Re: GET_RNG_SEED hypercall ABI? (Re: [PATCH v5 0/5] random,x86,kvm: Rework arch RNG seeds and get some from kvm)
Il 29/08/2014 02:13, Andy Lutomirski ha scritto: Hmm. Then, assuming that someone manages to allocate a cross-hypervisor MSR number for this, what am I supposed to do in the KVM code? Just make it available unconditionally? I don't see why that wouldn't work reliably, but it seems like an odd design. The odd part of it is what Gleb mentioned. Also, the one and only native feature flag I tested (rdtscp) actually does work: RDTSCP seems to send #UD if QEMU is passed -cpu host,-rdtscp. True, and I'm not sure why. There are a couple others. I was thinking more of things like SSE, AVX or DE (that affects the availability of a bit in CR4). Paolo -- To unsubscribe from this list: send the line unsubscribe kvm in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: GET_RNG_SEED hypercall ABI? (Re: [PATCH v5 0/5] random,x86,kvm: Rework arch RNG seeds and get some from kvm)
On Tue, Aug 26, 2014 at 04:58:34PM -0700, Andy Lutomirski wrote: hpa pointed out that the ABI that I chose (an MSR from the KVM range and a KVM cpuid bit) is unnecessarily KVM-specific. It would be nice to allocate an MSR that everyone involved can agree on and, rather than relying on a cpuid bit, just have the guest probe for the MSR. CPUID part allows feature to be disabled for machine compatibility purpose during migration. Of course interface can explicitly state that one successful use of the MSR does not mean that next use will not result in a #GP, but that doesn't sound very elegant and is different from any other MSR out there. -- Gleb. -- To unsubscribe from this list: send the line unsubscribe kvm in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: GET_RNG_SEED hypercall ABI? (Re: [PATCH v5 0/5] random,x86,kvm: Rework arch RNG seeds and get some from kvm)
On Aug 28, 2014 7:17 AM, Gleb Natapov g...@kernel.org wrote: On Tue, Aug 26, 2014 at 04:58:34PM -0700, Andy Lutomirski wrote: hpa pointed out that the ABI that I chose (an MSR from the KVM range and a KVM cpuid bit) is unnecessarily KVM-specific. It would be nice to allocate an MSR that everyone involved can agree on and, rather than relying on a cpuid bit, just have the guest probe for the MSR. CPUID part allows feature to be disabled for machine compatibility purpose during migration. Of course interface can explicitly state that one successful use of the MSR does not mean that next use will not result in a #GP, but that doesn't sound very elegant and is different from any other MSR out there. Is there a non-cpuid interface between QEMU and KVM for this? AFAICT, even turning off cpuid bits for things like async pf doesn't actually disable the MSRs (which is arguably an attack surface issue). --Andy -- Gleb. -- To unsubscribe from this list: send the line unsubscribe kvm in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: GET_RNG_SEED hypercall ABI? (Re: [PATCH v5 0/5] random,x86,kvm: Rework arch RNG seeds and get some from kvm)
Il 28/08/2014 18:22, Andy Lutomirski ha scritto: Is there a non-cpuid interface between QEMU and KVM for this? No. AFAICT, even turning off cpuid bits for things like async pf doesn't actually disable the MSRs (which is arguably an attack surface issue). No, it doesn't. You cannot disable instructions even if you hide CPUID bits, so KVM just extends this to MSRs (both native and paravirtual). It sometimes helps too, for example with a particular guest OS that does not necessary check CPUID for bits that are always present on Apple hardware... Paolo -- To unsubscribe from this list: send the line unsubscribe kvm in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: GET_RNG_SEED hypercall ABI? (Re: [PATCH v5 0/5] random,x86,kvm: Rework arch RNG seeds and get some from kvm)
On Thu, Aug 28, 2014 at 12:46 PM, Paolo Bonzini pbonz...@redhat.com wrote: Il 28/08/2014 18:22, Andy Lutomirski ha scritto: Is there a non-cpuid interface between QEMU and KVM for this? No. Hmm. Then, assuming that someone manages to allocate a cross-hypervisor MSR number for this, what am I supposed to do in the KVM code? Just make it available unconditionally? I don't see why that wouldn't work reliably, but it seems like an odd design. AFAICT, even turning off cpuid bits for things like async pf doesn't actually disable the MSRs (which is arguably an attack surface issue). No, it doesn't. You cannot disable instructions even if you hide CPUID bits, so KVM just extends this to MSRs (both native and paravirtual). It sometimes helps too, for example with a particular guest OS that does not necessary check CPUID for bits that are always present on Apple hardware... But I bet that no one assumes that KVM paravirt MSRs are available even if the feature bit isn't set. Also, the one and only native feature flag I tested (rdtscp) actually does work: RDTSCP seems to send #UD if QEMU is passed -cpu host,-rdtscp. --Andy -- To unsubscribe from this list: send the line unsubscribe kvm in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: GET_RNG_SEED hypercall ABI? (Re: [PATCH v5 0/5] random,x86,kvm: Rework arch RNG seeds and get some from kvm)
Il 27/08/2014 01:58, Andy Lutomirski ha scritto: hpa pointed out that the ABI that I chose (an MSR from the KVM range and a KVM cpuid bit) is unnecessarily KVM-specific. It would be nice to allocate an MSR that everyone involved can agree on and, rather than relying on a cpuid bit, just have the guest probe for the MSR. This leads to a few questions: 1. How do we allocate an MSR? (For background, this would be an MSR that either returns 64 bits of best-effort cryptographically secure random data or fails with #GP.) Ask Intel? :) 2. For KVM, what's the right way to allow QEMU to turn the feature on and off? Is this even necessary? KVM currently doesn't seem to allow QEMU to turn any of its MSRs off; it just allows QEMU to ask it to stop advertising support. Note that QEMU is not involved in the implementation of your feature, only in advertising it. You could look at CPUID at runtime, but that would mean teaching KVM to look for the KVMKVMKVM\0\0\0 signature in the CPUID data supplied by userspace. I don't think this is particularly useful. 3. QEMU people, can you please fix your RDMSR emulation to send #GP on failure? I can work around it for this MSR in the Linux code, but for Pete's sake... :( Sure, I will look at it. Though I expect it was done because of MSRs that are missing in QEMU (similar to how Linux doesn't #GP if compiled with pvops). Paolo -- To unsubscribe from this list: send the line unsubscribe kvm in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: GET_RNG_SEED hypercall ABI? (Re: [PATCH v5 0/5] random,x86,kvm: Rework arch RNG seeds and get some from kvm)
On 08/27/2014 12:00 AM, Paolo Bonzini wrote: Il 27/08/2014 01:58, Andy Lutomirski ha scritto: hpa pointed out that the ABI that I chose (an MSR from the KVM range and a KVM cpuid bit) is unnecessarily KVM-specific. It would be nice to allocate an MSR that everyone involved can agree on and, rather than relying on a cpuid bit, just have the guest probe for the MSR. This leads to a few questions: 1. How do we allocate an MSR? (For background, this would be an MSR that either returns 64 bits of best-effort cryptographically secure random data or fails with #GP.) Ask Intel? :) I'm going to poke around internally. Intel might as a matter of policy be reluctant to assign an MSR index specifically for software use, but I'll try to find out. -hpa -- To unsubscribe from this list: send the line unsubscribe kvm in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
GET_RNG_SEED hypercall ABI? (Re: [PATCH v5 0/5] random,x86,kvm: Rework arch RNG seeds and get some from kvm)
hpa pointed out that the ABI that I chose (an MSR from the KVM range and a KVM cpuid bit) is unnecessarily KVM-specific. It would be nice to allocate an MSR that everyone involved can agree on and, rather than relying on a cpuid bit, just have the guest probe for the MSR. This leads to a few questions: 1. How do we allocate an MSR? (For background, this would be an MSR that either returns 64 bits of best-effort cryptographically secure random data or fails with #GP.) 2. For KVM, what's the right way to allow QEMU to turn the feature on and off? Is this even necessary? KVM currently doesn't seem to allow QEMU to turn any of its MSRs off; it just allows QEMU to ask it to stop advertising support. 3. QEMU people, can you please fix your RDMSR emulation to send #GP on failure? I can work around it for this MSR in the Linux code, but for Pete's sake... :( Thanks, Andy -- To unsubscribe from this list: send the line unsubscribe kvm in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html