Date:   Mon, 23 Oct 2017 08:01:52 +0000
From:   "Kang, Luwei" <luwei.kang@...el.com>
To:     Paolo Bonzini <pbonzini@...hat.com>,
        "kvm@...r.kernel.org" <kvm@...r.kernel.org>
CC:     "rkrcmar@...hat.com" <rkrcmar@...hat.com>,
        "tglx@...utronix.de" <tglx@...utronix.de>,
        "mingo@...hat.com" <mingo@...hat.com>,
        "hpa@...or.com" <hpa@...or.com>, "x86@...nel.org" <x86@...nel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        Chao Peng <chao.p.peng@...ux.intel.com>
Subject: RE: [PATCH 0/9] Intel Processor Trace virtulization enabling

> > Hi Paolo, thanks for your clarification. Understood. So, we should set
> > "use GPA for processor tracing" in any case (if we can do it), even in
> > system mode. There is no problem in the non-nested case, but there is a
> > problem in the nested case if this bit is not set. Still talking with the
> > hardware designer, but please don't expect that it can be changed in the
> > SDM or hardware (fail vmentry if they are not respected) soon.
> 
> No change in hardware is needed.
> 
> What I'm asking for is to define a bit in some architectural MSR such that, _if the bit is 1_, you must have one of:
> 
> - RTIT_CTL = 0
> 
> - enable EPT = 0
> 
> - enable EPT = use GPA for processor tracing = 1, RTIT_CTL != 0
> 
> or vmentry would fail.
> 
> If the bit is 1 and RTIT_CTL = 0 and enable EPT = 1 and use GPA for processor tracing = 0, the hypervisor must trap RTIT_CTL writes
> or behavior is undefined.
> 
> Processors would just set it to 0 and have absolutely no change in behavior.
> 

Got it. Will update you when the hardware designer has any response.

> > So, can we enable it in L1
> > guest only first?  I think it is not worth disabling EPT for L1 to
> > enable Intel PT. What is your opinion?
> 
> Yes, we can enable it.  But since KVM sets IA32_VMX_MISC[14]=0, your patches must forbid enabling processor trace during VMX
> operation.

The L1 hypervisor can't get the capability of "TraceEn can be set in VMX operation" (IA32_VMX_MISC[bit 14] is 0) and set it to 0.
We need to trap whether the L1 hypervisor has enabled VMXON, and forbid enabling PT when VMXON is active. Is that right? Or is there something else?

Thanks,
Luwei Kang

> 
> (In fact, another source of complexity is that we'd have to write the VMPTRLD packet ourselves to the guest's processor trace
> buffer).
> 
> Paolo
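
The rules discussed in this thread, written out as a small C model. This is an added example, not code from the patch series or from KVM; the `strict` flag stands for the not-yet-defined MSR bit Paolo proposes, and all function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define RTIT_CTL_TRACEEN   (1ULL << 0)   /* IA32_RTIT_CTL.TraceEn */
#define VMX_MISC_PT_IN_VMX (1ULL << 14)  /* IA32_VMX_MISC[14] */

/* Proposed vmentry consistency check. With strict == 0 (what processors
 * would report) nothing changes and every combination is accepted. */
static bool vmentry_pt_ok(bool strict, uint64_t rtit_ctl, bool ept, bool use_gpa)
{
    if (!strict)
        return true;
    if (rtit_ctl == 0)
        return true;          /* tracing is off */
    if (!ept)
        return true;          /* "enable EPT" = 0 */
    return use_gpa;           /* EPT on, tracing on: GPA output required */
}

/* The state that passes the check only because RTIT_CTL is still 0.
 * A later guest write could make it invalid, so the hypervisor must
 * intercept RTIT_CTL writes here. */
static bool must_trap_rtit_ctl(bool strict, uint64_t rtit_ctl, bool ept, bool use_gpa)
{
    return strict && rtit_ctl == 0 && ept && !use_gpa;
}

/* Guest write to RTIT_CTL when the guest-visible IA32_VMX_MISC[14] is 0:
 * enabling tracing is refused once the guest is in VMX operation. */
static bool rtit_ctl_write_allowed(uint64_t vmx_misc, bool in_vmx_operation,
                                   uint64_t new_val)
{
    if (in_vmx_operation && !(vmx_misc & VMX_MISC_PT_IN_VMX))
        return !(new_val & RTIT_CTL_TRACEEN);
    return true;
}

int main(void)
{
    /* Enumerate every combination with the proposed bit set to 1. */
    for (int i = 0; i < 8; i++) {
        uint64_t ctl = (i & 4) ? RTIT_CTL_TRACEEN : 0;
        bool ept = (i & 2) != 0, gpa = (i & 1) != 0;
        printf("RTIT_CTL=%d EPT=%d GPA=%d -> entry %s%s\n",
               (int)ctl, ept, gpa,
               vmentry_pt_ok(true, ctl, ept, gpa) ? "ok" : "FAIL",
               must_trap_rtit_ctl(true, ctl, ept, gpa) ? ", trap RTIT_CTL" : "");
    }
    return 0;
}
```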
