Re: [PATCH RFC] KVM: x86: tell guests if the exposed SMT topology is trustworthy

[Peter Zijlstra]

On Wed, Nov 06, 2019 at 12:51:30AM +0100, Paolo Bonzini wrote:
> On 05/11/19 21:02, Peter Zijlstra wrote:
> > On Tue, Nov 05, 2019 at 05:17:37PM +0100, Vitaly Kuznetsov wrote:
> >> Virtualized guests may pick a different strategy to mitigate hardware
> >> vulnerabilities when it comes to hyper-threading: disable SMT completely,
> >> use core scheduling, or, for example, opt in for STIBP. Making the
> >> decision, however, requires an extra bit of information which is currently
> >> missing: does the topology the guest see match hardware or if it is 'fake'
> >> and two vCPUs which look like different cores from guest's perspective can
> >> actually be scheduled on the same physical core. Disabling SMT or doing
> >> core scheduling only makes sense when the topology is trustworthy.
> >>
> >> Add two feature bits to KVM: KVM_FEATURE_TRUSTWORTHY_SMT with the meaning
> >> that KVM_HINTS_TRUSTWORTHY_SMT bit answers the question if the exposed SMT
> >> topology is actually trustworthy. It would, of course, be possible to get
> >> away with a single bit (e.g. 'KVM_FEATURE_FAKE_SMT') and not lose backwards
> >> compatibility but the current approach looks more straightforward.
> > 
> > The only way virt topology can make any sense what so ever is if the
> > vcpus are pinned to physical CPUs.
> 
> This is a subset of the requirements for "trustworthy" SMT.  You can have:
> 
> - vCPUs pinned to two threads in the same core and exposed as multiple
> cores in the guest

Why the .... would one do anything like that?

> - vCPUs from different guests pinned to two threads in the same core
> 
> and that would be okay as far as KVM_HINTS_REALTIME is concerned, but
> would still allow exploitation of side-channels, respectively within the
> VM and between VMs.

Hardly, RT really rather would not have SMT. SMT is pretty crap for
determinism.