lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 26 May 2021 14:43:13 +0000
From:   Sean Christopherson <seanjc@...gle.com>
To:     "Liu, Jing2" <jing2.liu@...ux.intel.com>
Cc:     pbonzini@...hat.com, kvm@...r.kernel.org,
        linux-kernel@...r.kernel.org, jing2.liu@...el.com
Subject: Re: [PATCH RFC 4/7] kvm: x86: Add new ioctls for XSAVE extension

On Wed, May 26, 2021, Liu, Jing2 wrote:
> 
> On 5/25/2021 5:50 AM, Sean Christopherson wrote:
> > On Sun, Feb 07, 2021, Jing Liu wrote:
> > > The static xstate buffer kvm_xsave contains the extended register
> > > states, but it is not enough for dynamic features with large state.
> > > 
> > > Introduce a new capability called KVM_CAP_X86_XSAVE_EXTENSION to
> > > detect if hardware has XSAVE extension (XFD). Meanwhile, add two
> > > new ioctl interfaces to get/set the whole xstate using struct
> > > kvm_xsave_extension buffer containing both static and dynamic
> > > xfeatures. Reuse fill_xsave and load_xsave for both cases.
> > > 
> > > Signed-off-by: Jing Liu <jing2.liu@...ux.intel.com>
> > > ---
> > >   arch/x86/include/uapi/asm/kvm.h |  5 +++
> > >   arch/x86/kvm/x86.c              | 70 +++++++++++++++++++++++++--------
> > >   include/uapi/linux/kvm.h        |  8 ++++
> > >   3 files changed, 66 insertions(+), 17 deletions(-)
> > > 
> > > diff --git a/arch/x86/include/uapi/asm/kvm.h b/arch/x86/include/uapi/asm/kvm.h
> > > index 89e5f3d1bba8..bf785e89a728 100644
> > > --- a/arch/x86/include/uapi/asm/kvm.h
> > > +++ b/arch/x86/include/uapi/asm/kvm.h
> > > @@ -362,6 +362,11 @@ struct kvm_xsave {
> > >   	__u32 region[1024];

Hold up a sec.  How big is the AMX data?  The existing size is 4096 bytes, not
1024 bytes.  IIRC, AMX is >4k, so we still need a new ioctl(), but we should be
careful to mentally adjust for the __u32 when mentioning the sizes.

> > >   };
> > > +/* for KVM_CAP_XSAVE_EXTENSION */
> > > +struct kvm_xsave_extension {
> > > +	__u32 region[3072];
> > Fool me once, shame on you (Intel).  Fool me twice, shame on me (KVM).
> > 
> > As amusing as kvm_xsave_really_extended would be, the required size should be
> > discoverable, not hardcoded.
> Thanks for reviewing the patch.  When looking at current kvm_xsave structure,
> I felt confusing about the static hardcoding of 1024 bytes, but failed to
> find clue for its final decision in 2010[1].

Simplicitly and lack of foresight :-)

> So we'd prefer to changing the way right? Please correct me if I misunderstood.

Sadly, we can't fix the existing ioctl() without breaking userspace.  But for
the new ioctl(), yes, its size should not be hardcoded.

> > Nothing prevents a hardware vendor from inventing a newfangled feature that
> > requires yet more space.  As an alternative to adding a dedicated
> > capability, can we leverage GET_SUPPORTED_CPUID, leaf CPUID.0xD,
> Yes, this is a good way to avoid a dedicated capability. Thanks for the
> suggestion.  Use 0xD.1.EBX for size of enabled xcr0|xss if supposing
> kvm_xsave cares both.
> > to enumerate the minimum required size and state
> For the state, an extreme case is using an old qemu as follows, but a
> new kvm with more future_featureZ supported. If hardware vendor arranges
> one by one, it's OK to use static state like X86XSaveArea(2) and
> get/set between userspace and kvm because it's non-compacted. If not,
> the state will not correct.
> So far it is OK, so I'm wondering if this would be an issue for now?

Oh, you're saying that, because kvm_xsave is non-compacted, future features may
overflow kvm_xsave simply because the architectural offset overflows 4096 bytes.

That should be a non-issue for old KVM/kernels, since the new features shouldn't
be enabled.  For new KVM, I think the right approach is to reject KVM_GET_XSAVE
and KVM_SET_XSAVE if the required size is greater than sizeof(struct kvm_xsave).
I.e. force userspace to either hide the features from the guest, or use
KVM_{G,S}ET_XSAVE2.

> X86XSaveArea2 {
>     ...
>     XSaveAVX
>     ...
>     AMX_XTILE;
>     future_featureX;
>     future_featureY;
> }
> 
> >   that the new ioctl() is available if the min size is greater than 1024?
> > Or is that unnecessarily convoluted...
> To enable a dynamic size kvm_xsave2(Thanks Jim's name suggestion), if things
> as follows are what we might want.
> /* for xstate large than 1024 */
> struct kvm_xsave2 {
>     int size; // size of the whole xstate
>     void *ptr; // xstate pointer
> }
> #define KVM_GET_XSAVE2   _IOW(KVMIO,  0xa4, struct kvm_xsave2)
> 
> Take @size together, so KVM need not fetch 0xd.1.ebx each time or a dedicated
> variable.

Yes, userspace needs to provide the size so that KVM doesn't unintentionally
overflow the buffer provided by userspace.  We might also want to hedge by adding
a flags?  Can't think of a use for it at the moment, though.

  struct kvm_xsave2 {
  	__u32 flags;
	__u32 size;
	__u8  state[0];
  };

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ