Re: [PATCH v6 5/7] KVM: x86: VMX: Prevent MSR passthrough when MSR access is denied

From: Alexander Graf
Date: Wed Sep 16 2020 - 15:46:15 EST

Next message: Lukas Bulwahn: "Re: [PATCH] MAINTAINERS: mark linux-samsung-soc list non-moderated"
Previous message: Mathieu Poirier: "[PATCH 00/16] coresight: next v5.9-rc5"
Next in thread: Aaron Lewis: "Re: [PATCH v6 5/7] KVM: x86: VMX: Prevent MSR passthrough when MSR access is denied"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 04.09.20 04:18, Aaron Lewis wrote:

+/*
+ * List of MSRs that can be directly passed to the guest.
+ * In addition to these x2apic and PT MSRs are handled specially.
+ */
+static u32 vmx_possible_passthrough_msrs[MAX_POSSIBLE_PASSGHROUGH_MSRS] = {

MAX_POSSIBLE_PASSGHROUGH_MSRS should be MAX_POSSIBLE_PASSTHROUGH_MSRS

Ouch. Thanks :).

+ MSR_IA32_SPEC_CTRL,
+ MSR_IA32_PRED_CMD,
+ MSR_IA32_TSC,
+ MSR_FS_BASE,
+ MSR_GS_BASE,
+ MSR_KERNEL_GS_BASE,
+ MSR_IA32_SYSENTER_CS,
+ MSR_IA32_SYSENTER_ESP,
+ MSR_IA32_SYSENTER_EIP,
+ MSR_CORE_C1_RES,
+ MSR_CORE_C3_RESIDENCY,
+ MSR_CORE_C6_RESIDENCY,
+ MSR_CORE_C7_RESIDENCY,
+};

Is there any reason not to construct this list on the fly? That could
help prevent the list from becoming stale over time if this is missed
when calls to vmx_disable_intercept_for_msr() are added.

The problem is that we have an upper bound of elements that we can store in the bitmap. We can either make that number arbitrary and then have really awkward failure modes or be incredibly picky instead.

I went for incredibly picky. If anything goes out of sync, like when someone adds an MSR to the list without changing MAX_POSSIBLE_PASSTHROUGH_MSRS, a call to vmx_{en,dis}able_intercept_for_msr() is done on an MSR that is not part of the list, we will abort early and in the former case already through the compiler.

If you can think of a good way to construct the list dynamically and still have a working bitmap of "desired" passthrough states, I'm all ears :).

+
/*
* These 2 parameters are used to config the controls for Pause-Loop Exiting:
* ple_gap: upper bound on the amount of time between two successive
@@ -622,6 +642,41 @@ static inline bool report_flexpriority(void)
return flexpriority_enabled;
}

One thing that seems to be missing is removing MSRs from the
permission bitmap or resetting the permission bitmap to its original
state before adding changes on top of it. This would be needed on
subsequent calls to kvm_vm_ioctl_set_msr_filter(). When that happens
the original changes made by KVM_REQ_MSR_FILTER_CHANGED need to be
backed out before applying the new set.

I'm not sure I follow. Subsequent calls to set_msr_filter() will invoke the "please reset the whole MSR passthrough bitmap to a consistent state" which will then reapply the in-kvm desired state through the bitmap and filter state on top on each of those.

Alex

Amazon Development Center Germany GmbH
Krausenstr. 38
10117 Berlin
Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss
Eingetragen am Amtsgericht Charlottenburg unter HRB 149173 B
Sitz: Berlin
Ust-ID: DE 289 237 879

Next message: Lukas Bulwahn: "Re: [PATCH] MAINTAINERS: mark linux-samsung-soc list non-moderated"
Previous message: Mathieu Poirier: "[PATCH 00/16] coresight: next v5.9-rc5"
Next in thread: Aaron Lewis: "Re: [PATCH v6 5/7] KVM: x86: VMX: Prevent MSR passthrough when MSR access is denied"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]