On Thu, Oct 06, 2022, Kalra, Ashish wrote:
> For the MMU invalidation notifiers we are going to make two changes
> currently:
>
> 1). Use clflush/clflushopt instead of wbinvd_on_all_cpus() for range <= 2MB.

IMO, this isn't worth pursuing, to the point where I might object to this
code being added upstream. Avoiding WBINVD for the mmu_notifiers doesn't
prevent a malicious userspace from using SEV-induced WBINVD to effectively
DoS the host, e.g. userspace can simply ADD+DELETE memslots, or mprotect()
chunks > 2mb.

Using clflushopt also effectively puts a requirement on mm/ that the
notifiers be invoked _before_ PTEs are modified in the primary MMU,
otherwise KVM may not be able to resolve the VA=>PFN, or even worse,
resolve the wrong PFN.

And no sane VMM should be modifying userspace mappings that cover SEV guest
memory at any reasonable rate.

In other words, switching to CLFLUSHOPT for SEV+SEV-ES VMs is effectively a
band-aid for the NUMA balancing issue.

A far better solution for NUMA balancing would be to pursue a fix for the
underlying problem, e.g. disable NUMA balancing entirely for SEV/SEV-ES VMs.
That might already be doable from userspace by manipulating memory policy,
and if not there's a WIP patch[*] that would make it trivial for the
userspace VMM to disable NUMA balancing.

As for guarding against DoS, /dev/sev should really be locked down so that
only sufficiently privileged users can create SEV VMs.

[*] https://lore.kernel.org/all/20220929064359.46932-1-ligang.bdlg@xxxxxxxxxxxxx
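
The /dev/sev lockdown suggested in the message above can be verified with a small permission audit. This is an added example, not part of the original email or of any kernel or VMM code; the function name `audit_sev_node` and the allowed-group policy are assumptions, and it relies on GNU `stat`.

```shell
#!/bin/sh
# Added example (not from the thread): audit access to the SEV device node.
# Return codes: 0 = locked down, 1 = too permissive, 2 = node missing.
# The allowed group is site policy and an assumption of this example.
audit_sev_node() {
    node="${1:-/dev/sev}"
    allowed_group="${2:-root}"

    if [ ! -e "$node" ]; then
        echo "missing: $node"
        return 2
    fi

    # GNU stat: octal mode, owning user, owning group.
    mode=$(stat -c '%a' "$node")
    owner=$(stat -c '%U' "$node")
    group=$(stat -c '%G' "$node")
    other_bits=$((mode % 10))
    group_bits=$(( (mode / 10) % 10 ))
    rc=0

    # Any "other" access lets every local user open the node.
    if [ "$other_bits" -ne 0 ]; then
        echo "FAIL: $node mode $mode grants access to all users"
        rc=1
    fi

    # Group access is acceptable only for the group the site designates.
    if [ "$group_bits" -ne 0 ] && [ "$group" != "$allowed_group" ]; then
        echo "FAIL: $node mode $mode grants access to group '$group'," \
             "expected '$allowed_group'"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $node is $mode $owner:$group"
    return "$rc"
}

# Usage: audit_sev_node /dev/sev <group-permitted-to-launch-SEV-guests>
```

A non-zero result means the node's mode or group should be tightened (for example through the distribution's device-permission rules) before unprivileged users share the host.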