Re: [RFC PATCH v2 02/11] KVM: x86: Advertise CPUID.7.2.EDX and RRSBA_CTRL support

From: Xiaoyao Li
Date: Thu May 18 2023 - 05:50:30 EST

Next message: Jonathan Cameron: "Re: [PATCH 3/3] tools/testing/cxl: Document test configurations"
Previous message: Konrad Dybcio: "Re: [PATCH] mmc: sdhci-msm: Disable broken 64-bit DMA on MSM8916"
In reply to: Chao Gao: "Re: [RFC PATCH v2 02/11] KVM: x86: Advertise CPUID.7.2.EDX and RRSBA_CTRL support"
Next in thread: Chao Gao: "Re: [RFC PATCH v2 02/11] KVM: x86: Advertise CPUID.7.2.EDX and RRSBA_CTRL support"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 5/16/2023 5:09 PM, Chao Gao wrote:

On Tue, May 16, 2023 at 03:03:15PM +0800, Xiaoyao Li wrote:

On 5/16/2023 11:01 AM, Chao Gao wrote:

On Tue, May 16, 2023 at 10:22:22AM +0800, Xiaoyao Li wrote:

I think we need to fix this bug at first.

I have no idea how to fix the "bug" without intercepting the MSR. The
performance penalty makes me think intercepting the MSR is not a viable
solution.

I thought correctness always takes higher priority over performance.

It is generally true. however, there are situations where we should make
trade-offs between correctness and other factors (like performance):

E.g., instructions without control bits, to be 100% compliant with CPU
spec, in theory, VMMs can trap/decode every instruction and inject #UD
if a guest tries to use some instructions it shouldn't.

This is the virtualization hole. IMHO, they are different things.

what are the differences between?
1. Executing some unsupported instructions should cause #UD. But this is allowed
in a KVM guest.
2. Setting some reserved bits in SPEC_CTRL MSR should cause #GP. But this is
allowed in a KVM guest.

The difference is that for virtualization hole, there is no way but intercept and decode every instruction if we want the correctness. It's a disaster.

But for MSR virtualization, we do have an option and we don't need to trap every instruction. MSR interception is the designated mechanism to correctly and elegantly virtualize the MSR.

Pass through MSR_IA32_SPEC_CTRL was introduced in commit d28b387fb74d
("KVM/VMX: Allow direct access to MSR_IA32_SPEC_CTRL"). At that time there
was only a few bits defined, and the changelog called out that

No attempt is made to handle STIBP here, intentionally. Filtering
STIBP may be added in a future patch, which may require trapping all
writes if we don't want to pass it through directly to the guest.

Per my undesrstanding, it implied that we need to re-visit it when more bits
added instead of following the pass-through design siliently.

I don't object to re-visiting the design. My point is that to prevent guests from
setting RRSBA_CTRL/BHI_CTRL when they are not advertised isn't a strong
justfication for intercepting the MSR. STIBP and other bits (except IBRS) have
the same problem. And the gain of fixing this is too small.

If passing through the SPEC_CTRL MSR to guests might cause security issues, I
would agree to intercept accesses to the MSR.

I never buy it. How to interpret the security? If the user wants to hide one feature from guest but KVM allows it when KVM does have a reasonable way to hide it. Does it violate the security?

Next message: Jonathan Cameron: "Re: [PATCH 3/3] tools/testing/cxl: Document test configurations"
Previous message: Konrad Dybcio: "Re: [PATCH] mmc: sdhci-msm: Disable broken 64-bit DMA on MSM8916"
In reply to: Chao Gao: "Re: [RFC PATCH v2 02/11] KVM: x86: Advertise CPUID.7.2.EDX and RRSBA_CTRL support"
Next in thread: Chao Gao: "Re: [RFC PATCH v2 02/11] KVM: x86: Advertise CPUID.7.2.EDX and RRSBA_CTRL support"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]