[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20201102173130.GC21563@linux.intel.com>
Date: Mon, 2 Nov 2020 09:31:32 -0800
From: Sean Christopherson <sean.j.christopherson@...el.com>
To: Andy Lutomirski <luto@...capital.net>
Cc: Tao Xu <tao3.xu@...el.com>, Paolo Bonzini <pbonzini@...hat.com>,
Vitaly Kuznetsov <vkuznets@...hat.com>,
Wanpeng Li <wanpengli@...cent.com>,
Jim Mattson <jmattson@...gle.com>,
Joerg Roedel <joro@...tes.org>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
"H. Peter Anvin" <hpa@...or.com>, X86 ML <x86@...nel.org>,
kvm list <kvm@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>,
Xiaoyao Li <xiaoyao.li@...el.com>
Subject: Re: [PATCH] KVM: VMX: Enable Notify VM exit
On Mon, Nov 02, 2020 at 08:43:30AM -0800, Andy Lutomirski wrote:
> On Sun, Nov 1, 2020 at 10:14 PM Tao Xu <tao3.xu@...el.com> wrote:
> > 2. Another patch to disable interception of #DB and #AC when notify
> > VM-Exiting is enabled.
>
> Whoa there.
>
> A VM control that says "hey, CPU, if you messed up and livelocked for
> a long time, please break out of the loop" is not a substitute for
> fixing the livelocks. So I don't think you get do disable
> interception of #DB and #AC.
I think that can be incorporated into a module param, i.e. let the platform
owner decide which tool(s) they want to use to mitigate the legacy architecture
flaws.
> I also think you should print a loud warning
I'm not so sure on this one, e.g. userspace could just spin up a new instance
if its malicious guest and spam the kernel log.
> and have some intelligent handling when this new exit triggers.
We discussed something similar in the context of the new bus lock VM-Exit. I
don't know that it makes sense to try and add intelligence into the kernel.
In many use cases, e.g. clouds, the userspace VMM is trusted (inasmuch as
userspace can be trusted), while the guest is completely untrusted. Reporting
the error to userspace and letting the userspace stack take action is likely
preferable to doing something fancy in the kernel.
Tao, this patch should probably be tagged RFC, at least until we can experiment
with the threshold on real silicon. KVM and kernel behavior may depend on the
accuracy of detecting actual attacks, e.g. if we can set a threshold that has
zero false negatives and near-zero false postives, then it probably makes sense
to be more assertive in how such VM-Exits are reported and logged.
Powered by blists - more mailing lists