| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 21 May 2024 22:25:20 +0200 From: Paolo Bonzini <pbonzini@...hat.com> To: Sean Christopherson <seanjc@...gle.com> Cc: kvm@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH 9/9] KVM: x86: Disable KVM_INTEL_PROVE_VE by default On Tue, May 21, 2024 at 8:18 PM Sean Christopherson <seanjc@...gle.com> wrote: > > - This should never be enabled in a production environment. > > + Note that #VE trapping appears to be buggy on some CPUs. > > I see where you're coming from, but I don't think "trapping" is much better, > e.g. it suggests there's something broken with the interception of #VEs. Ah, > the entire help text is weird. Yeah, I didn't want to say #VE is broken altogether - interception is where we saw issues, and #VE is used in production as far as I know (not just by TDX; at least Xen and maybe Hyper-V use it for anti-malware purposes?). Maybe "Note: there appear to be bugs in some CPUs that will trigger the WARN, in particular with eptad=0 and/or nested virtualization" covers all bases. Paolo > > This? > > config KVM_INTEL_PROVE_VE > bool "Verify guests do not receive unexpected EPT Violation #VEs" > depends on KVM_INTEL && EXPERT > help > Enable EPT Violation #VEs (when supported) for all VMs, to verify > that KVM's EPT management code will not incorrectly result in a #VE > (KVM is supposed to supress #VEs by default). Unexpected #VEs will > be intercepted by KVM and will trigger a WARN, but are otherwise > transparent to the guest. > > Note, EPT Violation #VE support appears to be buggy on some CPUs. > > This should never be enabled in a production environment! > > If unsure, say N. >
Powered by blists - more mailing lists