From: Liran Alon <liran.alon@xxxxxxxxxx> Add the address_space_isolation parameter to the kvm module. When set to true, KVM #VMExit handlers run in isolated address space which maps only KVM required code and per-VM information instead of entire kernel address space. This mechanism is meant to mitigate memory-leak side-channels CPU vulnerabilities (e.g. Spectre, L1TF and etc.) but can also be viewed as security in-depth as it also helps generically against info-leaks vulnerabilities in KVM #VMExit handlers and reduce the available gadgets for ROP attacks. This is set to false by default because it incurs a performance hit which some users will not want to take for security gain. Signed-off-by: Liran Alon <liran.alon@xxxxxxxxxx> Signed-off-by: Alexandre Chartre <alexandre.chartre@xxxxxxxxxx> --- arch/x86/kvm/Makefile | 3 ++- arch/x86/kvm/vmx/isolation.c | 26 ++++++++++++++++++++++++++ 2 files changed, 28 insertions(+), 1 deletions(-) create mode 100644 arch/x86/kvm/vmx/isolation.c diff --git a/arch/x86/kvm/Makefile b/arch/x86/kvm/Makefile index 31ecf7a..71579ed 100644 --- a/arch/x86/kvm/Makefile +++ b/arch/x86/kvm/Makefile @@ -12,7 +12,8 @@ kvm-y += x86.o mmu.o emulate.o i8259.o irq.o lapic.o \ i8254.o ioapic.o irq_comm.o cpuid.o pmu.o mtrr.o \ hyperv.o page_track.o debugfs.o -kvm-intel-y += vmx/vmx.o vmx/vmenter.o vmx/pmu_intel.o vmx/vmcs12.o vmx/evmcs.o vmx/nested.o +kvm-intel-y += vmx/vmx.o vmx/vmenter.o vmx/pmu_intel.o vmx/vmcs12.o \ + vmx/evmcs.o vmx/nested.o vmx/isolation.o kvm-amd-y += svm.o pmu_amd.o obj-$(CONFIG_KVM) += kvm.o diff --git a/arch/x86/kvm/vmx/isolation.c b/arch/x86/kvm/vmx/isolation.c new file mode 100644 index 0000000..e25f663 --- /dev/null +++ b/arch/x86/kvm/vmx/isolation.c @@ -0,0 +1,26 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. + * + * KVM Address Space Isolation + */ + +#include <linux/module.h> +#include <linux/moduleparam.h> + +/* + * When set to true, KVM #VMExit handlers run in isolated address space + * which maps only KVM required code and per-VM information instead of + * entire kernel address space. + * + * This mechanism is meant to mitigate memory-leak side-channels CPU + * vulnerabilities (e.g. Spectre, L1TF and etc.) but can also be viewed + * as security in-depth as it also helps generically against info-leaks + * vulnerabilities in KVM #VMExit handlers and reduce the available + * gadgets for ROP attacks. + * + * This is set to false by default because it incurs a performance hit + * which some users will not want to take for security gain. + */ +static bool __read_mostly address_space_isolation; +module_param(address_space_isolation, bool, 0444); -- 1.7.1