1. Patchew
  2. linux
  3. [PATCH 0/2] Improve KVM_SET_TSC_KHZ handling for CoCo VMs
  4. View patch

[PATCH 1/2] KVM: x86: Reject KVM_SET_TSC_KHZ vCPU ioctl for TSC protected guest

Kai Huang posted 2 patches 3 months ago
There is a newer version of this series
[PATCH 1/2] KVM: x86: Reject KVM_SET_TSC_KHZ vCPU ioctl for TSC protected guest
Posted by Kai Huang 3 months ago 
Reject KVM_SET_TSC_KHZ vCPU ioctl if guest's TSC is protected and not
changeable by KVM.

For such TSC protected guests, e.g. TDX guests, typically the TSC is
configured once at VM level before any vCPU are created and remains
unchanged during VM's lifetime.  KVM provides the KVM_SET_TSC_KHZ VM
scope ioctl to allow the userspace VMM to configure the TSC of such VM.
After that the userspace VMM is not supposed to call the KVM_SET_TSC_KHZ
vCPU scope ioctl anymore when creating the vCPU.

The de facto userspace VMM Qemu does this for TDX guests.  The upcoming
SEV-SNP guests with Secure TSC should follow.

Note this could be a break of ABI.  But for now only TDX guests are TSC
protected and only Qemu supports TDX, thus in practice this should not
break any existing userspace.

Suggested-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Kai Huang <kai.huang@intel.com>
---
 arch/x86/kvm/x86.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 2806f7104295..699ca5e74bba 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -6186,6 +6186,10 @@ long kvm_arch_vcpu_ioctl(struct file *filp,
 		u32 user_tsc_khz;
 
 		r = -EINVAL;
+
+		if (vcpu->arch.guest_tsc_protected)
+			goto out;
+
 		user_tsc_khz = (u32)arg;
 
 		if (kvm_caps.has_tsc_control &&
-- 
2.50.0
Re: [PATCH 1/2] KVM: x86: Reject KVM_SET_TSC_KHZ vCPU ioctl for TSC protected guest
Posted by Nikunj A. Dadhania 3 months ago 

On 7/9/2025 11:07 AM, Kai Huang wrote:
> Reject KVM_SET_TSC_KHZ vCPU ioctl if guest's TSC is protected and not
> changeable by KVM.
> 
> For such TSC protected guests, e.g. TDX guests, typically the TSC is
> configured once at VM level before any vCPU are created and remains
> unchanged during VM's lifetime.  KVM provides the KVM_SET_TSC_KHZ VM
> scope ioctl to allow the userspace VMM to configure the TSC of such VM.
> After that the userspace VMM is not supposed to call the KVM_SET_TSC_KHZ
> vCPU scope ioctl anymore when creating the vCPU.
> 
> The de facto userspace VMM Qemu does this for TDX guests.  The upcoming
> SEV-SNP guests with Secure TSC should follow.
> 
> Note this could be a break of ABI.  But for now only TDX guests are TSC
> protected and only Qemu supports TDX, thus in practice this should not
> break any existing userspace.
> 
> Suggested-by: Sean Christopherson <seanjc@google.com>
> Signed-off-by: Kai Huang <kai.huang@intel.com>

Need to add this in Documentation/virt/kvm/api.rst as well, saying that
for TDX and SecureTSC enabled SNP guests, KVM_SET_TSC_KHZ vCPU ioctl is
not valid.

> ---
>  arch/x86/kvm/x86.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> index 2806f7104295..699ca5e74bba 100644
> --- a/arch/x86/kvm/x86.c
> +++ b/arch/x86/kvm/x86.c
> @@ -6186,6 +6186,10 @@ long kvm_arch_vcpu_ioctl(struct file *filp,
>  		u32 user_tsc_khz;
>  
>  		r = -EINVAL;
> +
> +		if (vcpu->arch.guest_tsc_protected)
> +			goto out;
> +
>  		user_tsc_khz = (u32)arg;
>  
>  		if (kvm_caps.has_tsc_control &&

Regards
Nikunj
Re: [PATCH 1/2] KVM: x86: Reject KVM_SET_TSC_KHZ vCPU ioctl for TSC protected guest
Posted by Huang, Kai 2 months, 4 weeks ago 
On Wed, 2025-07-09 at 14:09 +0530, Nikunj A. Dadhania wrote:
> 
> On 7/9/2025 11:07 AM, Kai Huang wrote:
> > Reject KVM_SET_TSC_KHZ vCPU ioctl if guest's TSC is protected and not
> > changeable by KVM.
> > 
> > For such TSC protected guests, e.g. TDX guests, typically the TSC is
> > configured once at VM level before any vCPU are created and remains
> > unchanged during VM's lifetime.  KVM provides the KVM_SET_TSC_KHZ VM
> > scope ioctl to allow the userspace VMM to configure the TSC of such VM.
> > After that the userspace VMM is not supposed to call the KVM_SET_TSC_KHZ
> > vCPU scope ioctl anymore when creating the vCPU.
> > 
> > The de facto userspace VMM Qemu does this for TDX guests.  The upcoming
> > SEV-SNP guests with Secure TSC should follow.
> > 
> > Note this could be a break of ABI.  But for now only TDX guests are TSC
> > protected and only Qemu supports TDX, thus in practice this should not
> > break any existing userspace.
> > 
> > Suggested-by: Sean Christopherson <seanjc@google.com>
> > Signed-off-by: Kai Huang <kai.huang@intel.com>
> 
> Need to add this in Documentation/virt/kvm/api.rst as well, saying that
> for TDX and SecureTSC enabled SNP guests, KVM_SET_TSC_KHZ vCPU ioctl is
> not valid.
> 
> 

Good point.  Thanks for bringing it up.

I will add below to the doc unless someone has comments?

I'll probably split the doc diff into two parts and merge each to the
respective code change patch, since the change to the doc contains change
to both vm ioctl and vcpu ioctl.

Btw, I think I'll not mention Secure TSC enabled SEV-SNP guests for now
because it is not in upstream yet.  But I tried to make the text in a way
that could be easily extended to cover Secure TSC guests.

diff --git a/Documentation/virt/kvm/api.rst
b/Documentation/virt/kvm/api.rst
index 43ed57e048a8..ad61bcba3791 100644
--- a/Documentation/virt/kvm/api.rst
+++ b/Documentation/virt/kvm/api.rst
@@ -2006,7 +2006,13 @@ frequency is KHz.
 
 If the KVM_CAP_VM_TSC_CONTROL capability is advertised, this can also
 be used as a vm ioctl to set the initial tsc frequency of subsequently
-created vCPUs.
+created vCPUs.  It must be called before any vCPU is created.
+
+For TSC protected CoCo VMs where TSC is configured once at VM scope and
+remains unchanged during VM's lifetime, the VM ioctl should be used to
+configure the TSC and the vCPU ioctl fails.
+
+Example of such CoCo VMs: TDX guests.
Re: [PATCH 1/2] KVM: x86: Reject KVM_SET_TSC_KHZ vCPU ioctl for TSC protected guest
Posted by Nikunj A Dadhania 2 months, 4 weeks ago 
"Huang, Kai" <kai.huang@intel.com> writes:

> On Wed, 2025-07-09 at 14:09 +0530, Nikunj A. Dadhania wrote:
>> 
>> On 7/9/2025 11:07 AM, Kai Huang wrote:
>> > Reject KVM_SET_TSC_KHZ vCPU ioctl if guest's TSC is protected and not
>> > changeable by KVM.
>> > 
>> > For such TSC protected guests, e.g. TDX guests, typically the TSC is
>> > configured once at VM level before any vCPU are created and remains
>> > unchanged during VM's lifetime.  KVM provides the KVM_SET_TSC_KHZ VM
>> > scope ioctl to allow the userspace VMM to configure the TSC of such VM.
>> > After that the userspace VMM is not supposed to call the KVM_SET_TSC_KHZ
>> > vCPU scope ioctl anymore when creating the vCPU.
>> > 
>> > The de facto userspace VMM Qemu does this for TDX guests.  The upcoming
>> > SEV-SNP guests with Secure TSC should follow.
>> > 
>> > Note this could be a break of ABI.  But for now only TDX guests are TSC
>> > protected and only Qemu supports TDX, thus in practice this should not
>> > break any existing userspace.
>> > 
>> > Suggested-by: Sean Christopherson <seanjc@google.com>
>> > Signed-off-by: Kai Huang <kai.huang@intel.com>
>> 
>> Need to add this in Documentation/virt/kvm/api.rst as well, saying that
>> for TDX and SecureTSC enabled SNP guests, KVM_SET_TSC_KHZ vCPU ioctl is
>> not valid.
>> 
>> 
>
> Good point.  Thanks for bringing it up.
>
> I will add below to the doc unless someone has comments?
>
> I'll probably split the doc diff into two parts and merge each to the
> respective code change patch, since the change to the doc contains change
> to both vm ioctl and vcpu ioctl.
>
> Btw, I think I'll not mention Secure TSC enabled SEV-SNP guests for now
> because it is not in upstream yet.  But I tried to make the text in a way
> that could be easily extended to cover Secure TSC guests.

Sure, I can add that later.

>
> diff --git a/Documentation/virt/kvm/api.rst
> b/Documentation/virt/kvm/api.rst
> index 43ed57e048a8..ad61bcba3791 100644
> --- a/Documentation/virt/kvm/api.rst
> +++ b/Documentation/virt/kvm/api.rst
> @@ -2006,7 +2006,13 @@ frequency is KHz.
>  
>  If the KVM_CAP_VM_TSC_CONTROL capability is advertised, this can also
>  be used as a vm ioctl to set the initial tsc frequency of subsequently
> -created vCPUs.
> +created vCPUs.  It must be called before any vCPU is created.

s/It/The VM Scope ioctl/

> +
> +For TSC protected CoCo VMs where TSC is configured once at VM scope
> and

s/CoCo/Confidential Computing (CoCo)/
s/TSC is/TSC frequency is/

> +remains unchanged during VM's lifetime, the VM ioctl should be used to
> +configure the TSC and the vCPU ioctl fails.

s/TSC/TSC frequency/

s/vcpu ioctl fails/vcpu ioctl is not supported/

> +
> +
> +Example of such CoCo VMs: TDX guests.

Regards
Nikunj
Re: [PATCH 1/2] KVM: x86: Reject KVM_SET_TSC_KHZ vCPU ioctl for TSC protected guest
Posted by Huang, Kai 2 months, 3 weeks ago 
On Fri, 2025-07-11 at 06:22 +0000, Nikunj A Dadhania wrote:
> "Huang, Kai" <kai.huang@intel.com> writes:
> 
> > On Wed, 2025-07-09 at 14:09 +0530, Nikunj A. Dadhania wrote:
> > > 
> > > On 7/9/2025 11:07 AM, Kai Huang wrote:
> > > > Reject KVM_SET_TSC_KHZ vCPU ioctl if guest's TSC is protected and not
> > > > changeable by KVM.
> > > > 
> > > > For such TSC protected guests, e.g. TDX guests, typically the TSC is
> > > > configured once at VM level before any vCPU are created and remains
> > > > unchanged during VM's lifetime.  KVM provides the KVM_SET_TSC_KHZ VM
> > > > scope ioctl to allow the userspace VMM to configure the TSC of such VM.
> > > > After that the userspace VMM is not supposed to call the KVM_SET_TSC_KHZ
> > > > vCPU scope ioctl anymore when creating the vCPU.
> > > > 
> > > > The de facto userspace VMM Qemu does this for TDX guests.  The upcoming
> > > > SEV-SNP guests with Secure TSC should follow.
> > > > 
> > > > Note this could be a break of ABI.  But for now only TDX guests are TSC
> > > > protected and only Qemu supports TDX, thus in practice this should not
> > > > break any existing userspace.
> > > > 
> > > > Suggested-by: Sean Christopherson <seanjc@google.com>
> > > > Signed-off-by: Kai Huang <kai.huang@intel.com>
> > > 
> > > Need to add this in Documentation/virt/kvm/api.rst as well, saying that
> > > for TDX and SecureTSC enabled SNP guests, KVM_SET_TSC_KHZ vCPU ioctl is
> > > not valid.
> > > 
> > > 
> > 
> > Good point.  Thanks for bringing it up.
> > 
> > I will add below to the doc unless someone has comments?
> > 
> > I'll probably split the doc diff into two parts and merge each to the
> > respective code change patch, since the change to the doc contains change
> > to both vm ioctl and vcpu ioctl.
> > 
> > Btw, I think I'll not mention Secure TSC enabled SEV-SNP guests for now
> > because it is not in upstream yet.  But I tried to make the text in a way
> > that could be easily extended to cover Secure TSC guests.
> 
> Sure, I can add that later.
> 
> > 
> > diff --git a/Documentation/virt/kvm/api.rst
> > b/Documentation/virt/kvm/api.rst
> > index 43ed57e048a8..ad61bcba3791 100644
> > --- a/Documentation/virt/kvm/api.rst
> > +++ b/Documentation/virt/kvm/api.rst
> > @@ -2006,7 +2006,13 @@ frequency is KHz.
> >  
> >  If the KVM_CAP_VM_TSC_CONTROL capability is advertised, this can also
> >  be used as a vm ioctl to set the initial tsc frequency of subsequently
> > -created vCPUs.
> > +created vCPUs.  It must be called before any vCPU is created.
> 
> s/It/The VM Scope ioctl/

OK.  I'll use "The vm ioctl", though, to make it consistent with the
previous sentence.

> 
> > +
> > +For TSC protected CoCo VMs where TSC is configured once at VM scope
> > and
> 
> s/CoCo/Confidential Computing (CoCo)/
> s/TSC is/TSC frequency is/

OK.

> 
> > +remains unchanged during VM's lifetime, the VM ioctl should be used to
> > +configure the TSC and the vCPU ioctl fails.
> 
> s/TSC/TSC frequency/
> 
> s/vcpu ioctl fails/vcpu ioctl is not supported/

OK.

> 
> > +
> > +
> > +Example of such CoCo VMs: TDX guests.
> 
> Regards
> Nikunj
Re: [PATCH 1/2] KVM: x86: Reject KVM_SET_TSC_KHZ vCPU ioctl for TSC protected guest
Posted by Xiaoyao Li 3 months ago 
On 7/9/2025 1:37 PM, Kai Huang wrote:
> Reject KVM_SET_TSC_KHZ vCPU ioctl if guest's TSC is protected and not
> changeable by KVM.
> 
> For such TSC protected guests, e.g. TDX guests, typically the TSC is
> configured once at VM level before any vCPU are created and remains
> unchanged during VM's lifetime.  KVM provides the KVM_SET_TSC_KHZ VM
> scope ioctl to allow the userspace VMM to configure the TSC of such VM.
> After that the userspace VMM is not supposed to call the KVM_SET_TSC_KHZ
> vCPU scope ioctl anymore when creating the vCPU.
> 
> The de facto userspace VMM Qemu does this for TDX guests.  The upcoming
> SEV-SNP guests with Secure TSC should follow.
> 
> Note this could be a break of ABI.  But for now only TDX guests are TSC
> protected and only Qemu supports TDX, thus in practice this should not
> break any existing userspace.
> 
> Suggested-by: Sean Christopherson <seanjc@google.com>
> Signed-off-by: Kai Huang <kai.huang@intel.com>

Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>

> ---
>   arch/x86/kvm/x86.c | 4 ++++
>   1 file changed, 4 insertions(+)
> 
> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> index 2806f7104295..699ca5e74bba 100644
> --- a/arch/x86/kvm/x86.c
> +++ b/arch/x86/kvm/x86.c
> @@ -6186,6 +6186,10 @@ long kvm_arch_vcpu_ioctl(struct file *filp,
>   		u32 user_tsc_khz;
>   
>   		r = -EINVAL;

I wondered if -EPERM is more appropriate. But I search the KVM files and 
find the KVM convention is to return -EINVAL.

> +		if (vcpu->arch.guest_tsc_protected)
> +			goto out;
> +
>   		user_tsc_khz = (u32)arg;
>   
>   		if (kvm_caps.has_tsc_control &&

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.