[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ZmhaRr5Lr4pOHcm7@chao-email>
Date: Tue, 11 Jun 2024 22:08:06 +0800
From: Chao Gao <chao.gao@...el.com>
To: Sean Christopherson <seanjc@...gle.com>
CC: <kvm@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
<daniel.sneddon@...ux.intel.com>, <pawan.kumar.gupta@...ux.intel.com>, "Zhang
Chen" <chen.zhang@...el.com>, Paolo Bonzini <pbonzini@...hat.com>, "Thomas
Gleixner" <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, "Borislav
Petkov" <bp@...en8.de>, Dave Hansen <dave.hansen@...ux.intel.com>,
<x86@...nel.org>, "H. Peter Anvin" <hpa@...or.com>
Subject: Re: [RFC PATCH v3 09/10] KVM: VMX: Advertise
MITI_CTRL_BHB_CLEAR_SEQ_S_SUPPORT
On Tue, Jun 11, 2024 at 06:34:49AM -0700, Sean Christopherson wrote:
>On Tue, Jun 11, 2024, Chao Gao wrote:
>> >I continue find all of this unpalatable. The guest tells KVM what software
>> >mitigations the guest is using, and then KVM is supposed to translate that into
>> >some hardware functionality? And merge that with userspace's own overrides?
>>
>> Yes. It is ugly. I will drop all Intel-defined stuff from KVM. Actually, I
>> wanted to punt to userspace ...
>>
>> >
>> >Blech.
>> >
>> >With KVM_CAP_FORCE_SPEC_CTRL, I don't see any reason for KVM to support the
>> >Intel-defined virtual MSRs. If the userspace VMM wants to play nice with the
>> >Intel-defined stuff, then userspace can advertise the MSRs and use an MSR filter
>> >to intercept and "emulate" the MSRs. They should be set-and-forget MSRs, so
>> >there's no need for KVM to handle them for performance reasons.
>>
>> ... I had this idea of implementing policy-related stuff in userspace, and I wrote
>> in the cover-letter:
>>
>> """
>> 1. the KVM<->userspace ABI defined in patch 1
>>
>> I am wondering if we can allow the userspace to configure the mask
>> and the shadow value during guest's lifetime and do it on a vCPU basis.
>> this way, in conjunction with "virtual MSRs" or any other interfaces,
>> the usespace can adjust hardware mitigations applied to the guest during
>> guest's lifetime e.g., for the best performance.
>> """
>
>Gah, sorry, I speed read the cover letter and didn't take the time to process that.
>
>> As said, this requires some tweaks to KVM_CAP_FORCE_SPEC_CTRL, such as making
>> the mask and shadow values adjustable and applicable on a per-vCPU basis. The
>> tweaks are not necessarily for Intel-defined virtual MSRs; if there were other
>> preferable interfaces, they could also benefit from these changes.
>>
>> Any objections to these tweaks to KVM_CAP_FORCE_SPEC_CTRL?
>
>Why does KVM_CAP_FORCE_SPEC_CTRL need to be per-vCPU? Won't the CPU bugs and
>mitigations be system-wide / VM-wide?
Because spec_ctrl is per-vCPU and Intel-defined virtual MSRs are also per-vCPU.
i.e., a guest __can__ configure different values to virtual MSRs on different
vCPUs even though a sane guest won't do this. If KVM doesn't want to rule out
the possibility of supporting Intel-defined virtual MSRs in userspace or any
other per-vCPU interfaces, KVM_CAP_FORCE_SPEC_CTRL needs to be per-vCPU.
implementation-wise, being per-vCPU is simpler because, otherwise, once userspace
adjusts the hardware mitigations to enforce, KVM needs to kick all vCPUs. This
will add more complexity.
And IMO, requiring guests to deploy same mitigations on vCPUs is an unnecessary
limitation.
Powered by blists - more mailing lists