On Tue, 25 Sep 2018 at 02:08, Jim Mattson <jmattson@xxxxxxxxxx> wrote:
>
> As specified in Intel's SDM, do not allow the L1 hypervisor to launch
> an L2 guest with the VM-execution controls for "unrestricted guest" or
> "mode-based execute control for EPT" set and the VM-execution control
> for "enable EPT" clear.
>
> Note that the VM-execution control for "mode-based execute control for
> EPT" is not yet virtualized by kvm.
>
> Reported-by: Andrew Thornton <andrewth@xxxxxxxxxx>
> Signed-off-by: Jim Mattson <jmattson@xxxxxxxxxx>
> Reviewed-by: Peter Shier <pshier@xxxxxxxxxx>
Reviewed-by: Wanpeng Li <wanpengli@xxxxxxxxxxx>
> ---
> arch/x86/include/asm/vmx.h | 1 +
> arch/x86/kvm/vmx.c | 24 ++++++++++++++++++++++++
> 2 files changed, 25 insertions(+)
>
> diff --git a/arch/x86/include/asm/vmx.h b/arch/x86/include/asm/vmx.h
> index 9527ba5d62da..665632a4b54b 100644
> --- a/arch/x86/include/asm/vmx.h
> +++ b/arch/x86/include/asm/vmx.h
> @@ -78,6 +78,7 @@
> #define SECONDARY_EXEC_RDSEED_EXITING 0x00010000
> #define SECONDARY_EXEC_ENABLE_PML 0x00020000
> #define SECONDARY_EXEC_XSAVES 0x00100000
> +#define SECONDARY_EXEC_MODE_BASED_EPT_EXEC 0x00400000
> #define SECONDARY_EXEC_TSC_SCALING 0x02000000
>
> #define PIN_BASED_EXT_INTR_MASK 0x00000001
> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
> index 06412ba46aa3..b78607dd113c 100644
> --- a/arch/x86/kvm/vmx.c
> +++ b/arch/x86/kvm/vmx.c
> @@ -11775,6 +11775,24 @@ static int nested_vmx_check_pml_controls(struct kvm_vcpu *vcpu,
> return 0;
> }
>
> +static int nested_vmx_check_unrestricted_guest_controls(struct kvm_vcpu *vcpu,
> + struct vmcs12 *vmcs12)
> +{
> + if (nested_cpu_has2(vmcs12, SECONDARY_EXEC_UNRESTRICTED_GUEST) &&
> + !nested_cpu_has_ept(vmcs12))
> + return -EINVAL;
> + return 0;
> +}
> +
> +static int nested_vmx_check_mode_based_ept_exec_controls(struct kvm_vcpu *vcpu,
> + struct vmcs12 *vmcs12)
> +{
> + if (nested_cpu_has2(vmcs12, SECONDARY_EXEC_MODE_BASED_EPT_EXEC) &&
> + !nested_cpu_has_ept(vmcs12))
> + return -EINVAL;
> + return 0;
> +}
> +
> static int nested_vmx_check_shadow_vmcs_controls(struct kvm_vcpu *vcpu,
> struct vmcs12 *vmcs12)
> {
> @@ -12397,6 +12415,12 @@ static int check_vmentry_prereqs(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
> if (nested_vmx_check_pml_controls(vcpu, vmcs12))
> return VMXERR_ENTRY_INVALID_CONTROL_FIELD;
>
> + if (nested_vmx_check_unrestricted_guest_controls(vcpu, vmcs12))
> + return VMXERR_ENTRY_INVALID_CONTROL_FIELD;
> +
> + if (nested_vmx_check_mode_based_ept_exec_controls(vcpu, vmcs12))
> + return VMXERR_ENTRY_INVALID_CONTROL_FIELD;
> +
> if (nested_vmx_check_shadow_vmcs_controls(vcpu, vmcs12))
> return VMXERR_ENTRY_INVALID_CONTROL_FIELD;
>
> --
> 2.19.0.444.g18242da7ef-goog
>
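Review bot: The two helpers added ahead of nested_vmx_check_shadow_vmcs_controls() carry no comment naming the architectural rule they enforce, so a later reader cannot tell a required VM-entry consistency check from a KVM policy choice that could be relaxed. I would put one line above each, `/* SDM: "unrestricted guest" = 1 requires "enable EPT" = 1. */` and `/* SDM: "mode-based execute control for EPT" = 1 requires "enable EPT" = 1. */`. The commit message says the mode-based control is not yet virtualized by kvm, so the second comment should also say the check is in place for when the control is exposed to L1; whether an L1 that sets the bit today is already refused by an allowed-controls check is not visible in this hunk. `vcpu` is unused in both bodies, which matches the nested_vmx_check_pml_controls() signature shown in the hunk header and can stay for consistency.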