Re: [PATCH 4/4] KVM: hyper-v: Advertise support for fast XMM hypercalls

From: Siddharth Chandrasekaran
Date: Fri Apr 09 2021 - 03:55:55 EST

Next message: Arnd Bergmann: "Re: [PATCH v2 16/21] ipmi: kcs_bmc: Add a "raw" character device interface"
Previous message: Herbert Xu: "Re: [PATCH] crypto: qat: Fix a double free in adf_create_ring"
In reply to: Vitaly Kuznetsov: "Re: [PATCH 4/4] KVM: hyper-v: Advertise support for fast XMM hypercalls"
Next in thread: Siddharth Chandrasekaran: "Re: [PATCH 4/4] KVM: hyper-v: Advertise support for fast XMM hypercalls"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Apr 09, 2021 at 09:38:03AM +0200, Vitaly Kuznetsov wrote:
> Siddharth Chandrasekaran <sidcha@xxxxxxxxx> writes:
> > On Thu, Apr 08, 2021 at 04:44:23PM +0200, Vitaly Kuznetsov wrote:
> >> Siddharth Chandrasekaran <sidcha@xxxxxxxxx> writes:
> >> > On Thu, Apr 08, 2021 at 02:05:53PM +0200, Vitaly Kuznetsov wrote:
> >> >> Siddharth Chandrasekaran <sidcha@xxxxxxxxx> writes:
> >> >>
> >> >> > Now that all extant hypercalls that can use XMM registers (based on
> >> >> > spec) for input/outputs are patched to support them, we can start
> >> >> > advertising this feature to guests.
> >> >> >
> >> >> > Cc: Alexander Graf <graf@xxxxxxxxxx>
> >> >> > Cc: Evgeny Iakovlev <eyakovl@xxxxxxxxx>
> >> >> > Signed-off-by: Siddharth Chandrasekaran <sidcha@xxxxxxxxx>
> >> >> > ---
> >> >> > arch/x86/include/asm/hyperv-tlfs.h | 4 ++--
> >> >> > arch/x86/kvm/hyperv.c | 1 +
> >> >> > 2 files changed, 3 insertions(+), 2 deletions(-)
> >> >> >
> >> >> > diff --git a/arch/x86/include/asm/hyperv-tlfs.h b/arch/x86/include/asm/hyperv-tlfs.h
> >> >> > index e6cd3fee562b..1f160ef60509 100644
> >> >> > --- a/arch/x86/include/asm/hyperv-tlfs.h
> >> >> > +++ b/arch/x86/include/asm/hyperv-tlfs.h
> >> >> > @@ -49,10 +49,10 @@
> >> >> > /* Support for physical CPU dynamic partitioning events is available*/
> >> >> > #define HV_X64_CPU_DYNAMIC_PARTITIONING_AVAILABLE BIT(3)
> >> >> > /*
> >> >> > - * Support for passing hypercall input parameter block via XMM
> >> >> > + * Support for passing hypercall input and output parameter block via XMM
> >> >> > * registers is available
> >> >> > */
> >> >> > -#define HV_X64_HYPERCALL_PARAMS_XMM_AVAILABLE BIT(4)
> >> >> > +#define HV_X64_HYPERCALL_PARAMS_XMM_AVAILABLE BIT(4) | BIT(15)
> >> >>
> >> >> TLFS 6.0b states that there are two distinct bits for input and output:
> >> >>
> >> >> CPUID Leaf 0x40000003.EDX:
> >> >> Bit 4: support for passing hypercall input via XMM registers is available.
> >> >> Bit 15: support for returning hypercall output via XMM registers is available.
> >> >>
> >> >> and HV_X64_HYPERCALL_PARAMS_XMM_AVAILABLE is not currently used
> >> >> anywhere, I'd suggest we just rename
> >> >>
> >> >> HV_X64_HYPERCALL_PARAMS_XMM_AVAILABLE to HV_X64_HYPERCALL_XMM_INPUT_AVAILABLE
> >> >> and add HV_X64_HYPERCALL_XMM_OUTPUT_AVAILABLE (bit 15).
> >> >
> >> > That is how I had it initially; but then noticed that we would never
> >> > need to use either of them separately. So it seemed like a reasonable
> >> > abstraction to put them together.
> >> >
> >>
> >> Actually, we may. In theory, KVM userspace may decide to expose just
> >> one of these two to the guest as it is not obliged to copy everything
> >> from KVM_GET_SUPPORTED_HV_CPUID so we will need separate
> >> guest_cpuid_has() checks.
> >
> > Makes sense. I'll split them and add the checks.
> >
> >> (This reminds me of something I didn't see in your series:
> >> we need to check that XMM hypercall parameters support was actually
> >> exposed to the guest as it is illegal for a guest to use it otherwise --
> >> and we will likely need two checks, for input and output).
> >
> > We observed that Windows expects Hyper-V to support XMM params even if
> > we don't advertise this feature but if userspace wants to hide this
> > feature and the guest does it anyway, then it makes sense to treat it as
> > an illegal OP.
> >
>
> Out of pure curiosity, which Windows version behaves like that? And how
> does this work with KVM without your patches?

The guest is a Windows Server 2016 on which we are trying to enable VBS
and handle it through the VSM API. When VBS is enabled on the guest, it
starts using many other (new) hypercalls and some of them don't honor
the CPUID bits (4, 15) that indicate the presence of XMM params support.

> Sane KVM userspaces will certainly expose both XMM input and output
> capabilities together but having an ability to hide one or both of them
> may come handy while debugging.
>
> Also, we weren't enforcing the rule that enlightenments not exposed to
> the guest don't work, even the whole Hyper-V emulation interface was
> available to all guests who were smart enough to know how to enable it!
> I don't like this for two reasons: security (large attack surface) and
> the fact that someone 'smart' may decide to use Hyper-V emulation
> features on KVM as 'general purpose' features saying 'they're always
> available anyway', this risks becoming an ABI.
>
> Let's at least properly check if the feature was exposed to the guest
> for all new enlightenments.

Agreed.

~ Sid.

Amazon Development Center Germany GmbH
Krausenstr. 38
10117 Berlin
Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss
Eingetragen am Amtsgericht Charlottenburg unter HRB 149173 B
Sitz: Berlin
Ust-ID: DE 289 237 879

Next message: Arnd Bergmann: "Re: [PATCH v2 16/21] ipmi: kcs_bmc: Add a "raw" character device interface"
Previous message: Herbert Xu: "Re: [PATCH] crypto: qat: Fix a double free in adf_create_ring"
In reply to: Vitaly Kuznetsov: "Re: [PATCH 4/4] KVM: hyper-v: Advertise support for fast XMM hypercalls"
Next in thread: Siddharth Chandrasekaran: "Re: [PATCH 4/4] KVM: hyper-v: Advertise support for fast XMM hypercalls"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]