search for: nmi_complet

...> Oh gawd; so instead of improving the whole NMI situation, AMD went and > made it worse still ?!? Well, depends on how you want to see it. Under SEV-ES an IRET will not re-open the NMI window, but the guest has to tell the hypervisor explicitly when it is ready to receive new NMIs via the NMI_COMPLETE message. NMIs stay blocked even when an exception happens in the handler, so this could also be seen as a (slight) improvement. Regards, Joerg

...> Oh gawd; so instead of improving the whole NMI situation, AMD went and > made it worse still ?!? Well, depends on how you want to see it. Under SEV-ES an IRET will not re-open the NMI window, but the guest has to tell the hypervisor explicitly when it is ready to receive new NMIs via the NMI_COMPLETE message. NMIs stay blocked even when an exception happens in the handler, so this could also be seen as a (slight) improvement. Regards, Joerg

...tart to intercept IRET instructions when an NMI got > injected to find out when the NMI window is re-opened. But handling IRET > intercepts requires the hypervisor to access guest register state and is > not possible with SEV-ES. The specification under [1] solves this > problem with an NMI_COMPLETE message sent my the guest to the > hypervisor, upon which the hypervisor re-opens the NMI window for the > guest. > > This patch-set sends the NMI_COMPLETE message before the actual IRET, > while the kernel is still on a valid stack and kernel cr3. This opens > the NMI-window a...

...ad of improving the whole NMI situation, AMD went and > > made it worse still ?!? > > Well, depends on how you want to see it. Under SEV-ES an IRET will not > re-open the NMI window, but the guest has to tell the hypervisor > explicitly when it is ready to receive new NMIs via the NMI_COMPLETE > message. NMIs stay blocked even when an exception happens in the > handler, so this could also be seen as a (slight) improvement. > I don't get it. VT-x has a VMCS bit "Interruptibility state"."Blocking by NMI" that tracks the NMI masking state. Would it have...

...after the VMGEXIT but before the result is read. I suspect you can fix this by saving the GHCB at the beginning of do_nmi and restoring it at the end. This has the major caveat that it will not work if do_nmi comes from user mode and schedules, but I don?t believe this can happen. [0] Due to the NMI_COMPLETE catastrophe, there is a 100% chance that this happens.

...ypervisors usually start to intercept IRET instructions when an NMI got injected to find out when the NMI window is re-opened. But handling IRET intercepts requires the hypervisor to access guest register state and is not possible with SEV-ES. The specification under [1] solves this problem with an NMI_COMPLETE message sent my the guest to the hypervisor, upon which the hypervisor re-opens the NMI window for the guest. This patch-set sends the NMI_COMPLETE message before the actual IRET, while the kernel is still on a valid stack and kernel cr3. This opens the NMI-window a few instructions early, but th...

...ypervisors usually start to intercept IRET instructions when an NMI got injected to find out when the NMI window is re-opened. But handling IRET intercepts requires the hypervisor to access guest register state and is not possible with SEV-ES. The specification under [1] solves this problem with an NMI_COMPLETE message sent my the guest to the hypervisor, upon which the hypervisor re-opens the NMI window for the guest. This patch-set sends the NMI_COMPLETE message before the actual IRET, while the kernel is still on a valid stack and kernel cr3. This opens the NMI-window a few instructions early, but th...

...listed: - Rebased to v5.7-rc3 - Changes the #VC exception handler to use an IST stack. This includes a couple of additional patches to set up and map the IST stack, to make dumpstack aware of them and to fix a race with the NMI handler when shifting the #VC handlers IST entry. - The NMI_Complete message to the hypervisor the re-open the NMI window is now sent at the very beginning of do_nmi(). - The GHCB used in the pre-decompression code is now re-mapped encrypted and flushed from the cache before jumping to the decompressed kernel image. This is needed to make sure the run...

...listed: - Rebased to v5.7-rc3 - Changes the #VC exception handler to use an IST stack. This includes a couple of additional patches to set up and map the IST stack, to make dumpstack aware of them and to fix a race with the NMI handler when shifting the #VC handlers IST entry. - The NMI_Complete message to the hypervisor the re-open the NMI window is now sent at the very beginning of do_nmi(). - The GHCB used in the pre-decompression code is now re-mapped encrypted and flushed from the cache before jumping to the decompressed kernel image. This is needed to make sure the run...