lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <0f7dac2d-e964-467c-ad4c-cfdd2daa30f5@amd.com>
Date: Fri, 18 Oct 2024 17:06:56 +0700
From: "Suthikulpanit, Suravee" <suravee.suthikulpanit@....com>
To: Joao Martins <joao.m.martins@...cle.com>
Cc: pbonzini@...hat.com, seanjc@...gle.com, david.kaplan@....com,
 jon.grimm@....com, santosh.shukla@....com, linux-kernel@...r.kernel.org,
 kvm@...r.kernel.org
Subject: Re: [PATCH v2] KVM: SVM: Inhibit AVIC on SNP-enabled system without
 HvInUseWrAllowed feature

On 10/18/2024 4:57 PM, Joao Martins wrote:
> On 18/10/2024 09:50, Suravee Suthikulpanit wrote:
>> On SNP-enabled system, VMRUN marks AVIC Backing Page as in-use while
>> the guest is running for both secure and non-secure guest. Any hypervisor
>> write to the in-use vCPU's AVIC backing page (e.g. to inject an interrupt)
>> will generate unexpected #PF in the host.
>>
>> Currently, attempt to run AVIC guest would result in the following error:
>>
>>      BUG: unable to handle page fault for address: ff3a442e549cc270
>>      #PF: supervisor write access in kernel mode
>>      #PF: error_code(0x80000003) - RMP violation
>>      PGD b6ee01067 P4D b6ee02067 PUD 10096d063 PMD 11c540063 PTE 80000001149cc163
>>      SEV-SNP: PFN 0x1149cc unassigned, dumping non-zero entries in 2M PFN region: [0x114800 - 0x114a00]
>>      ...
>>
>> Newer AMD system is enhanced to allow hypervisor to modify the backing page
>> for non-secure guest on SNP-enabled system. This enhancement is available
>> when the CPUID Fn8000_001F_EAX bit 30 is set (HvInUseWrAllowed).
>>
>> This table describes AVIC support matrix w.r.t. SNP enablement:
>>
>>                 | Non-SNP system |     SNP system
>> -----------------------------------------------------
>>   Non-SNP guest |  AVIC Activate | AVIC Activate iff
>>                 |                | HvInuseWrAllowed=1
>> -----------------------------------------------------
>>       SNP guest |      N/A       |    Secure AVIC
>>                 |                |    x2APIC only
>>
>> Introduce APICV_INHIBIT_REASON_HVINUSEWR_NOT_ALLOWED to deactivate AVIC
>> when the feature is not available on SNP-enabled system.
>>
> I misread your first sentence in v1 wrt to non-secure guests -- but it's a lot
> more obvious now. If this was sort of a dynamic condition at runtime (like the
> other inhibits triggered by guest behavior or something that can change at
> runtime post-boot, or modparam) then the inhibit system would be best acquainted
> for preventing enabling AVIC on a per-vm basis. But it appears this is
> global-defined-at-boot that blocks any non-secure guest from using AVIC if we
> boot as an SNP-enabled host i.e. based on testing BSP-defined feature bits solely.
> 
> Your original proposal perhaps is better where you disable AVIC globally in
> avic_hardware_setup(). Apologies for (mistankenly) misleading you and wasting
> your time :/

Repost from v1 thread:

I was considering the APICV inhibit as well, and decided to go with 
disabling AVIC since it does not require additional 
APICV_INHIBIT_REASON_XXX flag, and we can simply disable AVIC support 
during kvm-amd driver initialization.

After rethink this, it is better to use per-VM APICv inhibition instead 
since certain AVIC data structures will be needed for secure AVIC 
support in the future.

Thanks,
Suravee

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ