Message-ID: <09F33B66-1750-43FB-B97F-5BC3DF42B356@nutanix.com>
Date: Tue, 13 May 2025 01:59:21 +0000
From: Jon Kohler <jon@...anix.com>
To: Sean Christopherson <seanjc@...gle.com>
CC: "pbonzini@...hat.com" <pbonzini@...hat.com>,
    "tglx@...utronix.de" <tglx@...utronix.de>,
    "mingo@...hat.com" <mingo@...hat.com>,
    "bp@...en8.de" <bp@...en8.de>,
    "dave.hansen@...ux.intel.com" <dave.hansen@...ux.intel.com>,
    "x86@...nel.org" <x86@...nel.org>,
    "hpa@...or.com" <hpa@...or.com>,
    "kvm@...r.kernel.org" <kvm@...r.kernel.org>,
    "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
    Alexander Grest <Alexander.Grest@...rosoft.com>,
    Nicolas Saenz Julienne <nsaenz@...zon.es>,
    "Madhavan T . Venkataraman" <madvenka@...ux.microsoft.com>,
    Mickaël Salaün <mic@...ikod.net>,
    Tao Su <tao1.su@...ux.intel.com>,
    Xiaoyao Li <xiaoyao.li@...el.com>,
    Zhao Liu <zhao1.liu@...el.com>
Subject: Re: [RFC PATCH 00/18] KVM: VMX: Introduce Intel Mode-Based Execute Control (MBEC)

> On May 12, 2025, at 5:46 PM, Sean Christopherson <seanjc@...gle.com> wrote:
>
> On Thu, Mar 13, 2025, Jon Kohler wrote:
>> ## Summary
>> This series introduces support for Intel Mode-Based Execute Control
>> (MBEC) to KVM and nested VMX virtualization, aiming to significantly
>> reduce VMexits and improve performance for Windows guests running with
>> Hypervisor-Protected Code Integrity (HVCI).
>
> ...
>
>> ## Testing
>> Initial testing has been done on 6.12-based code with:
>> Guests:
>> - Windows 11 24H2 26100.2894
>> - Windows Server 2025 24H2 26100.2894
>> - Windows Server 2022 W1H2 20348.825
>> Processors:
>> - Intel Skylake 6154
>> - Intel Sapphire Rapids 6444Y
>
> This series needs testcases, and lots of 'em. A short list off the top of my head:
>
>  - New KVM-Unit-Test (KUT) ept_access_xxx testcases to verify KVM does the right
>    thing with respect to user and supervisor code fetches when MBEC is:
>
>      1. Supported and Enabled
>      2. Supported but Disabled
>      3. Unsupported
>
>  - KUT testcases to verify VMLAUNCH/VMRESUME consistency checks.
>
>  - KUT testcases to verify KVM treats WRITABLE+USER_EXEC as an illegal combination,
>    i.e. that MBEC doesn't affect the W=1,R=0 behavior.
>
> The access tests in particular absolutely need to be provided along with the next
> version. Unless I'm missing something, this RFC implementation is buggy throughout
> due to tracking MBEC on a per-vCPU basis, and all of those bugs should be exposed
> by even relatively basic testcases.

Thanks for the review, Sean. I’ll work on rebasing my patches from 6.12 to latest
and incorporating the feedback across the board.

On the KUT side, good news is I already have most of that done-ish, so I’ll tune
them up when I get the next rev of the series, and send them both out together.
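
Added example, not part of this thread, the posted series or KVM-Unit-Tests: a small C oracle for the outcomes the access testcases listed above would assert, covering user and supervisor code fetches in the three MBEC states plus the W=1,R=0 case. The names `expected_fetch`, `mbec_mode` and `fetch_result` are hypothetical; the bit positions follow the Intel SDM, and the model assumes execute-only EPT translations are supported and no reserved bits are set.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* EPT leaf permission bits (Intel SDM). */
#define EPT_R  (1ull << 0)
#define EPT_W  (1ull << 1)
#define EPT_X  (1ull << 2)   /* execute; supervisor-only execute under MBEC */
#define EPT_XU (1ull << 10)  /* user-mode execute; ignored when MBEC is off */

/* Hypothetical names, used only by this example. */
enum mbec_mode { MBEC_ENABLED, MBEC_DISABLED, MBEC_UNSUPPORTED };
enum fetch_result { FETCH_OK, EPT_VIOLATION, EPT_MISCONFIG };

/*
 * Expected outcome of a guest code fetch through one EPT leaf entry.
 * user_addr: the linear address is a user-mode address per guest paging.
 * Assumption: execute-only translations supported, no reserved bits set.
 */
static enum fetch_result expected_fetch(enum mbec_mode mode, uint64_t pte,
                                        bool user_addr)
{
    bool mbec = (mode == MBEC_ENABLED);
    uint64_t present = EPT_R | EPT_W | EPT_X | (mbec ? EPT_XU : 0);

    if (!(pte & present))
        return EPT_VIOLATION;   /* not-present entry */
    if ((pte & EPT_W) && !(pte & EPT_R))
        return EPT_MISCONFIG;   /* W=1,R=0 stays illegal, with or without XU */
    if (mbec && user_addr)
        return (pte & EPT_XU) ? FETCH_OK : EPT_VIOLATION;
    return (pte & EPT_X) ? FETCH_OK : EPT_VIOLATION;
}

int main(void)
{
    static const char *res[] = { "ok", "violation", "misconfig" };
    /* Constructed sample entries: supervisor-exec, user-exec, W+XU. */
    uint64_t ptes[] = { EPT_R | EPT_X, EPT_R | EPT_XU, EPT_W | EPT_XU };

    for (int m = MBEC_ENABLED; m <= MBEC_UNSUPPORTED; m++)
        for (int i = 0; i < 3; i++)
            printf("mode=%d pte=%#llx user=%s super=%s\n", m,
                   (unsigned long long)ptes[i],
                   res[expected_fetch(m, ptes[i], true)],
                   res[expected_fetch(m, ptes[i], false)]);
    return 0;
}
```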