| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 28 Jul 2022 20:11:59 +0000
From: Sean Christopherson <seanjc@...gle.com>
To: Kai Huang <kai.huang@...el.com>
Cc: Isaku Yamahata <isaku.yamahata@...il.com>,
isaku.yamahata@...el.com, kvm@...r.kernel.org,
linux-kernel@...r.kernel.org, Paolo Bonzini <pbonzini@...hat.com>
Subject: Re: [PATCH v7 041/102] KVM: VMX: Introduce test mode related to EPT
violation VE
On Thu, Jul 28, 2022, Kai Huang wrote:
> On Wed, 2022-07-27 at 16:39 -0700, Isaku Yamahata wrote:
> > On Wed, Jul 20, 2022 at 05:13:08PM +1200,
> > Kai Huang <kai.huang@...el.com> wrote:
> >
> > > On Tue, 2022-07-19 at 07:49 -0700, Isaku Yamahata wrote:
> > > > On Fri, Jul 08, 2022 at 02:23:43PM +1200,
> > > > Kai Huang <kai.huang@...el.com> wrote:
> > > >
> > > > > On Mon, 2022-06-27 at 14:53 -0700, isaku.yamahata@...el.com wrote:
> > > > > > From: Isaku Yamahata <isaku.yamahata@...el.com>
> > > > > >
> > > > > > To support TDX, KVM is enhanced to operate with #VE. For TDX, KVM programs
> > > > > > to inject #VE conditionally and set #VE suppress bit in EPT entry. For VMX
> > > > > > case, #VE isn't used. If #VE happens for VMX, it's a bug. To be
> > > > > > defensive (test that VMX case isn't broken), introduce option
> > > > > > ept_violation_ve_test and when it's set, set error.
> > > > >
> > > > > I don't see why we need this patch. It may be helpful during your test, but why
> > > > > do we need this patch for formal submission?
> > > > >
> > > > > And for a normal guest, what prevents one vcpu from sending #VE IPI to another
> > > > > vcpu?
> > > >
> > > > Paolo suggested it as follows. Maybe it should be kernel config.
> > > > (I forgot to add suggested-by. I'll add it)
> > > >
> > > > https://lore.kernel.org/lkml/84d56339-4a8a-6ddb-17cb-12074588ba9c@redhat.com/
> > > >
> > > > >
> > >
> > > OK. But can we assume a normal guest won't sending #VE IPI?
> >
> > Theoretically nothing prevents that. I wouldn't way "normal".
> > Anyway this is off by default.
>
> I don't think whether it is on or off by default matters.
It matters in the sense that the module param is intended purely for testing, i.e.
there's zero reason to ever enable it in production. That changes what is and
wasn't isn't a reasonable response to an unexpected #VE.
> If it can happen legitimately in the guest, it doesn't look right to print
> out something like below:
>
> pr_err("VMEXIT due to unexpected #VE.\n");
Agreed. In this particular case I think the right approach is to treat an
unexpected #VE as a fatal KVM bug. Yes, disabling EPT violation #VEs would likely
allow the guest to live, but as above the module param should never be enabled in
production. And if we get a #VE with the module param disabled, then KVM is truly
in the weeds and killing the VM is the safe option.
E.g. something like
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index 4fd25e1d6ec9..54b9cb56f6e2 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -5010,6 +5010,9 @@ static int handle_exception_nmi(struct kvm_vcpu *vcpu)
if (is_invalid_opcode(intr_info))
return handle_ud(vcpu);
+ if (KVM_BUG_ON(is_ve_fault(intr_info), vcpu->kvm))
+ return -EIO;
+
error_code = 0;
if (intr_info & INTR_INFO_DELIVER_CODE_MASK)
error_code = vmcs_read32(VM_EXIT_INTR_ERROR_CODE);
Powered by blists - more mailing lists