Message ID | 20220421072958.16375-1-chenyi.qiang@intel.com (mailing list archive) |
---|---|
Series | Introduce Notify VM exit |

Kindly ping for the comments.

On 4/21/2022 3:29 PM, Chenyi Qiang wrote:
> Virtual machines can exploit Intel ISA characteristics to cause
> functional denial of service to the VMM. This series introduces a new
> feature named Notify VM exit, which can help mitigate such kind of
> attacks.
>
> Patch 1: An extension of KVM_SET_VCPU_EVENTS ioctl to inject a
> synthesized shutdown event from user space. This is also a fix for other
> synthesized triple fault, e.g. the RSM patch or nested_vmx_abort(),
> which could get lost when exit to userspace to do migrate.
>
> Patch 2: A selftest about get/set triple fault event.
>
> Patch 3: The main patch to enable Notify VM exit.
>
> ---
> Change logs:
> v5 -> v6
> - Do some changes in document.
> - Add a selftest about get/set triple fault event. (Sean)
> - extend the argument to include both the notify window and some flags
>   when enabling KVM_CAP_X86_BUS_LOCK_EXIT CAP. (Sean)
> - Change to use KVM_VCPUEVENT_VALID_TRIPE_FAULT in flags field and add
>   pending_triple_fault field in struct kvm_vcpu_events, which allows
>   userspace to make/clear triple fault request. (Sean)
> - Add a flag in kvm_x86_ops to avoid the kvm_has_notify_vmexit global
>   variable and its export. (Sean)
> - v5: https://lore.kernel.org/lkml/20220318074955.22428-1-chenyi.qiang@intel.com/
>
> v4 -> v5
> - rename KVM_VCPUEVENTS_SHUTDOWN to KVM_VCPUEVENTS_TRIPLE_FAULT. Make it
>   bidirection and add it to get_vcpu_events. (Sean)
> - v4: https://lore.kernel.org/all/20220310084001.10235-1-chenyi.qiang@intel.com/
>
> v3 -> v4
> - Change this feature to per-VM scope. (Jim)
> - Once VM_CONTEXT_INVALID set in exit_qualification, exit to user space
>   notify this fatal case, especially the notify VM exit happens in L2.
>   (Jim)
> - extend KVM_SET_VCPU_EVENTS to allow user space to inject a shutdown
>   event. (Jim)
> - A minor code changes.
> - Add document for the new KVM capability.
> - v3: https://lore.kernel.org/lkml/20220223062412.22334-1-chenyi.qiang@intel.com/
>
> v2 -> v3
> - add a vcpu state notify_window_exits to record the number of
>   occurrence as well as a pr_warn output. (Sean)
> - Add the handling in nested VM to prevent L1 bypassing the restriction
>   through launching a L2. (Sean)
> - Only kill L2 when L2 VM is context invalid, synthesize a
>   EXIT_REASON_TRIPLE_FAULT to L1 (Sean)
> - To ease the current implementation, make module parameter
>   notify_window read-only. (Sean)
> - Disable notify window exit by default.
> - v2: https://lore.kernel.org/lkml/20210525051204.1480610-1-tao3.xu@intel.com/
>
> v1 -> v2
> - Default set notify window to 0, less than 0 to disable.
> - Add more description in commit message.
> ---
>
> Chenyi Qiang (2):
>   KVM: X86: Save&restore the triple fault request
>   KVM: selftests: Add a test to get/set triple fault event
>
> Tao Xu (1):
>   KVM: VMX: Enable Notify VM exit
>
>  Documentation/virt/kvm/api.rst                | 55 +++++++++++
>  arch/x86/include/asm/kvm_host.h               |  9 ++
>  arch/x86/include/asm/vmx.h                    |  7 ++
>  arch/x86/include/asm/vmxfeatures.h            |  1 +
>  arch/x86/include/uapi/asm/kvm.h               |  4 +-
>  arch/x86/include/uapi/asm/vmx.h               |  4 +-
>  arch/x86/kvm/vmx/capabilities.h               |  6 ++
>  arch/x86/kvm/vmx/nested.c                     |  8 ++
>  arch/x86/kvm/vmx/vmx.c                        | 48 +++++++++-
>  arch/x86/kvm/x86.c                            | 33 ++++++-
>  arch/x86/kvm/x86.h                            |  5 +
>  include/uapi/linux/kvm.h                      | 10 ++
>  tools/testing/selftests/kvm/.gitignore        |  1 +
>  tools/testing/selftests/kvm/Makefile          |  1 +
>  .../kvm/x86_64/triple_fault_event_test.c      | 96 +++++++++++++++++++
>  15 files changed, 280 insertions(+), 8 deletions(-)
>  create mode 100644 tools/testing/selftests/kvm/x86_64/triple_fault_event_test.c
>

On 4/21/22 09:29, Chenyi Qiang wrote:
> Virtual machines can exploit Intel ISA characteristics to cause
> functional denial of service to the VMM. This series introduces a new
> feature named Notify VM exit, which can help mitigate such kind of
> attacks.
>
> Patch 1: An extension of KVM_SET_VCPU_EVENTS ioctl to inject a
> synthesized shutdown event from user space. This is also a fix for other
> synthesized triple fault, e.g. the RSM patch or nested_vmx_abort(),
> which could get lost when exit to userspace to do migrate.
>
> Patch 2: A selftest about get/set triple fault event.
>
> Patch 3: The main patch to enable Notify VM exit.

Chenyi, can you send v7 for inclusion?

Paolo

> ---
> Change logs:
> v5 -> v6
> - Do some changes in document.
> - Add a selftest about get/set triple fault event. (Sean)
> - extend the argument to include both the notify window and some flags
>   when enabling KVM_CAP_X86_BUS_LOCK_EXIT CAP. (Sean)
> - Change to use KVM_VCPUEVENT_VALID_TRIPE_FAULT in flags field and add
>   pending_triple_fault field in struct kvm_vcpu_events, which allows
>   userspace to make/clear triple fault request. (Sean)
> - Add a flag in kvm_x86_ops to avoid the kvm_has_notify_vmexit global
>   variable and its export. (Sean)
> - v5: https://lore.kernel.org/lkml/20220318074955.22428-1-chenyi.qiang@intel.com/
>
> v4 -> v5
> - rename KVM_VCPUEVENTS_SHUTDOWN to KVM_VCPUEVENTS_TRIPLE_FAULT. Make it
>   bidirection and add it to get_vcpu_events. (Sean)
> - v4: https://lore.kernel.org/all/20220310084001.10235-1-chenyi.qiang@intel.com/
>
> v3 -> v4
> - Change this feature to per-VM scope. (Jim)
> - Once VM_CONTEXT_INVALID set in exit_qualification, exit to user space
>   notify this fatal case, especially the notify VM exit happens in L2.
>   (Jim)
> - extend KVM_SET_VCPU_EVENTS to allow user space to inject a shutdown
>   event. (Jim)
> - A minor code changes.
> - Add document for the new KVM capability.
> - v3: https://lore.kernel.org/lkml/20220223062412.22334-1-chenyi.qiang@intel.com/
>
> v2 -> v3
> - add a vcpu state notify_window_exits to record the number of
>   occurrence as well as a pr_warn output. (Sean)
> - Add the handling in nested VM to prevent L1 bypassing the restriction
>   through launching a L2. (Sean)
> - Only kill L2 when L2 VM is context invalid, synthesize a
>   EXIT_REASON_TRIPLE_FAULT to L1 (Sean)
> - To ease the current implementation, make module parameter
>   notify_window read-only. (Sean)
> - Disable notify window exit by default.
> - v2: https://lore.kernel.org/lkml/20210525051204.1480610-1-tao3.xu@intel.com/
>
> v1 -> v2
> - Default set notify window to 0, less than 0 to disable.
> - Add more description in commit message.
> ---
>
> Chenyi Qiang (2):
>   KVM: X86: Save&restore the triple fault request
>   KVM: selftests: Add a test to get/set triple fault event
>
> Tao Xu (1):
>   KVM: VMX: Enable Notify VM exit
>
>  Documentation/virt/kvm/api.rst                | 55 +++++++++++
>  arch/x86/include/asm/kvm_host.h               |  9 ++
>  arch/x86/include/asm/vmx.h                    |  7 ++
>  arch/x86/include/asm/vmxfeatures.h            |  1 +
>  arch/x86/include/uapi/asm/kvm.h               |  4 +-
>  arch/x86/include/uapi/asm/vmx.h               |  4 +-
>  arch/x86/kvm/vmx/capabilities.h               |  6 ++
>  arch/x86/kvm/vmx/nested.c                     |  8 ++
>  arch/x86/kvm/vmx/vmx.c                        | 48 +++++++++-
>  arch/x86/kvm/x86.c                            | 33 ++++++-
>  arch/x86/kvm/x86.h                            |  5 +
>  include/uapi/linux/kvm.h                      | 10 ++
>  tools/testing/selftests/kvm/.gitignore        |  1 +
>  tools/testing/selftests/kvm/Makefile          |  1 +
>  .../kvm/x86_64/triple_fault_event_test.c      | 96 +++++++++++++++++++
>  15 files changed, 280 insertions(+), 8 deletions(-)
>  create mode 100644 tools/testing/selftests/kvm/x86_64/triple_fault_event_test.c
>

On 5/24/2022 3:30 AM, Paolo Bonzini wrote:
> On 4/21/22 09:29, Chenyi Qiang wrote:
>> Virtual machines can exploit Intel ISA characteristics to cause
>> functional denial of service to the VMM. This series introduces a new
>> feature named Notify VM exit, which can help mitigate such kind of
>> attacks.
>>
>> Patch 1: An extension of KVM_SET_VCPU_EVENTS ioctl to inject a
>> synthesized shutdown event from user space. This is also a fix for other
>> synthesized triple fault, e.g. the RSM patch or nested_vmx_abort(),
>> which could get lost when exit to userspace to do migrate.
>>
>> Patch 2: A selftest about get/set triple fault event.
>>
>> Patch 3: The main patch to enable Notify VM exit.
>
> Chenyi, can you send v7 for inclusion?
>
> Paolo
>

Hi Paolo

v7 is sent out at
https://lore.kernel.org/lkml/20220524135624.22988-1-chenyi.qiang@intel.com/

>> ---
>> Change logs:
>> v5 -> v6
>> - Do some changes in document.
>> - Add a selftest about get/set triple fault event. (Sean)
>> - extend the argument to include both the notify window and some flags
>>   when enabling KVM_CAP_X86_BUS_LOCK_EXIT CAP. (Sean)
>> - Change to use KVM_VCPUEVENT_VALID_TRIPE_FAULT in flags field and add
>>   pending_triple_fault field in struct kvm_vcpu_events, which allows
>>   userspace to make/clear triple fault request. (Sean)
>> - Add a flag in kvm_x86_ops to avoid the kvm_has_notify_vmexit global
>>   variable and its export. (Sean)
>> - v5:
>> https://lore.kernel.org/lkml/20220318074955.22428-1-chenyi.qiang@intel.com/
>>
>>
>> v4 -> v5
>> - rename KVM_VCPUEVENTS_SHUTDOWN to KVM_VCPUEVENTS_TRIPLE_FAULT. Make it
>>   bidirection and add it to get_vcpu_events. (Sean)
>> - v4:
>> https://lore.kernel.org/all/20220310084001.10235-1-chenyi.qiang@intel.com/
>>
>>
>> v3 -> v4
>> - Change this feature to per-VM scope. (Jim)
>> - Once VM_CONTEXT_INVALID set in exit_qualification, exit to user space
>>   notify this fatal case, especially the notify VM exit happens in L2.
>>   (Jim)
>> - extend KVM_SET_VCPU_EVENTS to allow user space to inject a shutdown
>>   event. (Jim)
>> - A minor code changes.
>> - Add document for the new KVM capability.
>> - v3:
>> https://lore.kernel.org/lkml/20220223062412.22334-1-chenyi.qiang@intel.com/
>>
>>
>> v2 -> v3
>> - add a vcpu state notify_window_exits to record the number of
>>   occurrence as well as a pr_warn output. (Sean)
>> - Add the handling in nested VM to prevent L1 bypassing the restriction
>>   through launching a L2. (Sean)
>> - Only kill L2 when L2 VM is context invalid, synthesize a
>>   EXIT_REASON_TRIPLE_FAULT to L1 (Sean)
>> - To ease the current implementation, make module parameter
>>   notify_window read-only. (Sean)
>> - Disable notify window exit by default.
>> - v2:
>> https://lore.kernel.org/lkml/20210525051204.1480610-1-tao3.xu@intel.com/
>>
>> v1 -> v2
>> - Default set notify window to 0, less than 0 to disable.
>> - Add more description in commit message.
>> ---
>>
>> Chenyi Qiang (2):
>>   KVM: X86: Save&restore the triple fault request
>>   KVM: selftests: Add a test to get/set triple fault event
>>
>> Tao Xu (1):
>>   KVM: VMX: Enable Notify VM exit
>>
>>  Documentation/virt/kvm/api.rst                | 55 +++++++++++
>>  arch/x86/include/asm/kvm_host.h               |  9 ++
>>  arch/x86/include/asm/vmx.h                    |  7 ++
>>  arch/x86/include/asm/vmxfeatures.h            |  1 +
>>  arch/x86/include/uapi/asm/kvm.h               |  4 +-
>>  arch/x86/include/uapi/asm/vmx.h               |  4 +-
>>  arch/x86/kvm/vmx/capabilities.h               |  6 ++
>>  arch/x86/kvm/vmx/nested.c                     |  8 ++
>>  arch/x86/kvm/vmx/vmx.c                        | 48 +++++++++-
>>  arch/x86/kvm/x86.c                            | 33 ++++++-
>>  arch/x86/kvm/x86.h                            |  5 +
>>  include/uapi/linux/kvm.h                      | 10 ++
>>  tools/testing/selftests/kvm/.gitignore        |  1 +
>>  tools/testing/selftests/kvm/Makefile          |  1 +
>>  .../kvm/x86_64/triple_fault_event_test.c      | 96 +++++++++++++++++++
>>  15 files changed, 280 insertions(+), 8 deletions(-)
>>  create mode 100644
>> tools/testing/selftests/kvm/x86_64/triple_fault_event_test.c
>>
>