[v7,48/52] i386/tdx: Fetch and validate CPUID of TD guest

Message ID	20250124132048.3229049-49-xiaoyao.li@intel.com (mailing list archive)
State	New
Headers	show Return-Path: <qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org> From: Xiaoyao Li <xiaoyao.li@intel.com> To: Paolo Bonzini <pbonzini@redhat.com>, =?utf-8?q?Daniel_P=2E_Berrang=C3=A9?= <berrange@redhat.com>, =?utf-8?q?Phil?= =?utf-8?q?ippe_Mathieu-Daud=C3=A9?= <philmd@linaro.org>, Igor Mammedov <imammedo@redhat.com> Cc: Zhao Liu <zhao1.liu@intel.com>, "Michael S. Tsirkin" <mst@redhat.com>, Eric Blake <eblake@redhat.com>, Markus Armbruster <armbru@redhat.com>, Peter Maydell <peter.maydell@linaro.org>, Marcelo Tosatti <mtosatti@redhat.com>, Huacai Chen <chenhuacai@kernel.org>, Rick Edgecombe <rick.p.edgecombe@intel.com>, Francesco Lavra <francescolavra.fl@gmail.com>, xiaoyao.li@intel.com, qemu-devel@nongnu.org, kvm@vger.kernel.org Subject: [PATCH v7 48/52] i386/tdx: Fetch and validate CPUID of TD guest Date: Fri, 24 Jan 2025 08:20:44 -0500 Message-Id: <20250124132048.3229049-49-xiaoyao.li@intel.com> In-Reply-To: <20250124132048.3229049-1-xiaoyao.li@intel.com> References: <20250124132048.3229049-1-xiaoyao.li@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=198.175.65.13; envelope-from=xiaoyao.li@intel.com; helo=mgamail.intel.com X-Spam_score_int: -63 X-Spam_score: -6.4 X-Spam_bar: ------ X-Spam_report: (-6.4 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-2.996, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.998, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action Precedence: list Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org
Series	QEMU TDX support \| expand [v7,00/52] QEMU TDX support [v7,01/52] * HACK * linux-headers: Update headers to pull in TDX API changes [v7,02/52] i386: Introduce tdx-guest object [v7,03/52] i386/tdx: Implement tdx_kvm_type() for TDX [v7,04/52] i386/tdx: Implement tdx_kvm_init() to initialize TDX VM context [v7,05/52] i386/tdx: Get tdx_capabilities via KVM_TDX_CAPABILITIES [v7,06/52] i386/tdx: Introduce is_tdx_vm() helper and cache tdx_guest object [v7,07/52] kvm: Introduce kvm_arch_pre_create_vcpu() [v7,08/52] i386/tdx: Initialize TDX before creating TD vcpus [v7,09/52] i386/tdx: Add property sept-ve-disable for tdx-guest object [v7,10/52] i386/tdx: Make sept_ve_disable set by default [v7,11/52] i386/tdx: Wire CPU features up with attributes of TD guest [v7,12/52] i386/tdx: Validate TD attributes [v7,13/52] i386/tdx: Set APIC bus rate to match with what TDX module enforces [v7,14/52] i386/tdx: Implement user specified tsc frequency [v7,15/52] i386/tdx: load TDVF for TD guest [v7,16/52] i386/tdvf: Introduce function to parse TDVF metadata [v7,17/52] i386/tdx: Parse TDVF metadata for TDX VM [v7,18/52] i386/tdx: Don't initialize pc.rom for TDX VMs [v7,19/52] i386/tdx: Track mem_ptr for each firmware entry of TDVF [v7,20/52] i386/tdx: Track RAM entries for TDX VM [v7,21/52] headers: Add definitions from UEFI spec for volumes, resources, etc... [v7,22/52] i386/tdx: Setup the TD HOB list [v7,23/52] i386/tdx: Add TDVF memory via KVM_TDX_INIT_MEM_REGION [v7,24/52] i386/tdx: Call KVM_TDX_INIT_VCPU to initialize TDX vcpu [v7,25/52] i386/tdx: Finalize TDX VM [v7,26/52] i386/tdx: Enable user exit on KVM_HC_MAP_GPA_RANGE [v7,27/52] i386/tdx: Handle KVM_SYSTEM_EVENT_TDX_FATAL [v7,28/52] i386/tdx: Wire TDX_REPORT_FATAL_ERROR with GuestPanic facility [v7,29/52] i386/cpu: introduce x86_confidential_guest_cpu_instance_init() [v7,30/52] i386/tdx: implement tdx_cpu_instance_init() [v7,31/52] i386/cpu: Introduce enable_cpuid_0x1f to force exposing CPUID 0x1f [v7,32/52] i386/tdx: Force exposing CPUID 0x1f [v7,33/52] i386/tdx: Set kvm_readonly_mem_enabled to false for TDX VM [v7,34/52] i386/tdx: Disable SMM for TDX VMs [v7,35/52] i386/tdx: Disable PIC for TDX VMs [v7,36/52] i386/tdx: Don't synchronize guest tsc for TDs [v7,37/52] i386/tdx: Only configure MSR_IA32_UCODE_REV in kvm_init_msrs() for TDs [v7,38/52] i386/apic: Skip kvm_apic_put() for TDX [v7,39/52] cpu: Don't set vcpu_dirty when guest_state_protected [v7,40/52] i386/cgs: Rename mask_cpuid_features() to adjust_cpuid_features() [v7,41/52] i386/tdx: Implement adjust_cpuid_features() for TDX [v7,42/52] i386/tdx: Apply TDX fixed0 and fixed1 information to supported CPUIDs [v7,43/52] i386/tdx: Mask off CPUID bits by unsupported TD Attributes [v7,44/52] i386/cpu: Move CPUID_XSTATE_XSS_MASK to header file and introduce CPUID_XSTATE_MASK [v7,45/52] i386/tdx: Mask off CPUID bits by unsupported XFAM [v7,46/52] i386/tdx: Mark the configurable bit not reported by KVM as unsupported [v7,47/52] i386/cgs: Introduce x86_confidential_guest_check_features() [v7,48/52] i386/tdx: Fetch and validate CPUID of TD guest [v7,49/52] i386/tdx: Don't treat SYSCALL as unavailable [v7,50/52] i386/tdx: Make invtsc default on [v7,51/52] i386/tdx: Validate phys_bits against host value [v7,52/52] docs: Add TDX documentation

Message ID

20250124132048.3229049-49-xiaoyao.li@intel.com (mailing list archive)

State

New

Headers

From: Xiaoyao Li <xiaoyao.li@intel.com>
To: Paolo Bonzini <pbonzini@redhat.com>,
 =?utf-8?q?Daniel_P=2E_Berrang=C3=A9?= <berrange@redhat.com>, =?utf-8?q?Phil?=
	=?utf-8?q?ippe_Mathieu-Daud=C3=A9?= <philmd@linaro.org>,
 Igor Mammedov <imammedo@redhat.com>
Cc: Zhao Liu <zhao1.liu@intel.com>, "Michael S. Tsirkin" <mst@redhat.com>,
 Eric Blake <eblake@redhat.com>, Markus Armbruster <armbru@redhat.com>,
 Peter Maydell <peter.maydell@linaro.org>,
 Marcelo Tosatti <mtosatti@redhat.com>, Huacai Chen <chenhuacai@kernel.org>,
 Rick Edgecombe <rick.p.edgecombe@intel.com>,
 Francesco Lavra <francescolavra.fl@gmail.com>, xiaoyao.li@intel.com,
 qemu-devel@nongnu.org, kvm@vger.kernel.org
Subject: [PATCH v7 48/52] i386/tdx: Fetch and validate CPUID of TD guest
Date: Fri, 24 Jan 2025 08:20:44 -0500
Message-Id: <20250124132048.3229049-49-xiaoyao.li@intel.com>
In-Reply-To: <20250124132048.3229049-1-xiaoyao.li@intel.com>
References: <20250124132048.3229049-1-xiaoyao.li@intel.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=198.175.65.13;
 envelope-from=xiaoyao.li@intel.com;
 helo=mgamail.intel.com
X-Spam_score_int: -63
X-Spam_score: -6.4
X-Spam_bar: ------
X-Spam_report: (-6.4 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-2.996,
 DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.998, RCVD_IN_DNSWL_MED=-2.3,
 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001,
 RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001,
 SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
 T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org
Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org

Series

QEMU TDX support | expand

Commit Message

Xiaoyao Li Jan. 24, 2025, 1:20 p.m. UTC

Use KVM_TDX_GET_CPUID to get the CPUIDs that are managed and enfored
by TDX module for TD guest. Check QEMU's configuration against the
fetched data.

Print wanring  message when 1. a feature is not supported but requested
by QEMU or 2. QEMU doesn't want to expose a feature while it is enforced
enabled.

- If cpu->enforced_cpuid is not set, prints the warning message of both
1) and 2) and tweak QEMU's configuration.

- If cpu->enforced_cpuid is set, quit if any case of 1) or 2).

Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
---
 target/i386/cpu.c     | 33 ++++++++++++++-
 target/i386/cpu.h     |  7 +++
 target/i386/kvm/tdx.c | 99 +++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 137 insertions(+), 2 deletions(-)

diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index f1330627adbb..a948fd0bd674 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -5482,8 +5482,8 @@  static bool x86_cpu_have_filtered_features(X86CPU *cpu)
     return false;
 }
 
-static void mark_unavailable_features(X86CPU *cpu, FeatureWord w, uint64_t mask,
-                                      const char *verbose_prefix)
+void mark_unavailable_features(X86CPU *cpu, FeatureWord w, uint64_t mask,
+                               const char *verbose_prefix)
 {
     CPUX86State *env = &cpu->env;
     FeatureWordInfo *f = &feature_word_info[w];
@@ -5510,6 +5510,35 @@  static void mark_unavailable_features(X86CPU *cpu, FeatureWord w, uint64_t mask,
     }
 }
 
+void mark_forced_on_features(X86CPU *cpu, FeatureWord w, uint64_t mask,
+                             const char *verbose_prefix)
+{
+    CPUX86State *env = &cpu->env;
+    FeatureWordInfo *f = &feature_word_info[w];
+    int i;
+
+    if (!cpu->force_features) {
+        env->features[w] |= mask;
+    }
+
+    cpu->forced_on_features[w] |= mask;
+
+    if (!verbose_prefix) {
+        return;
+    }
+
+    for (i = 0; i < 64; ++i) {
+        if ((1ULL << i) & mask) {
+            g_autofree char *feat_word_str = feature_word_description(f);
+            warn_report("%s: %s%s%s [bit %d]",
+                        verbose_prefix,
+                        feat_word_str,
+                        f->feat_names[i] ? "." : "",
+                        f->feat_names[i] ? f->feat_names[i] : "", i);
+        }
+    }
+}
+
 static void x86_cpuid_version_get_family(Object *obj, Visitor *v,
                                          const char *name, void *opaque,
                                          Error **errp)
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index a4c0531262ce..eb79daa0bf9f 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -2155,6 +2155,9 @@  struct ArchCPU {
     /* Features that were filtered out because of missing host capabilities */
     FeatureWordArray filtered_features;
 
+    /* Features that are forced enabled by underlying hypervisor, e.g., TDX */
+    FeatureWordArray forced_on_features;
+
     /* Enable PMU CPUID bits. This can't be enabled by default yet because
      * it doesn't have ABI stability guarantees, as it passes all PMU CPUID
      * bits returned by GET_SUPPORTED_CPUID (that depend on host CPU and kernel
@@ -2466,6 +2469,10 @@  void cpu_set_apic_feature(CPUX86State *env);
 void host_cpuid(uint32_t function, uint32_t count,
                 uint32_t *eax, uint32_t *ebx, uint32_t *ecx, uint32_t *edx);
 bool cpu_has_x2apic_feature(CPUX86State *env);
+void mark_unavailable_features(X86CPU *cpu, FeatureWord w, uint64_t mask,
+                               const char *verbose_prefix);
+void mark_forced_on_features(X86CPU *cpu, FeatureWord w, uint64_t mask,
+                             const char *verbose_prefix);
 
 static inline bool x86_has_cpuid_0x1f(X86CPU *cpu)
 {
diff --git a/target/i386/kvm/tdx.c b/target/i386/kvm/tdx.c
index 2b9a47020934..f6a4f3322e61 100644
--- a/target/i386/kvm/tdx.c
+++ b/target/i386/kvm/tdx.c
@@ -727,6 +727,104 @@  static uint32_t tdx_adjust_cpuid_features(X86ConfidentialGuest *cg,
     return value;
 }
 
+static struct kvm_cpuid2 *tdx_fetch_cpuid(CPUState *cpu)
+{
+    struct kvm_cpuid2 *fetch_cpuid;
+    int size = KVM_MAX_CPUID_ENTRIES;
+    Error *local_err = NULL;
+    int r;
+
+    do {
+        error_free(local_err);
+        local_err = NULL;
+
+        fetch_cpuid = g_malloc0(sizeof(*fetch_cpuid) +
+                                sizeof(struct kvm_cpuid_entry2) * size);
+        fetch_cpuid->nent = size;
+        r = tdx_vcpu_ioctl(cpu, KVM_TDX_GET_CPUID, 0, fetch_cpuid, &local_err);
+        if (r == -E2BIG) {
+            g_free(fetch_cpuid);
+            size = fetch_cpuid->nent;
+        }
+    } while (r == -E2BIG);
+
+    if (r < 0) {
+        error_report_err(local_err);
+        return NULL;
+    }
+
+    return fetch_cpuid;
+}
+
+static int tdx_check_features(X86ConfidentialGuest *cg, CPUState *cs)
+{
+    uint64_t actual, requested, unavailable, forced_on;
+    g_autofree struct kvm_cpuid2 *fetch_cpuid;
+    const char *forced_on_prefix = NULL;
+    const char *unav_prefix = NULL;
+    struct kvm_cpuid_entry2 *entry;
+    X86CPU *cpu = X86_CPU(cs);
+    CPUX86State *env = &cpu->env;
+    FeatureWordInfo *wi;
+    FeatureWord w;
+    bool mismatch = false;
+
+    fetch_cpuid = tdx_fetch_cpuid(cs);
+    if (!fetch_cpuid) {
+        return -1;
+    }
+
+    if (cpu->check_cpuid || cpu->enforce_cpuid) {
+        unav_prefix = "TDX doesn't support requested feature";
+        forced_on_prefix = "TDX forcibly sets the feature";
+    }
+
+    for (w = 0; w < FEATURE_WORDS; w++) {
+        wi = &feature_word_info[w];
+        actual = 0;
+
+        switch (wi->type) {
+        case CPUID_FEATURE_WORD:
+            entry = cpuid_find_entry(fetch_cpuid, wi->cpuid.eax, wi->cpuid.ecx);
+            if (!entry) {
+                /*
+                 * If KVM doesn't report it means it's totally configurable
+                 * by QEMU
+                 */
+                continue;
+            }
+
+            actual = cpuid_entry_get_reg(entry, wi->cpuid.reg);
+            break;
+        case MSR_FEATURE_WORD:
+            /*
+             * TODO:
+             * validate MSR features when KVM has interface report them.
+             */
+            continue;
+        }
+
+        requested = env->features[w];
+        unavailable = requested & ~actual;
+        mark_unavailable_features(cpu, w, unavailable, unav_prefix);
+        if (unavailable) {
+            mismatch = true;
+        }
+
+        forced_on = actual & ~requested;
+        mark_forced_on_features(cpu, w, forced_on, forced_on_prefix);
+        if (forced_on) {
+            mismatch = true;
+        }
+    }
+
+    if (cpu->enforce_cpuid && mismatch) {
+        return -1;
+    }
+
+    return 0;
+}
+
 static int tdx_validate_attributes(TdxGuest *tdx, Error **errp)
 {
     if ((tdx->attributes & ~tdx_caps->supported_attrs)) {
@@ -1087,4 +1185,5 @@  static void tdx_guest_class_init(ObjectClass *oc, void *data)
     x86_klass->kvm_type = tdx_kvm_type;
     x86_klass->cpu_instance_init = tdx_cpu_instance_init;
     x86_klass->adjust_cpuid_features = tdx_adjust_cpuid_features;
+    x86_klass->check_features = tdx_check_features;
 }

[v7,48/52] i386/tdx: Fetch and validate CPUID of TD guest

Commit Message

Patch