On Tue, Apr 28, 2020 at 09:55:12AM +0200, Joerg Roedel wrote: > On Mon, Apr 27, 2020 at 10:37:41AM -0700, Andy Lutomirski wrote: > > I have a somewhat serious question: should we use IST for #VC at all? > > As I understand it, Rome and Naples make it mandatory for hypervisors > > to intercept #DB, which means that, due to the MOV SS mess, it's sort > > of mandatory to use IST for #VC. But Milan fixes the #DB issue, so, > > if we're running under a sufficiently sensible hypervisor, we don't > > need IST for #VC. > > The reason for #VC being IST is not only #DB, but also SEV-SNP. SNP adds > page ownership tracking between guest and host, so that the hypervisor > can't remap guest pages without the guest noticing. > > If there is a violation of ownership, which can happen at any memory > access, there will be a #VC exception to notify the guest. And as this > can happen anywhere, for example on a carefully crafted stack page set > by userspace before doing SYSCALL, the only robust choice for #VC is to > use IST. So what happens if this #VC triggers on the first access to the #VC stack, because the malicious host has craftily mucked with only the #VC IST stack page? Or on the NMI IST stack, then we get #VC in NMI before the NMI can fix you up. AFAICT all of that is non-recoverable.
