Message ID | 20230721030352.72414-10-weijiang.yang@intel.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | Enable CET Virtualization | expand |
On Thu, Jul 20, 2023 at 11:03:41PM -0400, Yang Weijiang wrote: >+static inline bool is_shadow_stack_msr(struct kvm_vcpu *vcpu, remove @vcpu since it isn't used. And I think it is better to accept an MSR index than struct msr_data because whether a MSR is a shadow stack MSR is entirely decided by the MSR index; other fields in the struct msr_data are irrelevant. >+ struct msr_data *msr) >+{ >+ return msr->index == MSR_IA32_PL0_SSP || >+ msr->index == MSR_IA32_PL1_SSP || >+ msr->index == MSR_IA32_PL2_SSP || >+ msr->index == MSR_IA32_PL3_SSP || >+ msr->index == MSR_IA32_INT_SSP_TAB || >+ msr->index == MSR_KVM_GUEST_SSP; >+} >+ >+static bool kvm_cet_is_msr_accessible(struct kvm_vcpu *vcpu, >+ struct msr_data *msr) >+{ >+ >+ /* >+ * This function cannot work without later CET MSR read/write >+ * emulation patch. Probably you should consider merging the "later" patch into this one. Then you can get rid of this comment and make this patch easier for review ... > int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info) > { > u32 msr = msr_info->index; >@@ -3982,6 +4023,35 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info) > vcpu->arch.guest_fpu.xfd_err = data; > break; > #endif >+#define CET_IBT_MASK_BITS GENMASK_ULL(63, 2) bit9:6 are reserved even if IBT is supported. >@@ -12131,6 +12217,7 @@ void kvm_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event) > > vcpu->arch.cr3 = 0; > kvm_register_mark_dirty(vcpu, VCPU_EXREG_CR3); >+ memset(vcpu->arch.cet_s_ssp, 0, sizeof(vcpu->arch.cet_s_ssp)); ... this begs the question: where other MSRs are reset. I suppose U_CET/PL3_SSP are handled when resetting guest FPU. But how about S_CET and INT_SSP_TAB? there is no answer in this patch.
On 7/26/2023 3:33 PM, Chao Gao wrote: > On Thu, Jul 20, 2023 at 11:03:41PM -0400, Yang Weijiang wrote: >> +static inline bool is_shadow_stack_msr(struct kvm_vcpu *vcpu, > remove @vcpu since it isn't used. And I think it is better to accept > an MSR index than struct msr_data because whether a MSR is a shadow > stack MSR is entirely decided by the MSR index; other fields in the > struct msr_data are irrelevant. Yes, I should have removed it, thanks! > >> + struct msr_data *msr) >> +{ >> + return msr->index == MSR_IA32_PL0_SSP || >> + msr->index == MSR_IA32_PL1_SSP || >> + msr->index == MSR_IA32_PL2_SSP || >> + msr->index == MSR_IA32_PL3_SSP || >> + msr->index == MSR_IA32_INT_SSP_TAB || >> + msr->index == MSR_KVM_GUEST_SSP; >> +} >> + >> +static bool kvm_cet_is_msr_accessible(struct kvm_vcpu *vcpu, >> + struct msr_data *msr) >> +{ >> + >> + /* >> + * This function cannot work without later CET MSR read/write >> + * emulation patch. > Probably you should consider merging the "later" patch into this one. > Then you can get rid of this comment and make this patch easier for > review ... Which later patch you mean? If you mean [13/20] KVM:VMX: Emulate read and write to CET MSRs, then I intentionally separate these two, this one is for CET MSR common checks and operations, the latter is specific to VMX, and add the above comments in case someone is bisecting the patches and happens to split at this patch, then it would faulted and take some actions. >> int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info) >> { >> u32 msr = msr_info->index; >> @@ -3982,6 +4023,35 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info) >> vcpu->arch.guest_fpu.xfd_err = data; >> break; >> #endif >> +#define CET_IBT_MASK_BITS GENMASK_ULL(63, 2) > bit9:6 are reserved even if IBT is supported. Yes, as IBT is only available on Intel platforms, I move the handling of bit 9:6 to VMX related patch. Here's the common check in case IBT is not available. > >> @@ -12131,6 +12217,7 @@ void kvm_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event) >> >> vcpu->arch.cr3 = 0; >> kvm_register_mark_dirty(vcpu, VCPU_EXREG_CR3); >> + memset(vcpu->arch.cet_s_ssp, 0, sizeof(vcpu->arch.cet_s_ssp)); > ... this begs the question: where other MSRs are reset. I suppose > U_CET/PL3_SSP are handled when resetting guest FPU. But how about S_CET > and INT_SSP_TAB? there is no answer in this patch. I think the related guest VMCS fields(S_CET/INT_SSP_TAB/SSP) should be reset to 0 in vmx_vcpu_reset(), do you think so?
On Wed, Jul 26, 2023 at 04:26:06PM +0800, Yang, Weijiang wrote: >> > + /* >> > + * This function cannot work without later CET MSR read/write >> > + * emulation patch. >> Probably you should consider merging the "later" patch into this one. >> Then you can get rid of this comment and make this patch easier for >> review ... > >Which later patch you mean? If you mean [13/20] KVM:VMX: Emulate read and >write to CET MSRs, > >then I intentionally separate these two, this one is for CET MSR common >checks and operations, > >the latter is specific to VMX, and add the above comments in case someone is The problem of this organization is the handling of S_CET, SSP, INT_SSP_TABLE MSR is incomplete in this patch. I think a better organization is to either merge this patch and patch 13, or move all changes related to S_CET, SSP, INT_SSP_TABLE into patch 13? e.g., case MSR_IA32_U_CET: - case MSR_IA32_S_CET: if (!kvm_cet_is_msr_accessible(vcpu, msr_info)) return 1; if ((!guest_can_use(vcpu, X86_FEATURE_SHSTK) && (data & CET_SHSTK_MASK_BITS)) || (!guest_can_use(vcpu, X86_FEATURE_IBT) && (data & CET_IBT_MASK_BITS))) return 1; - if (msr == MSR_IA32_U_CET) - kvm_set_xsave_msr(msr_info); kvm_set_xsave_msr(msr_info); break; - case MSR_KVM_GUEST_SSP: - case MSR_IA32_PL0_SSP ... MSR_IA32_INT_SSP_TAB: case MSR_IA32_PL0_SSP ... MSR_IA32_PL3_SSP: if (!kvm_cet_is_msr_accessible(vcpu, msr_info)) return 1; if (is_noncanonical_address(data, vcpu)) return 1; if (!IS_ALIGNED(data, 4)) return 1; if (msr == MSR_IA32_PL0_SSP || msr == MSR_IA32_PL1_SSP || msr == MSR_IA32_PL2_SSP) { vcpu->arch.cet_s_ssp[msr - MSR_IA32_PL0_SSP] = data; } else if (msr == MSR_IA32_PL3_SSP) { kvm_set_xsave_msr(msr_info); } break; BTW, shouldn't bit2:0 of MSR_KVM_GUEST_SSP be 0? i.e., for MSR_KVM_GUEST_SSP, the alignment check should be IS_ALIGNED(data, 8). >bisecting > >the patches and happens to split at this patch, then it would faulted and >take some actions. I am not sure what kind of issue you are worrying about. In my understanding, KVM hasn't advertised the support of IBT and SHSTK, so, kvm_cpu_cap_has(X86_FEATURE_SHSTK/IBT) will always return false. and then kvm_cet_is_msr_accessible() is guaranteed to return false. If there is any issue in your mind, you can fix it or reorganize your patches to avoid the issue. To me, adding a comment and a warning is not a good solution. > >> > int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info) >> > { >> > u32 msr = msr_info->index; >> > @@ -3982,6 +4023,35 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info) >> > vcpu->arch.guest_fpu.xfd_err = data; >> > break; >> > #endif >> > +#define CET_IBT_MASK_BITS GENMASK_ULL(63, 2) >> bit9:6 are reserved even if IBT is supported. > >Yes, as IBT is only available on Intel platforms, I move the handling of bit >9:6 to VMX related patch. IIUC, bits 9:6 are not reserved for IBT. I don't get how IBT availability affects the handling of bits 9:6. > >Here's the common check in case IBT is not available. > >> >> > @@ -12131,6 +12217,7 @@ void kvm_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event) >> > >> > vcpu->arch.cr3 = 0; >> > kvm_register_mark_dirty(vcpu, VCPU_EXREG_CR3); >> > + memset(vcpu->arch.cet_s_ssp, 0, sizeof(vcpu->arch.cet_s_ssp)); >> ... this begs the question: where other MSRs are reset. I suppose >> U_CET/PL3_SSP are handled when resetting guest FPU. But how about S_CET >> and INT_SSP_TAB? there is no answer in this patch. > >I think the related guest VMCS fields(S_CET/INT_SSP_TAB/SSP) should be reset >to 0 in vmx_vcpu_reset(), > >do you think so? Yes, looks good.
On 7/26/2023 9:46 PM, Chao Gao wrote: > On Wed, Jul 26, 2023 at 04:26:06PM +0800, Yang, Weijiang wrote: >>>> + /* >>>> + * This function cannot work without later CET MSR read/write >>>> + * emulation patch. >>> Probably you should consider merging the "later" patch into this one. >>> Then you can get rid of this comment and make this patch easier for >>> review ... >> Which later patch you mean? If you mean [13/20] KVM:VMX: Emulate read and >> write to CET MSRs, >> >> then I intentionally separate these two, this one is for CET MSR common >> checks and operations, >> >> the latter is specific to VMX, and add the above comments in case someone is > The problem of this organization is the handling of S_CET, SSP, INT_SSP_TABLE > MSR is incomplete in this patch. I think a better organization is to either > merge this patch and patch 13, or move all changes related to S_CET, SSP, > INT_SSP_TABLE into patch 13? e.g., Yes, I'm thinking of merging this patch with patch 13 to make it complete, thanks for the suggestion! > > case MSR_IA32_U_CET: > - case MSR_IA32_S_CET: > if (!kvm_cet_is_msr_accessible(vcpu, msr_info)) > return 1; > if ((!guest_can_use(vcpu, X86_FEATURE_SHSTK) && > (data & CET_SHSTK_MASK_BITS)) || > (!guest_can_use(vcpu, X86_FEATURE_IBT) && > (data & CET_IBT_MASK_BITS))) > return 1; > - if (msr == MSR_IA32_U_CET) > - kvm_set_xsave_msr(msr_info); > kvm_set_xsave_msr(msr_info); > break; > - case MSR_KVM_GUEST_SSP: > - case MSR_IA32_PL0_SSP ... MSR_IA32_INT_SSP_TAB: > case MSR_IA32_PL0_SSP ... MSR_IA32_PL3_SSP: > if (!kvm_cet_is_msr_accessible(vcpu, msr_info)) > return 1; > if (is_noncanonical_address(data, vcpu)) > return 1; > if (!IS_ALIGNED(data, 4)) > return 1; > if (msr == MSR_IA32_PL0_SSP || msr == MSR_IA32_PL1_SSP || > msr == MSR_IA32_PL2_SSP) { > vcpu->arch.cet_s_ssp[msr - MSR_IA32_PL0_SSP] = data; > } else if (msr == MSR_IA32_PL3_SSP) { > kvm_set_xsave_msr(msr_info); > } > break; > > > > BTW, shouldn't bit2:0 of MSR_KVM_GUEST_SSP be 0? i.e., for MSR_KVM_GUEST_SSP, > the alignment check should be IS_ALIGNED(data, 8). The check for GUEST_SSP should be consistent with that of PLx_SSPs, otherwise there would be issues, maybe I need to change the alignment check as : #ifdef CONFIG_X86_64 if (!IS_ALIGNED(data, 8)) return 1; #else if (!IS_ALIGNED(data, 4)) return 1; #endif > >> bisecting >> >> the patches and happens to split at this patch, then it would faulted and >> take some actions. > I am not sure what kind of issue you are worrying about. In my understanding, > KVM hasn't advertised the support of IBT and SHSTK, so, > kvm_cpu_cap_has(X86_FEATURE_SHSTK/IBT) will always return false. and then > kvm_cet_is_msr_accessible() is guaranteed to return false. > > If there is any issue in your mind, you can fix it or reorganize your patches to > avoid the issue. To me, adding a comment and a warning is not a good solution. I will reorganize the patches and merge the code in this patch to patch 13. > >>>> int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info) >>>> { >>>> u32 msr = msr_info->index; >>>> @@ -3982,6 +4023,35 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info) >>>> vcpu->arch.guest_fpu.xfd_err = data; >>>> break; >>>> #endif >>>> +#define CET_IBT_MASK_BITS GENMASK_ULL(63, 2) >>> bit9:6 are reserved even if IBT is supported. >> Yes, as IBT is only available on Intel platforms, I move the handling of bit >> 9:6 to VMX related patch. > IIUC, bits 9:6 are not reserved for IBT. I don't get how IBT availability > affects the handling of bits 9:6. I handle it in this way, when IBT is not available all bits 63:2 should be handled as reserved. When IBT is available, additional checks for bits 9:6 should be enforced. > >> Here's the common check in case IBT is not available. >> >>>> @@ -12131,6 +12217,7 @@ void kvm_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event) >>>> >>>> vcpu->arch.cr3 = 0; >>>> kvm_register_mark_dirty(vcpu, VCPU_EXREG_CR3); >>>> + memset(vcpu->arch.cet_s_ssp, 0, sizeof(vcpu->arch.cet_s_ssp)); >>> ... this begs the question: where other MSRs are reset. I suppose >>> U_CET/PL3_SSP are handled when resetting guest FPU. But how about S_CET >>> and INT_SSP_TAB? there is no answer in this patch. >> I think the related guest VMCS fields(S_CET/INT_SSP_TAB/SSP) should be reset >> to 0 in vmx_vcpu_reset(), >> >> do you think so? > Yes, looks good.
>> - case MSR_KVM_GUEST_SSP: >> - case MSR_IA32_PL0_SSP ... MSR_IA32_INT_SSP_TAB: >> case MSR_IA32_PL0_SSP ... MSR_IA32_PL3_SSP: >> if (!kvm_cet_is_msr_accessible(vcpu, msr_info)) >> return 1; >> if (is_noncanonical_address(data, vcpu)) >> return 1; >> if (!IS_ALIGNED(data, 4)) >> return 1; >> if (msr == MSR_IA32_PL0_SSP || msr == MSR_IA32_PL1_SSP || >> msr == MSR_IA32_PL2_SSP) { >> vcpu->arch.cet_s_ssp[msr - MSR_IA32_PL0_SSP] = data; >> } else if (msr == MSR_IA32_PL3_SSP) { >> kvm_set_xsave_msr(msr_info); >> } >> break; >> >> >> >> BTW, shouldn't bit2:0 of MSR_KVM_GUEST_SSP be 0? i.e., for MSR_KVM_GUEST_SSP, >> the alignment check should be IS_ALIGNED(data, 8). > >The check for GUEST_SSP should be consistent with that of PLx_SSPs, otherwise >there would be issues OK. I had the question because Gil said in a previous email: IDT event delivery, when changing to rings 0-2 will load SSP from the MSR corresponding to the new ring. These transitions check that bits 2:0 of the new value are all zero and will generate a nested fault if any of those bits are set. (Far CALL using a call gate also checks this if changing CPL.) it sounds to me, at least for CPL0-2, SSP (or the synethic MSR_KVM_GUEST_SSP) should be 8-byte aligned. Otherwise, there will be a nested fault when trying to load SSP. I might be overly cautious. No objection to do IS_ALIGNED(data, 4) for SSP.
On Thu, Jul 27, 2023, Chao Gao wrote: > >> - case MSR_KVM_GUEST_SSP: > >> - case MSR_IA32_PL0_SSP ... MSR_IA32_INT_SSP_TAB: > >> case MSR_IA32_PL0_SSP ... MSR_IA32_PL3_SSP: > >> if (!kvm_cet_is_msr_accessible(vcpu, msr_info)) > >> return 1; > >> if (is_noncanonical_address(data, vcpu)) > >> return 1; > >> if (!IS_ALIGNED(data, 4)) > >> return 1; > >> if (msr == MSR_IA32_PL0_SSP || msr == MSR_IA32_PL1_SSP || > >> msr == MSR_IA32_PL2_SSP) { > >> vcpu->arch.cet_s_ssp[msr - MSR_IA32_PL0_SSP] = data; > >> } else if (msr == MSR_IA32_PL3_SSP) { > >> kvm_set_xsave_msr(msr_info); > >> } > >> break; > >> > >> > >> > >> BTW, shouldn't bit2:0 of MSR_KVM_GUEST_SSP be 0? i.e., for MSR_KVM_GUEST_SSP, > >> the alignment check should be IS_ALIGNED(data, 8). > > > >The check for GUEST_SSP should be consistent with that of PLx_SSPs, otherwise > >there would be issues > > OK. I had the question because Gil said in a previous email: > > IDT event delivery, when changing to rings 0-2 will load SSP from the > MSR corresponding to the new ring. These transitions check that bits > 2:0 of the new value are all zero and will generate a nested fault if > any of those bits are set. (Far CALL using a call gate also checks this > if changing CPL.) > > it sounds to me, at least for CPL0-2, SSP (or the synethic > MSR_KVM_GUEST_SSP) should be 8-byte aligned. Otherwise, there will be a > nested fault when trying to load SSP. Yes, but that's the guest's problem. KVM's responsibility is purely to faithfully emulate hardware, which in this case means requiring that bits 1:0 be cleared on the WRMSR. *Architecturally*, software is allowed to set bit 2, and only if/when the vCPU consumes the "bad" value by transitioning to the relevant CPL will the CPU generate a fault.
diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h index 20bbcd95511f..69cbc9d9b277 100644 --- a/arch/x86/include/asm/kvm_host.h +++ b/arch/x86/include/asm/kvm_host.h @@ -805,6 +805,7 @@ struct kvm_vcpu_arch { u64 xcr0; u64 guest_supported_xcr0; u64 guest_supported_xss; + u64 cet_s_ssp[3]; struct kvm_pio_request pio; void *pio_data; diff --git a/arch/x86/kvm/cpuid.h b/arch/x86/kvm/cpuid.h index b1658c0de847..7791a19b88ba 100644 --- a/arch/x86/kvm/cpuid.h +++ b/arch/x86/kvm/cpuid.h @@ -232,4 +232,14 @@ static __always_inline bool guest_pv_has(struct kvm_vcpu *vcpu, return vcpu->arch.pv_cpuid.features & (1u << kvm_feature); } +/* + * FIXME: When the "KVM-governed" enabling patchset is merge, rebase this + * series on top of that and replace this one with the helper merged. + */ +static __always_inline bool guest_can_use(struct kvm_vcpu *vcpu, + unsigned int feature) +{ + return kvm_cpu_cap_has(feature) && guest_cpuid_has(vcpu, feature); +} + #endif diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 59e961a88b75..7a3753c05c09 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -3628,6 +3628,47 @@ static bool kvm_is_msr_to_save(u32 msr_index) return false; } +static inline bool is_shadow_stack_msr(struct kvm_vcpu *vcpu, + struct msr_data *msr) +{ + return msr->index == MSR_IA32_PL0_SSP || + msr->index == MSR_IA32_PL1_SSP || + msr->index == MSR_IA32_PL2_SSP || + msr->index == MSR_IA32_PL3_SSP || + msr->index == MSR_IA32_INT_SSP_TAB || + msr->index == MSR_KVM_GUEST_SSP; +} + +static bool kvm_cet_is_msr_accessible(struct kvm_vcpu *vcpu, + struct msr_data *msr) +{ + + /* + * This function cannot work without later CET MSR read/write + * emulation patch. + */ + WARN_ON_ONCE(1); + + if (is_shadow_stack_msr(vcpu, msr)) { + if (!kvm_cpu_cap_has(X86_FEATURE_SHSTK)) + return false; + + if (msr->index == MSR_KVM_GUEST_SSP) + return msr->host_initiated; + + return msr->host_initiated || + guest_cpuid_has(vcpu, X86_FEATURE_SHSTK); + } + + if (!kvm_cpu_cap_has(X86_FEATURE_SHSTK) && + !kvm_cpu_cap_has(X86_FEATURE_IBT)) + return false; + + return msr->host_initiated || + guest_cpuid_has(vcpu, X86_FEATURE_IBT) || + guest_cpuid_has(vcpu, X86_FEATURE_SHSTK); +} + int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info) { u32 msr = msr_info->index; @@ -3982,6 +4023,35 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info) vcpu->arch.guest_fpu.xfd_err = data; break; #endif +#define CET_IBT_MASK_BITS GENMASK_ULL(63, 2) +#define CET_SHSTK_MASK_BITS GENMASK(1, 0) + case MSR_IA32_U_CET: + case MSR_IA32_S_CET: + if (!kvm_cet_is_msr_accessible(vcpu, msr_info)) + return 1; + if ((!guest_can_use(vcpu, X86_FEATURE_SHSTK) && + (data & CET_SHSTK_MASK_BITS)) || + (!guest_can_use(vcpu, X86_FEATURE_IBT) && + (data & CET_IBT_MASK_BITS))) + return 1; + if (msr == MSR_IA32_U_CET) + kvm_set_xsave_msr(msr_info); + break; + case MSR_KVM_GUEST_SSP: + case MSR_IA32_PL0_SSP ... MSR_IA32_INT_SSP_TAB: + if (!kvm_cet_is_msr_accessible(vcpu, msr_info)) + return 1; + if (is_noncanonical_address(data, vcpu)) + return 1; + if (!IS_ALIGNED(data, 4)) + return 1; + if (msr == MSR_IA32_PL0_SSP || msr == MSR_IA32_PL1_SSP || + msr == MSR_IA32_PL2_SSP) { + vcpu->arch.cet_s_ssp[msr - MSR_IA32_PL0_SSP] = data; + } else if (msr == MSR_IA32_PL3_SSP) { + kvm_set_xsave_msr(msr_info); + } + break; default: if (kvm_pmu_is_valid_msr(vcpu, msr)) return kvm_pmu_set_msr(vcpu, msr_info); @@ -4052,7 +4122,9 @@ static int get_msr_mce(struct kvm_vcpu *vcpu, u32 msr, u64 *pdata, bool host) int kvm_get_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info) { - switch (msr_info->index) { + u32 msr = msr_info->index; + + switch (msr) { case MSR_IA32_PLATFORM_ID: case MSR_IA32_EBL_CR_POWERON: case MSR_IA32_LASTBRANCHFROMIP: @@ -4087,7 +4159,7 @@ int kvm_get_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info) case MSR_K7_PERFCTR0 ... MSR_K7_PERFCTR3: case MSR_P6_PERFCTR0 ... MSR_P6_PERFCTR1: case MSR_P6_EVNTSEL0 ... MSR_P6_EVNTSEL1: - if (kvm_pmu_is_valid_msr(vcpu, msr_info->index)) + if (kvm_pmu_is_valid_msr(vcpu, msr)) return kvm_pmu_get_msr(vcpu, msr_info); msr_info->data = 0; break; @@ -4138,7 +4210,7 @@ int kvm_get_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info) case MSR_MTRRcap: case MTRRphysBase_MSR(0) ... MSR_MTRRfix4K_F8000: case MSR_MTRRdefType: - return kvm_mtrr_get_msr(vcpu, msr_info->index, &msr_info->data); + return kvm_mtrr_get_msr(vcpu, msr, &msr_info->data); case 0xcd: /* fsb frequency */ msr_info->data = 3; break; @@ -4160,7 +4232,7 @@ int kvm_get_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info) msr_info->data = kvm_get_apic_base(vcpu); break; case APIC_BASE_MSR ... APIC_BASE_MSR + 0xff: - return kvm_x2apic_msr_read(vcpu, msr_info->index, &msr_info->data); + return kvm_x2apic_msr_read(vcpu, msr, &msr_info->data); case MSR_IA32_TSC_DEADLINE: msr_info->data = kvm_get_lapic_tscdeadline_msr(vcpu); break; @@ -4254,7 +4326,7 @@ int kvm_get_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info) case MSR_IA32_MCG_STATUS: case MSR_IA32_MC0_CTL ... MSR_IA32_MCx_CTL(KVM_MAX_MCE_BANKS) - 1: case MSR_IA32_MC0_CTL2 ... MSR_IA32_MCx_CTL2(KVM_MAX_MCE_BANKS) - 1: - return get_msr_mce(vcpu, msr_info->index, &msr_info->data, + return get_msr_mce(vcpu, msr, &msr_info->data, msr_info->host_initiated); case MSR_IA32_XSS: if (!msr_info->host_initiated && @@ -4285,7 +4357,7 @@ int kvm_get_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info) case HV_X64_MSR_TSC_EMULATION_STATUS: case HV_X64_MSR_TSC_INVARIANT_CONTROL: return kvm_hv_get_msr_common(vcpu, - msr_info->index, &msr_info->data, + msr, &msr_info->data, msr_info->host_initiated); case MSR_IA32_BBL_CR_CTL3: /* This legacy MSR exists but isn't fully documented in current @@ -4338,8 +4410,22 @@ int kvm_get_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info) msr_info->data = vcpu->arch.guest_fpu.xfd_err; break; #endif + case MSR_IA32_U_CET: + case MSR_IA32_S_CET: + case MSR_KVM_GUEST_SSP: + case MSR_IA32_PL0_SSP ... MSR_IA32_INT_SSP_TAB: + if (!kvm_cet_is_msr_accessible(vcpu, msr_info)) + return 1; + if (msr == MSR_IA32_PL0_SSP || msr == MSR_IA32_PL1_SSP || + msr == MSR_IA32_PL2_SSP) { + msr_info->data = + vcpu->arch.cet_s_ssp[msr - MSR_IA32_PL0_SSP]; + } else if (msr == MSR_IA32_U_CET || msr == MSR_IA32_PL3_SSP) { + kvm_get_xsave_msr(msr_info); + } + break; default: - if (kvm_pmu_is_valid_msr(vcpu, msr_info->index)) + if (kvm_pmu_is_valid_msr(vcpu, msr)) return kvm_pmu_get_msr(vcpu, msr_info); /* @@ -4347,7 +4433,7 @@ int kvm_get_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info) * to-be-saved, even if an MSR isn't fully supported. */ if (msr_info->host_initiated && - kvm_is_msr_to_save(msr_info->index)) { + kvm_is_msr_to_save(msr)) { msr_info->data = 0; break; } @@ -12131,6 +12217,7 @@ void kvm_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event) vcpu->arch.cr3 = 0; kvm_register_mark_dirty(vcpu, VCPU_EXREG_CR3); + memset(vcpu->arch.cet_s_ssp, 0, sizeof(vcpu->arch.cet_s_ssp)); /* * CR0.CD/NW are set on RESET, preserved on INIT. Note, some versions diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h index 6e6292915f8c..09dd35a79ff3 100644 --- a/arch/x86/kvm/x86.h +++ b/arch/x86/kvm/x86.h @@ -549,4 +549,22 @@ int kvm_sev_es_string_io(struct kvm_vcpu *vcpu, unsigned int size, unsigned int port, void *data, unsigned int count, int in); +/* + * Guest xstate MSRs have been loaded in __msr_io(), disable preemption before + * access the MSRs to avoid MSR content corruption. + */ +static inline void kvm_get_xsave_msr(struct msr_data *msr_info) +{ + kvm_fpu_get(); + rdmsrl(msr_info->index, msr_info->data); + kvm_fpu_put(); +} + +static inline void kvm_set_xsave_msr(struct msr_data *msr_info) +{ + kvm_fpu_get(); + wrmsrl(msr_info->index, msr_info->data); + kvm_fpu_put(); +} + #endif
Add unified handling for AMD/Intel's SHSTK MSRs, and leave IBT related handling in VMX specific code. Guest supervisor SSPs are handled specially because they are loaded into HW registers only when the SSPs are used by guest. Currently, AMD doesn't support IBT, so move related handling in VMX specific code. Signed-off-by: Yang Weijiang <weijiang.yang@intel.com> --- arch/x86/include/asm/kvm_host.h | 1 + arch/x86/kvm/cpuid.h | 10 ++++ arch/x86/kvm/x86.c | 103 +++++++++++++++++++++++++++++--- arch/x86/kvm/x86.h | 18 ++++++ 4 files changed, 124 insertions(+), 8 deletions(-)