Message-ID: <20251229111708.59402-1-khushit.shah@nutanix.com>
Date: Mon, 29 Dec 2025 11:17:05 +0000
From: Khushit Shah <khushit.shah@...anix.com>
To: seanjc@...gle.com, pbonzini@...hat.com, kai.huang@...el.com,
        dwmw2@...radead.org
Cc: mingo@...hat.com, x86@...nel.org, bp@...en8.de, hpa@...or.com,
        linux-kernel@...r.kernel.org, kvm@...r.kernel.org,
        dave.hansen@...ux.intel.com, tglx@...utronix.de, jon@...anix.com,
        shaju.abraham@...anix.com, Khushit Shah <khushit.shah@...anix.com>
Subject: [PATCH v5 0/3] KVM: x86: Add userspace control for Suppress EOI Broadcast

Suppress EOI Broadcast (SEOIB) is an x2APIC feature that stops the local
APIC from broadcasting EOIs to I/O APICs.  When enabled, guests must
directly write to specific I/O APIC's EOI Register (available in I/O APIC
version 0x20+) to EOI the interrupt.

KVM has historically mishandled SEOIB support.  When x2APIC was introduced,
KVM advertised the feature without implementing the I/O APIC side (directed
EOI).  This flaw carried over to split IRQCHIP mode, where KVM always
advertised support but didn't actually honor the guest's decision to
suppress EOI broadcast, and kept broadcasting EOIs to userspace.

The broken behavior can cause interrupt storms on guests that perform I/O
APIC EOI well after LAPIC EOI (e.g. Windows with Credential Guard enabled).

KVM "fixed" in-kernel IRQCHIP by not advertising SEOIB support, but
split IRQCHIP was never fixed.  Rather than silently changing guest-visible
behavior, this series adds userspace control via KVM_CAP_X2APIC_API flags,
allowing VMMs to explicitly enable or disable SEOIB support.  When enabled
with in-kernel IRQCHIP, KVM uses I/O APIC version 0x20 which provides the
EOI Register for directed EOI.

The series maintains backward compatibility: if neither flag is set,
legacy behavior is preserved.  Modern VMMs should explicitly set either
KVM_X2APIC_ENABLE_SUPPRESS_EOI_BROADCAST or
KVM_X2APIC_DISABLE_SUPPRESS_EOI_BROADCAST.

Tested:
- No flags set: legacy quirky behavior preserved.
- ENABLE flag set: SEOIB advertised, in-kernel IRQCHIP uses I/O APIC
  version 0x20.
- DISABLE flag set: SEOIB not advertised.

Changes in v5:
- Split into 3-patch series (refactor, I/O APIC 0x20 support, userspace
  control)
- Extended to support in-kernel IRQCHIP mode.
- I/O APIC version 0x20 is used when enabling with in-kernel IRQCHIP

David Woodhouse (1):
  KVM: x86/ioapic: Implement support for I/O APIC version 0x20 with EOIR

Khushit Shah (2):
  KVM: x86: Refactor suppress EOI broadcast logic
  KVM: x86: Add x2APIC "features" to control EOI broadcast suppression

 Documentation/virt/kvm/api.rst  | 28 +++++++++++-
 arch/x86/include/asm/kvm_host.h |  7 +++
 arch/x86/include/uapi/asm/kvm.h |  6 ++-
 arch/x86/kvm/ioapic.c           | 43 ++++++++++++++++---
 arch/x86/kvm/ioapic.h           | 19 +++++----
 arch/x86/kvm/lapic.c            | 75 +++++++++++++++++++++++++++++----
 arch/x86/kvm/lapic.h            |  3 ++
 arch/x86/kvm/trace.h            | 17 ++++++++
 arch/x86/kvm/x86.c              | 15 ++++++-
 9 files changed, 186 insertions(+), 27 deletions(-)

-- 
2.39.3
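The interrupt-storm mechanism the cover letter describes (a guest that issues its LAPIC EOI first and its I/O APIC EOI "well after", while the hypervisor keeps broadcasting EOIs it claimed to suppress) can be shown with a small model of one level-triggered I/O APIC pin. This is an added example, not KVM code and not part of the series; the struct names, the `simulate_interrupt()` helper and the round bound are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of one level-triggered I/O APIC pin (not KVM's ioapic.c).
 * remote_irr is set when the pin's interrupt is delivered and cleared only
 * by an EOI that reaches the I/O APIC, exactly the property SEOIB changes. */
struct ioapic_pin {
    bool line_asserted;  /* device still driving the interrupt line */
    bool remote_irr;     /* delivery outstanding until an EOI clears it */
};

struct model {
    struct ioapic_pin pin;
    bool guest_seoib;        /* guest enabled Suppress EOI Broadcast in its LAPIC */
    bool kvm_honours_seoib;  /* hypervisor actually stops broadcasting when asked */
    int deliveries;          /* how many times the guest handler was entered */
};

/* A level-triggered pin re-delivers whenever the line is asserted and no
 * delivery is outstanding (remote IRR clear). */
static bool ioapic_try_deliver(struct model *m)
{
    if (m->pin.line_asserted && !m->pin.remote_irr) {
        m->pin.remote_irr = true;
        m->deliveries++;
        return true;
    }
    return false;
}

/* EOI arriving at the I/O APIC, whether broadcast from the LAPIC or written
 * directly to the version 0x20 EOI Register: clear remote IRR, re-evaluate. */
static void ioapic_eoi(struct model *m)
{
    m->pin.remote_irr = false;
    ioapic_try_deliver(m);
}

/* Guest writes LAPIC EOI. The broadcast is suppressed only if the guest asked
 * for SEOIB *and* the hypervisor honours it; the bug on the page is the
 * combination "advertised and enabled by the guest, but not honoured". */
static void lapic_eoi(struct model *m)
{
    bool suppress = m->guest_seoib && m->kvm_honours_seoib;
    if (!suppress)
        ioapic_eoi(m);
}

/* Run one device interrupt through the guest. Returns the number of handler
 * entries: 1 is correct; reaching 1 + max_rounds means the interrupt stormed. */
int simulate_interrupt(bool guest_seoib, bool kvm_honours_seoib, int max_rounds)
{
    struct model m = {
        .pin = { .line_asserted = true, .remote_irr = false },
        .guest_seoib = guest_seoib,
        .kvm_honours_seoib = kvm_honours_seoib,
        .deliveries = 0,
    };
    ioapic_try_deliver(&m);  /* the device raises its line: first delivery */

    if (!guest_seoib) {
        /* Legacy guest: service the device first, then LAPIC EOI; the
         * broadcast clears remote IRR with the line already deasserted. */
        m.pin.line_asserted = false;
        lapic_eoi(&m);
        return m.deliveries;
    }

    /* SEOIB guest: LAPIC EOI early, device serviced later, then directed EOI.
     * Each re-delivery re-enters the handler before the device is serviced. */
    int rounds = 0;
    while (rounds < max_rounds) {
        int before = m.deliveries;
        lapic_eoi(&m);
        rounds++;
        if (m.deliveries > before)
            continue;  /* broadcast cleared remote IRR, line still high: storm */
        break;
    }
    if (rounds >= max_rounds)
        return m.deliveries;

    m.pin.line_asserted = false;  /* device serviced "well after LAPIC EOI" */
    ioapic_eoi(&m);               /* directed EOI via the I/O APIC EOI Register */
    return m.deliveries;
}

int main(void)
{
    printf("SEOIB honoured:         %d deliveries\n", simulate_interrupt(true, true, 8));
    printf("SEOIB advertised, not honoured: %d deliveries\n", simulate_interrupt(true, false, 8));
    printf("legacy guest:           %d deliveries\n", simulate_interrupt(false, false, 8));
    return 0;
}
```

The model maps onto the series' three outcomes: the ENABLE flag corresponds to `kvm_honours_seoib == true` with a guest that turns SEOIB on and uses directed EOI; the DISABLE flag corresponds to the guest never seeing SEOIB (the legacy path with `guest_seoib == false`); the pre-series split-IRQCHIP behaviour is the "advertised but not honoured" row, where every LAPIC EOI immediately re-arms the still-asserted pin.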
