Hi Zhao,
On 24/4/25 08:33, Zhao Liu wrote:
Hi Markus,
This is for security purposes, and can restrict Guest users from
accessing certain sensitive hardware information on the Host via perf or
PMU counter.
When a PMU event is blocked by KVM, Guest users can't get the
corresponding event count via perf/PMU counter.
EMM, if ‘system’ refers to the QEMU part, then QEMU is responsible
for checking the format and passing the list to KVM.
Thanks,
Zhao
This helped some, thanks. To make sure I got it:
KVM can restrict the guest's access to the PMU. This is either a
whitelist (guest can access exactly what's on this list), or a blacklist
(guest can access exactly what's not on this list).
Yes! The "action" field controls if it's a "whitelist" (allow) or
"blacklist" (deny).
And "access" means Guest could get the event count, if "no access", then
Guest would get nothing.
For example, if we set the whitelist only for the event (select: 0xc4,
umask: 0) in QEMU:
pmu='{"qom-type":"kvm-pmu-filter","id":"f0","action":"allow","events":[{"format":"x86-select-umask","select":196,"umask":0}]}'
then in Guest, this command tries to get count of 2 events:
perf stat -e cpu/event=0xc4,name=branches/,cpu/event=0xc5,name=branch-misses/ sleep 1
Since another event (select: 0xc5, umask: 0) is not on whitelist, its
"access" is blocked by KVM, so user would get the result like:
Performance counter stats for 'sleep 1':
348709 branches
0 branch-misses
1.015962921 seconds time elapsed
0.000000000 seconds user
0.015195000 seconds sys
The "allowed" event has the normal output, and the result of "denied"
event is zero.
QEMU's kvm-pmu-filter object provides an interface to this KVM feature.
Yes!
KVM takes "raw" list entries: an entry is a number, and the number's
meaning depends on the architecture.
Yes, and meaning also depends on format. masked-entry format has special
meaning (with a flag).
The kvm-pmu-filter object can take such entries, and passes them
straight to KVM.
On x86, we commonly use two slightly higher level formats: select &
umask, and masked. The kvm-pmu-filter object can take entries in either
format, and maps them to "raw".
Correct?
Yes, Markus, you're right! (And sorry for late reply.)
And "raw" format as a lower level format can be used for other arches
(e.g., ARM).
Since you provide the ability to use a raw format, are we sure other
accelerators will never be interested in such PMU filtering?
I'm pretty sure HVF could benefit from it (whether we implement it there
is another story).
What do you think about adding this as a generic accelerator feature?
If a particular accel doesn't support it and we ask to filter, we simply
report an error.
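
An added example, not part of the thread and not QEMU or KVM code: a small Python model of the allow/deny semantics discussed above, useful for checking which guest events a given kvm-pmu-filter object would expose. The raw encoding is an assumption (x86 event-select layout: select in bits 0-7, umask in bits 8-15, the upper four bits of a 12-bit select in bits 32-35), as are the function names.

```python
import json

# Filter object quoted in the thread (select 196 == 0xc4, umask 0).
FILTER_JSON = ('{"qom-type":"kvm-pmu-filter","id":"f0","action":"allow",'
               '"events":[{"format":"x86-select-umask","select":196,"umask":0}]}')


def to_raw(entry):
    """Map one x86-select-umask entry to a raw event code.

    Assumed layout (not spelled out in the thread): select bits 0-7,
    umask bits 8-15, select bits 8-11 stored at bits 32-35.
    """
    if entry.get("format") != "x86-select-umask":
        raise ValueError("only x86-select-umask is modelled here")
    select, umask = entry["select"], entry["umask"]
    if not 0 <= select <= 0xFFF:
        raise ValueError("select out of range: %r" % select)
    if not 0 <= umask <= 0xFF:
        raise ValueError("umask out of range: %r" % umask)
    return (select & 0xFF) | (umask << 8) | ((select >> 8) << 32)


def load_filter(text):
    """Validate the object and return (action, set of raw event codes)."""
    obj = json.loads(text)
    if obj.get("qom-type") != "kvm-pmu-filter":
        raise ValueError("not a kvm-pmu-filter object")
    action = obj.get("action")
    if action not in ("allow", "deny"):
        raise ValueError("action must be 'allow' or 'deny'")
    return action, {to_raw(e) for e in obj.get("events", [])}


def guest_can_count(action, raws, select, umask=0):
    """True if the guest would get a real count for this event."""
    key = to_raw({"format": "x86-select-umask",
                  "select": select, "umask": umask})
    listed = key in raws
    # allow: only listed events count; deny: everything except listed.
    return listed if action == "allow" else not listed


if __name__ == "__main__":
    action, raws = load_filter(FILTER_JSON)
    for name, sel in (("branches", 0xC4), ("branch-misses", 0xC5)):
        state = "counted" if guest_can_count(action, raws, sel) else "blocked"
        print("%-14s select=0x%02x %s" % (name, sel, state))
```

With the filter from the thread, 0xc4 is counted and 0xc5 is blocked, matching the perf output shown; switching "action" to "deny" inverts both results.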