[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <af4c78c1-ccd5-4c4d-92de-564a44fa815b@intel.com>
Date: Thu, 11 Apr 2024 10:13:14 -0700
From: Dave Hansen <dave.hansen@...el.com>
To: Sean Christopherson <seanjc@...gle.com>, Xi Ruoyao <xry111@...111.site>
Cc: Dave Hansen <dave.hansen@...ux.intel.com>,
Michael Kelley <mhklinux@...look.com>,
Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>,
Andy Lutomirski <luto@...nel.org>, Peter Zijlstra <peterz@...radead.org>,
Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>,
Borislav Petkov <bp@...en8.de>, "H. Peter Anvin" <hpa@...or.com>,
x86@...nel.org, linux-kernel@...r.kernel.org,
Andrew Cooper <andrew.cooper3@...rix.com>
Subject: Re: [PATCH v7 2/2] x86/mm: Don't disable INVLPG if the kernel is
running on a hypervisor
On 4/11/24 09:22, Sean Christopherson wrote:
> In other words, simply checking HYPERVISOR *might* be safe, but it might not.
> If we wanted to be paranoid, this could also check X86_FEATURE_VMX, which also
> doesn't guarantee VMX non-root mode and would unnecessarily restrict PCID usage
> to setups that allow nested VMX, but AFAIK there aren't any hypervisors which
> fully emulate VMX.
X86_FEATURE_HYPERVISOR is most commonly used for vulnerabilities to see
if the data coming out of CPUID is likely to be garbage or not. I think
that's the most important thing to focus on.
It's arguable that x86_match_cpu() itself should just have a:
/*
* Don't even waste our time when running under a hypervisor.
* They lie.
*/
if (boot_cpu_bas(X86_FEATURE_HYPERVISOR))
return NULL;
(well, it should probably actually be in the for() loop because folks
might be looking for an X86_FEATURE_* that is set by software or derived
from actually agreed-upon host<->guest ABI, but you get my point...)
If the hypervisor is duplicitous enough to keep X86_FEATURE_HYPERVISOR
from getting set, then the hypervisor gets to clean up the mess. The
kernel can just wash its hands of the whole thing.
So, there are two broad cases and a few sub-cases:
1. "Nice" hypervisor. Kernel sees X86_FEATURE_HYPERVISOR and knows that
x86_match_cpu() and invlpg_miss_ids[] are irrelevant because:
1a. It is running in VMX non-root mode and is not vulnerable, or
1b. CPUID is a lie and x86_match_cpu() is meaningless, or
1c. The kernel is in ring3 and can't execute INVLPG anyway. Whatever
is running in ring0 will have to deal with it.
2. X86_FEATURE_HYPERVISOR is unset.
2a. "Mean" hypervisor. All bets are off anyway.
2b. Actual bare metal. Actually look for the bug.
I _think_ I'm OK with skipping the mitigation in all of the #1 cases and
applying it in both of the #2 cases. I don't think that checking for
VMX makes it much better.
Am I missing anything?
Powered by blists - more mailing lists