[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ZBI62RUnMB3ppRqO@google.com>
Date: Wed, 15 Mar 2023 14:38:33 -0700
From: Sean Christopherson <seanjc@...gle.com>
To: Mathias Krause <minipli@...ecurity.net>
Cc: kvm@...r.kernel.org, linux-kernel@...r.kernel.org,
Paolo Bonzini <pbonzini@...hat.com>
Subject: Re: [PATCH v3 2/6] KVM: VMX: Avoid retpoline call for control
register caused exits
On Wed, Feb 01, 2023, Mathias Krause wrote:
> Complement commit 4289d2728664 ("KVM: retpolines: x86: eliminate
> retpoline from vmx.c exit handlers") and avoid a retpoline call for
> control register accesses as well.
>
> This speeds up guests that make heavy use of it, like grsecurity
> kernels toggling CR0.WP to implement kernel W^X.
I would rather drop this patch for VMX and instead unconditionally make CR0.WP
guest owned when TDP (EPT) is enabled, i.e. drop the module param from patch 6.
> Signed-off-by: Mathias Krause <minipli@...ecurity.net>
> ---
>
> Meanwhile I got my hands on a AMD system and while doing a similar change
> for SVM gives a small measurable win (1.1% faster for grsecurity guests),
Mostly out of curiosity...
Is the 1.1% roughly aligned with the gains for VMX? If VMX sees a significantly
larger improvement, any idea why SVM doesn't benefit as much? E.g. did you double
check that the kernel was actually using RETPOLINE?
> it would provide nothing for other guests, as the change I was testing was
> specifically targeting CR0 caused exits.
>
> A more general approach would instead cover CR3 and, maybe, CR4 as well.
> However, that would require a lot more exit code compares, likely
> vanishing the gains in the general case. So this tweak is VMX only.
I don't think targeting on CR0 exits is a reason to not do this for SVM. With
NPT enabled, CR3 isn't intercepted, and CR4 exits should be very rare. If the
performance benefits are marginal (I don't have a good frame of reference for the
1.1%), then _that's_ a good reason to leave SVM alone. But not giving CR3 and CR4
priority is a non-issue.
> arch/x86/kvm/vmx/vmx.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
> index c788aa382611..c8198c8a9b55 100644
> --- a/arch/x86/kvm/vmx/vmx.c
> +++ b/arch/x86/kvm/vmx/vmx.c
> @@ -6538,6 +6538,8 @@ static int __vmx_handle_exit(struct kvm_vcpu *vcpu, fastpath_t exit_fastpath)
> return handle_external_interrupt(vcpu);
> else if (exit_reason.basic == EXIT_REASON_HLT)
> return kvm_emulate_halt(vcpu);
> + else if (exit_reason.basic == EXIT_REASON_CR_ACCESS)
> + return handle_cr(vcpu);
> else if (exit_reason.basic == EXIT_REASON_EPT_MISCONFIG)
> return handle_ept_misconfig(vcpu);
> #endif
> --
> 2.39.1
>
Powered by blists - more mailing lists