| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <76E7FF2E-D430-41BD-9270-62761AC836B2@nutanix.com>
Date: Tue, 23 Dec 2025 04:17:28 +0000
From: Jon Kohler <jon@...anix.com>
To: Sean Christopherson <seanjc@...gle.com>
CC: "pbonzini@...hat.com" <pbonzini@...hat.com>,
"tglx@...utronix.de"
<tglx@...utronix.de>,
"mingo@...hat.com" <mingo@...hat.com>, "bp@...en8.de"
<bp@...en8.de>,
"dave.hansen@...ux.intel.com" <dave.hansen@...ux.intel.com>,
"x86@...nel.org" <x86@...nel.org>, "hpa@...or.com" <hpa@...or.com>,
"kvm@...r.kernel.org" <kvm@...r.kernel.org>,
"linux-kernel@...r.kernel.org"
<linux-kernel@...r.kernel.org>,
Alexander Grest
<Alexander.Grest@...rosoft.com>,
Nicolas Saenz Julienne <nsaenz@...zon.es>,
"Madhavan T . Venkataraman" <madvenka@...ux.microsoft.com>,
Mickaël Salaün <mic@...ikod.net>,
Tao Su
<tao1.su@...ux.intel.com>, Xiaoyao Li <xiaoyao.li@...el.com>,
Zhao Liu
<zhao1.liu@...el.com>
Subject: Re: [RFC PATCH 00/18] KVM: VMX: Introduce Intel Mode-Based Execute
Control (MBEC)
> On May 12, 2025, at 5:46 PM, Sean Christopherson <seanjc@...gle.com> wrote:
>
> On Thu, Mar 13, 2025, Jon Kohler wrote:
>> ## Summary
>> This series introduces support for Intel Mode-Based Execute Control
>> (MBEC) to KVM and nested VMX virtualization, aiming to significantly
>> reduce VMexits and improve performance for Windows guests running with
>> Hypervisor-Protected Code Integrity (HVCI).
>
> ...
>
>> ## Testing
>> Initial testing has been on done on 6.12-based code with:
>> Guests
>> - Windows 11 24H2 26100.2894
>> - Windows Server 2025 24H2 26100.2894
>> - Windows Server 2022 W1H2 20348.825
>> Processors:
>> - Intel Skylake 6154
>> - Intel Sapphire Rapids 6444Y
>
> This series needs testcases, and lots of 'em. A short list off the top of my head:
Lots is right, for the EPT suite, this added 1600 individual tests according to the
summary at the end of the suite, not counting the VMLAUNCH/VMRESUME from the VMX
suite.
Starting -> SUMMARY: 7788 tests
Current -> SUMMARY: 9425 tests
>
> - New KVM-Unit-Test (KUT) ept_access_xxx testcases to verify KVM does the right
> thing with respect to user and supervisor code fetches when MBEC is:
>
> 1. Supported and Enabled
> 2. Supported but Disabled
> 3. Unsupported
>
> - KUT testcases to verify VMLAUNCH/VMRESUME consistency checks.
>
> - KUT testcases to verify KVM treats WRITABLE+USER_EXEC as an illegal combination,
> i.e. that MBEC doesn't affect the W=1,R=0 behavior.
>
> The access tests in particular absolutely need to be provided along with the next
> version. Unless I'm missing something, this RFC implementation is buggy throughout
> due to tracking MBEC on a per-vCPU basis, and all of those bugs should be exposed
> by even relative basic testcases.
Greetings from December (yikes!). Coming back around on this, I’ve gotten to
rebase the entire series on 6.18 and incorporate all (or just about all)
comments/feedback from this RFC series into a v1 series there.
I’ve also extended KUT test cases as suggested (or at least I believe I’ve got
them all covered, happy to take feedback if I missed something). They are mostly
working, but as you’ll see in the series I’ll send out there (and the mirror link
below), there are four commits that I’m having trouble with, and I’d appreciate
some help. I’m probably missing something painfully silly.
V1 series will be out to LKML shortly, but in the mean time, GitHub mirrors for
all components are here:
https://github.com/JonKohler/qemu/tree/mbec-v1
https://github.com/JonKohler/linux/tree/mbec-v1-6.18
https://github.com/JonKohler/kvm-unit-tests/tree/mbec-v1
Powered by blists - more mailing lists