lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 5 Apr 2016 20:26:53 +0700
From:	Suravee Suthikulpanit <Suravee.Suthikulpanit@....com>
To:	Paolo Bonzini <pbonzini@...hat.com>, <rkrcmar@...hat.com>,
	<joro@...tes.org>, <bp@...en8.de>, <gleb@...nel.org>,
	<alex.williamson@...hat.com>
CC:	<kvm@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
	<wei@...hat.com>, <sherry.hurwitz@....com>
Subject: Re: [PART1 RFC v3 07/12] svm: Add interrupt injection via AVIC

Hi Paolo,

On 3/18/16 17:22, Paolo Bonzini wrote:
>
>
> On 18/03/2016 07:09, Suravee Suthikulpanit wrote:
>> This patch introduces a new mechanism to inject interrupt using AVIC.
>> Since VINTR is not supported when enable AVIC, we need to inject
>> interrupt via APIC backing page instead.
>>
>> This patch also adds support for AVIC doorbell, which is used by
>> KVM to signal a running vcpu to check IRR for injected interrupts.
>>
>> Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@....com>
>
> Looks good, but I think it breaks nested virtualization.  See below.
>
>> [...]
>> @@ -2877,8 +2895,10 @@ static int clgi_interception(struct vcpu_svm *svm)
>>   	disable_gif(svm);
>>
>>   	/* After a CLGI no interrupts should come */
>> -	svm_clear_vintr(svm);
>> -	svm->vmcb->control.int_ctl &= ~V_IRQ_MASK;
>> +	if (!svm_vcpu_avic_enabled(svm)) {
>> +		svm_clear_vintr(svm);
>> +		svm->vmcb->control.int_ctl &= ~V_IRQ_MASK;
>> +	}
>
> This is for nested virtualization.  Unless you support nested AVIC, the
> L2 guest should run without AVIC (i.e. IsRunning should be false) and
> use the old VINTR mechanism.

I see. I am not planning to supported nested AVIC at the L2 level for 
the moment. If it is alright, I would like to get the basic AVIC and 
IOMMU in first (unless you have a different opinion).

In that case, I think I should also make sure to not expose AVIC CPUID 
to the guest VM.

>> [...]
>> @@ -3904,6 +3942,9 @@ static void enable_irq_window(struct kvm_vcpu *vcpu)
>>   	 * get that intercept, this function will be called again though and
>>   	 * we'll get the vintr intercept.
>>   	 */
>> +	if (svm_vcpu_avic_enabled(svm))
>> +		return;
>
> Same here.

If I make change so that we do not expose the AVIC CPUID to the L1 
guest, then the L1 KVM driver should not be setting up AVIC for the L2 
vcpus. And, in this case, the svm_vcpu_avic_enabled(svm) should return 
false. I've not tested with nested VM. I will give that a try.

Thanks,
Suravee

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ