From: Maxim Levitsky
To: kvm@vger.kernel.org
Cc: Sean Christopherson, Thomas Gleixner, Paolo Bonzini, Ingo Molnar, Vitaly Kuznetsov, linux-kernel@vger.kernel.org, "H. Peter Anvin", x86@kernel.org, Borislav Petkov, Dave Hansen, Maxim Levitsky
Subject: [PATCH v4 0/4] Relax canonical checks on some arch msrs
Date: Fri, 6 Sep 2024 18:18:20 -0400
Message-Id: <20240906221824.491834-1-mlevitsk@redhat.com>

Recently we came upon a failure where likely the guest writes 0xff4547ceb1600000 to MSR_KERNEL_GS_BASE and later on qemu sets this value via KVM_PUT_MSRS, and it is rejected by the kernel, likely due to not being canonical in 4-level paging.

One of the ways to trigger this is to make the guest enter SMM, which causes paging to be disabled, which the SMM BIOS re-enables, but not the whole 5-level. MSR_KERNEL_GS_BASE, on the other hand, continues to contain the old value.

I did some reverse engineering and to my surprise I found out that both Intel and AMD indeed ignore CR4.LA57 when doing canonical checks on this and other msrs and/or other arch registers (like GDT base) which contain linear addresses.

V2: addressed very good feedback from Chao Gao. Thanks!

V3: also fix the nested VMX, and also fix the MSR_IA32_SYSENTER_EIP / MSR_IA32_SYSENTER_ESP

V4:
 - added PT and PEBS msrs
 - corrected emulation of SGDT/SIDT/STR/SLDT instructions
 - corrected canonical checks for TLB invalidation instructions

Best regards,
	Maxim Levitsky

Maxim Levitsky (4):
  KVM: x86: drop x86.h include from cpuid.h
  KVM: x86: implement emul_is_noncanonical_address using is_noncanonical_address
  KVM: x86: model canonical checks more precisely
  KVM: nVMX: fix canonical check of vmcs12 HOST_RIP

 arch/x86/kvm/cpuid.h         |  1 -
 arch/x86/kvm/emulate.c       | 15 ++++++-----
 arch/x86/kvm/kvm_emulate.h   |  5 ++++
 arch/x86/kvm/mmu.h           |  1 +
 arch/x86/kvm/mmu/mmu.c       |  2 +-
 arch/x86/kvm/vmx/hyperv.c    |  1 +
 arch/x86/kvm/vmx/nested.c    | 35 +++++++++++++++++---------
 arch/x86/kvm/vmx/pmu_intel.c |  2 +-
 arch/x86/kvm/vmx/sgx.c       |  5 ++--
 arch/x86/kvm/vmx/vmx.c       |  4 +--
 arch/x86/kvm/x86.c           | 13 +++++++---
 arch/x86/kvm/x86.h           | 49 ++++++++++++++++++++++++++++++++++--
 12 files changed, 102 insertions(+), 31 deletions(-)
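The two canonical-check policies the cover letter contrasts, as an added stand-alone model (not code from this series or from KVM): a check that follows the guest's current CR4.LA57 rejects the reported MSR_KERNEL_GS_BASE value once 5-level paging is off, while a check that only consults the CPU's supported width accepts it. The `vcpu_model` struct and the assumption that the supported width is 57 bits whenever LA57 is advertised are mine.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define VADDR_BITS_4LEVEL 48   /* 4-level paging: bits 63:47 must match */
#define VADDR_BITS_5LEVEL 57   /* 5-level paging: bits 63:56 must match */

/* A linear address is canonical for a given width when bits [63:width-1]
 * are either all zero or all one (sign-extension from bit width-1). */
static bool is_canonical(uint64_t la, unsigned int vaddr_bits)
{
    uint64_t top  = la >> (vaddr_bits - 1);        /* bits 63..width-1 */
    uint64_t ones = ~0ULL >> (vaddr_bits - 1);     /* all-ones pattern */
    return top == 0 || top == ones;
}

/* Constructed minimal guest state: only the two bits that matter here. */
struct vcpu_model {
    bool cpuid_la57;   /* CPU advertises 5-level paging support */
    bool cr4_la57;     /* CR4.LA57 currently set by the guest */
};

/* Width derived from the current paging mode (follows CR4.LA57). */
static unsigned int vcpu_virt_addr_bits(const struct vcpu_model *v)
{
    return v->cr4_la57 ? VADDR_BITS_5LEVEL : VADDR_BITS_4LEVEL;
}

/* Width the hardware applies to MSRs holding linear addresses: CR4.LA57 is
 * ignored, so only LA57 support matters (assumption: 57 when advertised). */
static unsigned int max_virt_addr_bits(const struct vcpu_model *v)
{
    return v->cpuid_la57 ? VADDR_BITS_5LEVEL : VADDR_BITS_4LEVEL;
}

/* Dynamic check: rejects a stale value after the guest left 5-level mode. */
static bool msr_value_ok_dynamic(const struct vcpu_model *v, uint64_t la)
{
    return is_canonical(la, vcpu_virt_addr_bits(v));
}

/* Check modelled on the hardware behaviour the cover letter describes. */
static bool msr_value_ok_static(const struct vcpu_model *v, uint64_t la)
{
    return is_canonical(la, max_virt_addr_bits(v));
}

int main(void)
{
    const uint64_t gs_base = 0xff4547ceb1600000ULL;   /* value from the report */
    struct vcpu_model after_smm = { .cpuid_la57 = true, .cr4_la57 = false };
    printf("dynamic=%d static=%d\n", msr_value_ok_dynamic(&after_smm, gs_base),
           msr_value_ok_static(&after_smm, gs_base));
    return 0;
}
```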