Re: [PATCH 2/2] KVM: VMX: Extend VMX's #AC handding

From: Xiaoyao Li
Date: Sat Feb 01 2020 - 12:02:32 EST

Next message: syzbot: "Re: general protection fault in path_openat"
Previous message: Masahiro Yamada: "[PATCH 2/2] kbuild: rename hostprogs-y/always to hostprogs/always-y"
Next in thread: Andy Lutomirski: "Re: [PATCH 2/2] KVM: VMX: Extend VMX's #AC handding"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2/1/2020 5:33 AM, Andy Lutomirski wrote:

On Jan 31, 2020, at 1:04 PM, Sean Christopherson <sean.j.christopherson@xxxxxxxxx> wrote:

ïOn Fri, Jan 31, 2020 at 12:57:51PM -0800, Andy Lutomirski wrote:

On Jan 31, 2020, at 12:18 PM, Sean Christopherson <sean.j.christopherson@xxxxxxxxx> wrote:

This is essentially what I proposed a while back. KVM would allow enabling
split-lock #AC in the guest if and only if SMT is disabled or the enable bit
is per-thread, *or* the host is in "warn" mode (can live with split-lock #AC
being randomly disabled/enabled) and userspace has communicated to KVM that
it is pinning vCPUs.

How about covering the actual sensible case: host is set to fatal? In this
mode, the guest gets split lock detection whether it wants it or not. How do
we communicate this to the guest?

KVM doesn't advertise split-lock #AC to the guest and returns -EFAULT to the
userspace VMM if the guest triggers a split-lock #AC.

Effectively the same behavior as any other userspace process, just that KVM
explicitly returns -EFAULT instead of the process getting a SIGBUS.

Which helps how if the guest is actually SLD-aware?

I suppose we could make the argument that, if an SLD-aware guest gets #AC at CPL0, itâs a bug, but it still seems rather nicer to forward the #AC to the guest instead of summarily killing it.

If KVM does advertise split-lock detection to the guest, then kvm/host can know whether a guest is SLD-aware by checking guest's MSR_TEST_CTRL.SPLIT_LOCK_DETECT bit.

- If guest's MSR_TEST_CTRL.SPLIT_LOCK_DETECT is set, it indicates guest is SLD-aware so KVM forwards #AC to guest.

- If not set. It may be a old guest or a malicious guest or a guest without SLD support, and we cannot figure it out. So we have to kill the guest when host is SLD-fatal, and let guest survive when SLD-WARN for old sane buggy guest.

In a word, all the above is on the condition that KVM advertise split-lock detection to guest. But this patch doesn't do this. Maybe I should add that part in v2.

ISTM, on an SLD-fatal host with an SLD-aware guest, the host should tell the guest âhey, you may not do split locks â SLD is forced onâ and the guest should somehow acknowledge it so that it sees the architectural behavior instead of something we made up. Hence my suggestion.

Next message: syzbot: "Re: general protection fault in path_openat"
Previous message: Masahiro Yamada: "[PATCH 2/2] kbuild: rename hostprogs-y/always to hostprogs/always-y"
Next in thread: Andy Lutomirski: "Re: [PATCH 2/2] KVM: VMX: Extend VMX's #AC handding"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]