On 3/3/25 02:30, Yan Zhao wrote:
kvm->arch.has_protected_state = true;
kvm->arch.has_private_mem = true;
+ kvm->arch.disabled_quirks |= KVM_X86_QUIRK_EPT_IGNORE_GUEST_PAT;
Though the quirk is disabled by default in KVM in tdx_vm_init() for TDs, the
kvm->arch.disabled_quirks can be overwritten by a userspace specified value in
kvm_vm_ioctl_enable_cap().
"kvm->arch.disabled_quirks = cap->args[0] & kvm_caps.supported_quirks;"
So, when an old userspace tries to disable other quirks on this new KVM, it may
accidentally turn KVM_X86_QUIRK_EPT_IGNORE_GUEST_PAT into enabled for TDs, which
would cause SEPT being zapped when (de)attaching non-coherent devices.
Yeah, sorry about that - Xiaoyao also pointed it out and I should have
noticed it---or marked the patches as RFC which they were.
Could we force KVM_X86_QUIRK_EPT_IGNORE_GUEST_PAT to be disabled for TDs?
e.g.
tdx_vm_init
kvm->arch.always_disabled_quirks |= KVM_X86_QUIRK_EPT_IGNORE_GUEST_PAT;
static inline bool kvm_check_has_quirk(struct kvm *kvm, u64 quirk)
{
WARN_ON_ONCE(kvm->arch.always_disabled_quirk & kvm_caps.force_enabled_quirks);
u64 disabled_quirks = kvm->arch.always_disabled_quirk | kvm->arch.disabled_quirks;
return !(disabled_quirks & quirk) |
(kvm_caps.force_enabled_quirks & quirk);
}
We can change KVM_ENABLE_CAP(KVM_X86_DISABLE_QUIRKS), as well as
QUIRKS2, to use "|=" instead of "=".
While this is technically a change in the API, the current
implementation is just awful and I hope that no one is relying on it!
This way, the "always_disabled_quirks" are not needed.
If the "|=" idea doesn't work out I agree that
kvm->arch.always_disabled_quirk is needed.
Sending v3 shortly...
Paolo
