Message-ID: <20250919005955.1366256-1-seanjc@google.com>
Date: Thu, 18 Sep 2025 17:59:46 -0700
From: Sean Christopherson <seanjc@...gle.com>
To: Sean Christopherson <seanjc@...gle.com>, Paolo Bonzini <pbonzini@...hat.com>
Cc: kvm@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH 0/9] KVM: VMX: EPTP cleanups and nVMX fixes

This started as a trivial series to clean up KVM's handling of EPTPs in
anticipation of eliding TLB flushes on task migration[*], but then I made the
mistake of trying to test the nested_early_check change, and things snowballed.

Long story short, nested_early_check is obviously not being used as it's been
broken for years, and it's not adding value.  E.g. doesn't help us find KVM
bugs, and doesn't provide any meaningful protection for KVM (especially since
no one is using it).

So, I opted to fix nested_early_check, and then rip it out and replace it with
a param that can be enabled by developers/maintainers to find KVM bugs (which
in hindsight is what we should have done from the beginning).  I went through
the effort of fixing nested_early_check so that in the unlikely case someone
wants to resurrect it, they should have a working commit to jump back to.

[*] https://lore.kernel.org/all/aJKW9gTeyh0-pvcg@google.com

Sean Christopherson (9):
  KVM: VMX: Hoist construct_eptp() "up" in vmx.c
  KVM: nVMX: Hardcode dummy EPTP used for early nested consistency
    checks
  KVM: x86/mmu: Move "dummy root" helpers to spte.h
  KVM: VMX: Use kvm_mmu_page role to construct EPTP, not current vCPU
    state
  KVM: nVMX: Add consistency check for TPR_THRESHOLD[31:4]!=0 without
    VID
  KVM: nVMX: Add consistency check for TSC_MULTIPLIER=0
  KVM: nVMX: Stuff vmcs02.TSC_MULTIPLIER early on for nested early
    checks
  KVM: nVMX: Remove support for "early" consistency checks via hardware
  KVM: nVMX: Add an off-by-default module param to WARN on missed
    consistency checks

 arch/x86/kvm/mmu/mmu_internal.h |  10 --
 arch/x86/kvm/mmu/spte.h         |  10 ++
 arch/x86/kvm/vmx/nested.c       | 165 +++++++++++---------------------
 arch/x86/kvm/vmx/vmx.c          |  57 +++++++----
 arch/x86/kvm/vmx/vmx.h          |   1 -
 5 files changed, 105 insertions(+), 138 deletions(-)


base-commit: c8fbf7ceb2ae3f64b0c377c8c21f6df577a13eb4
-- 
2.51.0.470.ga7dc726c21-goog

