Re: x86/bugs: KVM: Add support for SRSO_MSR_FIX, back for moar

From: Patrick Bellasi
Date: Thu May 01 2025 - 11:03:48 EST

Next message: syzbot: "[syzbot] [net?] WARNING in nsim_fib_event_nb"
Previous message: Peter Zijlstra: "Re: [PATCH RFC v3 0/8] kernel-hacking: introduce CONFIG_NO_AUTO_INLINE"
In reply to: Sean Christopherson: "Re: x86/bugs: KVM: Add support for SRSO_MSR_FIX, back for moar"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> On Wed, Apr 30, 2025 at 04:33:19PM -0700, Sean Christopherson wrote:
> > Eww. That's quite painful, and completely disallowing enable_virt_on_load is
> > undesirable, e.g. for use cases where the host is (almost) exclusively running
> > VMs.
>
> I wanted to stay generic... :-)
>
> > Best idea I have is to throw in the towel on getting fancy, and just maintain a
> > dedicated count in SVM.
> >
> > Alternatively, we could plumb an arch hook into kvm_create_vm() and kvm_destroy_vm()
> > that's called when KVM adds/deletes a VM from vm_list, and key off vm_list being
> > empty. But that adds a lot of boilerplate just to avoid a mutex+count.
>
> FWIW, that was Tom's idea.

FWIW, this could be helpful for ASI as well going forward, i.e. the set of ASI
driven mitigations could be different whether there are VMs on a system or not,
because the attack vectors are different.

So, having a first class and properly defined mechanisms to know if there are
effectively VMs running on a system would be generically convenient.

But maybe that's something we can work on later on?

Best,
Patrick

Next message: syzbot: "[syzbot] [net?] WARNING in nsim_fib_event_nb"
Previous message: Peter Zijlstra: "Re: [PATCH RFC v3 0/8] kernel-hacking: introduce CONFIG_NO_AUTO_INLINE"
In reply to: Sean Christopherson: "Re: x86/bugs: KVM: Add support for SRSO_MSR_FIX, back for moar"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]