lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 7 Jul 2022 16:12:44 -0700 From: Jim Mattson <jmattson@...gle.com> To: Sean Christopherson <seanjc@...gle.com> Cc: Vitaly Kuznetsov <vkuznets@...hat.com>, kvm@...r.kernel.org, Paolo Bonzini <pbonzini@...hat.com>, Anirudh Rayabharam <anrayabh@...ux.microsoft.com>, Wanpeng Li <wanpengli@...cent.com>, Maxim Levitsky <mlevitsk@...hat.com>, linux-hyperv@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH v2 22/28] KVM: VMX: Clear controls obsoleted by EPT at runtime, not setup On Thu, Jul 7, 2022 at 2:39 PM Sean Christopherson <seanjc@...gle.com> wrote: > > On Thu, Jul 07, 2022, Jim Mattson wrote: > > On Thu, Jul 7, 2022 at 12:30 PM Sean Christopherson <seanjc@...gle.com> wrote: > > > > > > On Thu, Jul 07, 2022, Vitaly Kuznetsov wrote: > > > > Jim Mattson <jmattson@...gle.com> writes: > > > > > > > > > On Wed, Jun 29, 2022 at 8:07 AM Vitaly Kuznetsov <vkuznets@...hat.com> wrote: > > > > >> > > > > >> From: Sean Christopherson <seanjc@...gle.com> > > > > >> > > > > >> Clear the CR3 and INVLPG interception controls at runtime based on > > > > >> whether or not EPT is being _used_, as opposed to clearing the bits at > > > > >> setup if EPT is _supported_ in hardware, and then restoring them when EPT > > > > >> is not used. Not mucking with the base config will allow using the base > > > > >> config as the starting point for emulating the VMX capability MSRs. > > > > >> > > > > >> Signed-off-by: Sean Christopherson <seanjc@...gle.com> > > > > >> Signed-off-by: Vitaly Kuznetsov <vkuznets@...hat.com> > > > > > Nit: These controls aren't "obsoleted" by EPT; they're just no longer > > > > > required. > > Actually, they're still required if unrestricted guest isn't supported. > > > > Isn't that the definition of "obsolete"? They're "no longer in use" when KVM > > > enables EPT. > > > > There are still reasons to use them aside from shadow page table > > maintenance. For example, malware analysis may be interested in > > intercepting CR3 changes to track process context (and to > > enable/disable costly monitoring). EPT doesn't render these events > > "obsolete," because you can't intercept these events using EPT. > > Fair enough, I was using "EPT" in the "KVM is using EPT" sense. But even that's > wrong as KVM intercepts CR3 accesses when EPT is enabled, but unrestricted guest > is disabled and the guest disables paging. MOV-to-CR3 is also a required intercept for allow_smaller_maxphyaddr, when the guest is in PAE mode. So, that one, at least, isn't anywhere near obsolete. :-) > Vitaly, since the CR3 fields are still technically "needed", maybe just be > explicit? > > KVM: VMX: Adjust CR3/INVPLG interception for EPT=y at runtime, not setup
Powered by blists - more mailing lists