Re: [RFC PATCH v2 24/69] KVM: x86: Introduce "protected guest" concept and block disallowed ioctls

From: Xiaoyao Li
Date: Tue Nov 09 2021 - 20:46:01 EST


On 11/10/2021 1:15 AM, Paolo Bonzini wrote:
> On 11/9/21 14:37, Xiaoyao Li wrote:
>>
>> Tom,
>>
>> I think what you did in this commit is not so correct. It just silently ignores the ioctls instead of returning an error to userspace to tell this IOCTL is not invalid to this VM. E.g., for kvm_arch_vcpu_ioctl_get_fpu(), QEMU just gets it successful with fpu being all zeros.
>
> Yes, it's a "cop out" that removes the need for more complex changes in QEMU.
>
> I think for the get/set registers ioctls KVM_GET/SET_{REGS,SREGS,FPU,XSAVE,XCRS} we need to consider SEV-ES backwards compatibility.  This means, at least for now, only apply the restriction to TDX (using a bool-returning function, see the review for 28/69).
>
> For SMM, MCE, vCPU events and for kvm_valid/dirty_regs, it can be done as in this patch.


Thank you Paolo,

I will go with this direction.