lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <Z4aX1NjuxeCJd1XY@google.com>
Date: Tue, 14 Jan 2025 08:59:00 -0800
From: Sean Christopherson <seanjc@...gle.com>
To: Binbin Wu <binbin.wu@...ux.intel.com>
Cc: pbonzini@...hat.com, kvm@...r.kernel.org, rick.p.edgecombe@...el.com, 
	kai.huang@...el.com, adrian.hunter@...el.com, reinette.chatre@...el.com, 
	xiaoyao.li@...el.com, tony.lindgren@...ux.intel.com, isaku.yamahata@...el.com, 
	yan.y.zhao@...el.com, chao.gao@...el.com, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 12/16] KVM: TDX: Inhibit APICv for TDX guest

On Tue, Jan 14, 2025, Binbin Wu wrote:
> On 1/14/2025 1:16 AM, Sean Christopherson wrote:
> > On Mon, Jan 13, 2025, Binbin Wu wrote:
> > > Summary about APICv inhibit reasons:
> > > APICv could still be disabled runtime in some corner case, e.g,
> > > APICV_INHIBIT_REASON_PHYSICAL_ID_ALIASED due to memory allocation failure.
> > > After checking enable_apicv in tdx_bringup(), apic->apicv_active is
> > > initialized as true in kvm_create_lapic().  If APICv is inhibited due to any
> > > reason runtime, the refresh_apicv_exec_ctrl() callback could be used to check
> > > if APICv is disabled for TDX, if APICv is disabled, bug the VM.
> > I _think_ this is a non-issue, and that KVM could do KVM_BUG_ON() if APICv is
> > inihibited by kvm_recalculate_apic_map() for a TDX VM.  x2APIC is mandatory
> > (KVM_APIC_MODE_MAP_DISABLED and "APIC_ID modified" impossible), KVM emulates
> > APIC_ID as read-only for x2APIC mode (physical aliasing impossible), and LDR is
> > read-only for x2APIC (logical aliasing impossible).
> 
> For logical aliasing, according to the KVM code, it's only relevant to
> AMD's AVIC. It's not set in VMX_REQUIRED_APICV_INHIBITS.

Ah, right.

> Is the reason AVIC using logical-id-addressing while APICv using
> physical-id-addressing for IPI virtualization?

Ya, more or less.  AVIC supports virtualizing both physical and logical IPIs,
APICv only supports physical.

> > To ensure no physical aliasing, KVM would need to require KVM_CAP_X2APIC_API be
> > enabled, but that should probably be required for TDX no matter what.
> There is no physical aliasing when APIC is in x2apic mode, vcpu_id is used
> anyway.

Yeah, ignore this, I misremembered the effects of KVM_CAP_X2APIC_API.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ