On Sat, 27 Apr 2019, Xiaoyao Li wrote:
On Thu, 2019-04-25 at 09:42 +0200, Thomas Gleixner wrote:?
But the way more interesting question is why are you exposing the MSR and
the bit to the guest at all if the host has split lock detection enabled?
That does not make any sense as you basically allow the guest to switch it
off and then launch a slowdown attack. If the host has it enabled, then a
guest has to be treated like any other process and the #AC trap has to be
caught by the hypervisor which then kills the guest.
Only if the host has split lock detection disabled, then you can expose it
and allow the guest to turn it on and handle it on its own.
Indeed, if we use split lock detection for protection purpose, when host
has it enabled we should directly pass it to guest and forbid guest from
disabling it. And only when host disables split lock detection, we can
expose it and allow the guest to turn it on.
If it is used for protection purpose, then it should follow what you said and
this feature needs to be disabled by default. Because there are split lock
issues in old/current kernels and BIOS. That will cause the existing guest
booting failure and killed due to those split lock.
If it is only used for debug purpose, I think it might be OK to enable this
feature by default and make it indepedent between host and guest?
No. It does not make sense.
So I think how to handle this feature between host and guest depends on how we
use it? Once you give me a decision, I will follow it in next version.
As I said: The host kernel makes the decision.
If the host kernel has it enabled then the guest is not allowed to change
it. If the guest triggers an #AC it will be killed.
If the host kernel has it disabled then the guest can enable it for it's