Re: [PATCH v8 08/11] x86/tdx: Wire up KVM hypercalls

From: Sean Christopherson
Date: Fri Nov 05 2021 - 16:59:25 EST

Next message: Peter Zijlstra: "Re: [RFC][PATCH 15/22] x86,vmx: Remove .fixup usage"
Previous message: Namhyung Kim: "[PATCH v4] perf evsel: Fix missing exclude_{host,guest} setting"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Oct 04, 2021, Kuppuswamy Sathyanarayanan wrote:
> [Isaku Yamahata: proposed KVM VENDOR string]

...

> diff --git a/arch/x86/include/asm/tdx.h b/arch/x86/include/asm/tdx.h
> index 458a564dd4c2..ebb97e082376 100644
> --- a/arch/x86/include/asm/tdx.h
> +++ b/arch/x86/include/asm/tdx.h
> @@ -6,8 +6,9 @@
> #include <linux/cpufeature.h>
> #include <linux/types.h>
>
> -#define TDX_CPUID_LEAF_ID 0x21
> -#define TDX_HYPERCALL_STANDARD 0
> +#define TDX_CPUID_LEAF_ID 0x21
> +#define TDX_HYPERCALL_STANDARD 0
> +#define TDX_HYPERCALL_VENDOR_KVM 0x4d564b2e584454 /* TDX.KVM */

...

> +#if defined(CONFIG_KVM_GUEST) && defined(CONFIG_INTEL_TDX_GUEST)
> +static inline long tdx_kvm_hypercall(unsigned int nr, unsigned long p1,
> + unsigned long p2, unsigned long p3,
> + unsigned long p4)
> +{
> + struct tdx_hypercall_output out;
> + u64 err;
> +
> + err = __tdx_hypercall(TDX_HYPERCALL_VENDOR_KVM, nr, p1, p2,
> + p3, p4, &out);

Why use a magic string? There are already mechanisms for the host to announce
itself to the guest, i.e. the guest shouldn't be attempting these hypercalls unless
it knows it's running on KVM (or something that implements KVM's ABI, whatever
that may be).

The only use case I can think of is to support multiple flavors of hypercalls in
the VMM, e.g. to let KVM support both KVM and Hyper-V hypercalls when KVM is
masquerading as Hyper-V, but this magic value alone isn't sufficient.

And if there is a future where KVM wants to support multiple sets of hypercalls,
using the entire 64-bit GPR for a magic value is unnecessary and wasteful, e.g.
it requires an overside MOV imm, reg.

Why not use a single high bit? Actually, looking at KVM's set of hypercalls,
the guest can literally pass @nr as is. The GHCI defines all non-zero values as
vendor owned, i.e. this needs to ensure only that @nr is non-zero. For whatever
reason, perhaps to avoid false positives if the guest forgets to fill the value,
KVM's hypercalls start at '1'.

Regardless of what is stuffed into r10 for the TDVMCALL, if it's anything other
than KVM's raw hypercall number, it absolutely must go into
include/uapi/linux/kvm_para.h and it should be done as a standalone commit,
because what you're proposing here is effectively committing KVM to supporting
an ABI. That is not remotely clear from the changelog.

Next message: Peter Zijlstra: "Re: [RFC][PATCH 15/22] x86,vmx: Remove .fixup usage"
Previous message: Namhyung Kim: "[PATCH v4] perf evsel: Fix missing exclude_{host,guest} setting"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]