From patchwork Thu Jun 15 06:37:49 2023
X-Patchwork-Submitter: Alexey Kardashevskiy
X-Patchwork-Id: 13280747
From: Alexey Kardashevskiy
CC: Tom Lendacky, Sean Christopherson, Alexey Kardashevskiy, Carlos Bilbao, Santosh Shukla
Subject: [PATCH kernel 1/9] KVM: SEV: move set_dr_intercepts/clr_dr_intercepts from the header
Date: Thu, 15 Jun 2023 16:37:49 +1000
Message-ID: <20230615063757.3039121-2-aik@amd.com>
In-Reply-To: <20230615063757.3039121-1-aik@amd.com>
X-Mailing-List: kvm@vger.kernel.org

Static functions set_dr_intercepts() and clr_dr_intercepts() are only called from SVM so move them to .c.

No functional change intended.

Signed-off-by: Alexey Kardashevskiy
Reviewed-by: Carlos Bilbao
Reviewed-by: Tom Lendacky
Reviewed-by: Santosh Shukla
---
Changes:
v5:
* new in the series
---
 arch/x86/kvm/svm/svm.h | 42 --------------------
 arch/x86/kvm/svm/svm.c | 42 ++++++++++++++++++++
 2 files changed, 42 insertions(+), 42 deletions(-)

diff --git a/arch/x86/kvm/svm/svm.h b/arch/x86/kvm/svm/svm.h index f44751dd8d5d..a99f97a86c59 100644 --- a/arch/x86/kvm/svm/svm.h +++ b/arch/x86/kvm/svm/svm.h
@@ -405,48 +405,6 @@ static inline bool vmcb12_is_intercept(struct vmcb_ctrl_area_cached *control, u3 return test_bit(bit, (unsigned long *)&control->intercepts); } -static inline void set_dr_intercepts(struct vcpu_svm *svm) -{ - struct vmcb *vmcb = svm->vmcb01.ptr; - - if (!sev_es_guest(svm->vcpu.kvm)) { - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR0_READ); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR1_READ); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR2_READ); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR3_READ); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR4_READ); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR5_READ); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR6_READ); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR0_WRITE); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR1_WRITE); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR2_WRITE); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR3_WRITE); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR4_WRITE); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR5_WRITE); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR6_WRITE); - } - - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR7_READ); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR7_WRITE); - - recalc_intercepts(svm); -} - -static inline void clr_dr_intercepts(struct vcpu_svm *svm) -{ - struct vmcb *vmcb = svm->vmcb01.ptr; - - vmcb->control.intercepts[INTERCEPT_DR] = 0; - - /* DR7 access must remain intercepted for an SEV-ES guest */ - if (sev_es_guest(svm->vcpu.kvm)) { - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR7_READ); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR7_WRITE); - } - - recalc_intercepts(svm); -} - static inline void set_exception_intercept(struct vcpu_svm *svm, u32 bit) { struct vmcb *vmcb = svm->vmcb01.ptr; diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index 54089f990c8f..980faf460bfe 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c 
@@ -690,6 +690,48 @@ static int svm_cpu_init(int cpu) } +static void set_dr_intercepts(struct vcpu_svm *svm) +{ + struct vmcb *vmcb = svm->vmcb01.ptr; + + if (!sev_es_guest(svm->vcpu.kvm)) { + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR0_READ); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR1_READ); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR2_READ); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR3_READ); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR4_READ); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR5_READ); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR6_READ); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR0_WRITE); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR1_WRITE); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR2_WRITE); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR3_WRITE); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR4_WRITE); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR5_WRITE); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR6_WRITE); + } + + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR7_READ); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR7_WRITE); + + recalc_intercepts(svm); +} + +static void clr_dr_intercepts(struct vcpu_svm *svm) +{ + struct vmcb *vmcb = svm->vmcb01.ptr; + + vmcb->control.intercepts[INTERCEPT_DR] = 0; + + /* DR7 access must remain intercepted for an SEV-ES guest */ + if (sev_es_guest(svm->vcpu.kvm)) { + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR7_READ); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR7_WRITE); + } + + recalc_intercepts(svm); +} + static int direct_access_msr_slot(u32 msr) { u32 i;
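Review bot: in the svm.c hunk, set_dr_intercepts() and clr_dr_intercepts() come back as `static void` where the svm.h versions were `static inline void`, and the commit message says "No functional change intended" without mentioning that `inline` was dropped; add a sentence to the message saying so. The definitions are inserted right after svm_cpu_init(), so please confirm that every caller in svm.c sits below that point, otherwise a forward declaration is needed. Because the svm.h removal makes both helpers file-local, it would also help to word the message as "only called from svm.c" so the claim can be checked with a grep.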
From: Alexey Kardashevskiy
CC: Tom Lendacky, Sean Christopherson, Alexey Kardashevskiy, Carlos Bilbao, Santosh Shukla
Subject: [PATCH kernel 2/9] KVM: SEV: Move SEV's GP_VECTOR intercept setup to SEV
Date: Thu, 15 Jun 2023 16:37:50 +1000
Message-ID: <20230615063757.3039121-3-aik@amd.com>
In-Reply-To: <20230615063757.3039121-1-aik@amd.com>

Currently SVM setup is done sequentially in init_vmcb() -> sev_init_vmcb() -> sev_es_init_vmcb() and tries keeping SVM/SEV/SEV-ES bits separated. One of the exceptions is #GP intercept which init_vmcb() skips setting for SEV guests and then sev_es_init_vmcb() needlessly clears it.

Remove the SEV check from init_vmcb(). Clear the #GP intercept in sev_init_vmcb(). SEV-ES will use the SEV setting.

No functional change intended.

Suggested-by: Sean Christopherson
Signed-off-by: Alexey Kardashevskiy
Reviewed-by: Carlos Bilbao
Reviewed-by: Tom Lendacky
Reviewed-by: Santosh Shukla
---
Changes:
v5:
* new in the series
---
 arch/x86/kvm/svm/sev.c | 9 ++++++---
 arch/x86/kvm/svm/svm.c | 5 ++---
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 69ae5e1b3120..c03bd063aecf 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -2971,9 +2971,6 @@ static void sev_es_init_vmcb(struct vcpu_svm *svm) svm_set_intercept(svm, TRAP_CR4_WRITE); svm_set_intercept(svm, TRAP_CR8_WRITE); - /* No support for enable_vmware_backdoor */ - clr_exception_intercept(svm, GP_VECTOR); - /* Can't intercept XSETBV, HV can't modify XCR0 directly */ svm_clr_intercept(svm, INTERCEPT_XSETBV); @@ -2999,6 +2996,12 @@ void sev_init_vmcb(struct vcpu_svm *svm) svm->vmcb->control.nested_ctl |= SVM_NESTED_CTL_SEV_ENABLE; clr_exception_intercept(svm, UD_VECTOR); + /* + * Don't intercept #GP for SEV guests, e.g. for the VMware backdoor, as + * KVM can't decrypt guest memory to decode the faulting instruction. + */ + clr_exception_intercept(svm, GP_VECTOR); + if (sev_es_guest(svm->vcpu.kvm)) sev_es_init_vmcb(svm); }
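Review bot: in sev_init_vmcb(), the added `clr_exception_intercept(svm, GP_VECTOR);` only does its job if it runs after init_vmcb() has already called `set_exception_intercept(svm, GP_VECTOR)`, and the new comment does not record that ordering dependency. Extend the comment to say it overrides the intercept that init_vmcb() sets under enable_vmware_backdoor, so that a later reshuffle of the init sequence cannot quietly leave #GP intercepted for guests whose memory KVM cannot decrypt. Placing the clear ahead of the `if (sev_es_guest(svm->vcpu.kvm))` call is what lets the sev_es_init_vmcb() removal stand, which is worth a word in the comment too.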
diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index 980faf460bfe..9c1b191aed4b 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c 
@@ -1256,10 +1256,9 @@ static void init_vmcb(struct kvm_vcpu *vcpu) * Guest access to VMware backdoor ports could legitimately * trigger #GP because of TSS I/O permission bitmap. * We intercept those #GP and allow access to them anyway - * as VMware does. Don't intercept #GP for SEV guests as KVM can't - * decrypt guest memory to decode the faulting instruction. + * as VMware does. */ - if (enable_vmware_backdoor && !sev_guest(vcpu->kvm)) + if (enable_vmware_backdoor) set_exception_intercept(svm, GP_VECTOR); svm_set_intercept(svm, INTERCEPT_INTR);
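Review bot: in init_vmcb(), with `&& !sev_guest(vcpu->kvm)` removed the branch `if (enable_vmware_backdoor)` now sets the #GP intercept for SEV guests as well, and the trimmed comment no longer tells a reader of this function that SEV is exempt. Keep a one-line pointer in the comment that sev_init_vmcb() clears the intercept again for SEV guests, so the exemption can still be found from here. It would also be worth stating in the commit message that, for an SEV guest with enable_vmware_backdoor set, the intercept is now briefly set and then cleared during init rather than never set.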
From: Alexey Kardashevskiy
CC: Tom Lendacky, Sean Christopherson, Alexey Kardashevskiy
Subject: [PATCH kernel 3/9] KVM: SVM: Rewrite sev_es_prepare_switch_to_guest()'s comment about swap types
Date: Thu, 15 Jun 2023 16:37:51 +1000
Message-ID: <20230615063757.3039121-4-aik@amd.com>
In-Reply-To: <20230615063757.3039121-1-aik@amd.com>

From: Sean Christopherson

Rewrite the comment(s) in sev_es_prepare_switch_to_guest() to explain the swap types employed by the CPU for SEV-ES guests, i.e. to explain why KVM needs to save a seemingly random subset of host state, and to provide a decoder for the APM's Type-A/B/C terminology.

Signed-off-by: Sean Christopherson
Signed-off-by: Alexey Kardashevskiy
---
Changes:
v6:
* new to the series
---
 arch/x86/kvm/svm/sev.c | 25 ++++++++++++--------
 1 file changed, 15 insertions(+), 10 deletions(-)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index c03bd063aecf..36fe2fcb4698 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c
@@ -3020,19 +3020,24 @@ void sev_es_vcpu_reset(struct vcpu_svm *svm) void sev_es_prepare_switch_to_guest(struct sev_es_save_area *hostsa) { /* - * As an SEV-ES guest, hardware will restore the host state on VMEXIT, - * of which one step is to perform a VMLOAD. KVM performs the - * corresponding VMSAVE in svm_prepare_guest_switch for both - * traditional and SEV-ES guests. + * All host state for SEV-ES guests is categorized into three swap types + * based on how it is handled by hardware during a world switch: + * + * A: VMRUN: Host state saved in host save area + * VMEXIT: Host state loaded from host save area + * + * B: VMRUN: Host state _NOT_ saved in host save area + * VMEXIT: Host state loaded from host save area + * + * C: VMRUN: Host state _NOT_ saved in host save area + * VMEXIT: Host state initialized to default(reset) values + * + * Manually save type-B state, i.e. state that is loaded by VMEXIT but + * isn't saved by VMRUN, that isn't already saved by VMSAVE (performed + * by common SVM code). 
*/ - - /* XCR0 is restored on VMEXIT, save the current host value */ hostsa->xcr0 = xgetbv(XCR_XFEATURE_ENABLED_MASK); - - /* PKRU is restored on VMEXIT, save the current host value */ hostsa->pkru = read_pkru(); - - /* MSR_IA32_XSS is restored on VMEXIT, save the currnet host value */ hostsa->xss = host_xss; }
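Review bot: the three per-field comments removed at the end of this hunk were the only text tying xcr0, pkru and xss to "restored on VMEXIT", and the new block comment defines types A/B/C without saying which type those three saved fields belong to. Name them in the closing paragraph, for example by turning "Manually save type-B state, i.e. state that is loaded by VMEXIT ..." into a sentence that lists XCR0, PKRU and XSS, so the next field added to sev_es_save_area handling can be classified against an explicit list. Minor style point in the type-C line: `default(reset)` is missing a space before the parenthesis.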
From: Alexey Kardashevskiy
To:
CC: , , Tom Lendacky , Sean Christopherson , "Alexey Kardashevskiy"
Subject: [PATCH kernel 4/9] KVM: SEV-ES: explicitly disable debug
Date: Thu, 15 Jun 2023 16:37:52 +1000
Message-ID: <20230615063757.3039121-5-aik@amd.com>
In-Reply-To: <20230615063757.3039121-1-aik@amd.com>
References: <20230615063757.3039121-1-aik@amd.com>
X-Mailing-List: kvm@vger.kernel.org

SVM/SEV enable debug registers intercepts to skip swapping DRs
on entering/exiting the guest. When the guest is in control of
debug registers (vcpu->guest_debug == 0), there is an optimisation to
reduce the number of context switches: intercepts are cleared and
the KVM_DEBUGREG_WONT_EXIT flag is set to tell KVM to do swapping
on guest enter/exit.

The same code also executes for SEV-ES, however it has no effect as
- it always takes (vcpu->guest_debug == 0) branch;
- KVM_DEBUGREG_WONT_EXIT is set but DR7 intercept is not cleared;
- vcpu_enter_guest() writes DRs but VMRUN for SEV-ES swaps them
  with the values from _encrypted_ VMSA.

Be explicit about SEV-ES not supporting debug:
- return right away from dr_interception() and skip unnecessary processing;
- return an error right away from the KVM_SEV_LAUNCH_UPDATE_VMSA handler
  if debugging was already enabled. KVM_SET_GUEST_DEBUG are failing already
  after KVM_SEV_LAUNCH_UPDATE_VMSA is finished due to
  vcpu->arch.guest_state_protected set to true.

Add WARN_ON to kvm_x86::sync_dirty_debug_regs() (saves guest DRs on
guest exit) to signify that SEV-ES won't hit that path.

Suggested-by: Sean Christopherson
Signed-off-by: Alexey Kardashevskiy
---
Changes:
v6:
* fail in LAUNCH_UPDATE_VMSA instead of clearing the flag
* pr_warn_ratelimited -> pr_warn_once
* due to the rework, removed Tom's "rb"

v5:
* new in the series
---
arch/x86/kvm/svm/sev.c | 5 +++++
arch/x86/kvm/svm/svm.c | 9 ++++++++-
2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 36fe2fcb4698..981286359b72 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c
@@ -619,6 +619,11 @@ static int __sev_launch_update_vmsa(struct kvm *kvm, struct kvm_vcpu *vcpu, struct vcpu_svm *svm = to_svm(vcpu); int ret; + if (vcpu->guest_debug) { + pr_warn_once("KVM_SET_GUEST_DEBUG for SEV-ES guest is not supported"); + return -EINVAL; + } + /* Perform some pre-encryption checks against the VMSA */ ret = sev_es_sync_vmsa(svm); if (ret) diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index 9c1b191aed4b..bec6fb82f494 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -1996,7 +1996,7 @@ static void svm_sync_dirty_debug_regs(struct kvm_vcpu *vcpu) { struct vcpu_svm *svm = to_svm(vcpu); - if (vcpu->arch.guest_state_protected) + if (WARN_ON_ONCE(sev_es_guest(vcpu->kvm))) return; get_debugreg(vcpu->arch.db[0], 0); 
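Review bot: the string passed to pr_warn_once() in __sev_launch_update_vmsa() has no trailing "\n", so the message can be held back or glued to the next printk; terminate it with a newline. Because it is a _once warning, only the first rejected vCPU on the host is logged and every later VM that reaches this check gets a bare -EINVAL with nothing in the log, so the new failure of KVM_SEV_LAUNCH_UPDATE_VMSA when guest_debug is set should also be documented for userspace.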
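Review bot: in svm_sync_dirty_debug_regs() the bail-out condition is widened from vcpu->arch.guest_state_protected to sev_es_guest(vcpu->kvm) and wrapped in WARN_ON_ONCE(), but nothing at the check explains why the path is unreachable. sev_es_guest() describes the VM rather than the vCPU's protected state, so the warning now also covers the window before LAUNCH_UPDATE_VMSA sets guest_state_protected, and it stays silent only as long as nothing sets KVM_DEBUGREG_WONT_EXIT for an SEV-ES vCPU, which rests on the early return this patch adds to dr_interception(). Please put that dependency in a comment above the check, since a reachable WARN is a host problem under panic_on_warn, and align the commit message, which says WARN_ON while the code uses WARN_ON_ONCE.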
@@ -2727,6 +2727,13 @@ static int dr_interception(struct kvm_vcpu *vcpu) unsigned long val; int err = 0; + /* + * SEV-ES intercepts DR7 only to disable guest debugging and the guest issues a VMGEXIT + * for DR7 write only. KVM cannot change DR7 (always swapped as type 'A') so return early. + */ + if (sev_es_guest(vcpu->kvm)) + return 1; + if (vcpu->guest_debug == 0) { /* * No more DR vmexits; force a reload of the debug registers

From patchwork Thu Jun 15 06:37:53 2023
X-Patchwork-Submitter: Alexey Kardashevskiy
X-Patchwork-Id: 13280751
From: Alexey Kardashevskiy
To:
CC: , , Tom Lendacky , Sean Christopherson , "Alexey Kardashevskiy" , Santosh Shukla
Subject: [PATCH kernel 5/9] KVM: SVM/SEV/SEV-ES: Rework intercepts
Date: Thu, 15 Jun 2023 16:37:53 +1000
Message-ID: <20230615063757.3039121-6-aik@amd.com>
In-Reply-To: <20230615063757.3039121-1-aik@amd.com>
References: <20230615063757.3039121-1-aik@amd.com>
X-Mailing-List: kvm@vger.kernel.org

Currently SVM setup is done sequentially in
init_vmcb() -> sev_init_vmcb() -> sev_es_init_vmcb()
and tries keeping SVM/SEV/SEV-ES bits separated. One of the exceptions
is DR intercepts which is for SEV-ES before sev_es_init_vmcb() runs.

Move the SEV-ES intercept setup to sev_es_init_vmcb(). From now on
set_dr_intercepts()/clr_dr_intercepts() handle SVM/SEV only.

Extend the comment about intercepting DR7 which is to prevent the CPU
from getting stuck in an infinite #DB loop as described in
https://bugzilla.redhat.com/show_bug.cgi?id=1278496

No functional change intended.

Suggested-by: Sean Christopherson
Signed-off-by: Alexey Kardashevskiy
Reviewed-by: Santosh Shukla
Reviewed-by: Tom Lendacky
---
Changes:
v6:
* updated the commit log
* updated the DR7 intercept comment in the code

v5:
* updated the comments
* removed sev_es_guest() checks from set_dr_intercepts()/clr_dr_intercepts()
* removed remaining intercepts from clr_dr_intercepts()
---
arch/x86/kvm/svm/sev.c | 11 ++++++
arch/x86/kvm/svm/svm.c | 37 ++++++++------------
2 files changed, 25 insertions(+), 23 deletions(-)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 981286359b72..744bcc2e6a05 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -2948,6 +2948,7 @@ int sev_es_string_io(struct vcpu_svm *svm, int size, unsigned int port, int in) static void sev_es_init_vmcb(struct vcpu_svm *svm) { + struct vmcb *vmcb = svm->vmcb01.ptr; struct kvm_vcpu *vcpu = &svm->vcpu; svm->vmcb->control.nested_ctl |= SVM_NESTED_CTL_SEV_ES_ENABLE; 
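Review bot: sev_es_init_vmcb() gains a local vmcb that points at svm->vmcb01.ptr while the statement directly below it still goes through svm->vmcb (svm->vmcb->control.nested_ctl |= ...), and nothing says why the two differ. Two spellings of "the VMCB" in one function make it easy to write an intercept to the wrong one later; add a one-line comment that the DR intercepts are programmed in vmcb01 to match set_dr_intercepts()/clr_dr_intercepts(), or, if the svm_set_intercept() helper this function already uses for TRAP_CR8_WRITE accepts the DR7 bits, use it and drop the local.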
@@ -2976,6 +2977,16 @@ static void sev_es_init_vmcb(struct vcpu_svm *svm) svm_set_intercept(svm, TRAP_CR4_WRITE); svm_set_intercept(svm, TRAP_CR8_WRITE); + /* + * DR7 access must remain intercepted for an SEV-ES guest to disallow + * the guest kernel set up a #DB on memory that's needed to vector a #DB + * as otherwise the CPU gets stuck in an infinite #DB loop. + */ + vmcb->control.intercepts[INTERCEPT_DR] = 0; + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR7_READ); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR7_WRITE); + recalc_intercepts(svm); + /* Can't intercept XSETBV, HV can't modify XCR0 directly */ svm_clr_intercept(svm, INTERCEPT_XSETBV); diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index bec6fb82f494..1df99e9f8655 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c 
@@ -694,23 +694,20 @@ static void set_dr_intercepts(struct vcpu_svm *svm) { struct vmcb *vmcb = svm->vmcb01.ptr; - if (!sev_es_guest(svm->vcpu.kvm)) { - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR0_READ); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR1_READ); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR2_READ); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR3_READ); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR4_READ); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR5_READ); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR6_READ); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR0_WRITE); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR1_WRITE); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR2_WRITE); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR3_WRITE); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR4_WRITE); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR5_WRITE); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR6_WRITE); - } - + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR0_READ); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR1_READ); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR2_READ); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR3_READ); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR4_READ); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR5_READ); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR6_READ); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR0_WRITE); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR1_WRITE); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR2_WRITE); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR3_WRITE); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR4_WRITE); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR5_WRITE); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR6_WRITE); vmcb_set_intercept(&vmcb->control, INTERCEPT_DR7_READ); vmcb_set_intercept(&vmcb->control, INTERCEPT_DR7_WRITE); 
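Review bot: with the !sev_es_guest() guard removed from set_dr_intercepts(), a call made for an SEV-ES vCPU now sets the DR0-DR6 intercepts too, and nothing in the function records the "SVM/SEV only" contract that the commit message states. "No functional change intended" holds only because sev_es_init_vmcb() runs afterwards and zeroes intercepts[INTERCEPT_DR], and because dr_interception() returns early for SEV-ES; please state that ordering dependency in a comment above set_dr_intercepts() and clr_dr_intercepts() so a later caller does not silently re-enable DR intercepts on an SEV-ES guest.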
@@ -723,12 +720,6 @@ static void clr_dr_intercepts(struct vcpu_svm *svm) vmcb->control.intercepts[INTERCEPT_DR] = 0; - /* DR7 access must remain intercepted for an SEV-ES guest */ - if (sev_es_guest(svm->vcpu.kvm)) { - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR7_READ); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR7_WRITE); - } - recalc_intercepts(svm); }

From patchwork Thu Jun 15 06:37:54 2023
X-Patchwork-Submitter: Alexey Kardashevskiy
X-Patchwork-Id: 13280781
From: Alexey Kardashevskiy
To:
CC: , , Tom Lendacky , Sean Christopherson , "Alexey Kardashevskiy"
Subject: [PATCH kernel 6/9] KVM: SEV: Enable data breakpoints in SEV-ES
Date: Thu, 15 Jun 2023 16:37:54 +1000
Message-ID: <20230615063757.3039121-7-aik@amd.com>
In-Reply-To: <20230615063757.3039121-1-aik@amd.com>
References: <20230615063757.3039121-1-aik@amd.com>
X-Mailing-List: kvm@vger.kernel.org

Add support for "DebugSwap for SEV-ES guests", which provides support
for swapping DR[0-3] and DR[0-3]_ADDR_MASK on VMRUN and VMEXIT, i.e.
allows KVM to expose debug capabilities to SEV-ES guests. Without
DebugSwap support, the CPU doesn't save/load most _guest_ debug
registers (except DR6/7), and KVM cannot manually context switch guest
DRs due to the VMSA being encrypted.

Enable DebugSwap if and only if the CPU also supports NoNestedDataBp,
which causes the CPU to ignore nested #DBs, i.e. #DBs that occur when
vectoring a #DB. Without NoNestedDataBp, a malicious guest can DoS
the host by putting the CPU into an infinite loop of vectoring #DBs
(see https://bugzilla.redhat.com/show_bug.cgi?id=1278496)

Set the features bit in sev_es_sync_vmsa() which is the last point
when VMSA is not encrypted yet as sev_(es_)init_vmcb() (where the most
init happens) is called not only when VCPU is initialised but also on
intrahost migration when VMSA is encrypted.

Eliminate DR7 intercepts as KVM can't modify guest DR7, and intercepting
DR7 would completely defeat the purpose of enabling DebugSwap.

Make X86_FEATURE_DEBUG_SWAP appear in /proc/cpuinfo (by not adding "")
to let the operator know if the VM can debug.

Signed-off-by: Alexey Kardashevskiy
---
Changes:
v6:
* rewrote the commit log as suggested by Sean
* clr_exception_intercept(#DB) moved to a separate patch (next to this)
* updated tools/arch/x86/include/asm/cpufeatures.h

(old versions from when this was a single patch, ignore?)
v9:
* changed the commit log to one from Sean
* moved #DB intercept handling later in the series

v5:
* added CPUID's DebugSwap feature
* commit log, comments updated
* redid the whole thing

v4:
* removed sev_es_is_debug_swap_enabled() helper
* made sev_es_debug_swap_enabled (module param) static
* set sev_feature early in sev_es_init_vmcb() and made intercepts
  dependent on it vs. module param
* move set_/clr_dr_intercepts to .c

v3:
* rewrote the commit log again
* rebased on tip/master to use recently defined X86_FEATURE_NO_NESTED_DATA_BP
* s/boot_cpu_has/cpu_feature_enabled/

v2:
* debug_swap moved from vcpu to module_param
* rewrote commit log

---
Tested with:
===
int x;
int main(int argc, char *argv[])
{
	x = 1;
	return 0;
}
===
gcc -g a.c
rsync a.out ruby-954vm:~/
ssh -t ruby-954vm 'gdb -ex "file a.out" -ex "watch x" -ex r'

where ruby-954vm is a VM.

With "/sys/module/kvm_amd/parameters/debug_swap = 0", gdb does not stop
on the watchpoint, with "= 1" - gdb does.
---
arch/x86/include/asm/cpufeatures.h | 1 +
arch/x86/include/asm/svm.h | 1 +
tools/arch/x86/include/asm/cpufeatures.h | 1 +
arch/x86/kvm/svm/sev.c | 37 ++++++++++++++++++--
4 files changed, 37 insertions(+), 3 deletions(-)

diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h index cb8ca46213be..31c862d79fae 100644 --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h 
@@ -434,6 +434,7 @@ #define X86_FEATURE_SEV_ES (19*32+ 3) /* AMD Secure Encrypted Virtualization - Encrypted State */ #define X86_FEATURE_V_TSC_AUX (19*32+ 9) /* "" Virtual TSC_AUX */ #define X86_FEATURE_SME_COHERENT (19*32+10) /* "" AMD hardware-enforced cache coherency */ +#define X86_FEATURE_DEBUG_SWAP (19*32+14) /* AMD SEV-ES full debug state swap support */ /* AMD-defined Extended Feature 2 EAX, CPUID level 0x80000021 (EAX), word 20 */ #define X86_FEATURE_NO_NESTED_DATA_BP (20*32+ 0) /* "" No Nested Data Breakpoints */ diff --git a/arch/x86/include/asm/svm.h b/arch/x86/include/asm/svm.h index e7c7379d6ac7..72ebd5e4e975 100644 --- a/arch/x86/include/asm/svm.h +++ b/arch/x86/include/asm/svm.h @@ -288,6 +288,7 @@ static_assert((X2AVIC_MAX_PHYSICAL_ID & AVIC_PHYSICAL_MAX_INDEX_MASK) == X2AVIC_ #define AVIC_HPA_MASK ~((0xFFFULL << 52) | 0xFFF) +#define SVM_SEV_FEAT_DEBUG_SWAP BIT(5) struct vmcb_seg { u16 selector; diff --git a/tools/arch/x86/include/asm/cpufeatures.h b/tools/arch/x86/include/asm/cpufeatures.h index cb8ca46213be..31c862d79fae 100644 --- a/tools/arch/x86/include/asm/cpufeatures.h +++ b/tools/arch/x86/include/asm/cpufeatures.h @@ -434,6 +434,7 @@ #define X86_FEATURE_SEV_ES (19*32+ 3) /* AMD Secure Encrypted Virtualization - Encrypted State */ #define X86_FEATURE_V_TSC_AUX (19*32+ 9) /* "" Virtual TSC_AUX */ #define X86_FEATURE_SME_COHERENT (19*32+10) /* "" AMD hardware-enforced cache coherency */ +#define X86_FEATURE_DEBUG_SWAP (19*32+14) /* AMD SEV-ES full debug state swap support */ /* AMD-defined Extended Feature 2 EAX, CPUID level 0x80000021 (EAX), word 20 */ #define X86_FEATURE_NO_NESTED_DATA_BP (20*32+ 0) /* "" No Nested Data Breakpoints */ diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 744bcc2e6a05..abc502ce7871 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -23,6 +23,7 @@ #include #include #include +#include #include "mmu.h" #include "x86.h" 
@@ -54,9 +55,14 @@ module_param_named(sev, sev_enabled, bool, 0444); /* enable/disable SEV-ES support */ static bool sev_es_enabled = true; module_param_named(sev_es, sev_es_enabled, bool, 0444); + +/* enable/disable SEV-ES DebugSwap support */ +static bool sev_es_debug_swap_enabled = true; +module_param_named(debug_swap, sev_es_debug_swap_enabled, bool, 0444); #else #define sev_enabled false #define sev_es_enabled false +#define sev_es_debug_swap_enabled false #endif /* CONFIG_KVM_AMD_SEV */ static u8 sev_enc_bit; @@ -606,6 +612,9 @@ static int sev_es_sync_vmsa(struct vcpu_svm *svm) save->xss = svm->vcpu.arch.ia32_xss; save->dr6 = svm->vcpu.arch.dr6; + if (sev_es_debug_swap_enabled) + save->sev_features |= SVM_SEV_FEAT_DEBUG_SWAP; + pr_debug("Virtual Machine Save Area (VMSA):\n"); print_hex_dump_debug("", DUMP_PREFIX_NONE, 16, 1, save, sizeof(*save), false); @@ -2258,6 +2267,9 @@ void __init sev_hardware_setup(void) out: sev_enabled = sev_supported; sev_es_enabled = sev_es_supported; + if (!sev_es_enabled || !cpu_feature_enabled(X86_FEATURE_DEBUG_SWAP) || + !cpu_feature_enabled(X86_FEATURE_NO_NESTED_DATA_BP)) + sev_es_debug_swap_enabled = false; #endif } 
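Review bot: in sev_es_sync_vmsa() the SVM_SEV_FEAT_DEBUG_SWAP bit is ORed into save->sev_features from a host-wide module parameter that defaults to true, so the contents of the VMSA that is about to be encrypted now depend on the host CPU and on how kvm_amd was loaded, without userspace having asked for the feature. Anyone who reconstructs the expected VMSA, for example to check an attestation result, has to learn the value out of band from /sys/module/kvm_amd/parameters/debug_swap; please document that next to the parameter, or make the feature a per-VM opt-in.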
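Review bot: the condition added to sev_hardware_setup() carries no comment, although the X86_FEATURE_NO_NESTED_DATA_BP test is the security-relevant half of it: per the commit message, DebugSwap without it lets a guest put the CPU into an endless loop of vectoring #DBs. That rationale should sit above the if, so nobody later relaxes the check to X86_FEATURE_DEBUG_SWAP alone. The parameter is also cleared silently when the CPU lacks either feature; a one-time pr_info would tell an operator who loaded the module with debug_swap=1 why it reads back as N.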
@@ -2978,14 +2990,17 @@ static void sev_es_init_vmcb(struct vcpu_svm *svm) svm_set_intercept(svm, TRAP_CR8_WRITE); /* + * Unless DebugSwap (depends on X86_FEATURE_NO_NESTED_DATA_BP) is enabled, * DR7 access must remain intercepted for an SEV-ES guest to disallow * the guest kernel set up a #DB on memory that's needed to vector a #DB * as otherwise the CPU gets stuck in an infinite #DB loop. */ vmcb->control.intercepts[INTERCEPT_DR] = 0; - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR7_READ); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR7_WRITE); - recalc_intercepts(svm); + if (!sev_es_debug_swap_enabled) { + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR7_READ); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR7_WRITE); + recalc_intercepts(svm); + } /* Can't intercept XSETBV, HV can't modify XCR0 directly */ svm_clr_intercept(svm, INTERCEPT_XSETBV); 
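Review bot: in sev_es_init_vmcb() the recalc_intercepts(svm) call moved inside the if (!sev_es_debug_swap_enabled) block, so when DebugSwap is enabled intercepts[INTERCEPT_DR] is zeroed in vmcb01 and nothing in this hunk propagates that change. If the svm_clr_intercept(svm, INTERCEPT_XSETBV) call that follows is what triggers the recalculation, say so in the comment; otherwise keep recalc_intercepts(svm) unconditional after the if, as it was in the previous patch.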
@@ -3055,6 +3070,22 @@ void sev_es_prepare_switch_to_guest(struct sev_es_save_area *hostsa) hostsa->xcr0 = xgetbv(XCR_XFEATURE_ENABLED_MASK); hostsa->pkru = read_pkru(); hostsa->xss = host_xss; + + /* + * If DebugSwap is enabled, debug registers are loaded but NOT saved by + * the CPU (Type-B). If DebugSwap is disabled/unsupported, the CPU both + * saves and loads debug registers (Type-A). + */ + if (sev_es_debug_swap_enabled) { + hostsa->dr0 = native_get_debugreg(0); + hostsa->dr1 = native_get_debugreg(1); + hostsa->dr2 = native_get_debugreg(2); + hostsa->dr3 = native_get_debugreg(3); + hostsa->dr0_addr_mask = amd_get_dr_addr_mask(0); + hostsa->dr1_addr_mask = amd_get_dr_addr_mask(1); + hostsa->dr2_addr_mask = amd_get_dr_addr_mask(2); + hostsa->dr3_addr_mask = amd_get_dr_addr_mask(3); + } } void sev_vcpu_deliver_sipi_vector(struct kvm_vcpu *vcpu, u8 vector)

From patchwork Thu Jun 15 06:37:55 2023
X-Patchwork-Submitter: Alexey Kardashevskiy
X-Patchwork-Id: 13280782
From: Alexey Kardashevskiy
CC: Tom Lendacky, Sean Christopherson, Alexey Kardashevskiy
Subject: [PATCH kernel 7/9] KVM: SEV-ES: Eliminate #DB intercept when DebugSwap enabled
Date: Thu, 15 Jun 2023 16:37:55 +1000
Message-ID: <20230615063757.3039121-8-aik@amd.com>
In-Reply-To: <20230615063757.3039121-1-aik@amd.com>
References: <20230615063757.3039121-1-aik@amd.com>
X-Mailing-List: kvm@vger.kernel.org

Disable #DB for SEV-ES guests when DebugSwap is enabled. There is no point in such intercept as KVM does not allow guest debug for SEV-ES guests.

Signed-off-by: Alexey Kardashevskiy
---
Changes: v6: * new to the series
---
arch/x86/kvm/svm/sev.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index abc502ce7871..9c43cbdab022 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c
@@ -3000,6 +3000,8 @@ static void sev_es_init_vmcb(struct vcpu_svm *svm) vmcb_set_intercept(&vmcb->control, INTERCEPT_DR7_READ); vmcb_set_intercept(&vmcb->control, INTERCEPT_DR7_WRITE); recalc_intercepts(svm); + } else { + clr_exception_intercept(svm, DB_VECTOR); } /* Can't intercept XSETBV, HV can't modify XCR0 directly */ From patchwork Thu Jun 15 06:37:56 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexey Kardashevskiy X-Patchwork-Id: 13280783 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 94450EB64D9 for ; Thu, 15 Jun 2023 06:47:59 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S244315AbjFOGr6 (ORCPT ); Thu, 15 Jun 2023 02:47:58 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53312 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233683AbjFOGrV (ORCPT ); Thu, 15 Jun 2023 02:47:21 -0400 Received: from NAM12-BN8-obe.outbound.protection.outlook.com (mail-bn8nam12on2061.outbound.protection.outlook.com [40.107.237.61]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 621813586; Wed, 14 Jun 2023 23:45:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=cFCt5uxmwH+hy/y4xDleHLM0bzCTP8pEcrXVhwt1v8dDueLDr3zHg1f6Cmm1yldOT1W98FCgRxgTCwRKCe3+0k+rVry+ce623zHuVvX8n0LVcuUSalZ+o1/i2beHRXj4S2cyglP/gc/Qqy4CbB3VWop1MyUQ+nNunrilosHYe6AWTlokeSsDGOVme3E4TBkKyjzs7oZMy9OWE59TI9TEOuLC0w84wWeeOj3W9oivbKBxo+DHasf/frhRPSWxpdmuPP4geRGCxHCFyE5X9ZH9jYHpJp5kYu65r5nPDeIsHoLGaLj9l67SX52dha6nlQ07tuzfheHFpnub4pmvPfPUag== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; 
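Review bot: the new else branch in sev_es_init_vmcb() clears the #DB intercept with no comment, and the condition it hangs off lies above the visible context, so the code alone does not say when or why the intercept is dropped. Please put the commit message's rationale (KVM does not allow guest debug for SEV-ES guests, so with DebugSwap the intercept serves no purpose) into a comment on `clr_exception_intercept(svm, DB_VECTOR);`. It is also worth confirming that no later exception-bitmap update sets DB_VECTOR again for these guests, because this function clears it only once at VMCB init.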
From: Alexey Kardashevskiy
CC: Tom Lendacky, Sean Christopherson, Alexey Kardashevskiy
Subject: [PATCH kernel 8/9] KVM: SVM: Don't defer NMI unblocking until next exit for SEV-ES guests
Date: Thu, 15 Jun 2023 16:37:56 +1000
Message-ID: <20230615063757.3039121-9-aik@amd.com>
In-Reply-To: <20230615063757.3039121-1-aik@amd.com>
References: <20230615063757.3039121-1-aik@amd.com>
SN1PEPF000252A1.namprd05.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL1PR12MB5269 Precedence: bulk List-ID: X-Mailing-List: kvm@vger.kernel.org From: Sean Christopherson Immediately mark NMIs as unmasked in response to #VMGEXIT(NMI complete) instead of setting awaiting_iret_completion and waiting until the *next* VM-Exit to unmask NMIs. The whole point of "NMI complete" is that the guest is responsible for telling the hypervisor when it's safe to inject an NMI, i.e. there's no need to wait. And because there's no IRET to single-step, the next VM-Exit could be a long time coming, i.e. KVM could incorrectly hold an NMI pending for far longer than what is required and expected. Opportunistically fix a stale reference to HF_IRET_MASK. Fixes: 916b54a7688b ("KVM: x86: Move HF_NMI_MASK and HF_IRET_MASK into "struct vcpu_svm"") Fixes: 4444dfe4050b ("KVM: SVM: Add NMI support for an SEV-ES guest") Cc: Tom Lendacky Signed-off-by: Sean Christopherson --- May be 916b54a7688b is not really necessary to mention to avoid triggering the stable kernel backporting bot? --- Changes: v6: * new to the series --- arch/x86/kvm/svm/sev.c | 5 ++++- arch/x86/kvm/svm/svm.c | 10 +++++----- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 9c43cbdab022..4a426feab1b8 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -2897,7 +2897,10 @@ int sev_handle_vmgexit(struct kvm_vcpu *vcpu) svm->sev_es.ghcb_sa); break; case SVM_VMGEXIT_NMI_COMPLETE: - ret = svm_invoke_exit_handler(vcpu, SVM_EXIT_IRET); + ++vcpu->stat.nmi_window_exits; + svm->nmi_masked = false; + kvm_make_request(KVM_REQ_EVENT, vcpu); + ret = 1; break; case SVM_VMGEXIT_AP_HLT_LOOP: ret = kvm_emulate_ap_reset_hold(vcpu); diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index 1df99e9f8655..52f1d88e82a0 100644 
--- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -2548,12 +2548,13 @@ static int iret_interception(struct kvm_vcpu *vcpu) { struct vcpu_svm *svm = to_svm(vcpu); + WARN_ON_ONCE(sev_es_guest(vcpu->kvm)); + ++vcpu->stat.nmi_window_exits; svm->awaiting_iret_completion = true; svm_clr_iret_intercept(svm); - if (!sev_es_guest(vcpu->kvm)) - svm->nmi_iret_rip = kvm_rip_read(vcpu); + svm->nmi_iret_rip = kvm_rip_read(vcpu); kvm_make_request(KVM_REQ_EVENT, vcpu); return 1; 
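Review bot: in iret_interception() the new `WARN_ON_ONCE(sev_es_guest(vcpu->kvm));` only reports the unexpected case; the function then still sets awaiting_iret_completion and, now unconditionally, records `kvm_rip_read(vcpu)` for a guest whose register state KVM cannot read. Since the svm_complete_interrupts() hunk drops the sev_es_guest() escape, an SEV-ES vCPU that did get here would have NMI unmasking depend on that RIP comparison. Either return early when the warning fires or add a comment pointing at what guarantees the IRET intercept is never armed for SEV-ES; nothing in the visible lines shows that guarantee.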
@@ -3972,12 +3973,11 @@ static void svm_complete_interrupts(struct kvm_vcpu *vcpu) svm->soft_int_injected = false; /* - * If we've made progress since setting HF_IRET_MASK, we've + * If we've made progress since setting awaiting_iret_completion, we've * executed an IRET and can allow NMI injection. */ if (svm->awaiting_iret_completion && - (sev_es_guest(vcpu->kvm) || - kvm_rip_read(vcpu) != svm->nmi_iret_rip)) { + kvm_rip_read(vcpu) != svm->nmi_iret_rip) { svm->awaiting_iret_completion = false; svm->nmi_masked = false; kvm_make_request(KVM_REQ_EVENT, vcpu); From patchwork Thu Jun 15 06:37:57 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexey Kardashevskiy X-Patchwork-Id: 13280784 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5F6CAEB64D9 for ; Thu, 15 Jun 2023 06:48:05 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S244342AbjFOGsB (ORCPT ); Thu, 15 Jun 2023 02:48:01 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53330 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S243833AbjFOGr1 (ORCPT ); Thu, 15 Jun 2023 02:47:27 -0400 Received: from NAM10-BN7-obe.outbound.protection.outlook.com (mail-bn7nam10on2058.outbound.protection.outlook.com [40.107.92.58]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F07652D73; Wed, 14 Jun 2023 23:45:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; 
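Review bot: in the SVM_VMGEXIT_NMI_COMPLETE case of sev_handle_vmgexit(), `svm->nmi_masked = false;` and `++vcpu->stat.nmi_window_exits;` now run on every guest-issued "NMI complete", with no check that an NMI was in fact masked. The guest chooses when to issue this VMGEXIT, so a short comment should state that unmasking on an unsolicited request is harmless, and the counter should either be bumped only when nmi_masked was set or be documented as guest-influenced. The case also has no comment explaining why it no longer goes through the SVM_EXIT_IRET handler; one line referring to the "no IRET to single-step" reasoning from the commit message would keep that visible in the code.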
From: Alexey Kardashevskiy
CC: Tom Lendacky, Sean Christopherson, Alexey Kardashevskiy
Subject: [PATCH kernel 9/9] KVM: SVM: Don't try to pointlessly single-step SEV-ES guests for NMI window
Date: Thu, 15 Jun 2023 16:37:57 +1000
Message-ID: <20230615063757.3039121-10-aik@amd.com>
In-Reply-To: <20230615063757.3039121-1-aik@amd.com>
References: <20230615063757.3039121-1-aik@amd.com>
SN1PEPF000252A1.namprd05.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM4PR12MB6397 Precedence: bulk List-ID: X-Mailing-List: kvm@vger.kernel.org From: Sean Christopherson Bail early from svm_enable_nmi_window() for SEV-ES guests without trying to enable single-step of the guest, as single-stepping an SEV-ES guest is impossible and the guest is responsible for *telling* KVM when it is ready for an new NMI to be injected. Functionally, setting TF and RF in svm->vmcb->save.rflags is benign as the field is ignored by hardware, but it's all kinds of confusing. Signed-off-by: Sean Christopherson [aik: removed the clause about "KVM suppresses EFER.SVME (see efer_trap())"] Signed-off-by: Alexey Kardashevskiy --- Changes: v6: * new to the series --- arch/x86/kvm/svm/svm.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index 52f1d88e82a0..c9837a8667b7 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -3824,6 +3824,19 @@ static void svm_enable_nmi_window(struct kvm_vcpu *vcpu) if (svm_get_nmi_mask(vcpu) && !svm->awaiting_iret_completion) return; /* IRET will cause a vm exit */ + /* + * SEV-ES guests are responsible for signaling when a vCPU is ready to + * receive a new NMI, as SEV-ES guests can't be single-stepped, i.e. + * KVM can't intercept and single-step IRET to detect when NMIs are + * unblocked (architecturally speaking). See SVM_VMGEXIT_NMI_COMPLETE. + * + * Note, GIF is guaranteed to be '1' for SEV-ES guests as hardware + * ignores SEV-ES guest writes to EFER.SVME *and* CLGI/STGI are not + * supported NAEs in the GHCB protocol. + */ + if (sev_es_guest(vcpu->kvm)) + return; + if (!gif_set(svm)) { if (vgif) svm_set_intercept(svm, INTERCEPT_STGI);
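Review bot: in svm_enable_nmi_window() the new `if (sev_es_guest(vcpu->kvm)) return;` sits after the existing early return whose comment reads "IRET will cause a vm exit", a statement that does not hold for SEV-ES guests according to the comment this hunk adds. Consider moving the SEV-ES check above that test, or amending the older comment, so the function does not carry two contradictory explanations for the same guest type. The new comment's GIF paragraph justifies skipping the `gif_set()` path below; it would read more clearly if it said so directly, for example that the STGI intercept logic that follows is unreachable for SEV-ES by design.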