| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <0f7dac2d-e964-467c-ad4c-cfdd2daa30f5@amd.com> Date: Fri, 18 Oct 2024 17:06:56 +0700 From: "Suthikulpanit, Suravee" <suravee.suthikulpanit@....com> To: Joao Martins <joao.m.martins@...cle.com> Cc: pbonzini@...hat.com, seanjc@...gle.com, david.kaplan@....com, jon.grimm@....com, santosh.shukla@....com, linux-kernel@...r.kernel.org, kvm@...r.kernel.org Subject: Re: [PATCH v2] KVM: SVM: Inhibit AVIC on SNP-enabled system without HvInUseWrAllowed feature On 10/18/2024 4:57 PM, Joao Martins wrote: > On 18/10/2024 09:50, Suravee Suthikulpanit wrote: >> On SNP-enabled system, VMRUN marks AVIC Backing Page as in-use while >> the guest is running for both secure and non-secure guest. Any hypervisor >> write to the in-use vCPU's AVIC backing page (e.g. to inject an interrupt) >> will generate unexpected #PF in the host. >> >> Currently, attempt to run AVIC guest would result in the following error: >> >> BUG: unable to handle page fault for address: ff3a442e549cc270 >> #PF: supervisor write access in kernel mode >> #PF: error_code(0x80000003) - RMP violation >> PGD b6ee01067 P4D b6ee02067 PUD 10096d063 PMD 11c540063 PTE 80000001149cc163 >> SEV-SNP: PFN 0x1149cc unassigned, dumping non-zero entries in 2M PFN region: [0x114800 - 0x114a00] >> ... >> >> Newer AMD system is enhanced to allow hypervisor to modify the backing page >> for non-secure guest on SNP-enabled system. This enhancement is available >> when the CPUID Fn8000_001F_EAX bit 30 is set (HvInUseWrAllowed). >> >> This table describes AVIC support matrix w.r.t. SNP enablement: >> >> | Non-SNP system | SNP system >> ----------------------------------------------------- >> Non-SNP guest | AVIC Activate | AVIC Activate iff >> | | HvInuseWrAllowed=1 >> ----------------------------------------------------- >> SNP guest | N/A | Secure AVIC >> | | x2APIC only >> >> Introduce APICV_INHIBIT_REASON_HVINUSEWR_NOT_ALLOWED to deactivate AVIC >> when the feature is not available on SNP-enabled system. >> > I misread your first sentence in v1 wrt to non-secure guests -- but it's a lot > more obvious now. If this was sort of a dynamic condition at runtime (like the > other inhibits triggered by guest behavior or something that can change at > runtime post-boot, or modparam) then the inhibit system would be best acquainted > for preventing enabling AVIC on a per-vm basis. But it appears this is > global-defined-at-boot that blocks any non-secure guest from using AVIC if we > boot as an SNP-enabled host i.e. based on testing BSP-defined feature bits solely. > > Your original proposal perhaps is better where you disable AVIC globally in > avic_hardware_setup(). Apologies for (mistankenly) misleading you and wasting > your time :/ Repost from v1 thread: I was considering the APICV inhibit as well, and decided to go with disabling AVIC since it does not require additional APICV_INHIBIT_REASON_XXX flag, and we can simply disable AVIC support during kvm-amd driver initialization. After rethink this, it is better to use per-VM APICv inhibition instead since certain AVIC data structures will be needed for secure AVIC support in the future. Thanks, Suravee
Powered by blists - more mailing lists