| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250211025828.3072076-12-binbin.wu@linux.intel.com> Date: Tue, 11 Feb 2025 10:58:22 +0800 From: Binbin Wu <binbin.wu@...ux.intel.com> To: pbonzini@...hat.com, seanjc@...gle.com, kvm@...r.kernel.org Cc: rick.p.edgecombe@...el.com, kai.huang@...el.com, adrian.hunter@...el.com, reinette.chatre@...el.com, xiaoyao.li@...el.com, tony.lindgren@...el.com, isaku.yamahata@...el.com, yan.y.zhao@...el.com, chao.gao@...el.com, linux-kernel@...r.kernel.org, binbin.wu@...ux.intel.com Subject: [PATCH v2 11/17] KVM: TDX: Enforce KVM_IRQCHIP_SPLIT for TDX guests Enforce KVM_IRQCHIP_SPLIT for TDX guests to disallow in-kernel I/O APIC while in-kernel local APIC is needed. APICv is always enabled by TDX module and TDX Module doesn't allow the hypervisor to modify the EOI-bitmap, i.e. all EOIs are accelerated and never trigger exits. Level-triggered interrupts and other things depending on EOI VM-Exit can't be faithfully emulated in KVM. Also, the lazy check of pending APIC EOI for RTC edge-triggered interrupts, which was introduced as a workaround when EOI cannot be intercepted, doesn't work for TDX either because kvm_apic_pending_eoi() checks vIRR and vISR, but both values are invisible in KVM. If the guest induces generation of a level-triggered interrupt, the VMM is left with the choice of dropping the interrupt, sending it as-is, or converting it to an edge-triggered interrupt. Ditto for KVM. All of those options will make the guest unhappy. There's no architectural behavior KVM can provide that's better than sending the interrupt and hoping for the best. Signed-off-by: Binbin Wu <binbin.wu@...ux.intel.com> --- TDX interrupts v2: - New added. --- arch/x86/kvm/vmx/tdx.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/arch/x86/kvm/vmx/tdx.c b/arch/x86/kvm/vmx/tdx.c index bd349e3d4089..4b3251680d43 100644 --- a/arch/x86/kvm/vmx/tdx.c +++ b/arch/x86/kvm/vmx/tdx.c @@ -13,6 +13,7 @@ #include "mmu/spte.h" #include "common.h" #include "posted_intr.h" +#include "irq.h" #include <trace/events/kvm.h> #include "trace.h" @@ -663,8 +664,12 @@ int tdx_vcpu_create(struct kvm_vcpu *vcpu) if (kvm_tdx->state != TD_STATE_INITIALIZED) return -EIO; - /* TDX module mandates APICv, which requires an in-kernel local APIC. */ - if (!lapic_in_kernel(vcpu)) + /* + * TDX module mandates APICv, which requires an in-kernel local APIC. + * Disallow an in-kernel I/O APIC, because level-triggered interrupts + * and thus the I/O APIC as a whole can't be faithfully emulated in KVM. + */ + if (!irqchip_split(vcpu->kvm)) return -EINVAL; fpstate_set_confidential(&vcpu->arch.guest_fpu); -- 2.46.0
Powered by blists - more mailing lists