Date: Wed, 13 Dec 2023 09:30:12 -0800
References: <20231016132819.1002933-1-michael.roth@amd.com> <20231016132819.1002933-4-michael.roth@amd.com>
Subject: Re: [PATCH v10 03/50] KVM: SEV: Do not intercept accesses to MSR_IA32_XSS for SEV-ES guests
From: Sean Christopherson
To: Paolo Bonzini
Cc: Michael Roth, kvm@vger.kernel.org, linux-coco@lists.linux.dev,
 linux-mm@kvack.org, linux-crypto@vger.kernel.org, x86@kernel.org,
 linux-kernel@vger.kernel.org, tglx@linutronix.de, mingo@redhat.com,
 jroedel@suse.de, thomas.lendacky@amd.com, hpa@zytor.com, ardb@kernel.org,
 vkuznets@redhat.com, jmattson@google.com, luto@kernel.org,
 dave.hansen@linux.intel.com, slp@redhat.com, pgonda@google.com,
 peterz@infradead.org, srinivas.pandruvada@linux.intel.com,
 rientjes@google.com, dovmurik@linux.ibm.com, tobin@ibm.com, bp@alien8.de,
 vbabka@suse.cz, kirill@shutemov.name, ak@linux.intel.com,
 tony.luck@intel.com, marcorr@google.com,
 sathyanarayanan.kuppuswamy@linux.intel.com, alpergun@google.com,
 jarkko@kernel.org, ashish.kalra@amd.com, nikunj.dadhania@amd.com,
 pankaj.gupta@amd.com, liam.merwick@oracle.com, zhi.a.wang@intel.com,
 Alexey Kardashevskiy

On Wed, Dec 13, 2023, Paolo Bonzini wrote:
> On 10/16/23 15:27, Michael Roth wrote:
> > Address this by disabling intercepts of MSR_IA32_XSS for SEV-ES guests
> > if the host/guest configuration allows it. If the host/guest
> > configuration doesn't allow for MSR_IA32_XSS, leave it intercepted so
> > that it can be caught by the existing checks in
> > kvm_{set,get}_msr_common() if the guest still attempts to access it.
>
> This is wrong, because it allows the guest to do untrapped writes to
> MSR_IA32_XSS and therefore (via XRSTORS) to MSRs that the host might not
> save or restore.
>
> If the processor cannot let the host validate writes to MSR_IA32_XSS,
> KVM simply cannot expose XSAVES to SEV-ES (and SEV-SNP) guests.
>
> Because SVM doesn't provide a way to disable just XSAVES in the guest,
> all that KVM can do is keep on trapping MSR_IA32_XSS (which the guest
> shouldn't read or write to). In other words the crash on accesses to
> MSR_IA32_XSS is not a bug but a feature (of the hypervisor, that
> wants/needs to protect itself just as much as the guest wants to).
>
> The bug is that there is no API to tell userspace "do not enable this
> and that CPUID for SEV guests", there is only the extremely limited
> KVM_GET_SUPPORTED_CPUID system ioctl.
>
> For now, all we can do is document our wishes, with which userspace had
> better comply. Please send a patch to QEMU that makes it obey.

Discussed this early today with Paolo at PUCK and pointed out that (a) the CPU
context switches the underlying state, (b) SVM doesn't allow intercepting *just*
XSAVES, and (c) SNP's AP creation can bypass XSS interception.

So while we all (all == KVM folks) agree that this is rather terrifying, e.g.
gives KVM zero option if there is a hardware issue, it's "fine" to let the guest
use XSAVES/XSS.

See also https://lore.kernel.org/all/ZUQvNIE9iU5TqJfw@google.com