Re: [PATCH] KVM: VMX: Forbid userspace MSR filters for x2APIC

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





On 20.10.20 12:34, Paolo Bonzini wrote:

On 20/10/20 11:48, Alexander Graf wrote:

     count: 1,
     default_allow: false,
     ranges: [
         {
             flags: KVM_MSR_FILTER_READ,
             nmsrs: 1,
             base: MSR_EFER,
             bitmap: { 1 },
         },
     ],
}

That filter would set all x2apic registers to "deny", but would not be
caught by the code above. Conversely, a range that explicitly allows
x2apic ranges with default_allow=0 would be rejected by this patch.

Yes, but the idea is that x2apic registers are always allowed, even
overriding default_allow, and therefore it makes no sense to have them
in a range.  The patch is only making things fail early for userspace,
the policy is defined by Sean's patch.

I don't think we should fail on the following:

{
    default_allow: false,
    ranges: [
        {
            flags: KVM_MSR_FILTER_READ,
            nmsrs: 4096,
            base: 0,
            bitmap: { 1, 1, 1, 1, [...] },
        },
        {
            flags: KVM_MSR_FILTER_READ,
            nmsrs: 4096,
            base: 0xc0000000,
            bitmap: { 1, 1, 1, 1, [...] },
        },
    ],
}

as a way to say "everything in normal ranges is allowed, the rest please deflect". Or even just to set default policies with less ranges.

Or to say it differently: Why can't we just check explicitly after setting up all filter lists whether x2apic MSRs are *denied*? If so, clear the filter and return -EINVAL.

That still leaves the case where x2apic is not handled in-kernel, but I'm perfectly happy to ignore that one as "user space should not care" :).


Alex



Amazon Development Center Germany GmbH
Krausenstr. 38
10117 Berlin
Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss
Eingetragen am Amtsgericht Charlottenburg unter HRB 149173 B
Sitz: Berlin
Ust-ID: DE 289 237 879






[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux