On 20/10/20 12:52, Alexander Graf wrote:
>>
>> Yes, but the idea is that x2apic registers are always allowed, even
>> overriding default_allow, and therefore it makes no sense to have them
>> in a range. The patch is only making things fail early for userspace,
>> the policy is defined by Sean's patch.
>
> I don't think we should fail on the following:
>
> {
> default_allow: false,
> ranges: [
> {
> flags: KVM_MSR_FILTER_READ,
> nmsrs: 4096,
> base: 0,
> bitmap: { 1, 1, 1, 1, [...] },
> },
> {
> flags: KVM_MSR_FILTER_READ,
> nmsrs: 4096,
> base: 0xc0000000,
> bitmap: { 1, 1, 1, 1, [...] },
> },
> ],
> }
>
> as a way to say "everything in normal ranges is allowed, the rest please
> deflect". Or even just to set default policies with less ranges.
>
> Or to say it differently: Why can't we just check explicitly after
> setting up all filter lists whether x2apic MSRs are *denied*? If so,
> clear the filter and return -EINVAL.
Hmm, if you start looking at the bitmaps setting up default-deny
policies correctly is almost impossible :/ because you'd have to ensure
that you have at least one range covering the x2apic MSRs. I'll just
document that x2APIC MSRs ignore the filter.
Paolo
