lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <8b53fc19-c3cc-d11f-37e3-70fc0639878d@intel.com>
Date:   Tue, 24 Aug 2021 23:35:51 +0800
From:   Xiaoyao Li <xiaoyao.li@...el.com>
To:     Sean Christopherson <seanjc@...gle.com>
Cc:     Paolo Bonzini <pbonzini@...hat.com>,
        Vitaly Kuznetsov <vkuznets@...hat.com>,
        Wanpeng Li <wanpengli@...cent.com>,
        Jim Mattson <jmattson@...gle.com>,
        Joerg Roedel <joro@...tes.org>, kvm@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH 4/5] KVM: VMX: Disallow PT MSRs accessing if PT is not
 exposed to guest

On 8/24/2021 10:20 PM, Sean Christopherson wrote:
> On Tue, Aug 24, 2021, Xiaoyao Li wrote:
>> Per SDM, it triggers #GP for all the accessing of PT MSRs, if
>> X86_FEATURE_INTEL_PT is not available.
>>
>> Signed-off-by: Xiaoyao Li <xiaoyao.li@...el.com>
>> ---
>>   arch/x86/kvm/vmx/vmx.c | 20 ++++++++++++++------
>>   1 file changed, 14 insertions(+), 6 deletions(-)
>>
>> diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
>> index 4a70a6d2f442..1bbc4d84c623 100644
>> --- a/arch/x86/kvm/vmx/vmx.c
>> +++ b/arch/x86/kvm/vmx/vmx.c
>> @@ -1010,9 +1010,16 @@ static unsigned long segment_base(u16 selector)
>>   static inline bool pt_can_write_msr(struct vcpu_vmx *vmx)
>>   {
>>   	return vmx_pt_mode_is_host_guest() &&
>> +	       guest_cpuid_has(&vmx->vcpu, X86_FEATURE_INTEL_PT) &&
>>   	       !(vmx->pt_desc.guest.ctl & RTIT_CTL_TRACEEN);
>>   }
>>   
>> +static inline bool pt_can_read_msr(struct kvm_vcpu *vcpu)
>> +{
>> +	return vmx_pt_mode_is_host_guest() &&
>> +	       guest_cpuid_has(vcpu, X86_FEATURE_INTEL_PT);
>> +}
>> +
>>   static inline bool pt_output_base_valid(struct kvm_vcpu *vcpu, u64 base)
>>   {
>>   	/* The base must be 128-byte aligned and a legal physical address. */
>> @@ -1849,24 +1856,24 @@ static int vmx_get_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
>>   							&msr_info->data);
>>   		break;
>>   	case MSR_IA32_RTIT_CTL:
>> -		if (!vmx_pt_mode_is_host_guest())
>> +		if (!pt_can_read_msr(vcpu))
> 
> These all need to provide exemptions for accesses from the host.  KVM allows
> access to MSRs that are not exposed to the guest so long as all the other checks
> pass. 

Not all the MSRs are allowed to be accessed from host regardless of 
whether it's exposed to guest. e.g., MSR_IA32_TSC_ADJUST, it checks 
guest CPUID first.

For me, for those PT MSRs, I cannot think of any reason that 
host/userspace would access them without PT being exposed to guest.

On the other hand, since this patch indeed breaks the existing userspace 
VMM who accesses those MSRs without checking guest CPUID.

So I will follow your advice to allow the host_initiated case in next 
version.

> Same for the next patch.

Sorry, I don't know how it matters next patch.

> Easiest thing is probably to pass in @msr_info to the helpers and do the check
> there.
> 
>>   			return 1;
>>   		msr_info->data = vmx->pt_desc.guest.ctl;
>>   		break;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ