On 10/16/2019 11:37 PM, Paolo Bonzini wrote:
On 16/10/19 16:43, Thomas Gleixner wrote:
N | #AC       | #AC enabled | SMT | Ctrl    | Guest | Action
R | available | on host     |     | exposed | #AC   |
--|-----------|-------------|-----|---------|-------|---------------------
  |           |             |     |         |       |
0 | N         | x           | x   | N       | x     | None
  |           |             |     |         |       |
1 | Y         | N           | x   | N       | x     | None

So far so good.

2 | Y         | Y           | x   | Y       | Y     | Forward to guest
3 | Y         | Y           | N   | Y       | N     | A) Store in vCPU and
  |           |             |     |         |       |    toggle on VMENTER/EXIT
  |           |             |     |         |       |
  |           |             |     |         |       | B) SIGBUS or KVM exit code

(2) is problematic for the SMT=y case, because of what happens when #AC
is disabled on the host---safe guests can start to be susceptible to
DoS.
For (3), which is the SMT=n case, the behavior is the same independent of
guest #AC.
So I would change these two lines to:

2 | Y         | Y           | Y   | N       | x     | On first guest #AC,
  |           |             |     |         |       | disable globally on host.
  |           |             |     |         |       |
3 | Y         | Y           | N   | Y       | x     | Switch MSR_TEST_CTRL on
  |           |             |     |         |       | enter/exit, plus:
  |           |             |     |         |       | A) #AC forwarded to guest.
  |           |             |     |         |       | B) SIGBUS or KVM exit code

I just want to get it confirmed that in (3), we should split into 2 cases:
a) if the host has it enabled, still apply the constraint that the guest is
forcibly enabled? So we don't switch MSR_TEST_CTL.
b) if the host has it disabled, we can switch MSR_TEST_CTL on enter/exit.