On Fri, Dec 12, 2025, Yosry Ahmed wrote:
On Fri, Dec 12, 2025 at 10:32:23AM -0800, Sean Christopherson wrote:
On Tue, Dec 09, 2025, Yosry Ahmed wrote:
Do I keep that as-is, or do you prefer that I also sanitize these fields when copying to the cache in nested_copy_vmcb_control_to_cache()?
I don't think I follow. What would the sanitization look like? Note, I don't think we need to completely sanitize _every_ field. The key fields are ones where KVM consumes and/or acts on the field.
Patch 12 currently sanitizes what is copied from VMCB12 to VMCB02 for int_vector, int_state, and event_inj in nested_vmcb02_prepare_control():
@@ -890,9 +893,9 @@ static void nested_vmcb02_prepare_control(struct vcpu_svm *svm, (svm->nested.ctl.int_ctl & int_ctl_vmcb12_bits) | (vmcb01->control.int_ctl & int_ctl_vmcb01_bits);
- vmcb02->control.int_vector = svm->nested.ctl.int_vector;
- vmcb02->control.int_state = svm->nested.ctl.int_state;
- vmcb02->control.event_inj = svm->nested.ctl.event_inj;
- vmcb02->control.int_vector = svm->nested.ctl.int_vector & SVM_INT_VECTOR_MASK;
- vmcb02->control.int_state = svm->nested.ctl.int_state & SVM_INTERRUPT_SHADOW_MASK;
- vmcb02->control.event_inj = svm->nested.ctl.event_inj & ~SVM_EVTINJ_RESERVED_BITS; vmcb02->control.event_inj_err = svm->nested.ctl.event_inj_err;
My question was: given this:
I want to solidify sanitizing the cache as standard behavior
Do you prefer that I move this sanitization when copying from L1's VMCB12 to the cached VMCB12 in nested_copy_vmcb_control_to_cache()?
Hmm, good question. Probably? If the main motivation for sanitizing is to guard against effectively exposing new features unintentionally via vmcs12, then it seems like the safest option is to ensure the "bad" bits are _never_ set in KVM-controlled state.
I initially made it part of nested_vmcb02_prepare_control() as it already filters what to pick from the VMCB12 for some other related fields like int_ctl based on what features are exposed to the guest.