lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 5 Apr 2022 08:45:07 +0700
From:   Suravee Suthikulpanit <suravee.suthikulpanit@....com>
To:     Maxim Levitsky <mlevitsk@...hat.com>, linux-kernel@...r.kernel.org,
        kvm@...r.kernel.org
Cc:     pbonzini@...hat.com, seanjc@...gle.com, joro@...tes.org,
        jon.grimm@....com, wei.huang2@....com, terry.bowman@....com
Subject: Re: [RFCv2 PATCH 08/12] KVM: SVM: Adding support for configuring
 x2APIC MSRs interception

Hi Maxim,

On 3/24/22 10:19 PM, Maxim Levitsky wrote:
> I did some homework on this, and it looks mostly correct.
> 
> However I do wonder if we need that separation of svm_direct_access_msrs and
> direct_access_x2apic_msrs. I understand the peformance wise, the
> direct_access_msrs will get longer otherwise (but we don't have to allow
> all x2apic msr range, but only known x2apic registers which aren't that many).
> 
> One of the things that I see that*is*  broken (at least in theory) is nesting.
> 
> init_msrpm_offsets goes over direct_access_msrs and puts the offsets of corresponding
> bits in the hardware msr bitmap into the 'msrpm_offsets'
> 
> Then on nested VM entry the nested_svm_vmrun_msrpm uses this list to merge the nested
> and host MSR bitmaps.
> Without x2apic msrs, this means that if L1 chooses to allow L2 to access its x2apic msrs
> it won't work. It is not something that L1 would do often but still allowed to overall.
> 
> Honestly we need to write track the nested MSR bitmap to avoid updating it on each VM entry,
> then with this hot path eliminated, I don't think there are other places which update
> the msr interception often, and thus we could just put the x2apic msrs into the
> direct_access_msrs.
> 
> Best regards,
> 	Maxim Levitsky

Good point. I will fix this.

Suravee

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ