[SRU,Bionic,Cosmic,1/1] KVM: PPC: Book3S HV: Provide mode where all vCPUs on a core must be the same VM

Message ID 2867fad589f4f571e9ff885c24bc05a3bc7a9b11.1539288711.git.joseph.salisbury@canonical.com
State New
Headers show
Series
  • KVM: PPC: Book3S HV: Provide mode where all vCPUs on a core must be the same VM
Related show

Commit Message

Joseph Salisbury Oct. 11, 2018, 8:19 p.m.
From: Paul Mackerras <paulus@ozlabs.org>

BugLink: https://bugs.launchpad.net/bugs/1792957

This adds a mode where the vcore scheduling logic in HV KVM limits itself
to scheduling only virtual cores from the same VM on any given physical
core.  This is enabled via a new module parameter on the kvm-hv module
called "one_vm_per_core".  For this to work on POWER9, it is necessary to
set indep_threads_mode=N.  (On POWER8, hardware limitations mean that KVM
is never in independent threads mode, regardless of the indep_threads_mode
setting.)

Thus the settings needed for this to work are:

1. The host is in SMT1 mode.
2. On POWER8, the host is not in 2-way or 4-way static split-core mode.
3. On POWER9, the indep_threads_mode parameter is N.
4. The one_vm_per_core parameter is Y.

With these settings, KVM can run up to 4 vcpus on a core at the same
time on POWER9, or up to 8 vcpus on POWER8 (depending on the guest
threading mode), and will ensure that all of the vcpus belong to the
same VM.

This is intended for use in security-conscious settings where users are
concerned about possible side-channel attacks between threads which could
perhaps enable one VM to attack another VM on the same core, or the host.

Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
(cherry picked from commit aa2278644ae54ff762ce33f9c9563d759e9cca9f linux-next)
Signed-off-by: Joseph Salisbury <joseph.salisbury@canonical.com>

---
 arch/powerpc/kvm/book3s_hv.c | 8 ++++++++
 1 file changed, 8 insertions(+)

Comments

Stefan Bader Oct. 12, 2018, 8:05 a.m. | #1
On 11.10.2018 22:19, Joseph Salisbury wrote:
> From: Paul Mackerras <paulus@ozlabs.org>
> 
> BugLink: https://bugs.launchpad.net/bugs/1792957
> 
> This adds a mode where the vcore scheduling logic in HV KVM limits itself
> to scheduling only virtual cores from the same VM on any given physical
> core.  This is enabled via a new module parameter on the kvm-hv module
> called "one_vm_per_core".  For this to work on POWER9, it is necessary to
> set indep_threads_mode=N.  (On POWER8, hardware limitations mean that KVM
> is never in independent threads mode, regardless of the indep_threads_mode
> setting.)
> 
> Thus the settings needed for this to work are:
> 
> 1. The host is in SMT1 mode.
> 2. On POWER8, the host is not in 2-way or 4-way static split-core mode.
> 3. On POWER9, the indep_threads_mode parameter is N.
> 4. The one_vm_per_core parameter is Y.
> 
> With these settings, KVM can run up to 4 vcpus on a core at the same
> time on POWER9, or up to 8 vcpus on POWER8 (depending on the guest
> threading mode), and will ensure that all of the vcpus belong to the
> same VM.
> 
> This is intended for use in security-conscious settings where users are
> concerned about possible side-channel attacks between threads which could
> perhaps enable one VM to attack another VM on the same core, or the host.
> 
> Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
> (cherry picked from commit aa2278644ae54ff762ce33f9c9563d759e9cca9f linux-next)
> Signed-off-by: Joseph Salisbury <joseph.salisbury@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
> 
> ---
>  arch/powerpc/kvm/book3s_hv.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c
> index dc9eb6b..0c8a655c 100644
> --- a/arch/powerpc/kvm/book3s_hv.c
> +++ b/arch/powerpc/kvm/book3s_hv.c
> @@ -103,6 +103,10 @@ static bool indep_threads_mode = true;
>  module_param(indep_threads_mode, bool, S_IRUGO | S_IWUSR);
>  MODULE_PARM_DESC(indep_threads_mode, "Independent-threads mode (only on POWER9)");
>  
> +static bool one_vm_per_core;
> +module_param(one_vm_per_core, bool, S_IRUGO | S_IWUSR);
> +MODULE_PARM_DESC(one_vm_per_core, "Only run vCPUs from the same VM on a core (requires indep_threads_mode=N)");
> +
>  #ifdef CONFIG_KVM_XICS
>  static struct kernel_param_ops module_param_ops = {
>  	.set = param_set_int,
> @@ -2449,6 +2453,10 @@ static bool can_dynamic_split(struct kvmppc_vcore *vc, struct core_info *cip)
>  	if (!cpu_has_feature(CPU_FTR_ARCH_207S))
>  		return false;
>  
> +	/* In one_vm_per_core mode, require all vcores to be from the same vm */
> +	if (one_vm_per_core && vc->kvm != cip->vc[0]->kvm)
> +		return false;
> +
>  	/* Some POWER9 chips require all threads to be in the same MMU mode */
>  	if (no_mixing_hpt_and_radix &&
>  	    kvm_is_radix(vc->kvm) != kvm_is_radix(cip->vc[0]->kvm))
>
Colin King Oct. 12, 2018, 9:20 a.m. | #2
On 11/10/18 21:19, Joseph Salisbury wrote:
> From: Paul Mackerras <paulus@ozlabs.org>
> 
> BugLink: https://bugs.launchpad.net/bugs/1792957
> 
> This adds a mode where the vcore scheduling logic in HV KVM limits itself
> to scheduling only virtual cores from the same VM on any given physical
> core.  This is enabled via a new module parameter on the kvm-hv module
> called "one_vm_per_core".  For this to work on POWER9, it is necessary to
> set indep_threads_mode=N.  (On POWER8, hardware limitations mean that KVM
> is never in independent threads mode, regardless of the indep_threads_mode
> setting.)
> 
> Thus the settings needed for this to work are:
> 
> 1. The host is in SMT1 mode.
> 2. On POWER8, the host is not in 2-way or 4-way static split-core mode.
> 3. On POWER9, the indep_threads_mode parameter is N.
> 4. The one_vm_per_core parameter is Y.
> 
> With these settings, KVM can run up to 4 vcpus on a core at the same
> time on POWER9, or up to 8 vcpus on POWER8 (depending on the guest
> threading mode), and will ensure that all of the vcpus belong to the
> same VM.
> 
> This is intended for use in security-conscious settings where users are
> concerned about possible side-channel attacks between threads which could
> perhaps enable one VM to attack another VM on the same core, or the host.
> 
> Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
> (cherry picked from commit aa2278644ae54ff762ce33f9c9563d759e9cca9f linux-next)
> Signed-off-by: Joseph Salisbury <joseph.salisbury@canonical.com>
> 
> ---
>  arch/powerpc/kvm/book3s_hv.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c
> index dc9eb6b..0c8a655c 100644
> --- a/arch/powerpc/kvm/book3s_hv.c
> +++ b/arch/powerpc/kvm/book3s_hv.c
> @@ -103,6 +103,10 @@ static bool indep_threads_mode = true;
>  module_param(indep_threads_mode, bool, S_IRUGO | S_IWUSR);
>  MODULE_PARM_DESC(indep_threads_mode, "Independent-threads mode (only on POWER9)");
>  
> +static bool one_vm_per_core;
> +module_param(one_vm_per_core, bool, S_IRUGO | S_IWUSR);
> +MODULE_PARM_DESC(one_vm_per_core, "Only run vCPUs from the same VM on a core (requires indep_threads_mode=N)");
> +
>  #ifdef CONFIG_KVM_XICS
>  static struct kernel_param_ops module_param_ops = {
>  	.set = param_set_int,
> @@ -2449,6 +2453,10 @@ static bool can_dynamic_split(struct kvmppc_vcore *vc, struct core_info *cip)
>  	if (!cpu_has_feature(CPU_FTR_ARCH_207S))
>  		return false;
>  
> +	/* In one_vm_per_core mode, require all vcores to be from the same vm */
> +	if (one_vm_per_core && vc->kvm != cip->vc[0]->kvm)
> +		return false;
> +
>  	/* Some POWER9 chips require all threads to be in the same MMU mode */
>  	if (no_mixing_hpt_and_radix &&
>  	    kvm_is_radix(vc->kvm) != kvm_is_radix(cip->vc[0]->kvm))
> 
Acked-by: Colin Ian King <colin.king@canonical.com>

Patch

diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c
index dc9eb6b..0c8a655c 100644
--- a/arch/powerpc/kvm/book3s_hv.c
+++ b/arch/powerpc/kvm/book3s_hv.c
@@ -103,6 +103,10 @@  static bool indep_threads_mode = true;
 module_param(indep_threads_mode, bool, S_IRUGO | S_IWUSR);
 MODULE_PARM_DESC(indep_threads_mode, "Independent-threads mode (only on POWER9)");
 
+static bool one_vm_per_core;
+module_param(one_vm_per_core, bool, S_IRUGO | S_IWUSR);
+MODULE_PARM_DESC(one_vm_per_core, "Only run vCPUs from the same VM on a core (requires indep_threads_mode=N)");
+
 #ifdef CONFIG_KVM_XICS
 static struct kernel_param_ops module_param_ops = {
 	.set = param_set_int,
@@ -2449,6 +2453,10 @@  static bool can_dynamic_split(struct kvmppc_vcore *vc, struct core_info *cip)
 	if (!cpu_has_feature(CPU_FTR_ARCH_207S))
 		return false;
 
+	/* In one_vm_per_core mode, require all vcores to be from the same vm */
+	if (one_vm_per_core && vc->kvm != cip->vc[0]->kvm)
+		return false;
+
 	/* Some POWER9 chips require all threads to be in the same MMU mode */
 	if (no_mixing_hpt_and_radix &&
 	    kvm_is_radix(vc->kvm) != kvm_is_radix(cip->vc[0]->kvm))