lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <7f8a8ccbd0a8325b5a1e756d5c55a5fc5992908d.camel@redhat.com>
Date: Tue, 17 Dec 2024 20:13:45 -0500
From: Maxim Levitsky <mlevitsk@...hat.com>
To: Sean Christopherson <seanjc@...gle.com>, Paolo Bonzini
 <pbonzini@...hat.com>,  Vitaly Kuznetsov <vkuznets@...hat.com>, Jarkko
 Sakkinen <jarkko@...nel.org>
Cc: kvm@...r.kernel.org, linux-sgx@...r.kernel.org, 
 linux-kernel@...r.kernel.org, Hou Wenlong <houwenlong.hwl@...group.com>, 
 Xiaoyao Li <xiaoyao.li@...el.com>, Kechen Lu <kechenl@...dia.com>, Oliver
 Upton <oliver.upton@...ux.dev>,  Binbin Wu <binbin.wu@...ux.intel.com>,
 Yang Weijiang <weijiang.yang@...el.com>, Robert Hoo
 <robert.hoo.linux@...il.com>
Subject: Re: [PATCH v3 00/57] KVM: x86: CPUID overhaul, fixes, and caching

On Wed, 2024-11-27 at 17:33 -0800, Sean Christopherson wrote:
> The super short TL;DR: snapshot all X86_FEATURE_* flags that KVM cares
> about so that all queries against guest capabilities are "fast", e.g. don't
> require manual enabling or judgment calls as to where a feature needs to be
> fast.
> 
> The guest_cpu_cap_* nomenclature follows the existing kvm_cpu_cap_*
> except for a few (maybe just one?) cases where guest cpu_caps need APIs
> that kvm_cpu_caps don't.  In theory, the similar names will make this
> approach more intuitive.
> 
> This series also adds more hardening, e.g. to assert at compile-time if a
> feature flag is passed to the wrong word.  It also sets the stage for even
> more hardening in the future, as tracking all KVM-supported features allows
> shoving known vs. used features into arrays at compile time, which can then
> be checked for consistency irrespective of hardware support.  E.g. allows
> detecting if KVM is checking a feature without advertising it to userspace.
> This extra hardening is future work; I have it mostly working, but it's ugly
> and requires a runtime check to process the generated arrays.
> 
> There are *multiple* potentially breaking changes in this series (in for a
> penny, in for a pound).  However, I don't expect any fallout for real world
> VMMs because the ABI changes either disallow things that couldn't possibly
> have worked in the first place, or are following in the footsteps of other
> behaviors, e.g. KVM advertises x2APIC, which is 100% dependent on an in-kernel
> local APIC.
> 
>  * Disallow stuffing CPUID-dependent guest CR4 features before setting guest
>    CPUID.
>  * Disallow KVM_CAP_X86_DISABLE_EXITS after vCPU creation
>  * Reject disabling of MWAIT/HLT interception when not allowed
>  * Advertise TSC_DEADLINE_TIMER in KVM_GET_SUPPORTED_CPUID.
>  * Advertise HYPERVISOR in KVM_GET_SUPPORTED_CPUID
> 
> Validated the flag rework by comparing the output of KVM_GET_SUPPORTED_CPUID
> (and the emulated version) at the beginning and end of the series, on AMD
> and Intel hosts that should support almost every feature known to KVM.
> 
> Maxim, I did my best to incorporate all of your feedback, and when we
> disagreed, I tried to find an approach that I we can hopefully both live
> with, at least until someone comes up with a better idea.
> 
> I _think_ the only suggestion that I "rejected" entirely is the existence
> of ALIASED_1_EDX_F.  I responded to the previous thread, definitely feel
> free to continue the conversation there (or here).
> 
> If I missed something you care strongly about, please holler!

Hi,

I did go over this patch series, I don't think I have anything to add,
there are still things I disagree, especially the F* macros, IMHO this
makes the code less readable.

So if you want to merge this, I won't object.

Thanks,
Best regards,
	Maxim Levitsky

> 
> v3:
>  - Collect more reviews.
>  - Too many to list.
>  
> v2:
>  - Collect a few reviews (though I dropped several due to the patches changing
>    significantly).
>  - Incorporate KVM's support into the vCPU's cpu_caps. [Maxim]
>  - A massive pile of new patches.
> 
> Sean Christopherson (57):
>   KVM: x86: Use feature_bit() to clear CONSTANT_TSC when emulating CPUID
>   KVM: x86: Limit use of F() and SF() to
>     kvm_cpu_cap_{mask,init_kvm_defined}()
>   KVM: x86: Do all post-set CPUID processing during vCPU creation
>   KVM: x86: Explicitly do runtime CPUID updates "after" initial setup
>   KVM: x86: Account for KVM-reserved CR4 bits when passing through CR4
>     on VMX
>   KVM: selftests: Update x86's set_sregs_test to match KVM's CPUID
>     enforcement
>   KVM: selftests: Assert that vcpu->cpuid is non-NULL when getting CPUID
>     entries
>   KVM: selftests: Refresh vCPU CPUID cache in __vcpu_get_cpuid_entry()
>   KVM: selftests: Verify KVM stuffs runtime CPUID OS bits on CR4 writes
>   KVM: x86: Move __kvm_is_valid_cr4() definition to x86.h
>   KVM: x86/pmu: Drop now-redundant refresh() during init()
>   KVM: x86: Drop now-redundant MAXPHYADDR and GPA rsvd bits from vCPU
>     creation
>   KVM: x86: Disallow KVM_CAP_X86_DISABLE_EXITS after vCPU creation
>   KVM: x86: Reject disabling of MWAIT/HLT interception when not allowed
>   KVM: x86: Drop the now unused KVM_X86_DISABLE_VALID_EXITS
>   KVM: selftests: Fix a bad TEST_REQUIRE() in x86's KVM PV test
>   KVM: selftests: Update x86's KVM PV test to match KVM's disabling
>     exits behavior
>   KVM: x86: Zero out PV features cache when the CPUID leaf is not
>     present
>   KVM: x86: Don't update PV features caches when enabling enforcement
>     capability
>   KVM: x86: Do reverse CPUID sanity checks in __feature_leaf()
>   KVM: x86: Account for max supported CPUID leaf when getting raw host
>     CPUID
>   KVM: x86: Unpack F() CPUID feature flag macros to one flag per line of
>     code
>   KVM: x86: Rename kvm_cpu_cap_mask() to kvm_cpu_cap_init()
>   KVM: x86: Add a macro to init CPUID features that are 64-bit only
>   KVM: x86: Add a macro to precisely handle aliased 0x1.EDX CPUID
>     features
>   KVM: x86: Handle kernel- and KVM-defined CPUID words in a single
>     helper
>   KVM: x86: #undef SPEC_CTRL_SSBD in cpuid.c to avoid macro collisions
>   KVM: x86: Harden CPU capabilities processing against out-of-scope
>     features
>   KVM: x86: Add a macro to init CPUID features that ignore host kernel
>     support
>   KVM: x86: Add a macro to init CPUID features that KVM emulates in
>     software
>   KVM: x86: Swap incoming guest CPUID into vCPU before massaging in
>     KVM_SET_CPUID2
>   KVM: x86: Clear PV_UNHALT for !HLT-exiting only when userspace sets
>     CPUID
>   KVM: x86: Remove unnecessary caching of KVM's PV CPUID base
>   KVM: x86: Always operate on kvm_vcpu data in cpuid_entry2_find()
>   KVM: x86: Move kvm_find_cpuid_entry{,_index}() up near
>     cpuid_entry2_find()
>   KVM: x86: Remove all direct usage of cpuid_entry2_find()
>   KVM: x86: Advertise TSC_DEADLINE_TIMER in KVM_GET_SUPPORTED_CPUID
>   KVM: x86: Advertise HYPERVISOR in KVM_GET_SUPPORTED_CPUID
>   KVM: x86: Rename "governed features" helpers to use "guest_cpu_cap"
>   KVM: x86: Replace guts of "governed" features with comprehensive
>     cpu_caps
>   KVM: x86: Initialize guest cpu_caps based on guest CPUID
>   KVM: x86: Extract code for generating per-entry emulated CPUID
>     information
>   KVM: x86: Treat MONTIOR/MWAIT as a "partially emulated" feature
>   KVM: x86: Initialize guest cpu_caps based on KVM support
>   KVM: x86: Avoid double CPUID lookup when updating MWAIT at runtime
>   KVM: x86: Drop unnecessary check that cpuid_entry2_find() returns
>     right leaf
>   KVM: x86: Update OS{XSAVE,PKE} bits in guest CPUID irrespective of
>     host support
>   KVM: x86: Update guest cpu_caps at runtime for dynamic CPUID-based
>     features
>   KVM: x86: Shuffle code to prepare for dropping guest_cpuid_has()
>   KVM: x86: Replace (almost) all guest CPUID feature queries with
>     cpu_caps
>   KVM: x86: Drop superfluous host XSAVE check when adjusting guest
>     XSAVES caps
>   KVM: x86: Add a macro for features that are synthesized into
>     boot_cpu_data
>   KVM: x86: Pull CPUID capabilities from boot_cpu_data only as needed
>   KVM: x86: Rename "SF" macro to "SCATTERED_F"
>   KVM: x86: Explicitly track feature flags that require vendor enabling
>   KVM: x86: Explicitly track feature flags that are enabled at runtime
>   KVM: x86: Use only local variables (no bitmask) to init kvm_cpu_caps
> 
>  Documentation/virt/kvm/api.rst                |  10 +-
>  arch/x86/include/asm/kvm_host.h               |  47 +-
>  arch/x86/kvm/cpuid.c                          | 967 ++++++++++++------
>  arch/x86/kvm/cpuid.h                          | 128 +--
>  arch/x86/kvm/governed_features.h              |  22 -
>  arch/x86/kvm/hyperv.c                         |   2 +-
>  arch/x86/kvm/lapic.c                          |   4 +-
>  arch/x86/kvm/mmu.h                            |   2 +-
>  arch/x86/kvm/mmu/mmu.c                        |   4 +-
>  arch/x86/kvm/pmu.c                            |   1 -
>  arch/x86/kvm/reverse_cpuid.h                  |  23 +-
>  arch/x86/kvm/smm.c                            |  10 +-
>  arch/x86/kvm/svm/nested.c                     |  22 +-
>  arch/x86/kvm/svm/pmu.c                        |   8 +-
>  arch/x86/kvm/svm/sev.c                        |  21 +-
>  arch/x86/kvm/svm/svm.c                        |  46 +-
>  arch/x86/kvm/svm/svm.h                        |   4 +-
>  arch/x86/kvm/vmx/hyperv.h                     |   2 +-
>  arch/x86/kvm/vmx/nested.c                     |  18 +-
>  arch/x86/kvm/vmx/pmu_intel.c                  |   4 +-
>  arch/x86/kvm/vmx/sgx.c                        |  14 +-
>  arch/x86/kvm/vmx/vmx.c                        |  61 +-
>  arch/x86/kvm/x86.c                            | 153 ++-
>  arch/x86/kvm/x86.h                            |   6 +-
>  include/uapi/linux/kvm.h                      |   4 -
>  .../selftests/kvm/include/x86_64/processor.h  |  18 +-
>  .../selftests/kvm/x86_64/kvm_pv_test.c        |  38 +-
>  .../selftests/kvm/x86_64/set_sregs_test.c     |  63 +-
>  28 files changed, 1017 insertions(+), 685 deletions(-)
>  delete mode 100644 arch/x86/kvm/governed_features.h
> 
> 
> base-commit: 4d911c7abee56771b0219a9fbf0120d06bdc9c14



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ