lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 26 Feb 2024 09:30:33 +0800
From: Xiaoyao Li <xiaoyao.li@...el.com>
To: Sean Christopherson <seanjc@...gle.com>,
 Paolo Bonzini <pbonzini@...hat.com>, Thomas Gleixner <tglx@...utronix.de>,
 Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
 Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org
Cc: kvm@...r.kernel.org, linux-kernel@...r.kernel.org,
 Yi Lai <yi1.lai@...el.com>, Tao Su <tao1.su@...ux.intel.com>,
 Xudong Hao <xudong.hao@...el.com>
Subject: Re: [PATCH] x86/cpu: Add a VMX flag to enumerate 5-level EPT support
 to userspace

On 2/23/2024 9:35 AM, Sean Christopherson wrote:
> On Tue, 09 Jan 2024 16:23:40 -0800, Sean Christopherson wrote:
>> Add a VMX flag in /proc/cpuinfo, ept_5level, so that userspace can query
>> whether or not the CPU supports 5-level EPT paging.  EPT capabilities are
>> enumerated via MSR, i.e. aren't accessible to userspace without help from
>> the kernel, and knowing whether or not 5-level EPT is supported is sadly
>> necessary for userspace to correctly configure KVM VMs.
>>
>> When EPT is enabled, bits 51:49 of guest physical addresses are consumed
>> if and only if 5-level EPT is enabled.  For CPUs with MAXPHYADDR > 48, KVM
>> *can't* map all legal guest memory if 5-level EPT is unsupported, e.g.
>> creating a VM with RAM (or anything that gets stuffed into KVM's memslots)
>> above bit 48 will be completely broken.
>>
>> [...]
> 
> Applied to kvm-x86 vmx, with a massaged changelog to avoid presenting this as a
> bug fix (and finally fixed the 51:49=>51:48 goof):
> 
>      Add a VMX flag in /proc/cpuinfo, ept_5level, so that userspace can query
>      whether or not the CPU supports 5-level EPT paging.  EPT capabilities are
>      enumerated via MSR, i.e. aren't accessible to userspace without help from
>      the kernel, and knowing whether or not 5-level EPT is supported is useful
>      for debug, triage, testing, etc.
>      
>      For example, when EPT is enabled, bits 51:48 of guest physical addresses
>      are consumed by the CPU if and only if 5-level EPT is enabled.  For CPUs
>      with MAXPHYADDR > 48, KVM *can't* map all legal guest memory if 5-level
>      EPT is unsupported, making it more or less necessary to know whether or
>      not 5-level EPT is supported.
> 
> [1/1] x86/cpu: Add a VMX flag to enumerate 5-level EPT support to userspace
>        https://github.com/kvm-x86/linux/commit/b1a3c366cbc7

Do we need a new KVM CAP for this? This decides how to interact with old 
kernel without this patch. In that case, no ept_5level in /proc/cpuinfo, 
what should we do in the absence of ept_5level? treat it only 4 level 
EPT supported?



> --
> https://github.com/kvm-x86/linux/tree/next
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ