| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 16 Aug 2017 18:07:56 -0400 (EDT)
From: Paolo Bonzini <pbonzini@...hat.com>
To: Janakarajan Natarajan <Janakarajan.Natarajan@....com>
Cc: Radim Krcmar <rkrcmar@...hat.com>, kvm@...r.kernel.org,
x86@...nel.org, linux-kernel@...r.kernel.org,
Joerg Roedel <joro@...tes.org>,
Andy Lutomirski <luto@...nel.org>,
Tony Luck <tony.luck@...el.com>, Borislav Petkov <bp@...e.de>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>,
"H . Peter Anvin" <hpa@...or.com>,
Yazen Ghannam <Yazen.Ghannam@....com>
Subject: Re: [PATCH 2/2] KVM: SVM: Enable Virtual GIF feature
----- Original Message -----
> From: "Janakarajan Natarajan" <Janakarajan.Natarajan@....com>
> To: "Radim Krcmar" <rkrcmar@...hat.com>
> Cc: kvm@...r.kernel.org, x86@...nel.org, linux-kernel@...r.kernel.org, "Paolo Bonzini" <pbonzini@...hat.com>, "Joerg
> Roedel" <joro@...tes.org>, "Andy Lutomirski" <luto@...nel.org>, "Tony Luck" <tony.luck@...el.com>, "Borislav Petkov"
> <bp@...e.de>, "Thomas Gleixner" <tglx@...utronix.de>, "Ingo Molnar" <mingo@...hat.com>, "H . Peter Anvin"
> <hpa@...or.com>, "Yazen Ghannam" <Yazen.Ghannam@....com>
> Sent: Thursday, August 17, 2017 12:04:10 AM
> Subject: Re: [PATCH 2/2] KVM: SVM: Enable Virtual GIF feature
>
> On 8/16/2017 2:53 PM, Radim Krcmar wrote:
> > 2017-08-16 10:54-0500, Janakarajan Natarajan:
> >> Enable the Virtual GIF feature. This is done by setting bit 25 at position
> >> 60h in the vmcb.
> >>
> >> With this feature enabled, the processor uses bit 9 at position 60h as the
> >> virtual GIF when executing STGI/CLGI instructions.
> >>
> >> Since the execution of STGI by the L1 hypervisor does not cause a return
> >> to
> >> the outermost (L0) hypervisor, the enable_irq_window and enable_nmi_window
> >> are modified.
> >>
> >> The IRQ and NMI windows will be opened even if GIF is not set, under the
> >> assumption that on resuming the L1 hypervisor the IRQ and NMI will be
> >> held pending until the processor executes the STGI instruction.
> >>
> >> Signed-off-by: Janakarajan Natarajan <Janakarajan.Natarajan@....com>
> >> ---
> >> diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
> >> @@ -4702,8 +4735,8 @@ static void enable_nmi_window(struct kvm_vcpu *vcpu)
> >> == HF_NMI_MASK)
> >> return; /* IRET will cause a vm exit */
> >>
> >> - if ((svm->vcpu.arch.hflags & HF_GIF_MASK) == 0)
> >> - return; /* STGI will cause a vm exit */
> >> + if (!vgif_enabled(svm) && !gif_set(svm))
> >> + return; /* STGI will cause a vm exit or HW will set VGIF*/
> > Why don't we enable STGI interception to get notified that the window
> > has opened? (I doubt that single stepping would be faster ...)
>
> It would defeat the purpose of having vGIF - execute STGI/CLGI and not
> have a world-switch. Plus it would be like implementing the vGIF feature
> halfway, allowing only CLGI to take advantage of the hardware.
No, only enable the STGI intercept to enable the NMI window. Normally
you'd still run with free STGI.
This is because if you do not return here, you enter singlestepping mode
where each instruction causes a world switch.
Paolo
Powered by blists - more mailing lists