Message-ID: <82D7661F83C1A047AF7DC287873BF1E167E1C475@SHSMSX101.ccr.corp.intel.com>
Date:   Thu, 19 Oct 2017 05:54:49 +0000
From:   "Kang, Luwei" <luwei.kang@...el.com>
To:     Paolo Bonzini <pbonzini@...hat.com>,
        "kvm@...r.kernel.org" <kvm@...r.kernel.org>
CC:     "rkrcmar@...hat.com" <rkrcmar@...hat.com>,
        "tglx@...utronix.de" <tglx@...utronix.de>,
        "mingo@...hat.com" <mingo@...hat.com>,
        "hpa@...or.com" <hpa@...or.com>, "x86@...nel.org" <x86@...nel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        Chao Peng <chao.p.peng@...ux.intel.com>
Subject: RE: [PATCH 0/9] Intel Processor Trace virtulization enabling

> >>>> Nested virtualization is interesting.  We would like the nested
> >>>> hypervisor to be forced to set the "use GPA for processor tracing"
> >>>> secondary execution control whenever "enable EPT" is set and
> >>>> RTIT_CTL is nonzero.  There is no way to encode that in
> >>>> IA32_VMX_PROCBASED_CTLS2, however.  It would be nice if Intel could
> >>>> reserve a bit in IA32_VMX_EPT_VPID_CAP for KVM to express that
> >>>> constraint.
> >>>
> >>> Do you mean that if the nested hypervisor gets the capability of "Guest PT use
> >>> GPA" and EPT is enabled, it is highly recommended that the nested hypervisor set
> >>> "Guest PT use GPA" as well?
> >>
> >> Well, it's required more than recommended.  However, it's only required if "enable EPT" is set and RTIT_CTL is nonzero.
> >>
> >>> If the nested hypervisor is also KVM, "use GPA for processor tracing"
> >>> will be set for sure. But other hypervisors may not do that. So, we'd
> >>> better add a flag in IA32_VMX_EPT_VPID_CAP to express that constraint.
> >>
> >> Correct.  The constraint would be:
> >>
> >> * RTIT_CTL on entry is zero if EPT is disabled
> >>
> >> * RTIT_CTL on entry is zero if EPT is enabled and "Guest PT uses GPA"
> >> is zero
> >>
> >> Maybe IA32_VMX_EPT_VPID_CAP is not the best place.  I'll let Intel decide that.
> >
> > Got it. I have sent this feedback to the hardware architect. I hope it can be applied, but it may need to wait a long time.
> 
> Note that the hardware need not do anything.  However it would be nice if the SDM can define a bit _for the hypervisors_ to
> enforce the above constraint and fail vmentry if they are not respected.
> 

Hi Paolo,
    Thanks for your response. I have a question I want to ask you. As you mentioned in a previous mail, "We would like the nested hypervisor to be forced to set the "use GPA for processor tracing"".
    Is there any problem if we don't set "use GPA for processor tracing" in the nested hypervisor? If yes, what should we do? In patch 9, I pass through the PT MSRs (IA32_RTIT_*) to the guest.

Thanks,
Luwei Kang
