Re: [PATCH v2] KVM: nVMX: Disable intercept for *_BASE MSR in vmcs02 when possible

Paolo Bonzini <pbonzini@xxxxxxxxxx> · Wed, 8 May 2019 14:31:02 +0200

On 06/05/19 10:59, Jintack Lim wrote:
> Even when neither L0 nor L1 configured to trap *_BASE MSR accesses from
> its own VMs, the current KVM L0 always traps *_BASE MSR accesses from
> L2.  Let's check if both L0 and L1 disabled trap for *_BASE MSR for its
> VMs respectively, and let L2 access to*_BASE MSR without trap if that's
> the case.
> 
> Signed-off-by: Jintack Lim <jintack@xxxxxxxxxxxxxxx>
> 
> ---
> 
> Changes since v1:
> - Added GS_BASE and KENREL_GS_BASE (Jim, Sean)
> - Changed to allow reads as well as writes (Sean)
> ---
>  arch/x86/kvm/vmx/nested.c | 24 +++++++++++++++++++++++-
>  1 file changed, 23 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
> index 0c601d0..d167bb6 100644
> --- a/arch/x86/kvm/vmx/nested.c
> +++ b/arch/x86/kvm/vmx/nested.c
> @@ -537,6 +537,10 @@ static inline bool nested_vmx_prepare_msr_bitmap(struct kvm_vcpu *vcpu,
>  	 */
>  	bool pred_cmd = !msr_write_intercepted_l01(vcpu, MSR_IA32_PRED_CMD);
>  	bool spec_ctrl = !msr_write_intercepted_l01(vcpu, MSR_IA32_SPEC_CTRL);
> +	bool fs_base = !msr_write_intercepted_l01(vcpu, MSR_FS_BASE);
> +	bool gs_base = !msr_write_intercepted_l01(vcpu, MSR_GS_BASE);
> +	bool kernel_gs_base = !msr_write_intercepted_l01(vcpu,
> +							 MSR_KERNEL_GS_BASE);
>  
>  	/* Nothing to do if the MSR bitmap is not in use.  */
>  	if (!cpu_has_vmx_msr_bitmap() ||
> @@ -544,7 +548,7 @@ static inline bool nested_vmx_prepare_msr_bitmap(struct kvm_vcpu *vcpu,
>  		return false;
>  
>  	if (!nested_cpu_has_virt_x2apic_mode(vmcs12) &&
> -	    !pred_cmd && !spec_ctrl)
> +	    !pred_cmd && !spec_ctrl && !fs_base && !gs_base && !kernel_gs_base)
>  		return false;
>  
>  	page = kvm_vcpu_gpa_to_page(vcpu, vmcs12->msr_bitmap);
> @@ -592,6 +596,24 @@ static inline bool nested_vmx_prepare_msr_bitmap(struct kvm_vcpu *vcpu,
>  		}
>  	}
>  
> +	if (fs_base)
> +		nested_vmx_disable_intercept_for_msr(
> +					msr_bitmap_l1, msr_bitmap_l0,
> +					MSR_FS_BASE,
> +					MSR_TYPE_RW);
> +
> +	if (gs_base)
> +		nested_vmx_disable_intercept_for_msr(
> +					msr_bitmap_l1, msr_bitmap_l0,
> +					MSR_GS_BASE,
> +					MSR_TYPE_RW);
> +
> +	if (kernel_gs_base)
> +		nested_vmx_disable_intercept_for_msr(
> +					msr_bitmap_l1, msr_bitmap_l0,
> +					MSR_KERNEL_GS_BASE,
> +					MSR_TYPE_RW);
> +
>  	if (spec_ctrl)
>  		nested_vmx_disable_intercept_for_msr(
>  					msr_bitmap_l1, msr_bitmap_l0,
> 

Queued, thanks.  (It may take a couple days until I finish testing
everything for the merge window, but it will be in 5.2).

Paolo