 0;
>
> Yes, this is nice. Maybe -ENODEV.
>
> Also, a minimal patch for Ubuntu would probably be:
>
> @@ -2850,7 +2851,7 @@ static __init int setup_vmcs_config(struct vmcs_config *vmcs_conf)
> vmx_capability.ept, vmx_capability.vpid);
> }
>
> - min = 0;
> + min = VM_EXIT_SAVE_DEBUG_CONTROLS;
> #ifdef CONFIG_X86_64
> min |= VM_EXIT_HOST_ADDR_SPACE_SIZE;
> #endif
>
> but I don't think it's a good idea to add it to stable kernels.
Sorry, I got a bit confused on my assumptions. While the change above causes
guests to fail but the statement to say this is caused by host kernels before
this change was against better knowledge and wrong.
The actual range was hosts running 3.2 which (maybe not perfect but at least
well enough) allowed to use nested vmx for guest kernel <3.15 will break. But
running 3.13 on the host has no issues.
Comparing the rdmsr values of guests between those two host kernels, I found
that on 3.2 the exit control msr was very sparsely initialized. And looking at
the changes between 3.2 and 3.13 I found
commit 33fb20c39e98b90813b5ab2d9a0d6faa6300caca
Author: Jan Kiszka <jan.kiszka@...mens.com>
Date: Wed Mar 6 15:44:03 2013 +0100
KVM: nVMX: Fix content of MSR_IA32_VMX_ENTRY/EXIT_CTLS
This was added in 3.10. So the range of kernels affected <3.10 back to when
nested vmx became somewhat usable. For 3.2 Ben (and obviously us) would be
affected. Apart from that, I believe, it is only 3.4 which has an active
longterm. At least that change looks safer for stable as it sounds like
correcting things and not adding a feature. I was able to cherry-pick that into
a 3.2 kernel and then a 3.16 guest successfully can load the kvm-intel module
again, of course with the same shortcomings as before.
-Stefan
>
> Paolo
>
Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
Powered by blists - more mailing lists