From patchwork Wed Apr 10 14:34:29 2024
X-Patchwork-Submitter: Chao Gao
X-Patchwork-Id: 13624654
From: Chao Gao
To: kvm@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: daniel.sneddon@linux.intel.com, pawan.kumar.gupta@linux.intel.com, Sean Christopherson, Chao Gao, Paolo Bonzini, Jonathan Corbet, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86@kernel.org, "H. Peter Anvin", linux-doc@vger.kernel.org
Subject: [RFC PATCH v3 01/10] KVM: VMX: Virtualize Intel IA32_SPEC_CTRL
Date: Wed, 10 Apr 2024 22:34:29 +0800
Message-Id: <20240410143446.797262-2-chao.gao@intel.com>
In-Reply-To: <20240410143446.797262-1-chao.gao@intel.com>
References: <20240410143446.797262-1-chao.gao@intel.com>

From: Daniel Sneddon

Currently KVM disables interception of IA32_SPEC_CTRL after a non-0 is written to IA32_SPEC_CTRL by guest. The guest is allowed to write any value directly to hardware. There is a tertiary control for IA32_SPEC_CTRL. This control allows for bits in IA32_SPEC_CTRL to be masked to prevent guests from changing those bits.

Add controls setting the mask for IA32_SPEC_CTRL and desired value for masked bits.

These new controls are especially helpful for protecting guests that don't know about BHI_DIS_S and that are running on hardware that supports it. This allows the hypervisor to set BHI_DIS_S to fully protect the guest.

Suggested-by: Sean Christopherson
Signed-off-by: Daniel Sneddon
Signed-off-by: Pawan Gupta
[ add a new ioctl to report supported bits. Fix the inverted check ]
Signed-off-by: Chao Gao
---
 Documentation/virt/kvm/api.rst | 39 +++++++++++++++++
 arch/x86/include/asm/kvm_host.h | 4 ++
 arch/x86/include/asm/vmx.h | 5 +++
 arch/x86/include/asm/vmxfeatures.h | 2 +
 arch/x86/kvm/vmx/capabilities.h | 5 +++
 arch/x86/kvm/vmx/vmx.c | 68 +++++++++++++++++++++++++++---
 arch/x86/kvm/vmx/vmx.h | 3 +-
 arch/x86/kvm/x86.c | 30 +++++++++++++
 arch/x86/kvm/x86.h | 1 +
 include/uapi/linux/kvm.h | 4 ++
 10 files changed, 155 insertions(+), 6 deletions(-)

diff --git a/Documentation/virt/kvm/api.rst b/Documentation/virt/kvm/api.rst index 0b5a33ee71ee..b6eeb1d6eb65 100644 --- a/Documentation/virt/kvm/api.rst +++ b/Documentation/virt/kvm/api.rst 
@@ -6352,6 +6352,19 @@ a single guest_memfd file, but the bound ranges must not overlap). See KVM_SET_USER_MEMORY_REGION2 for additional details. +4.143 KVM_GET_SUPPORTED_FORCE_SPEC_CTRL +--------------------------------------- + +:Capability: KVM_CAP_FORCE_SPEC_CTRL +:Architectures: x86 +:Type: vm ioctl +:Parameters: u64 supported_bitmask (out) +:Returns: 0 on success, -EFAULT if supported_bitmap cannot be accessed + +Returns a bitmask of SPEC_CTRL MSR bits which can be forced on. All bits can be +forced to 0 (i.e., prevent guest from setting it) even if KVM doesn't support +the bit. + 5. The kvm_run structure ======================== @@ -8063,6 +8076,32 @@ error/annotated fault. See KVM_EXIT_MEMORY_FAULT for more information. +7.35 KVM_CAP_FORCE_SPEC_CTRL +---------------------------- + +:Architectures: x86 +:Parameters: args[0] contains the bitmask to prevent guests from modifying those + bits + args[1] contains the desired value to set in IA32_SPEC_CTRL for the + masked bits +:Returns: 0 on success, -EINVAL if args[0] or args[1] contain invalid values + +This capability allows userspace to configure the value of IA32_SPEC_CTRL and +what bits the VM can and cannot access. This is especially useful when a VM is +migrated to newer hardware with hardware based speculation mitigations not +provided to the VM previously. + +IA32_SPEC_CTRL virtualization works by introducing the IA32_SPEC_CTRL shadow +and mask fields. When a guest writes to IA32_SPEC_CTRL when it is virtualized +the value written is: + +(GUEST_WRMSR_VAL & ~MASK) | (REAL_MSR_VAL & MASK). + +No bit that is masked can be modified by the guest. + +The shadow field contains the value the guest wrote to the MSR and is what is +returned to the guest when the virtualized MSR is read. + 8. Other capabilities. ====================== diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h index 16e07a2eee19..8220414cf697 100644 --- a/arch/x86/include/asm/kvm_host.h 
+++ b/arch/x86/include/asm/kvm_host.h @@ -1404,6 +1404,10 @@ struct kvm_arch { u32 notify_window; u32 notify_vmexit_flags; + + u64 force_spec_ctrl_mask; + u64 force_spec_ctrl_value; + /* * If exit_on_emulation_error is set, and the in-kernel instruction * emulator fails to emulate an instruction, allow userspace diff --git a/arch/x86/include/asm/vmx.h b/arch/x86/include/asm/vmx.h index 4dba17363008..f65651a3898c 100644 --- a/arch/x86/include/asm/vmx.h +++ b/arch/x86/include/asm/vmx.h @@ -84,6 +84,7 @@ * Definitions of Tertiary Processor-Based VM-Execution Controls. */ #define TERTIARY_EXEC_IPI_VIRT VMCS_CONTROL_BIT(IPI_VIRT) +#define TERTIARY_EXEC_SPEC_CTRL_SHADOW VMCS_CONTROL_BIT(SPEC_CTRL_SHADOW) #define PIN_BASED_EXT_INTR_MASK VMCS_CONTROL_BIT(INTR_EXITING) #define PIN_BASED_NMI_EXITING VMCS_CONTROL_BIT(NMI_EXITING) @@ -236,6 +237,10 @@ enum vmcs_field { TERTIARY_VM_EXEC_CONTROL_HIGH = 0x00002035, PID_POINTER_TABLE = 0x00002042, PID_POINTER_TABLE_HIGH = 0x00002043, + IA32_SPEC_CTRL_MASK = 0x0000204A, + IA32_SPEC_CTRL_MASK_HIGH = 0x0000204B, + IA32_SPEC_CTRL_SHADOW = 0x0000204C, + IA32_SPEC_CTRL_SHADOW_HIGH = 0x0000204D, GUEST_PHYSICAL_ADDRESS = 0x00002400, GUEST_PHYSICAL_ADDRESS_HIGH = 0x00002401, VMCS_LINK_POINTER = 0x00002800, diff --git a/arch/x86/include/asm/vmxfeatures.h b/arch/x86/include/asm/vmxfeatures.h index 266daf5b5b84..6dbfe9004d92 100644 --- a/arch/x86/include/asm/vmxfeatures.h +++ b/arch/x86/include/asm/vmxfeatures.h @@ -90,4 +90,6 @@ /* Tertiary Processor-Based VM-Execution Controls, word 3 */ #define VMX_FEATURE_IPI_VIRT ( 3*32+ 4) /* Enable IPI virtualization */ +#define VMX_FEATURE_SPEC_CTRL_SHADOW ( 3*32+ 7) /* IA32_SPEC_CTRL shadow */ + #endif /* _ASM_X86_VMXFEATURES_H */ diff --git a/arch/x86/kvm/vmx/capabilities.h b/arch/x86/kvm/vmx/capabilities.h index 41a4533f9989..6c51a5abb16b 100644 --- a/arch/x86/kvm/vmx/capabilities.h +++ b/arch/x86/kvm/vmx/capabilities.h 
@@ -138,6 +138,11 @@ static inline bool cpu_has_tertiary_exec_ctrls(void) CPU_BASED_ACTIVATE_TERTIARY_CONTROLS; } +static inline bool cpu_has_spec_ctrl_shadow(void) +{ + return vmcs_config.cpu_based_3rd_exec_ctrl & TERTIARY_EXEC_SPEC_CTRL_SHADOW; +} + static inline bool cpu_has_vmx_virtualize_apic_accesses(void) { return vmcs_config.cpu_based_2nd_exec_ctrl & diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index c37a89eda90f..a6154d725025 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -2008,7 +2008,10 @@ static int vmx_get_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info) !guest_has_spec_ctrl_msr(vcpu)) return 1; - msr_info->data = to_vmx(vcpu)->spec_ctrl; + if (cpu_has_spec_ctrl_shadow()) + msr_info->data = vmcs_read64(IA32_SPEC_CTRL_SHADOW); + else + msr_info->data = to_vmx(vcpu)->spec_ctrl; break; case MSR_IA32_SYSENTER_CS: msr_info->data = vmcs_read32(GUEST_SYSENTER_CS); @@ -2148,6 +2151,19 @@ static u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated return debugctl; } +static void vmx_set_spec_ctrl(struct kvm_vcpu *vcpu, u64 val) +{ + struct vcpu_vmx *vmx = to_vmx(vcpu); + + vmx->spec_ctrl = val; + + if (cpu_has_spec_ctrl_shadow()) { + vmcs_write64(IA32_SPEC_CTRL_SHADOW, val); + + vmx->spec_ctrl |= vcpu->kvm->arch.force_spec_ctrl_value; + } +} + /* * Writes msr value into the appropriate "register". * Returns 0 on success, non-0 otherwise. @@ -2273,7 +2289,8 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info) if (kvm_spec_ctrl_test_value(data)) return 1; - vmx->spec_ctrl = data; + vmx_set_spec_ctrl(vcpu, data); + if (!data) break; 
@@ -4785,6 +4802,23 @@ static void init_vmcs(struct vcpu_vmx *vmx) if (cpu_has_vmx_xsaves()) vmcs_write64(XSS_EXIT_BITMAP, VMX_XSS_EXIT_BITMAP); + if (cpu_has_spec_ctrl_shadow()) { + vmcs_write64(IA32_SPEC_CTRL_SHADOW, 0); + + /* + * Note, IA32_SPEC_CTRL_{SHADOW,MASK} subtly behave *very* + * differently than other shadow+mask combinations. Attempts + * to modify bits in MASK are silently ignored and do NOT cause + * a VM-Exit. This allows the host to force bits to be set or + * cleared on behalf of the guest, while still allowing the + * guest modify other bits at will, without triggering VM-Exits. + */ + if (kvm->arch.force_spec_ctrl_mask) + vmcs_write64(IA32_SPEC_CTRL_MASK, kvm->arch.force_spec_ctrl_mask); + else + vmcs_write64(IA32_SPEC_CTRL_MASK, 0); + } + if (enable_pml) { vmcs_write64(PML_ADDRESS, page_to_phys(vmx->pml_pg)); vmcs_write16(GUEST_PML_INDEX, PML_ENTITY_NUM - 1); @@ -4853,7 +4887,7 @@ static void vmx_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event) __vmx_vcpu_reset(vcpu); vmx->rmode.vm86_active = 0; - vmx->spec_ctrl = 0; + vmx_set_spec_ctrl(vcpu, 0); vmx->msr_ia32_umwait_control = 0; @@ -7211,8 +7245,14 @@ void noinstr vmx_spec_ctrl_restore_host(struct vcpu_vmx *vmx, if (!cpu_feature_enabled(X86_FEATURE_MSR_SPEC_CTRL)) return; - if (flags & VMX_RUN_SAVE_SPEC_CTRL) - vmx->spec_ctrl = __rdmsr(MSR_IA32_SPEC_CTRL); + if (flags & VMX_RUN_SAVE_SPEC_CTRL) { + if (cpu_has_spec_ctrl_shadow()) + vmx->spec_ctrl = (vmcs_read64(IA32_SPEC_CTRL_SHADOW) & + ~vmx->vcpu.kvm->arch.force_spec_ctrl_mask) | + vmx->vcpu.kvm->arch.force_spec_ctrl_value; + else + vmx->spec_ctrl = __rdmsr(MSR_IA32_SPEC_CTRL); + } /* * If the guest/host SPEC_CTRL values differ, restore the host value. 
@@ -8598,6 +8638,24 @@ static __init int hardware_setup(void) kvm_caps.tsc_scaling_ratio_frac_bits = 48; kvm_caps.has_bus_lock_exit = cpu_has_vmx_bus_lock_detection(); kvm_caps.has_notify_vmexit = cpu_has_notify_vmexit(); + kvm_caps.supported_force_spec_ctrl = 0; + + if (cpu_has_spec_ctrl_shadow()) { + kvm_caps.supported_force_spec_ctrl |= SPEC_CTRL_IBRS; + + if (boot_cpu_has(X86_FEATURE_STIBP)) + kvm_caps.supported_force_spec_ctrl |= SPEC_CTRL_STIBP; + + if (boot_cpu_has(X86_FEATURE_SSBD)) + kvm_caps.supported_force_spec_ctrl |= SPEC_CTRL_SSBD; + + if (boot_cpu_has(X86_FEATURE_RRSBA_CTRL) && + (host_arch_capabilities & ARCH_CAP_RRSBA)) + kvm_caps.supported_force_spec_ctrl |= SPEC_CTRL_RRSBA_DIS_S; + + if (boot_cpu_has(X86_FEATURE_BHI_CTRL)) + kvm_caps.supported_force_spec_ctrl |= SPEC_CTRL_BHI_DIS_S; + } set_bit(0, vmx_vpid_bitmap); /* 0 is reserved for host */ diff --git a/arch/x86/kvm/vmx/vmx.h b/arch/x86/kvm/vmx/vmx.h index 65786dbe7d60..f26ac82b5a59 100644 --- a/arch/x86/kvm/vmx/vmx.h +++ b/arch/x86/kvm/vmx/vmx.h @@ -578,7 +578,8 @@ static inline u8 vmx_get_rvi(void) #define KVM_REQUIRED_VMX_TERTIARY_VM_EXEC_CONTROL 0 #define KVM_OPTIONAL_VMX_TERTIARY_VM_EXEC_CONTROL \ - (TERTIARY_EXEC_IPI_VIRT) + (TERTIARY_EXEC_IPI_VIRT | \ + TERTIARY_EXEC_SPEC_CTRL_SHADOW) #define BUILD_CONTROLS_SHADOW(lname, uname, bits) \ static inline void lname##_controls_set(struct vcpu_vmx *vmx, u##bits val) \ diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 984ea2089efc..9a59b5a93d0e 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -4836,6 +4836,9 @@ int kvm_vm_ioctl_check_extension(struct kvm *kvm, long ext) if (kvm_is_vm_type_supported(KVM_X86_SW_PROTECTED_VM)) r |= BIT(KVM_X86_SW_PROTECTED_VM); break; + case KVM_CAP_FORCE_SPEC_CTRL: + r = !!kvm_caps.supported_force_spec_ctrl; + break; default: break; } 
@@ -4990,6 +4993,13 @@ long kvm_arch_dev_ioctl(struct file *filp, r = kvm_x86_dev_has_attr(&attr); break; } + case KVM_GET_SUPPORTED_FORCE_SPEC_CTRL: { + r = 0; + if (copy_to_user(argp, &kvm_caps.supported_force_spec_ctrl, + sizeof(kvm_caps.supported_force_spec_ctrl))) + r = -EFAULT; + break; + } default: r = -EINVAL; break; @@ -6729,6 +6739,26 @@ int kvm_vm_ioctl_enable_cap(struct kvm *kvm, } mutex_unlock(&kvm->lock); break; + case KVM_CAP_FORCE_SPEC_CTRL: + r = -EINVAL; + + mutex_lock(&kvm->lock); + + /* + * Note, only the value is restricted to known bits that KVM + * can force on. Userspace is allowed to set any mask bits, + * i.e. can prevent the guest from setting a bit, even if KVM + * doesn't support the bit. + */ + if (kvm_caps.supported_force_spec_ctrl && !kvm->created_vcpus && + !(~kvm_caps.supported_force_spec_ctrl & cap->args[1]) && + !(~cap->args[0] & cap->args[1])) { + kvm->arch.force_spec_ctrl_mask = cap->args[0]; + kvm->arch.force_spec_ctrl_value = cap->args[1]; + r = 0; + } + mutex_unlock(&kvm->lock); + break; default: r = -EINVAL; break; diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h index a8b71803777b..6dd12776b310 100644 --- a/arch/x86/kvm/x86.h +++ b/arch/x86/kvm/x86.h @@ -29,6 +29,7 @@ struct kvm_caps { u64 supported_xcr0; u64 supported_xss; u64 supported_perf_cap; + u64 supported_force_spec_ctrl; }; void kvm_spurious_fault(void); diff --git a/include/uapi/linux/kvm.h b/include/uapi/linux/kvm.h index 2190adbe3002..fb918bdb930c 100644 --- a/include/uapi/linux/kvm.h +++ b/include/uapi/linux/kvm.h @@ -917,6 +917,7 @@ struct kvm_enable_cap { #define KVM_CAP_MEMORY_ATTRIBUTES 233 #define KVM_CAP_GUEST_MEMFD 234 #define KVM_CAP_VM_TYPES 235 +#define KVM_CAP_FORCE_SPEC_CTRL 236 struct kvm_irq_routing_irqchip { __u32 irqchip; 
@@ -1243,6 +1244,9 @@ struct kvm_vfio_spapr_tce { #define KVM_GET_DEVICE_ATTR _IOW(KVMIO, 0xe2, struct kvm_device_attr) #define KVM_HAS_DEVICE_ATTR _IOW(KVMIO, 0xe3, struct kvm_device_attr) +/* Available with KVM_CAP_FORCE_SPEC_CTRL */ +#define KVM_GET_SUPPORTED_FORCE_SPEC_CTRL _IOR(KVMIO, 0xe4, __u64) + /* * ioctls for vcpu fds */
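
Review bot: In Documentation/virt/kvm/api.rst, section 4.143 documents KVM_GET_SUPPORTED_FORCE_SPEC_CTRL as ":Type: vm ioctl", but the handler is added to kvm_arch_dev_ioctl() in arch/x86/kvm/x86.c, so the text and the implementation disagree about which fd the ioctl is issued on; make one match the other. The same entry names the parameter supported_bitmask under :Parameters: and supported_bitmap under :Returns:; use one name.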
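
Review bot: Section 7.35 (KVM_CAP_FORCE_SPEC_CTRL) in api.rst says only that -EINVAL is returned when args[0] or args[1] "contain invalid values", while the kvm_vm_ioctl_enable_cap() hunk rejects three separate conditions: kvm_caps.supported_force_spec_ctrl being 0, kvm->created_vcpus being non-zero, and args[1] having bits outside args[0] or outside kvm_caps.supported_force_spec_ctrl. Document each of them, in particular that the capability has to be enabled before any vCPU is created and that the value must be a subset of both the mask and the bitmask returned by KVM_GET_SUPPORTED_FORCE_SPEC_CTRL.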
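
Review bot: In vmx_set_spec_ctrl() (arch/x86/kvm/vmx/vmx.c), the value kept in vmx->spec_ctrl is built with `vmx->spec_ctrl |= vcpu->kvm->arch.force_spec_ctrl_value;`, which forces bits on but never clears a bit that is set in force_spec_ctrl_mask and clear in force_spec_ctrl_value. vmx_spec_ctrl_restore_host() in the same patch computes (shadow & ~mask) | value; the two paths should agree, for example `vmx->spec_ctrl = (val & ~mask) | value`, otherwise a guest write that reaches this function through vmx_set_msr() leaves a forced-to-0 bit set in vmx->spec_ctrl.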
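
Review bot: In the init_vmcs() hunk, both branches of `if (kvm->arch.force_spec_ctrl_mask)` write the same value to IA32_SPEC_CTRL_MASK, because the else branch writes 0 exactly when the mask is 0. Replace the conditional with a single unconditional vmcs_write64(IA32_SPEC_CTRL_MASK, kvm->arch.force_spec_ctrl_mask). The comment above it reads "allowing the guest modify other bits" and is missing "to".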
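
Review bot: vmx_spec_ctrl_restore_host() is marked noinstr, and the new VMX_RUN_SAVE_SPEC_CTRL branch now calls vmcs_read64(IA32_SPEC_CTRL_SHADOW) and dereferences vmx->vcpu.kvm->arch where the old code used only __rdmsr(). Please state in the changelog or in a comment that vmcs_read64() is safe to call from a noinstr section.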
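
Review bot: In hardware_setup(), SPEC_CTRL_IBRS is added to kvm_caps.supported_force_spec_ctrl whenever cpu_has_spec_ctrl_shadow() is true, while STIBP, SSBD, RRSBA_DIS_S and BHI_DIS_S are each gated on a boot_cpu_has() check. Either gate IBRS the same way or add a comment saying why the shadow control is enough to imply IBRS support.
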
From: Chao Gao
To: kvm@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: daniel.sneddon@linux.intel.com, pawan.kumar.gupta@linux.intel.com, Chao Gao, Sean Christopherson, Paolo Bonzini, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86@kernel.org, "H. Peter Anvin"
Subject: [RFC PATCH v3 02/10] KVM: VMX: Cache IA32_SPEC_CTRL_SHADOW field of VMCS
Date: Wed, 10 Apr 2024 22:34:30 +0800
Message-Id: <20240410143446.797262-3-chao.gao@intel.com>
In-Reply-To: <20240410143446.797262-1-chao.gao@intel.com>
References: <20240410143446.797262-1-chao.gao@intel.com>

This field is effectively the value of IA32_SPEC_CTRL MSR in guest's view. Cache it for nested VMX transitions. The value should be propagated between vmcs01 and vmcs02 so that across nested VMX transitions, in guest's view, IA32_SPEC_CTRL MSR won't be changed magically.

IA32_SPEC_CTRL_SHADOW field may be changed by guest if IA32_SPEC_CTRL MSR is pass-thru'd to the guest. So, update the cache right after VM-exit to ensure it is always consistent with the value in guest's view.

A bonus is vmx_get_msr() can return the cache directly thus no need to make a VMREAD.

No functional change intended.

Signed-off-by: Chao Gao
---
 arch/x86/kvm/vmx/vmx.c | 12 ++++++++----
 arch/x86/kvm/vmx/vmx.h | 6 ++++++
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index a6154d725025..93c208f009cf 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -2009,7 +2009,7 @@ static int vmx_get_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info) return 1; if (cpu_has_spec_ctrl_shadow()) - msr_info->data = vmcs_read64(IA32_SPEC_CTRL_SHADOW); + msr_info->data = to_vmx(vcpu)->spec_ctrl_shadow; else msr_info->data = to_vmx(vcpu)->spec_ctrl; break; 
@@ -2158,6 +2158,7 @@ static void vmx_set_spec_ctrl(struct kvm_vcpu *vcpu, u64 val) vmx->spec_ctrl = val; if (cpu_has_spec_ctrl_shadow()) { + vmx->spec_ctrl_shadow = val; vmcs_write64(IA32_SPEC_CTRL_SHADOW, val); vmx->spec_ctrl |= vcpu->kvm->arch.force_spec_ctrl_value; @@ -4803,6 +4804,7 @@ static void init_vmcs(struct vcpu_vmx *vmx) vmcs_write64(XSS_EXIT_BITMAP, VMX_XSS_EXIT_BITMAP); if (cpu_has_spec_ctrl_shadow()) { + vmx->spec_ctrl_shadow = 0; vmcs_write64(IA32_SPEC_CTRL_SHADOW, 0); /* @@ -7246,12 +7248,14 @@ void noinstr vmx_spec_ctrl_restore_host(struct vcpu_vmx *vmx, return; if (flags & VMX_RUN_SAVE_SPEC_CTRL) { - if (cpu_has_spec_ctrl_shadow()) - vmx->spec_ctrl = (vmcs_read64(IA32_SPEC_CTRL_SHADOW) & + if (cpu_has_spec_ctrl_shadow()) { + vmx->spec_ctrl_shadow = vmcs_read64(IA32_SPEC_CTRL_SHADOW); + vmx->spec_ctrl = (vmx->spec_ctrl_shadow & ~vmx->vcpu.kvm->arch.force_spec_ctrl_mask) | vmx->vcpu.kvm->arch.force_spec_ctrl_value; - else + } else { vmx->spec_ctrl = __rdmsr(MSR_IA32_SPEC_CTRL); + } } /* diff --git a/arch/x86/kvm/vmx/vmx.h b/arch/x86/kvm/vmx/vmx.h index f26ac82b5a59..97324f6ee01c 100644 --- a/arch/x86/kvm/vmx/vmx.h +++ b/arch/x86/kvm/vmx/vmx.h 
@@ -281,6 +281,12 @@ struct vcpu_vmx { #endif u64 spec_ctrl; + /* + * Cache IA32_SPEC_CTRL_SHADOW field of VMCS, i.e., the value of + * MSR_IA32_SPEC_CTRL in guest's view. + */ + u64 spec_ctrl_shadow; + u32 msr_ia32_umwait_control; /*
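
Review bot: In vmx_spec_ctrl_restore_host(), spec_ctrl_shadow is refreshed from the VMCS only when VMX_RUN_SAVE_SPEC_CTRL is set, while the changelog says the cache is updated right after VM-exit so that it is always consistent with the guest's view. Add a comment saying why no refresh is needed when the flag is clear (if the reasoning is that vmx_set_spec_ctrl() keeps the cache current in that case, say so).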
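
Review bot: The comment on spec_ctrl_shadow in struct vcpu_vmx (arch/x86/kvm/vmx/vmx.h) should say that the field is only maintained when cpu_has_spec_ctrl_shadow() is true: vmx_set_spec_ctrl(), init_vmcs() and vmx_spec_ctrl_restore_host() all update it inside that check, and vmx_get_msr() falls back to vmx->spec_ctrl otherwise.
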
From: Chao Gao
To: kvm@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: daniel.sneddon@linux.intel.com, pawan.kumar.gupta@linux.intel.com, Chao Gao, Sean Christopherson, Paolo Bonzini, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86@kernel.org, "H. Peter Anvin"
Subject: [RFC PATCH v3 03/10] KVM: nVMX: Enable SPEC_CTRL virtualization for vmcs02
Date: Wed, 10 Apr 2024 22:34:31 +0800
Message-Id: <20240410143446.797262-4-chao.gao@intel.com>
In-Reply-To: <20240410143446.797262-1-chao.gao@intel.com>
References: <20240410143446.797262-1-chao.gao@intel.com>

to prevent nested guests from changing the SPEC_CTRL bits that userspace doesn't allow a guest to change.

Propagate tertiary vm-exec controls from vmcs01 to vmcs02 and program the mask of SPEC_CTRL MSRs as the userspace VMM requested.

With SPEC_CTRL virtualization enabled, guest will read from the shadow value in VMCS. To ensure consistent view across nested VMX transitions, propagate the shadow value between vmcs01 and vmcs02.

Signed-off-by: Chao Gao
---
 arch/x86/kvm/vmx/nested.c | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c index d05ddf751491..174790b2ffbc 100644 --- a/arch/x86/kvm/vmx/nested.c +++ b/arch/x86/kvm/vmx/nested.c 
@@ -2381,6 +2381,20 @@ static void prepare_vmcs02_early(struct vcpu_vmx *vmx, struct loaded_vmcs *vmcs0 secondary_exec_controls_set(vmx, exec_control); } + /* + * TERTIARY EXEC CONTROLS + */ + if (cpu_has_tertiary_exec_ctrls()) { + exec_control = __tertiary_exec_controls_get(vmcs01); + + exec_control &= TERTIARY_EXEC_SPEC_CTRL_SHADOW; + if (exec_control & TERTIARY_EXEC_SPEC_CTRL_SHADOW) + vmcs_write64(IA32_SPEC_CTRL_MASK, + vmx->vcpu.kvm->arch.force_spec_ctrl_mask); + + tertiary_exec_controls_set(vmx, exec_control); + } + /* * ENTRY CONTROLS * @@ -2625,6 +2639,19 @@ static int prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12, if (kvm_caps.has_tsc_control) vmcs_write64(TSC_MULTIPLIER, vcpu->arch.tsc_scaling_ratio); + /* + * L2 after nested VM-entry should observe the same value of + * IA32_SPEC_CTRL MSR as L1 unless: + * a. L1 loads IA32_SPEC_CTRL via MSR-load area. + * b. L1 enables IA32_SPEC_CTRL virtualization. this cannot + * happen since KVM doesn't expose this feature to L1. + * + * Propagate spec_ctrl_shadow (the value guest will get via RDMSR) + * to vmcs02. Later nested_vmx_load_msr() will take care of case a. + */ + if (vmx->nested.nested_run_pending && cpu_has_spec_ctrl_shadow()) + vmcs_write64(IA32_SPEC_CTRL_SHADOW, vmx->spec_ctrl_shadow); + nested_vmx_transition_tlb_flush(vcpu, vmcs12, true); if (nested_cpu_has_ept(vmcs12)) 
@@ -4883,6 +4910,9 @@ void nested_vmx_vmexit(struct kvm_vcpu *vcpu, u32 vm_exit_reason, vmx_update_cpu_dirty_logging(vcpu); } + if (cpu_has_spec_ctrl_shadow()) + vmcs_write64(IA32_SPEC_CTRL_SHADOW, vmx->spec_ctrl_shadow); + /* Unpin physical memory we referred to in vmcs02 */ kvm_vcpu_unmap(vcpu, &vmx->nested.apic_access_page_map, false); kvm_vcpu_unmap(vcpu, &vmx->nested.virtual_apic_map, true);
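
Review bot: In prepare_vmcs02_early() (arch/x86/kvm/vmx/nested.c), the new tertiary-controls block reuses exec_control, the same local that is passed to secondary_exec_controls_set() just above it. The tertiary controls are a 64-bit VMCS field (TERTIARY_VM_EXEC_CONTROL has a _HIGH half in vmx.h), so if exec_control is a u32 this should use a separate u64 local to avoid dropping bits above 31 once more tertiary controls are propagated. Separately, IA32_SPEC_CTRL_MASK cannot change once vCPUs exist, since KVM_CAP_FORCE_SPEC_CTRL requires !kvm->created_vcpus, so it could be written once when vmcs02 is set up instead of on every nested VM-entry.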
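
Review bot: In prepare_vmcs02(), IA32_SPEC_CTRL_SHADOW is propagated only when vmx->nested.nested_run_pending is set, and the comment does not say what value vmcs02's shadow field holds on entries where nested_run_pending is false. Either explain that case in the comment or drop the condition. In the same comment, "this cannot happen" starts a sentence and should be capitalised.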
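
Review bot: The write added to nested_vmx_vmexit() has no comment, unlike its counterpart in prepare_vmcs02(). Add one stating which value vmx->spec_ctrl_shadow holds at this point, that it is being copied into vmcs01, and how this interacts with case a from the prepare_vmcs02() comment (L1 switching IA32_SPEC_CTRL through the MSR-load area).
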
From: Chao Gao To: kvm@vger.kernel.org, linux-kernel@vger.kernel.org Cc: daniel.sneddon@linux.intel.com, pawan.kumar.gupta@linux.intel.com, Chao Gao , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , x86@kernel.org, "H. Peter Anvin" , Peter Zijlstra , Josh Poimboeuf , =?utf-8?q?Ilpo_J=C3=A4rvinen?= , Sean Christopherson , Kai Huang , Jithu Joseph , Kan Liang , Paolo Bonzini , Sandipan Das , Vegard Nossum , Nikolay Borisov , Rick Edgecombe , Adam Dunlap , Arjan van de Ven Subject: [RFC PATCH v3 04/10] x86/bugs: Use Virtual MSRs to request BHI_DIS_S Date: Wed, 10 Apr 2024 22:34:32 +0800 Message-Id: <20240410143446.797262-5-chao.gao@intel.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20240410143446.797262-1-chao.gao@intel.com> References: <20240410143446.797262-1-chao.gao@intel.com> Precedence: bulk X-Mailing-List: kvm@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 From: Pawan Gupta Mitigation for BHI is to use hardware control BHI_DIS_S or the software sequence. On platforms that support BHI_DIS_S, a software sequence may be ineffective to mitigate BHI. Guests that are not aware of BHI_DIS_S on host, and deploy the ineffective software sequence clear_bhb_loop(), may become vulnerable to BHI. To overcome this problem Intel has defined a virtual MSR interface through which guests can report their mitigation status and request VMM to deploy relevant hardware mitigations. Use this virtual MSR interface to tell VMM that the guest is using a short software sequence. Based on this information a VMM can deploy BHI_DIS_S for the guest using virtual SPEC_CTRL. Signed-off-by: Pawan Gupta Signed-off-by: Chao Gao --- arch/x86/include/asm/msr-index.h | 18 ++++++++++++++++++ arch/x86/kernel/cpu/bugs.c | 26 ++++++++++++++++++++++++++ arch/x86/kernel/cpu/common.c | 1 + arch/x86/kernel/cpu/cpu.h | 1 + 4 files changed, 46 insertions(+) 
diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h index e72c2b872957..18a4081bf5cb 100644 --- a/arch/x86/include/asm/msr-index.h +++ b/arch/x86/include/asm/msr-index.h @@ -196,6 +196,7 @@ * IA32_XAPIC_DISABLE_STATUS MSR * supported */ +#define ARCH_CAP_VIRTUAL_ENUM BIT_ULL(63) /* MSR_VIRTUAL_ENUMERATION supported */ #define MSR_IA32_FLUSH_CMD 0x0000010b #define L1D_FLUSH BIT(0) /* @@ -1178,6 +1179,23 @@ #define MSR_IA32_VMX_MISC_VMWRITE_SHADOW_RO_FIELDS (1ULL << 29) #define MSR_IA32_VMX_MISC_PREEMPTION_TIMER_SCALE 0x1F +/* Intel virtual MSRs */ +#define MSR_VIRTUAL_ENUMERATION 0x50000000 +#define VIRT_ENUM_MITIGATION_CTRL_SUPPORT BIT(0) /* + * Mitigation ctrl via virtual + * MSRs supported + */ + +#define MSR_VIRTUAL_MITIGATION_ENUM 0x50000001 +#define MITI_ENUM_BHB_CLEAR_SEQ_S_SUPPORT BIT(0) /* VMM supports BHI_DIS_S */ + +#define MSR_VIRTUAL_MITIGATION_CTRL 0x50000002 +#define MITI_CTRL_BHB_CLEAR_SEQ_S_USED_BIT 0 /* + * Request VMM to deploy + * BHI_DIS_S mitigation + */ +#define MITI_CTRL_BHB_CLEAR_SEQ_S_USED BIT(MITI_CTRL_BHB_CLEAR_SEQ_S_USED_BIT) + /* AMD-V MSRs */ #define MSR_VM_CR 0xc0010114 #define MSR_VM_IGNNE 0xc0010115 diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 295463707e68..e74e4c51d387 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -50,6 +50,8 @@ static void __init l1d_flush_select_mitigation(void); static void __init srso_select_mitigation(void); static void __init gds_select_mitigation(void); +void virt_mitigation_ctrl_init(void); + /* The base value of the SPEC_CTRL MSR without task-specific bits set */ u64 x86_spec_ctrl_base; EXPORT_SYMBOL_GPL(x86_spec_ctrl_base); @@ -171,6 +173,8 @@ void __init cpu_select_mitigations(void) */ srso_select_mitigation(); gds_select_mitigation(); + + virt_mitigation_ctrl_init(); } /* 
@@ -1680,6 +1684,28 @@ static void __init bhi_select_mitigation(void) pr_info("Spectre BHI mitigation: SW BHB clearing on syscall\n"); } +void virt_mitigation_ctrl_init(void) +{ + u64 msr_virt_enum, msr_mitigation_enum; + + if (!(x86_read_arch_cap_msr() & ARCH_CAP_VIRTUAL_ENUM)) + return; + + rdmsrl(MSR_VIRTUAL_ENUMERATION, msr_virt_enum); + if (!(msr_virt_enum & VIRT_ENUM_MITIGATION_CTRL_SUPPORT)) + return; + + rdmsrl(MSR_VIRTUAL_MITIGATION_ENUM, msr_mitigation_enum); + + if (msr_mitigation_enum & MITI_ENUM_BHB_CLEAR_SEQ_S_SUPPORT) { + /* When BHI short seq is being used, request BHI_DIS_S */ + if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP)) + msr_set_bit(MSR_VIRTUAL_MITIGATION_CTRL, MITI_CTRL_BHB_CLEAR_SEQ_S_USED_BIT); + else + msr_clear_bit(MSR_VIRTUAL_MITIGATION_CTRL, MITI_CTRL_BHB_CLEAR_SEQ_S_USED_BIT); + } +} + static void __init spectre_v2_select_mitigation(void) { enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline(); diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c index 754d91857d63..29f16655a7a0 100644 --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c @@ -1960,6 +1960,7 @@ void identify_secondary_cpu(struct cpuinfo_x86 *c) update_gds_msr(); tsx_ap_init(); + virt_mitigation_ctrl_init(); } void print_cpu_info(struct cpuinfo_x86 *c) diff --git a/arch/x86/kernel/cpu/cpu.h b/arch/x86/kernel/cpu/cpu.h index ea9e07d57c8d..1cddf506b6ae 100644 --- a/arch/x86/kernel/cpu/cpu.h +++ b/arch/x86/kernel/cpu/cpu.h 
@@ -87,6 +87,7 @@ void cpu_select_mitigations(void); extern void x86_spec_ctrl_setup_ap(void); extern void update_srbds_msr(void); extern void update_gds_msr(void); +extern void virt_mitigation_ctrl_init(void); extern enum spectre_v2_mitigation spectre_v2_enabled;
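Review bot: virt_mitigation_ctrl_init() in bugs.c reads MSR_VIRTUAL_ENUMERATION and MSR_VIRTUAL_MITIGATION_ENUM with plain rdmsrl() and ignores the return value of msr_set_bit()/msr_clear_bit(). These MSRs exist only if the VMM implements them, so a hypervisor that sets ARCH_CAP_VIRTUAL_ENUM without backing one of them makes the read take a #GP on every CPU bring-up, since the function also runs from identify_secondary_cpu(). Consider rdmsrl_safe() with an early return on error, and a pr_info() stating whether the BHI_DIS_S request was actually made, so the guest's effective mitigation state can be audited from the boot log.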
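Review bot: The prototype for virt_mitigation_ctrl_init() is added twice, once as a bare declaration near the top of bugs.c and once as extern in cpu.h. If bugs.c includes cpu.h the local copy is redundant and can drift from the header, so keep only the cpu.h one. Because the function is also called from identify_secondary_cpu(), a short comment above the definition saying it must stay non-__init would help, given that the neighbouring *_select_mitigation() helpers in bugs.c are all __init.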
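Review bot: In the msr-index.h hunk the comment on MITI_ENUM_BHB_CLEAR_SEQ_S_SUPPORT reads "VMM supports BHI_DIS_S", while the bit name and the matching MITI_CTRL_BHB_CLEAR_SEQ_S_USED bit are about the guest's short BHB-clearing sequence. Word the comment in terms of what the bit enumerates (the VMM accepts a report that the guest uses the short sequence) and mention BHI_DIS_S as the mitigation the VMM may deploy in response, so the name and the comment do not appear to describe two different things.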
From: Chao Gao To: kvm@vger.kernel.org, linux-kernel@vger.kernel.org Cc: daniel.sneddon@linux.intel.com, pawan.kumar.gupta@linux.intel.com, Chao Gao , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , x86@kernel.org, "H. Peter Anvin" , Peter Zijlstra , Josh Poimboeuf , =?utf-8?q?Ilpo_J=C3=A4rvinen?= , Tony Luck , "Maciej S. Szmigiero" , Kan Liang , Paolo Bonzini , Sandipan Das Subject: [RFC PATCH v3 05/10] x86/bugs: Use Virtual MSRs to request RRSBA_DIS_S Date: Wed, 10 Apr 2024 22:34:33 +0800 Message-Id: <20240410143446.797262-6-chao.gao@intel.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20240410143446.797262-1-chao.gao@intel.com> References: <20240410143446.797262-1-chao.gao@intel.com> Precedence: bulk X-Mailing-List: kvm@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 From: Pawan Gupta On CPUs with RRSBA behavior a guest using retpoline mitigation could become vulnerable to BHI. On such CPUs, when RSB underflows a RET could take prediction from BTB. Although these predictions are limited to same domain, they may be controllable from userspace using BHI. Alderlake and newer CPUs have RRSBA_DIS_S knob in MSR_SPEC_CTRL to disable RRSBA behavior. A guest migrating from older CPU may not be aware of RRSBA_DIS_S. Use MSR_VIRTUAL_MITIGATION_CTRL to request VMM to deploy RRSBA_DIS_S when retpoline mitigation is in use. Signed-off-by: Pawan Gupta Signed-off-by: Chao Gao --- arch/x86/include/asm/msr-index.h | 6 ++++++ arch/x86/kernel/cpu/bugs.c | 7 +++++++ 2 files changed, 13 insertions(+) diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h index 18a4081bf5cb..469ab38c0ec8 100644 --- a/arch/x86/include/asm/msr-index.h +++ b/arch/x86/include/asm/msr-index.h 
@@ -1188,6 +1188,7 @@ #define MSR_VIRTUAL_MITIGATION_ENUM 0x50000001 #define MITI_ENUM_BHB_CLEAR_SEQ_S_SUPPORT BIT(0) /* VMM supports BHI_DIS_S */ +#define MITI_ENUM_RETPOLINE_S_SUPPORT BIT(1) /* VMM supports RRSBA_DIS_S */ #define MSR_VIRTUAL_MITIGATION_CTRL 0x50000002 #define MITI_CTRL_BHB_CLEAR_SEQ_S_USED_BIT 0 /* @@ -1195,6 +1196,11 @@ * BHI_DIS_S mitigation */ #define MITI_CTRL_BHB_CLEAR_SEQ_S_USED BIT(MITI_CTRL_BHB_CLEAR_SEQ_S_USED_BIT) +#define MITI_CTRL_RETPOLINE_S_USED_BIT 1 /* + * Request VMM to deploy + * RRSBA_DIS_S mitigation + */ +#define MITI_CTRL_RETPOLINE_S_USED BIT(MITI_CTRL_RETPOLINE_S_USED_BIT) /* AMD-V MSRs */ #define MSR_VM_CR 0xc0010114 diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index e74e4c51d387..766f4340eddf 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c 
@@ -1704,6 +1704,13 @@ void virt_mitigation_ctrl_init(void) else msr_clear_bit(MSR_VIRTUAL_MITIGATION_CTRL, MITI_CTRL_BHB_CLEAR_SEQ_S_USED_BIT); } + if (msr_mitigation_enum & MITI_ENUM_RETPOLINE_S_SUPPORT) { + /* When retpoline is being used, request RRSBA_DIS_S */ + if (boot_cpu_has(X86_FEATURE_RETPOLINE)) + msr_set_bit(MSR_VIRTUAL_MITIGATION_CTRL, MITI_CTRL_RETPOLINE_S_USED_BIT); + else + msr_clear_bit(MSR_VIRTUAL_MITIGATION_CTRL, MITI_CTRL_RETPOLINE_S_USED_BIT); + } } static void __init spectre_v2_select_mitigation(void)
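Review bot: The new RETPOLINE_S block in virt_mitigation_ctrl_init() duplicates the BHB_CLEAR_SEQ_S block above it, so MSR_VIRTUAL_MITIGATION_CTRL now gets up to two separate read-modify-write cycles per CPU through msr_set_bit()/msr_clear_bit(), and each access to a virtual MSR is handled by the VMM. Read the MSR once, update both bits in a local u64 according to what msr_mitigation_enum advertises, and write it back once; that also keeps the function readable when a third mitigation bit is added. The comment "VMM supports RRSBA_DIS_S" on MITI_ENUM_RETPOLINE_S_SUPPORT has the same mismatch as the BHB bit: the name is about the guest's retpoline, the comment about the hardware knob.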
From: Chao Gao To: kvm@vger.kernel.org, linux-kernel@vger.kernel.org Cc: daniel.sneddon@linux.intel.com, pawan.kumar.gupta@linux.intel.com, Chao Gao , Sean Christopherson , Paolo Bonzini , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , x86@kernel.org, "H. Peter Anvin" Subject: [RFC PATCH v3 06/10] KVM: VMX: Cache force_spec_ctrl_value/mask for each vCPU Date: Wed, 10 Apr 2024 22:34:34 +0800 Message-Id: <20240410143446.797262-7-chao.gao@intel.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20240410143446.797262-1-chao.gao@intel.com> References: <20240410143446.797262-1-chao.gao@intel.com> Precedence: bulk X-Mailing-List: kvm@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 so that KVM can adjust the mask/value for each vCPU according to the software mitigations the vCPU is using. KVM_CAP_FORCE_SPEC_CTRL allows the userspace VMM to proactively enable hardware mitigations (by setting some bits in IA32_SPEC_CTRL MSRs) to protect the guest from becoming vulnerable to some security issues after live migration. E.g., a guest using the short BHB-clearing sequence for BHI that is migrated from a pre-SPR part to an SPR part will become vulnerable to BHI. The current solution is that the userspace VMM deploys BHI_DIS_S for all guests migrated to SPR parts from pre-SPR parts. But KVM_CAP_FORCE_SPEC_CTRL isn't flexible because the userspace VMM may configure KVM to enable BHI_DIS_S for guests which don't care about BHI at all or are using other mitigations (e.g., TSX abort sequence) for BHI. This would cause unnecessary overhead to the guest. To reduce the overhead, the idea is to let the guest communicate which software mitigations are being used to the VMM via Intel-defined virtual MSRs [1]. This information from guests is much more accurate. KVM can adjust hardware mitigations accordingly to reduce the performance impact to the guest as much as possible. The Intel-defined value MSRs are per-thread scope.
vCPUs _can_ program different values to them. This means, KVM may need to apply different mask/value to IA32_SPEC_CTRL MSR. So, cache force_spec_ctrl_value/mask for each vCPU in preparation for adding support for intel-defined virtual MSRs. [1]: https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/branch-history-injection.html Signed-off-by: Chao Gao --- arch/x86/kvm/vmx/nested.c | 2 +- arch/x86/kvm/vmx/vmx.c | 11 +++++++---- arch/x86/kvm/vmx/vmx.h | 7 +++++++ 3 files changed, 15 insertions(+), 5 deletions(-) diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c index 174790b2ffbc..efbc871d0466 100644 --- a/arch/x86/kvm/vmx/nested.c +++ b/arch/x86/kvm/vmx/nested.c @@ -2390,7 +2390,7 @@ static void prepare_vmcs02_early(struct vcpu_vmx *vmx, struct loaded_vmcs *vmcs0 exec_control &= TERTIARY_EXEC_SPEC_CTRL_SHADOW; if (exec_control & TERTIARY_EXEC_SPEC_CTRL_SHADOW) vmcs_write64(IA32_SPEC_CTRL_MASK, - vmx->vcpu.kvm->arch.force_spec_ctrl_mask); + vmx->force_spec_ctrl_mask); tertiary_exec_controls_set(vmx, exec_control); } diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index 93c208f009cf..cdfcc1290d82 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -2161,7 +2161,7 @@ static void vmx_set_spec_ctrl(struct kvm_vcpu *vcpu, u64 val) vmx->spec_ctrl_shadow = val; vmcs_write64(IA32_SPEC_CTRL_SHADOW, val); - vmx->spec_ctrl |= vcpu->kvm->arch.force_spec_ctrl_value; + vmx->spec_ctrl |= vmx->force_spec_ctrl_value; } } @@ -4803,6 +4803,9 @@ static void init_vmcs(struct vcpu_vmx *vmx) if (cpu_has_vmx_xsaves()) vmcs_write64(XSS_EXIT_BITMAP, VMX_XSS_EXIT_BITMAP); + vmx->force_spec_ctrl_mask = kvm->arch.force_spec_ctrl_mask; + vmx->force_spec_ctrl_value = kvm->arch.force_spec_ctrl_value; + if (cpu_has_spec_ctrl_shadow()) { vmx->spec_ctrl_shadow = 0; vmcs_write64(IA32_SPEC_CTRL_SHADOW, 0); 
@@ -4816,7 +4819,7 @@ static void init_vmcs(struct vcpu_vmx *vmx) * guest modify other bits at will, without triggering VM-Exits. */ if (kvm->arch.force_spec_ctrl_mask) - vmcs_write64(IA32_SPEC_CTRL_MASK, kvm->arch.force_spec_ctrl_mask); + vmcs_write64(IA32_SPEC_CTRL_MASK, vmx->force_spec_ctrl_mask); else vmcs_write64(IA32_SPEC_CTRL_MASK, 0); } @@ -7251,8 +7254,8 @@ void noinstr vmx_spec_ctrl_restore_host(struct vcpu_vmx *vmx, if (cpu_has_spec_ctrl_shadow()) { vmx->spec_ctrl_shadow = vmcs_read64(IA32_SPEC_CTRL_SHADOW); vmx->spec_ctrl = (vmx->spec_ctrl_shadow & - ~vmx->vcpu.kvm->arch.force_spec_ctrl_mask) | - vmx->vcpu.kvm->arch.force_spec_ctrl_value; + ~vmx->force_spec_ctrl_mask) | + vmx->force_spec_ctrl_value; } else { vmx->spec_ctrl = __rdmsr(MSR_IA32_SPEC_CTRL); } diff --git a/arch/x86/kvm/vmx/vmx.h b/arch/x86/kvm/vmx/vmx.h index 97324f6ee01c..a4dfe538e5a8 100644 --- a/arch/x86/kvm/vmx/vmx.h +++ b/arch/x86/kvm/vmx/vmx.h 
@@ -287,6 +287,13 @@ struct vcpu_vmx { */ u64 spec_ctrl_shadow; + /* + * Mask and value of SPEC_CTRL MSR bits which the guest is not allowed to + * change. + */ + u64 force_spec_ctrl_mask; + u64 force_spec_ctrl_value; + u32 msr_ia32_umwait_control; /*
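Review bot: In the second init_vmcs() hunk the condition still tests kvm->arch.force_spec_ctrl_mask while the value written is now vmx->force_spec_ctrl_mask. The two are equal at this point because the copy is taken a few lines earlier, but the purpose of the patch is to let them diverge per vCPU, and then the test is on the wrong variable. Test vmx->force_spec_ctrl_mask instead, or drop the if/else, since writing the mask unconditionally stores 0 in the zero case anyway.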
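Review bot: The per-vCPU force_spec_ctrl_mask/value added to struct vcpu_vmx are filled only in init_vmcs(), so a vCPU keeps whatever kvm->arch.force_spec_ctrl_mask/value held when its VMCS was initialised. If userspace can still change the VM-wide values after vCPUs exist, those vCPUs silently keep the old forced bits, which matters here because these bits are what keeps a migrated guest protected. Please state in the vmx.h comment that the VM-wide fields are only the initial defaults, or reject changes once vCPUs have been created.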
From: Chao Gao To: kvm@vger.kernel.org, linux-kernel@vger.kernel.org Cc: daniel.sneddon@linux.intel.com, pawan.kumar.gupta@linux.intel.com, Zhang Chen , Chao Gao , Sean Christopherson , Paolo Bonzini , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , x86@kernel.org, "H. Peter Anvin" Subject: [RFC PATCH v3 07/10] KVM: x86: Advertise ARCH_CAP_VIRTUAL_ENUM support Date: Wed, 10 Apr 2024 22:34:35 +0800 Message-Id: <20240410143446.797262-8-chao.gao@intel.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20240410143446.797262-1-chao.gao@intel.com> References: <20240410143446.797262-1-chao.gao@intel.com> Precedence: bulk X-Mailing-List: kvm@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 From: Zhang Chen Bit 63 of IA32_ARCH_CAPABILITIES MSR indicates availability of the VIRTUAL_ENUMERATION_MSR (index 0x50000000) which enumerates features like e.g., mitigation enumeration that in turn is used for the guest to report software mitigations it is using. Advertise ARCH_CAP_VIRTUAL_ENUM support for VMX and emulate read/write of the VIRTUAL_ENUMERATION_MSR. Now VIRTUAL_ENUMERATION_MSR is always 0. Signed-off-by: Zhang Chen Co-developed-by: Chao Gao Signed-off-by: Chao Gao --- arch/x86/kvm/svm/svm.c | 1 + arch/x86/kvm/vmx/vmx.c | 19 +++++++++++++++++++ arch/x86/kvm/vmx/vmx.h | 2 ++ arch/x86/kvm/x86.c | 16 +++++++++++++++- 4 files changed, 37 insertions(+), 1 deletion(-) diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index d1a9f9951635..e3406971a8b7 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -4288,6 +4288,7 @@ static bool svm_has_emulated_msr(struct kvm *kvm, u32 index) { switch (index) { case MSR_IA32_MCG_EXT_CTL: + case MSR_VIRTUAL_ENUMERATION: case KVM_FIRST_EMULATED_VMX_MSR ... KVM_LAST_EMULATED_VMX_MSR: return false; case MSR_IA32_SMBASE: diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index cdfcc1290d82..dcb06406fd09 100644 --- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c @@ -1955,6 +1955,8 @@ static inline bool is_vmx_feature_control_msr_valid(struct vcpu_vmx *vmx, return !(msr->data & ~valid_bits); } +#define VIRTUAL_ENUMERATION_VALID_BITS 0ULL + static int vmx_get_msr_feature(struct kvm_msr_entry *msr) { switch (msr->index) { @@ -1962,6 +1964,9 @@ static int vmx_get_msr_feature(struct kvm_msr_entry *msr) if (!nested) return 1; return vmx_get_vmx_msr(&vmcs_config.nested, msr->index, &msr->data); + case MSR_VIRTUAL_ENUMERATION: + msr->data = VIRTUAL_ENUMERATION_VALID_BITS; + return 0; default: return KVM_MSR_RET_INVALID; } @@ -2113,6 +2118,12 @@ static int vmx_get_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info) case MSR_IA32_DEBUGCTLMSR: msr_info->data = vmcs_read64(GUEST_IA32_DEBUGCTL); break; + case MSR_VIRTUAL_ENUMERATION: + if (!msr_info->host_initiated && + !(vcpu->arch.arch_capabilities & ARCH_CAP_VIRTUAL_ENUM)) + return 1; + msr_info->data = vmx->msr_virtual_enumeration; + break; default: find_uret_msr: msr = vmx_find_uret_msr(vmx, msr_info->index); @@ -2457,6 +2468,14 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info) } ret = kvm_set_msr_common(vcpu, msr_info); break; + case MSR_VIRTUAL_ENUMERATION: + if (!msr_info->host_initiated) + return 1; + if (data & ~VIRTUAL_ENUMERATION_VALID_BITS) + return 1; + + vmx->msr_virtual_enumeration = data; + break; default: find_uret_msr: diff --git a/arch/x86/kvm/vmx/vmx.h b/arch/x86/kvm/vmx/vmx.h index a4dfe538e5a8..0519cf6187ac 100644 --- a/arch/x86/kvm/vmx/vmx.h +++ b/arch/x86/kvm/vmx/vmx.h @@ -294,6 +294,8 @@ struct vcpu_vmx { u64 force_spec_ctrl_mask; u64 force_spec_ctrl_value; + u64 msr_virtual_enumeration; + u32 msr_ia32_umwait_control; /* diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 9a59b5a93d0e..4721b6fe7641 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c 
@@ -1564,6 +1564,7 @@ static const u32 emulated_msrs_all[] = { MSR_K7_HWCR, MSR_KVM_POLL_CONTROL, + MSR_VIRTUAL_ENUMERATION, }; static u32 emulated_msrs[ARRAY_SIZE(emulated_msrs_all)]; @@ -1579,6 +1580,7 @@ static const u32 msr_based_features_all_except_vmx[] = { MSR_IA32_UCODE_REV, MSR_IA32_ARCH_CAPABILITIES, MSR_IA32_PERF_CAPABILITIES, + MSR_VIRTUAL_ENUMERATION, }; static u32 msr_based_features[ARRAY_SIZE(msr_based_features_all_except_vmx) + @@ -1621,7 +1623,8 @@ static bool kvm_is_immutable_feature_msr(u32 msr) ARCH_CAP_PSCHANGE_MC_NO | ARCH_CAP_TSX_CTRL_MSR | ARCH_CAP_TAA_NO | \ ARCH_CAP_SBDR_SSDP_NO | ARCH_CAP_FBSDP_NO | ARCH_CAP_PSDP_NO | \ ARCH_CAP_FB_CLEAR | ARCH_CAP_RRSBA | ARCH_CAP_PBRSB_NO | ARCH_CAP_GDS_NO | \ - ARCH_CAP_RFDS_NO | ARCH_CAP_RFDS_CLEAR | ARCH_CAP_BHI_NO) + ARCH_CAP_RFDS_NO | ARCH_CAP_RFDS_CLEAR | ARCH_CAP_BHI_NO | \ + ARCH_CAP_VIRTUAL_ENUM) static u64 kvm_get_arch_capabilities(void) { 
@@ -1635,6 +1638,17 @@ static u64 kvm_get_arch_capabilities(void) */ data |= ARCH_CAP_PSCHANGE_MC_NO; + /* + * Virtual enumeration is a paravirt feature. The only usage for now + * is to bridge the gap caused by microarchitecture changes between + * different Intel processors. And its usage is linked to "virtualize + * IA32_SPEC_CTRL" which is a VMX feature. Whether AMD SVM can benefit + * from the same usage and how to implement it is still unclear. Limit + * virtual enumeration to VMX. + */ + if (static_call(kvm_x86_has_emulated_msr)(NULL, MSR_VIRTUAL_ENUMERATION)) + data |= ARCH_CAP_VIRTUAL_ENUM; + /* * If we're doing cache flushes (either "always" or "cond") * we will do one whenever the guest does a vmlaunch/vmresume.
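Review bot: In the kvm_get_arch_capabilities() hunk, static_call(kvm_x86_has_emulated_msr)(NULL, MSR_VIRTUAL_ENUMERATION) passes a NULL struct kvm, which is safe only while every vendor callback decides this index before dereferencing kvm. The svm_has_emulated_msr() hunk does return false first, but no vmx.c hunk here touches the VMX callback, so the new comment should say that the NULL is intentional and that the callback must tolerate it. The comment also explains why the feature is VMX-only without saying that the restriction is enforced through has_emulated_msr, which is the detail a reader needs to find the SVM "return false".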
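Review bot: In vmx_set_msr(), a host-initiated write to MSR_VIRTUAL_ENUMERATION is checked against VIRTUAL_ENUMERATION_VALID_BITS but not against ARCH_CAP_VIRTUAL_ENUM in vcpu->arch.arch_capabilities, whereas the guest read path in vmx_get_msr() does check that bit. With the mask at 0ULL this cannot matter yet, but once bits become valid userspace can store feature bits in an MSR the guest cannot read. Either document that userspace must set IA32_ARCH_CAPABILITIES first, or make the two paths consistent. VIRTUAL_ENUMERATION_VALID_BITS is also used as the value reported by vmx_get_msr_feature(), so a name such as "supported bits" would describe both uses.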
From: Chao Gao To: kvm@vger.kernel.org, linux-kernel@vger.kernel.org Cc: daniel.sneddon@linux.intel.com, pawan.kumar.gupta@linux.intel.com, Zhang Chen , Chao Gao , Sean Christopherson , Paolo Bonzini , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , x86@kernel.org, "H. Peter Anvin" Subject: [RFC PATCH v3 08/10] KVM: VMX: Advertise MITIGATION_CTRL support Date: Wed, 10 Apr 2024 22:34:36 +0800 Message-Id: <20240410143446.797262-9-chao.gao@intel.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20240410143446.797262-1-chao.gao@intel.com> References: <20240410143446.797262-1-chao.gao@intel.com> Precedence: bulk X-Mailing-List: kvm@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 From: Zhang Chen Advertise MITIGATION_CTRL support and emulate accesses to two associated MSRs. MITIGATION_CTRL is enumerated by bit 0 of MSR_VIRTUAL_ENUMERATION. If supported, two virtual MSRs MSR_VIRTUAL_MITIGATION_ENUM(0x50000001) and MSR_VIRTUAL_MITIGATION_CTRL(0x50000002) are available. The guest can use the two MSRs to report software mitigation status. According to this information, KVM can deploy some alternative mitigations (e.g., hardware mitigations) for the guest if some software mitigations are not effective on the host. Signed-off-by: Zhang Chen Co-developed-by: Chao Gao Signed-off-by: Chao Gao --- arch/x86/kvm/svm/svm.c | 2 ++ arch/x86/kvm/vmx/vmx.c | 36 +++++++++++++++++++++++++++++++++++- arch/x86/kvm/vmx/vmx.h | 3 +++ arch/x86/kvm/x86.c | 3 +++ 4 files changed, 43 insertions(+), 1 deletion(-) diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index e3406971a8b7..8a080592aa54 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c 
@@ -4289,6 +4289,8 @@ static bool svm_has_emulated_msr(struct kvm *kvm, u32 index) switch (index) { case MSR_IA32_MCG_EXT_CTL: case MSR_VIRTUAL_ENUMERATION: + case MSR_VIRTUAL_MITIGATION_ENUM: + case MSR_VIRTUAL_MITIGATION_CTRL: case KVM_FIRST_EMULATED_VMX_MSR ... KVM_LAST_EMULATED_VMX_MSR: return false; case MSR_IA32_SMBASE: diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index dcb06406fd09..cc260b14f8df 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -1955,7 +1955,9 @@ static inline bool is_vmx_feature_control_msr_valid(struct vcpu_vmx *vmx, return !(msr->data & ~valid_bits); } -#define VIRTUAL_ENUMERATION_VALID_BITS 0ULL +#define VIRTUAL_ENUMERATION_VALID_BITS VIRT_ENUM_MITIGATION_CTRL_SUPPORT +#define MITI_ENUM_VALID_BITS 0ULL +#define MITI_CTRL_VALID_BITS 0ULL static int vmx_get_msr_feature(struct kvm_msr_entry *msr) { @@ -1967,6 +1969,9 @@ static int vmx_get_msr_feature(struct kvm_msr_entry *msr) case MSR_VIRTUAL_ENUMERATION: msr->data = VIRTUAL_ENUMERATION_VALID_BITS; return 0; + case MSR_VIRTUAL_MITIGATION_ENUM: + msr->data = MITI_ENUM_VALID_BITS; + return 0; default: return KVM_MSR_RET_INVALID; } @@ -2124,6 +2129,18 @@ static int vmx_get_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info) return 1; msr_info->data = vmx->msr_virtual_enumeration; break; + case MSR_VIRTUAL_MITIGATION_ENUM: + if (!msr_info->host_initiated && + !(vmx->msr_virtual_enumeration & VIRT_ENUM_MITIGATION_CTRL_SUPPORT)) + return 1; + msr_info->data = vmx->msr_virtual_mitigation_enum; + break; + case MSR_VIRTUAL_MITIGATION_CTRL: + if (!msr_info->host_initiated && + !(vmx->msr_virtual_enumeration & VIRT_ENUM_MITIGATION_CTRL_SUPPORT)) + return 1; + msr_info->data = vmx->msr_virtual_mitigation_ctrl; + break; default: find_uret_msr: msr = vmx_find_uret_msr(vmx, msr_info->index); 
@@ -2476,7 +2493,23 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info) vmx->msr_virtual_enumeration = data; break; + case MSR_VIRTUAL_MITIGATION_ENUM: + if (!msr_info->host_initiated) + return 1; + if (data & ~MITI_ENUM_VALID_BITS) + return 1; + + vmx->msr_virtual_mitigation_enum = data; + break; + case MSR_VIRTUAL_MITIGATION_CTRL: + if (!msr_info->host_initiated && + !(vmx->msr_virtual_enumeration & VIRT_ENUM_MITIGATION_CTRL_SUPPORT)) + return 1; + if (data & ~MITI_CTRL_VALID_BITS) + return 1; + vmx->msr_virtual_mitigation_ctrl = data; + break; default: find_uret_msr: msr = vmx_find_uret_msr(vmx, msr_index); @@ -4901,6 +4934,7 @@ static void __vmx_vcpu_reset(struct kvm_vcpu *vcpu) */ vmx->pi_desc.nv = POSTED_INTR_VECTOR; vmx->pi_desc.sn = 1; + vmx->msr_virtual_mitigation_ctrl = 0; } static void vmx_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event) diff --git a/arch/x86/kvm/vmx/vmx.h b/arch/x86/kvm/vmx/vmx.h index 0519cf6187ac..7be5dd5dde6c 100644 --- a/arch/x86/kvm/vmx/vmx.h +++ b/arch/x86/kvm/vmx/vmx.h @@ -296,6 +296,9 @@ struct vcpu_vmx { u64 msr_virtual_enumeration; + u64 msr_virtual_mitigation_enum; + u64 msr_virtual_mitigation_ctrl; + u32 msr_ia32_umwait_control; /* diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 4721b6fe7641..f55d26d7c79a 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -1565,6 +1565,8 @@ static const u32 emulated_msrs_all[] = { MSR_K7_HWCR, MSR_KVM_POLL_CONTROL, MSR_VIRTUAL_ENUMERATION, + MSR_VIRTUAL_MITIGATION_ENUM, + MSR_VIRTUAL_MITIGATION_CTRL, }; static u32 emulated_msrs[ARRAY_SIZE(emulated_msrs_all)]; 
@@ -1581,6 +1583,7 @@ static const u32 msr_based_features_all_except_vmx[] = { MSR_IA32_ARCH_CAPABILITIES, MSR_IA32_PERF_CAPABILITIES, MSR_VIRTUAL_ENUMERATION, + MSR_VIRTUAL_MITIGATION_ENUM, }; static u32 msr_based_features[ARRAY_SIZE(msr_based_features_all_except_vmx) + From patchwork Wed Apr 10 14:34:37 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Chao Gao X-Patchwork-Id: 13624662 Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 24FD1172BCE; Wed, 10 Apr 2024 14:35:55 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=192.198.163.9 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712759756; cv=none; b=CgyB48gMke24GJHz33ZLHUmmosWrfGkITv+NXTD3rQk+KXLVeOykFheLuFf2RW0WJjwbbYX3rnfeRUy13GTbMUbJkSFSWaEHaXcAJ3VPrFtaOyVOdEN1GQWxHEkbHw6FIB61kzhgtX80CKJIKWDs1TFB92fCxQ1+07e70S2xyIE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712759756; c=relaxed/simple; bh=HgvR740LxRCUJlie9YdeYMqkDa7fqKR6D+8llY0+tM0=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=f9ItiHSffhbmZ9/g8iuITCpCmWkem0kY1TBvOHznhehAZfPUvWHfCEK60KeqkwFnLWnjayt3mSrkNd+mtrVj0BqeHJc4KyrTsk3rYbCbYz7In4EPlhEdmo+LmATtHivUBoaVmLKDJlMjwna94L3ddVeSgiMS2U0SCQPCyhUCLio= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=intel.com; spf=pass smtp.mailfrom=intel.com; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b=IPddA6Np; arc=none smtp.client-ip=192.198.163.9 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=intel.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=intel.com Authentication-Results: 
From: Chao Gao To: kvm@vger.kernel.org, linux-kernel@vger.kernel.org Cc: daniel.sneddon@linux.intel.com, pawan.kumar.gupta@linux.intel.com, Zhang Chen , Chao Gao , Sean Christopherson , Paolo Bonzini , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , x86@kernel.org, "H. Peter Anvin" Subject: [RFC PATCH v3 09/10] KVM: VMX: Advertise MITI_CTRL_BHB_CLEAR_SEQ_S_SUPPORT Date: Wed, 10 Apr 2024 22:34:37 +0800 Message-Id: <20240410143446.797262-10-chao.gao@intel.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20240410143446.797262-1-chao.gao@intel.com> References: <20240410143446.797262-1-chao.gao@intel.com> Precedence: bulk X-Mailing-List: kvm@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 From: Zhang Chen Allow guest to report if the short BHB-clearing sequence is in use. KVM will deploy BHI_DIS_S for the guest if the short BHB-clearing sequence is in use and the processor doesn't enumerate BHI_NO. Signed-off-by: Zhang Chen Signed-off-by: Chao Gao --- arch/x86/kvm/vmx/vmx.c | 31 ++++++++++++++++++++++++++++--- 1 file changed, 28 insertions(+), 3 deletions(-) diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index cc260b14f8df..c5ceaebd954b 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -1956,8 +1956,8 @@ static inline bool is_vmx_feature_control_msr_valid(struct vcpu_vmx *vmx, } #define VIRTUAL_ENUMERATION_VALID_BITS VIRT_ENUM_MITIGATION_CTRL_SUPPORT -#define MITI_ENUM_VALID_BITS 0ULL -#define MITI_CTRL_VALID_BITS 0ULL +#define MITI_ENUM_VALID_BITS MITI_ENUM_BHB_CLEAR_SEQ_S_SUPPORT +#define MITI_CTRL_VALID_BITS MITI_CTRL_BHB_CLEAR_SEQ_S_USED static int vmx_get_msr_feature(struct kvm_msr_entry *msr) { @@ -2204,7 +2204,7 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info) struct vmx_uret_msr *msr; int ret = 0; u32 msr_index = msr_info->index; - u64 data = msr_info->data; + u64 data = msr_info->data, spec_ctrl_mask = 0; u32 index; switch (msr_index) { 
@@ -2508,6 +2508,31 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info) if (data & ~MITI_CTRL_VALID_BITS) return 1; + if (data & MITI_CTRL_BHB_CLEAR_SEQ_S_USED && + kvm_cpu_cap_has(X86_FEATURE_BHI_CTRL) && + !(host_arch_capabilities & ARCH_CAP_BHI_NO)) + spec_ctrl_mask |= SPEC_CTRL_BHI_DIS_S; + + /* + * Intercept IA32_SPEC_CTRL to disallow guest from changing + * certain bits if "virtualize IA32_SPEC_CTRL" isn't supported + * e.g., in nested case. + */ + if (spec_ctrl_mask && !cpu_has_spec_ctrl_shadow()) + vmx_enable_intercept_for_msr(vcpu, MSR_IA32_SPEC_CTRL, MSR_TYPE_RW); + + /* + * KVM_CAP_FORCE_SPEC_CTRL takes precedence over + * MSR_VIRTUAL_MITIGATION_CTRL. + */ + spec_ctrl_mask &= ~vmx->vcpu.kvm->arch.force_spec_ctrl_mask; + + vmx->force_spec_ctrl_mask = vmx->vcpu.kvm->arch.force_spec_ctrl_mask | + spec_ctrl_mask; + vmx->force_spec_ctrl_value = vmx->vcpu.kvm->arch.force_spec_ctrl_value | + spec_ctrl_mask; + vmx_set_spec_ctrl(&vmx->vcpu, vmx->spec_ctrl_shadow); + vmx->msr_virtual_mitigation_ctrl = data; break; default: From patchwork Wed Apr 10 14:34:38 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Chao Gao X-Patchwork-Id: 13624663 Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 87AD716E866; Wed, 10 Apr 2024 14:35:58 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=192.198.163.9 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712759760; cv=none; b=laMTsSDdgIsh6jAU8ORn9uh3RagirLGxOdfv+zDQ0uyolOeYnnu5MwYWxepRTEvstNRtoKlEViJFkxys7IbysuyuWN72UoAjF0nfS7lEr4AKRkB6aYyJrnqDuUJPoob1VgtspJNcXJt8ieCgeLb/IVISvF9GKF02hM/GdExG8xw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712759760; c=relaxed/simple; 
X-IronPort-AV: E=Sophos;i="6.07,190,1708416000"; d="scan'208";a="25095588" Received: from unknown (HELO spr.sh.intel.com) ([10.239.53.118]) by fmviesa003-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 10 Apr 2024 07:35:55 -0700 From: Chao Gao To: kvm@vger.kernel.org, linux-kernel@vger.kernel.org Cc: daniel.sneddon@linux.intel.com, pawan.kumar.gupta@linux.intel.com, Chao Gao , Zhang Chen , Sean Christopherson , Paolo Bonzini , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , x86@kernel.org, "H. Peter Anvin" Subject: [RFC PATCH v3 10/10] KVM: VMX: Advertise MITI_ENUM_RETPOLINE_S_SUPPORT Date: Wed, 10 Apr 2024 22:34:38 +0800 Message-Id: <20240410143446.797262-11-chao.gao@intel.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20240410143446.797262-1-chao.gao@intel.com> References: <20240410143446.797262-1-chao.gao@intel.com> Precedence: bulk X-Mailing-List: kvm@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Allow guest to report if retpoline is used in supervisor mode. KVM will deploy RRSBA_DIS_S for guest if guest is using retpoline and the processor enumerates RRSBA. Signed-off-by: Zhang Chen Signed-off-by: Chao Gao --- arch/x86/kvm/vmx/vmx.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index c5ceaebd954b..235cb6ad69c0 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -1956,8 +1956,10 @@ static inline bool is_vmx_feature_control_msr_valid(struct vcpu_vmx *vmx, } #define VIRTUAL_ENUMERATION_VALID_BITS VIRT_ENUM_MITIGATION_CTRL_SUPPORT -#define MITI_ENUM_VALID_BITS MITI_ENUM_BHB_CLEAR_SEQ_S_SUPPORT -#define MITI_CTRL_VALID_BITS MITI_CTRL_BHB_CLEAR_SEQ_S_USED +#define MITI_ENUM_VALID_BITS (MITI_ENUM_BHB_CLEAR_SEQ_S_SUPPORT | \ + MITI_ENUM_RETPOLINE_S_SUPPORT) +#define MITI_CTRL_VALID_BITS (MITI_CTRL_BHB_CLEAR_SEQ_S_USED | \ + MITI_CTRL_RETPOLINE_S_USED) static int vmx_get_msr_feature(struct kvm_msr_entry *msr) { 
@@ -2508,6 +2510,11 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info) if (data & ~MITI_CTRL_VALID_BITS) return 1; + if (data & MITI_CTRL_RETPOLINE_S_USED && + kvm_cpu_cap_has(X86_FEATURE_RRSBA_CTRL) && + host_arch_capabilities & ARCH_CAP_RRSBA) + spec_ctrl_mask |= SPEC_CTRL_RRSBA_DIS_S; + if (data & MITI_CTRL_BHB_CLEAR_SEQ_S_USED && kvm_cpu_cap_has(X86_FEATURE_BHI_CTRL) && !(host_arch_capabilities & ARCH_CAP_BHI_NO))
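Review bot: In patch 08, vmx_get_msr(), the new MSR_VIRTUAL_MITIGATION_ENUM and MSR_VIRTUAL_MITIGATION_CTRL cases repeat the same guard, "!msr_info->host_initiated && !(vmx->msr_virtual_enumeration & VIRT_ENUM_MITIGATION_CTRL_SUPPORT)", and the same test appears a third time in the vmx_set_msr() hunk. A small helper taking vmx and msr_info would keep the access rule in one place as further MSRs are gated on that enumeration bit.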
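Review bot: In patch 08, vmx_set_msr(), the MSR_VIRTUAL_MITIGATION_CTRL case validates a write only against the build-time constant MITI_CTRL_VALID_BITS and never against what userspace stored in vmx->msr_virtual_mitigation_enum for this vCPU. With the constant at 0ULL that is harmless in this patch, but once patches 09 and 10 widen it, a guest can set a USED bit whose matching SUPPORT bit was never advertised to it. Consider rejecting control bits that the per-vCPU enumeration does not advertise. The MSR_VIRTUAL_MITIGATION_ENUM case also accepts a host write without looking at VIRT_ENUM_MITIGATION_CTRL_SUPPORT in msr_virtual_enumeration, so the two MSRs can end up inconsistent; please say whether that is intended.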
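Review bot: In patch 08, the line "vmx->msr_virtual_mitigation_ctrl = 0;" is added to __vmx_vcpu_reset() directly after the pi_desc setup with no comment, while vmx_vcpu_reset(vcpu, init_event) in the trailing context is untouched. Please state whether the guest-reported mitigation state is meant to survive INIT and place the reset accordingly. Patch 09 later derives vmx->force_spec_ctrl_mask and vmx->force_spec_ctrl_value from this MSR but adds no hunk to this function, so unless those fields are reinitialised elsewhere, a reset that zeroes the MSR leaves the derived values as they were.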
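Review bot: In patch 09, vmx_set_msr(), the MSR_VIRTUAL_MITIGATION_CTRL case enables the IA32_SPEC_CTRL intercept when spec_ctrl_mask is non-zero and cpu_has_spec_ctrl_shadow() is false, but nothing in the hunk removes it when a later write clears MITI_CTRL_BHB_CLEAR_SEQ_S_USED. That later write recomputes vmx->force_spec_ctrl_mask without the bit, yet the intercept stays in place. Either drop the intercept on the clearing path or extend the comment to say the transition is one-way by design. Two smaller points in the same hunk: "data & MITI_CTRL_BHB_CLEAR_SEQ_S_USED &&" would read more clearly with its own parentheses, and since the function already has vcpu (it is passed to vmx_enable_intercept_for_msr()), "vmx->vcpu.kvm->arch" and "&vmx->vcpu" can be written as "vcpu->kvm->arch" and "vcpu".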
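Review bot: In patch 10, vmx_set_msr(), the new RRSBA condition mixes unparenthesized bitwise tests into an && chain ("data & MITI_CTRL_RETPOLINE_S_USED &&" and "host_arch_capabilities & ARCH_CAP_RRSBA"), while the BHI check in the trailing context wraps its test as "!(host_arch_capabilities & ARCH_CAP_BHI_NO)". Precedence makes the result correct, but parenthesizing both tests would match the neighbouring code and avoid a second look from every reader. A one-line comment saying why RRSBA_DIS_S is forced when the guest reports retpoline, as the commit message does, would also help, since the block above the intercept comment currently has none.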