On 4/24/20 2:27 PM, Tom Lendacky wrote: > On 4/24/20 4:24 PM, Dave Hansen wrote: >> On 4/24/20 2:03 PM, Mike Stunes wrote: >>> I needed to allow RDTSC(P) from userspace and in early boot in order to >>> get userspace started properly. Patch below. >>> >>> --- >>> SEV-ES guests will need to execute rdtsc and rdtscp from userspace and >>> during early boot. Move the rdtsc(p) #VC handler into common code and >>> extend the #VC handlers. >> >> Do SEV-ES guests _always_ #VC on rdtsc(p)? > > Only if the hypervisor is intercepting those instructions. Ahh, so any instruction that can have an instruction intercept set potentially needs to be able to tolerate a #VC? Those instruction intercepts are under the control of the (untrusted relative to the guest) hypervisor, right? >From the main sev-es series: +#ifdef CONFIG_AMD_MEM_ENCRYPT +idtentry vmm_communication do_vmm_communication has_error_code=1 +#endif Since this is set as non-paranoid, that both limits the instructions that can be used in entry paths *and* limits the future architecture from being able add instructions that a current SEV-ES guest doesn't know about. Does SEV-ES have versioning so guests can tell if they might be subject to new interrupt intercepts for which they are not prepared? I didn't see anything obvious in section 15.35 of the manual. There's also a nugget in the manual that says: > Similarly, the hypervisor should avoid setting intercept bits for > events that would occur in the #VC handler (such as IRET). That's a fun point because it means that the (untrusted) hypervisor can cause endless faults. I *guess* we have mitigation for this with our stack guard pages, but it's still a bit nasty that the hypervisor can arbitrarily land a guest in the double-fault handler. It just all seems a bit weak for the hypervisor to be considered untrusted. But, it's _certainly_ a steep in the right direction from SEV.
