| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20220330174621.1567317-1-bgardon@google.com>
Date: Wed, 30 Mar 2022 10:46:10 -0700
From: Ben Gardon <bgardon@...gle.com>
To: linux-kernel@...r.kernel.org, kvm@...r.kernel.org
Cc: Paolo Bonzini <pbonzini@...hat.com>, Peter Xu <peterx@...hat.com>,
Sean Christopherson <seanjc@...gle.com>,
David Matlack <dmatlack@...gle.com>,
Jim Mattson <jmattson@...gle.com>,
David Dunn <daviddunn@...gle.com>,
Jing Zhang <jingzhangos@...gle.com>,
Junaid Shahid <junaids@...gle.com>,
Ben Gardon <bgardon@...gle.com>
Subject: [PATCH v3 00/11] KVM: x86: Add a cap to disable NX hugepages on a VM
Given the high cost of NX hugepages in terms of TLB performance, it may
be desirable to disable the mitigation on a per-VM basis. In the case of public
cloud providers with many VMs on a single host, some VMs may be more trusted
than others. In order to maximize performance on critical VMs, while still
providing some protection to the host from iTLB Multihit, allow the mitigation
to be selectively disabled.
Disabling NX hugepages on a VM is relatively straightforward, but I took this
as an opportunity to add some NX hugepages test coverage and clean up selftests
infrastructure a bit.
This series was tested with the new selftest and the rest of the KVM selftests
on an Intel Haswell machine.
The following tests failed, but I do not believe that has anything to do with
this series:
userspace_io_test
vmx_nested_tsc_scaling_test
vmx_preemption_timer_test
Changelog:
v1->v2:
Dropped the complicated memslot refactor in favor of Ricardo Koller's
patch with a similar effect.
Incorporated David Dunn's feedback and reviewed by tag: shortened waits
to speed up test.
v2->v3:
Incorporated a suggestion from David on how to build the NX huge pages
test.
Fixed a build breakage identified by David.
Dropped the per-vm nx_huge_pages field in favor of simply checking the
global + per-VM disable override.
Documented the new capability
Separated out the commit to test disabling NX huge pages
Removed permission check when checking if the disable NX capability is
supported.
Added test coverage for the permission check.
Ben Gardon (10):
KVM: selftests: Dump VM stats in binary stats test
KVM: selftests: Test reading a single stat
KVM: selftests: Add memslot parameter to elf_load
KVM: selftests: Improve error message in vm_phy_pages_alloc
KVM: selftests: Add NX huge pages test
KVM: x86/MMU: Factor out updating NX hugepages state for a VM
KVM: x86/MMU: Allow NX huge pages to be disabled on a per-vm basis
KVM: x86: Fix errant brace in KVM capability handling
KVM: x86/MMU: Require reboot permission to disable NX hugepages
selftests: KVM: Test disabling NX hugepages on a VM
Ricardo Koller (1):
KVM: selftests: Add vm_alloc_page_table_in_memslot library function
Documentation/virt/kvm/api.rst | 13 +
arch/x86/include/asm/kvm_host.h | 2 +
arch/x86/kvm/mmu.h | 10 +-
arch/x86/kvm/mmu/mmu.c | 17 +-
arch/x86/kvm/mmu/spte.c | 7 +-
arch/x86/kvm/mmu/spte.h | 3 +-
arch/x86/kvm/mmu/tdp_mmu.c | 3 +-
arch/x86/kvm/x86.c | 17 +-
include/uapi/linux/kvm.h | 1 +
tools/testing/selftests/kvm/Makefile | 7 +-
.../selftests/kvm/include/kvm_util_base.h | 10 +
.../selftests/kvm/kvm_binary_stats_test.c | 6 +
tools/testing/selftests/kvm/lib/elf.c | 13 +-
tools/testing/selftests/kvm/lib/kvm_util.c | 230 +++++++++++++++++-
.../kvm/lib/x86_64/nx_huge_pages_guest.S | 45 ++++
.../selftests/kvm/x86_64/nx_huge_pages_test.c | 178 ++++++++++++++
.../kvm/x86_64/nx_huge_pages_test.sh | 25 ++
17 files changed, 561 insertions(+), 26 deletions(-)
create mode 100644 tools/testing/selftests/kvm/lib/x86_64/nx_huge_pages_guest.S
create mode 100644 tools/testing/selftests/kvm/x86_64/nx_huge_pages_test.c
create mode 100755 tools/testing/selftests/kvm/x86_64/nx_huge_pages_test.sh
--
2.35.1.1021.g381101b075-goog
Powered by blists - more mailing lists