Re: [PATCH] KVM: VMX: Forbid userspace MSR filters for x2APIC

[Alexander Graf]

On 20.10.20 12:34, Paolo Bonzini wrote:
> On 20/10/20 11:48, Alexander Graf wrote:
> >      count: 1,
> >      default_allow: false,
> >      ranges: [
> >          {
> >              flags: KVM_MSR_FILTER_READ,
> >              nmsrs: 1,
> >              base: MSR_EFER,
> >              bitmap: { 1 },
> >          },
> >      ],
> > }
> >
> > That filter would set all x2apic registers to "deny", but would not be
> > caught by the code above. Conversely, a range that explicitly allows
> > x2apic ranges with default_allow=0 would be rejected by this patch.
>
> Yes, but the idea is that x2apic registers are always allowed, even
> overriding default_allow, and therefore it makes no sense to have them
> in a range.  The patch is only making things fail early for userspace,
> the policy is defined by Sean's patch.

I don't think we should fail on the following:

{
    default_allow: false,
    ranges: [
        {
            flags: KVM_MSR_FILTER_READ,
            nmsrs: 4096,
            base: 0,
            bitmap: { 1, 1, 1, 1, [...] },
        },
        {
            flags: KVM_MSR_FILTER_READ,
            nmsrs: 4096,
            base: 0xc0000000,
            bitmap: { 1, 1, 1, 1, [...] },
        },
    ],
}

as a way to say "everything in normal ranges is allowed, the rest please 
deflect". Or even just to set default policies with less ranges.

Or to say it differently: Why can't we just check explicitly after 
setting up all filter lists whether x2apic MSRs are *denied*? If so, 
clear the filter and return -EINVAL.

That still leaves the case where x2apic is not handled in-kernel, but 
I'm perfectly happy to ignore that one as "user space should not care" :).


Alex



Amazon Development Center Germany GmbH
Krausenstr. 38
10117 Berlin
Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss
Eingetragen am Amtsgericht Charlottenburg unter HRB 149173 B
Sitz: Berlin
Ust-ID: DE 289 237 879