diff mbox series

[v13,24/35] x86/fred: Add a NMI entry stub for FRED

Message ID	20231205105030.8698-25-xin3.li@intel.com
State	New
Headers	Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:2 as permitted sender) client-ip=2620:137:e000::3:2; From: Xin Li <xin3.li@intel.com> To: linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-edac@vger.kernel.org, linux-hyperv@vger.kernel.org, kvm@vger.kernel.org, xen-devel@lists.xenproject.org Cc: tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, x86@kernel.org, hpa@zytor.com, luto@kernel.org, pbonzini@redhat.com, seanjc@google.com, peterz@infradead.org, jgross@suse.com, ravi.v.shankar@intel.com, mhiramat@kernel.org, andrew.cooper3@citrix.com, jiangshanlai@gmail.com, nik.borisov@suse.com, shan.kang@intel.com Subject: [PATCH v13 24/35] x86/fred: Add a NMI entry stub for FRED Date: Tue, 5 Dec 2023 02:50:13 -0800 Message-ID: <20231205105030.8698-25-xin3.li@intel.com> In-Reply-To: <20231205105030.8698-1-xin3.li@intel.com> References: <20231205105030.8698-1-xin3.li@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	x86: enable FRED for x86-64 \| [v13,00/35] x86: enable FRED for x86-64 [v13,01/35] x86/cpufeatures,opcode,msr: Add the WRMSRNS instruction support [v13,02/35] x86/entry: Remove idtentry_sysvec from entry_{32,64}.S [v13,03/35] x86/trapnr: Add event type macros to <asm/trapnr.h> [v13,04/35] Documentation/x86/64: Add a documentation for FRED [v13,05/35] x86/fred: Add Kconfig option for FRED (CONFIG_X86_FRED) [v13,06/35] x86/cpufeatures: Add the CPU feature bit for FRED [v13,07/35] x86/fred: Disable FRED support if CONFIG_X86_FRED is disabled [v13,08/35] x86/fred: Disable FRED by default in its early stage [v13,09/35] x86/opcode: Add ERET[US] instructions to the x86 opcode map [v13,10/35] x86/objtool: Teach objtool about ERET[US] [v13,11/35] x86/cpu: Add X86_CR4_FRED macro [v13,12/35] x86/cpu: Add MSR numbers for FRED configuration [v13,13/35] x86/ptrace: Cleanup the definition of the pt_regs structure [v13,14/35] x86/ptrace: Add FRED additional information to the pt_regs structure [v13,15/35] x86/fred: Add a new header file for FRED definitions [v13,16/35] x86/fred: Reserve space for the FRED stack frame [v13,17/35] x86/fred: Update MSR_IA32_FRED_RSP0 during task switch [v13,18/35] x86/fred: Disallow the swapgs instruction when FRED is enabled [v13,19/35] x86/fred: No ESPFIX needed when FRED is enabled [v13,20/35] x86/fred: Allow single-step trap and NMI when starting a new task [v13,21/35] x86/fred: Make exc_page_fault() work for FRED [v13,22/35] x86/idtentry: Incorporate definitions/declarations of the FRED entries [v13,23/35] x86/fred: Add a debug fault entry stub for FRED [v13,24/35] x86/fred: Add a NMI entry stub for FRED [v13,25/35] x86/fred: Add a machine check entry stub for FRED [v13,26/35] x86/fred: FRED entry/exit and dispatch code [v13,27/35] x86/traps: Add sysvec_install() to install a system interrupt handler [v13,28/35] x86/fred: Let ret_from_fork_asm() jmp to asm_fred_exit_user when FRED is enabled [v13,29/35] x86/fred: Fixup fault on ERETU by jumping to fred_entrypoint_user [v13,30/35] x86/entry/calling: Allow PUSH_AND_CLEAR_REGS being used beyond actual entry code [v13,31/35] x86/entry: Add fred_entry_from_kvm() for VMX to handle IRQ/NMI [v13,32/35] KVM: VMX: Call fred_entry_from_kvm() for IRQ/NMI handling [v13,33/35] x86/syscall: Split IDT syscall setup code into idt_syscall_init() [v13,34/35] x86/fred: Add FRED initialization functions [v13,35/35] x86/fred: Invoke FRED initialization code to enable FRED

Commit Message

Li, Xin3 Dec. 5, 2023, 10:50 a.m. UTC

  From: "H. Peter Anvin (Intel)" <hpa@zytor.com>

On a FRED system, NMIs nest both with themselves and faults, transient
information is saved into the stack frame, and NMI unblocking only
happens when the stack frame indicates that so should happen.

Thus, the NMI entry stub for FRED is really quite small...

Signed-off-by: H. Peter Anvin (Intel) <hpa@zytor.com>
Tested-by: Shan Kang <shan.kang@intel.com>
Signed-off-by: Xin Li <xin3.li@intel.com>
---
 arch/x86/kernel/nmi.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

Comments

H. Peter Anvin Dec. 15, 2023, 1:51 a.m. UTC | #1

So we have recently discovered an overlooked interaction with VT-x. 
Immediately before VMENTER and after VMEXIT, CR2 is live with the 
*guest* CR2. Regardless of if the guest uses FRED or not, this is guest 
state and SHOULD NOT be corrupted. Furthermore, host state MUST NOT leak 
into the guest.

NMIs are blocked on VMEXIT if the cause was an NMI, but not for other 
reasons, so a NMI coming in during this window that then #PFs could 
corrupt the guest CR2.

Intel is exploring ways to close this hole, but for schedule reasons, it 
will not be available at the same time as the first implementation of 
FRED. Therefore, as a workaround, it turns out that the FRED NMI stub 
*will*, unfortunately, have to save and restore CR2 after all when (at 
least) Intel KVM is in use.

Note that this is airtight: it does add a performance penalty to the NMI 
path (two read CR2 in the common case of no #PF), but there is no gap 
during which a bad CR2 value could be introduced in the guest, no matter 
in which sequence the events happen.

In theory the performance penalty could be further reduced by 
conditionalizing this on the NMI happening in the critical region in the 
KVM code, but it seems to be pretty far from necessary to me.

This obviously was an unfortunate oversight on our part, but the 
workaround is simple and doesn't affect any non-NMI paths.

	-hpa

On 12/5/23 02:50, Xin Li wrote:
> +
> +	if (IS_ENABLED(CONFIG_SMP) && arch_cpu_is_offline(smp_processor_id()))
> +		return;
> +

This is cut & paste from elsewhere in the NMI code, but I believe the 
IS_ENABLED() is unnecessary (not to mention ugly): smp_processor_id() 
should always return zero on UP, and arch_cpu_is_offline() reduces to 
!(cpu == 0), so this is a statically true condition on UP.

	-hpa

Li, Xin3 Dec. 15, 2023, 6:37 p.m. UTC | #2

> So we have recently discovered an overlooked interaction with VT-x.
> Immediately before VMENTER and after VMEXIT, CR2 is live with the
> *guest* CR2. Regardless of if the guest uses FRED or not, this is guest
> state and SHOULD NOT be corrupted. Furthermore, host state MUST NOT leak
> into the guest.
> 
> NMIs are blocked on VMEXIT if the cause was an NMI, but not for other
> reasons, so a NMI coming in during this window that then #PFs could
> corrupt the guest CR2.

I add a comment to vmx_vcpu_enter_exit() in
https://lore.kernel.org/kvm/20231108183003.5981-1-xin3.li@intel.com/T/#m29616c02befc04305085b1cbac64df916364626a
for this.

> 
> Intel is exploring ways to close this hole, but for schedule reasons, it
> will not be available at the same time as the first implementation of
> FRED. Therefore, as a workaround, it turns out that the FRED NMI stub
> *will*, unfortunately, have to save and restore CR2 after all when (at
> least) Intel KVM is in use.
> 
> Note that this is airtight: it does add a performance penalty to the NMI
> path (two read CR2 in the common case of no #PF), but there is no gap
> during which a bad CR2 value could be introduced in the guest, no matter
> in which sequence the events happen.
> 
> In theory the performance penalty could be further reduced by
> conditionalizing this on the NMI happening in the critical region in the
> KVM code, but it seems to be pretty far from necessary to me.

We should keep the following code in the FRED NMI handler, right?

{
...
	this_cpu_write(nmi_cr2, read_cr2());
...
	if (unlikely(this_cpu_read(nmi_cr2) != read_cr2()))
		write_cr2(this_cpu_read(nmi_cr2));
...
}

> This obviously was an unfortunate oversight on our part, but the
> workaround is simple and doesn't affect any non-NMI paths.
> 
> > +
> > +	if (IS_ENABLED(CONFIG_SMP) &&
> arch_cpu_is_offline(smp_processor_id()))
> > +		return;
> > +
> 
> This is cut & paste from elsewhere in the NMI code, but I believe the
> IS_ENABLED() is unnecessary (not to mention ugly): smp_processor_id()
> should always return zero on UP, and arch_cpu_is_offline() reduces to
> !(cpu == 0), so this is a statically true condition on UP.

Ah, good point!

diff mbox series

Patch

diff --git a/arch/x86/kernel/nmi.c b/arch/x86/kernel/nmi.c
index 17e955ab69fe..56350d839e44 100644
--- a/arch/x86/kernel/nmi.c
+++ b/arch/x86/kernel/nmi.c
@@ -35,6 +35,7 @@ 
 #include <asm/nospec-branch.h>
 #include <asm/microcode.h>
 #include <asm/sev.h>
+#include <asm/fred.h>
 
 #define CREATE_TRACE_POINTS
 #include <trace/events/nmi.h>
@@ -651,6 +652,33 @@  void nmi_backtrace_stall_check(const struct cpumask *btp)
 
 #endif
 
+#ifdef CONFIG_X86_FRED
+/*
+ * With FRED, CR2/DR6 is pushed to #PF/#DB stack frame during FRED
+ * event delivery, i.e., there is no problem of transient states.
+ * And NMI unblocking only happens when the stack frame indicates
+ * that so should happen.
+ *
+ * Thus, the NMI entry stub for FRED is really straightforward and
+ * as simple as most exception handlers. As such, #DB is allowed
+ * during NMI handling.
+ */
+DEFINE_FREDENTRY_NMI(exc_nmi)
+{
+	irqentry_state_t irq_state;
+
+	if (IS_ENABLED(CONFIG_SMP) && arch_cpu_is_offline(smp_processor_id()))
+		return;
+
+	irq_state = irqentry_nmi_enter(regs);
+
+	inc_irq_stat(__nmi_count);
+	default_do_nmi(regs);
+
+	irqentry_nmi_exit(regs, irq_state);
+}
+#endif
+
 void stop_nmi(void)
 {
 	ignore_nmis++;