[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [PATCH v13 24/35] x86/fred: Add a NMI entry stub for FRED
- To: "H. Peter Anvin" <hpa@xxxxxxxxx>, "linux-doc@xxxxxxxxxxxxxxx" <linux-doc@xxxxxxxxxxxxxxx>, "linux-kernel@xxxxxxxxxxxxxxx" <linux-kernel@xxxxxxxxxxxxxxx>, "linux-edac@xxxxxxxxxxxxxxx" <linux-edac@xxxxxxxxxxxxxxx>, "linux-hyperv@xxxxxxxxxxxxxxx" <linux-hyperv@xxxxxxxxxxxxxxx>, "kvm@xxxxxxxxxxxxxxx" <kvm@xxxxxxxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
- From: "Li, Xin3" <xin3.li@xxxxxxxxx>
- Date: Fri, 15 Dec 2023 18:37:27 +0000
- Accept-language: en-US
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=57mVtHS5ImLBrxXuVvgmhfYm11vBOdhv05t5OuHc7xk=; b=T2EEcwutH2gvbJDCwfbX2hXRA3920YMaREhEIzG6LW6voeb+/3iJrZdff4tkp1ZBfQEywkvzRAHWf8T16q+u9yp+Q9xMrMfmvoGjD1dY1BUNoxneyWtXy9JWa805xAcHouhILrjXwgFxoed7vBqgc6kipIY+2LyBJg6KODXBB5NgRpD8UQ38onpWJQ+Qy2LrZ87dTeZhsGAsjDuAUCaebT8cnlOLKu+SzMmB9OWXvZj8r2dt75dBv1jSC02CMOQuV8st18uoWBNa+ydbVCaBFnWEzADQKHwuxi2h5Cm/pRtIPHH6UwFyE6VEh8VooIQ63kEbBX/ejemVdlnfF1BgNg==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Okneq/NGkR5c6tC+dLAZpOle37kELLiXj5W7rocoaj7El6zsbwCnZuQwADyigFoWJs5T+W9ezjxSGOhgcjb3xebodoAUtybQ4hrN2C1D3hJzqmN+rScuI1UcaznmN20XPx1DvKZFjVFL76cWCPdPqydxl6C1KDBeIP7BQJAkDzeTU+zK4Khr/LkO5D+LYq7xa0Iq8D2IEc+J0fZhCEZF71yahX32HUGGzzxvrWrusgF4qT24RYuK72owxt7KsKAAMX1JZuaimZybo4WjR4G/zNazrpj8xEjch9h5SqHE6Vm16Fp6LcyxuJVJ33d89oza1/LdhhgXDe0BDvYMj1Vo6Q==
- Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=intel.com;
- Cc: "tglx@xxxxxxxxxxxxx" <tglx@xxxxxxxxxxxxx>, "mingo@xxxxxxxxxx" <mingo@xxxxxxxxxx>, "bp@xxxxxxxxx" <bp@xxxxxxxxx>, "dave.hansen@xxxxxxxxxxxxxxx" <dave.hansen@xxxxxxxxxxxxxxx>, "x86@xxxxxxxxxx" <x86@xxxxxxxxxx>, "Lutomirski, Andy" <luto@xxxxxxxxxx>, "pbonzini@xxxxxxxxxx" <pbonzini@xxxxxxxxxx>, "seanjc@xxxxxxxxxx" <seanjc@xxxxxxxxxx>, "peterz@xxxxxxxxxxxxx" <peterz@xxxxxxxxxxxxx>, "jgross@xxxxxxxx" <jgross@xxxxxxxx>, "Shankar, Ravi V" <ravi.v.shankar@xxxxxxxxx>, "mhiramat@xxxxxxxxxx" <mhiramat@xxxxxxxxxx>, "andrew.cooper3@xxxxxxxxxx" <andrew.cooper3@xxxxxxxxxx>, "jiangshanlai@xxxxxxxxx" <jiangshanlai@xxxxxxxxx>, "nik.borisov@xxxxxxxx" <nik.borisov@xxxxxxxx>, "Kang, Shan" <shan.kang@xxxxxxxxx>
- Delivery-date: Fri, 15 Dec 2023 18:37:47 +0000
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
- Thread-index: AQHaJ21um304Ih/3wke5WdAmrxBB47Cpo3eAgAEUIxA=
- Thread-topic: [PATCH v13 24/35] x86/fred: Add a NMI entry stub for FRED
> So we have recently discovered an overlooked interaction with VT-x.
> Immediately before VMENTER and after VMEXIT, CR2 is live with the
> *guest* CR2. Regardless of if the guest uses FRED or not, this is guest
> state and SHOULD NOT be corrupted. Furthermore, host state MUST NOT leak
> into the guest.
>
> NMIs are blocked on VMEXIT if the cause was an NMI, but not for other
> reasons, so a NMI coming in during this window that then #PFs could
> corrupt the guest CR2.
I add a comment to vmx_vcpu_enter_exit() in
https://lore.kernel.org/kvm/20231108183003.5981-1-xin3.li@xxxxxxxxx/T/#m29616c02befc04305085b1cbac64df916364626a
for this.
>
> Intel is exploring ways to close this hole, but for schedule reasons, it
> will not be available at the same time as the first implementation of
> FRED. Therefore, as a workaround, it turns out that the FRED NMI stub
> *will*, unfortunately, have to save and restore CR2 after all when (at
> least) Intel KVM is in use.
>
> Note that this is airtight: it does add a performance penalty to the NMI
> path (two read CR2 in the common case of no #PF), but there is no gap
> during which a bad CR2 value could be introduced in the guest, no matter
> in which sequence the events happen.
>
> In theory the performance penalty could be further reduced by
> conditionalizing this on the NMI happening in the critical region in the
> KVM code, but it seems to be pretty far from necessary to me.
We should keep the following code in the FRED NMI handler, right?
{
...
this_cpu_write(nmi_cr2, read_cr2());
...
if (unlikely(this_cpu_read(nmi_cr2) != read_cr2()))
write_cr2(this_cpu_read(nmi_cr2));
...
}
> This obviously was an unfortunate oversight on our part, but the
> workaround is simple and doesn't affect any non-NMI paths.
>
> > +
> > + if (IS_ENABLED(CONFIG_SMP) &&
> arch_cpu_is_offline(smp_processor_id()))
> > + return;
> > +
>
> This is cut & paste from elsewhere in the NMI code, but I believe the
> IS_ENABLED() is unnecessary (not to mention ugly): smp_processor_id()
> should always return zero on UP, and arch_cpu_is_offline() reduces to
> !(cpu == 0), so this is a statically true condition on UP.
Ah, good point!
|