Re: [PATCH v9 09/17] x86/split_lock: Handle #AC exception for split lock

From: Paolo Bonzini
Date: Wed Oct 16 2019 - 06:16:49 EST

Next message: Ben Dooks (Codethink): "[PATCH] fs/direct-io: include internal.h for sb_init_dio_done_wq"
Previous message: Lorenzo Pieralisi: "Re: [PATCH v2 1/6] dt-bindings: pci: Update iProc PCI binding for INTx support"
In reply to: Thomas Gleixner: "Re: [PATCH v9 09/17] x86/split_lock: Handle #AC exception for split lock"
Next in thread: Xiaoyao Li: "Re: [PATCH v9 09/17] x86/split_lock: Handle #AC exception for split lock"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 16/10/19 11:47, Thomas Gleixner wrote:
> On Wed, 16 Oct 2019, Paolo Bonzini wrote:
>> Just never advertise split-lock
>> detection to guests. If the host has enabled split-lock detection,
>> trap #AC and forward it to the host handler---which would disable
>> split lock detection globally and reenter the guest.
>
> Which completely defeats the purpose.

Yes it does. But Sean's proposal, as I understand it, leads to the
guest receiving #AC when it wasn't expecting one. So for an old guest,
as soon as the guest kernel happens to do a split lock, it gets an
unexpected #AC and crashes and burns. And then, after much googling and
gnashing of teeth, people proceed to disable split lock detection.

(Old guests are the common case: you're a cloud provider and your
customers run old stuff; it's a workstation and you want to play that
game that requires an old version of Windows; etc.).

To save them the googling and gnashing of teeth, I guess we can do a
pr_warn_ratelimited on the first split lock encountered by a guest. (It
has to be ratelimited because userspace could create an arbitrary amount
of guests to spam the kernel logs). But the end result is the same,
split lock detection is disabled by the user.

The first alternative I thought of was:

- Remove KVM loading of MSR_TEST_CTRL, i.e. KVM *never* writes the CPU's
actual MSR_TEST_CTRL. KVM still emulates MSR_TEST_CTRL so that the
guest can do WRMSR and handle its own #AC faults, but KVM doesn't
change the value in hardware.

- trap #AC if the guest encounters a split lock while detection is
disabled, and then disable split-lock detection in the host.

But I discarded it because it still doesn't do anything for malicious
guests, which can trigger #AC as they prefer. And it makes things
_worse_ for sane guests, because they think split-lock detection is
enabled but they become vulnerable as soon as there is only one
malicious guest on the same machine.

In all of these cases, the common final result is that split-lock
detection is disabled on the host. So might as well go with the
simplest one and not pretend to virtualize something that (without core
scheduling) is obviously not virtualizable.

Thanks,

Paolo

> 1) Sane guest
>
> Guest kernel has #AC handler and you basically prevent it from
> detecting malicious user space and killing it. You also prevent #AC
> detection in the guest kernel which limits debugability.
>
> 2) Malicious guest
>
> Trigger #AC to disable the host detection and then carry out the DoS
> attack.

Next message: Ben Dooks (Codethink): "[PATCH] fs/direct-io: include internal.h for sb_init_dio_done_wq"
Previous message: Lorenzo Pieralisi: "Re: [PATCH v2 1/6] dt-bindings: pci: Update iProc PCI binding for INTx support"
In reply to: Thomas Gleixner: "Re: [PATCH v9 09/17] x86/split_lock: Handle #AC exception for split lock"
Next in thread: Xiaoyao Li: "Re: [PATCH v9 09/17] x86/split_lock: Handle #AC exception for split lock"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]