RE: [RFC][PATCH v2 1/1] KVM: nVMX: Don't leak L1 MMIO regions to L2

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> From: Tian, Kevin
> Sent: Thursday, September 12, 2019 3:49 PM
> 
> > From: Jim Mattson
> > Sent: Tuesday, September 10, 2019 6:28 AM
> >
> > If the "virtualize APIC accesses" VM-execution control is set in the
> > VMCS, the APIC virtualization hardware is triggered when a page walk
> > in VMX non-root mode terminates at a PTE wherein the address of the 4k
> > page frame matches the APIC-access address specified in the VMCS. On
> > hardware, the APIC-access address may be any valid 4k-aligned physical
> > address.
> >
> > KVM's nVMX implementation enforces the additional constraint that the
> > APIC-access address specified in the vmcs12 must be backed by
> > cacheable memory in L1. If not, L0 will simply clear the "virtualize
> > APIC accesses" VM-execution control in the vmcs02.
> >
> > The problem with this approach is that the L1 guest has arranged the
> > vmcs12 EPT tables--or shadow page tables, if the "enable EPT"
> > VM-execution control is clear in the vmcs12--so that the L2 guest
> > physical address(es)--or L2 guest linear address(es)--that reference
> > the L2 APIC map to the APIC-access address specified in the
> > vmcs12. Without the "virtualize APIC accesses" VM-execution control in
> > the vmcs02, the APIC accesses in the L2 guest will directly access the
> > APIC-access page in L1.
> >
> > When L0 has no mapping whatsoever for the APIC-access address in L1,
> > the L2 VM just loses the intended APIC virtualization. However, when
> > the L2 APIC-access address is mapped to an MMIO region in L1, the L2
> > guest gets direct access to the L1 MMIO device. For example, if the
> > APIC-access address specified in the vmcs12 is 0xfee00000, then L2
> > gets direct access to L1's APIC.
> 
> 'direct access to L1 APIC' is conceptually correct but won't happen
> in current KVM design. Above either leads to direct access to L0's
> APIC-access page (if L0 VMM enables "virtualized APIC accesses"
> and maps L1 0xfee00000 to L0 APIC-access page), which doesn't
> really hold L1's APIC state, or cause nested EPT violation fault into
> L1 VMM (if L0 VMM disables "virtualized APIC accesses", thus L1
> 0xfee00000 has no valid mapping in L0 EPT). Of course either way
> is still broken. The former cannot properly virtualize the L2 APIC,
> while the latter may confuse the L1 VMM if only APIC-access
> VM exit is expected. But there is not direct L2 access to L1's APIC
> state anyway. :-)

Sorry sent too fast. :/ There is no nested EPT fault in the latter 
case - it's caused by L0 EPT instead of L1 EPT. Then L0 VMM will
emulate the L2 access using L1's APIC, as you described.

> 
> >
> > Fixing this correctly is complicated. Since this vmcs12 configuration
> > is something that KVM cannot faithfully emulate, the appropriate
> 
> Why cannot it be faithfully emulated? At least your comments in
> below code already represents a feasible option. Although, yes, it
> is possibly complicated...
> 
> > response is to exit to userspace with
> > KVM_INTERNAL_ERROR_EMULATION. Sadly, the kvm-unit-tests fail, so
> I'm
> > posting this as an RFC.
> >
> > Note that the 'Code' line emitted by qemu in response to this error
> > shows the guest %rip two instructions after the
> > vmlaunch/vmresume. Hmmm.
> >
> > Fixes: fe3ef05c7572 ("KVM: nVMX: Prepare vmcs02 from vmcs01 and
> > vmcs12")
> > Reported-by: Dan Cross <dcross@xxxxxxxxxx>
> > Signed-off-by: Jim Mattson <jmattson@xxxxxxxxxx>
> > Reviewed-by: Marc Orr <marcorr@xxxxxxxxxx>
> > Reviewed-by: Peter Shier <pshier@xxxxxxxxxx>
> > Reviewed-by: Dan Cross <dcross@xxxxxxxxxx>
> > ---
> >  arch/x86/include/asm/kvm_host.h |  2 +-
> >  arch/x86/kvm/vmx/nested.c       | 65 +++++++++++++++++++++------------
> >  arch/x86/kvm/x86.c              |  9 ++++-
> >  3 files changed, 49 insertions(+), 27 deletions(-)
> >
> > diff --git a/arch/x86/include/asm/kvm_host.h
> > b/arch/x86/include/asm/kvm_host.h
> > index 74e88e5edd9cf..e95acf8c82b47 100644
> > --- a/arch/x86/include/asm/kvm_host.h
> > +++ b/arch/x86/include/asm/kvm_host.h
> > @@ -1191,7 +1191,7 @@ struct kvm_x86_ops {
> >  	int (*set_nested_state)(struct kvm_vcpu *vcpu,
> >  				struct kvm_nested_state __user
> > *user_kvm_nested_state,
> >  				struct kvm_nested_state *kvm_state);
> > -	void (*get_vmcs12_pages)(struct kvm_vcpu *vcpu);
> > +	int (*get_vmcs12_pages)(struct kvm_vcpu *vcpu);
> >
> >  	int (*smi_allowed)(struct kvm_vcpu *vcpu);
> >  	int (*pre_enter_smm)(struct kvm_vcpu *vcpu, char *smstate);
> > diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
> > index ced9fba32598d..04b5069d4a9b3 100644
> > --- a/arch/x86/kvm/vmx/nested.c
> > +++ b/arch/x86/kvm/vmx/nested.c
> > @@ -2871,7 +2871,7 @@ static int
> nested_vmx_check_vmentry_hw(struct
> > kvm_vcpu *vcpu)
> >  static inline bool nested_vmx_prepare_msr_bitmap(struct kvm_vcpu
> > *vcpu,
> >  						 struct vmcs12 *vmcs12);
> >
> > -static void nested_get_vmcs12_pages(struct kvm_vcpu *vcpu)
> > +static int nested_get_vmcs12_pages(struct kvm_vcpu *vcpu)
> >  {
> >  	struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
> >  	struct vcpu_vmx *vmx = to_vmx(vcpu);
> > @@ -2891,19 +2891,33 @@ static void nested_get_vmcs12_pages(struct
> > kvm_vcpu *vcpu)
> >  			vmx->nested.apic_access_page = NULL;
> >  		}
> >  		page = kvm_vcpu_gpa_to_page(vcpu, vmcs12-
> > >apic_access_addr);
> > -		/*
> > -		 * If translation failed, no matter: This feature asks
> > -		 * to exit when accessing the given address, and if it
> > -		 * can never be accessed, this feature won't do
> > -		 * anything anyway.
> > -		 */
> > -		if (!is_error_page(page)) {
> > +		if (likely(!is_error_page(page))) {
> >  			vmx->nested.apic_access_page = page;
> >  			hpa = page_to_phys(vmx-
> > >nested.apic_access_page);
> >  			vmcs_write64(APIC_ACCESS_ADDR, hpa);
> >  		} else {
> > -			secondary_exec_controls_clearbit(vmx,
> > -
> > 	SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES);
> > +			/*
> > +			 * Since there is no backing page, we can't
> > +			 * just rely on the usual L1 GPA -> HPA
> > +			 * translation mechanism to do the right
> > +			 * thing. We'd have to assign an appropriate
> > +			 * HPA for the L1 APIC-access address, and
> > +			 * then we'd have to modify the MMU to ensure
> > +			 * that the L1 APIC-access address is mapped
> > +			 * to the assigned HPA if and only if an L2 VM
> > +			 * with that APIC-access address and the
> > +			 * "virtualize APIC accesses" VM-execution
> > +			 * control set in the vmcs12 is running. For
> > +			 * now, just admit defeat.
> > +			 */
> > +			pr_warn_ratelimited("Unsupported vmcs12 APIC-
> > access address 0x%llx\n",
> > +				vmcs12->apic_access_addr);
> > +			vcpu->run->exit_reason =
> > KVM_EXIT_INTERNAL_ERROR;
> > +			vcpu->run->internal.suberror =
> > +				KVM_INTERNAL_ERROR_EMULATION;
> > +			vcpu->run->internal.ndata = 1;
> > +			vcpu->run->internal.data[0] = vmcs12-
> > >apic_access_addr;
> > +			return -EINTR;
> 
> What about always using L0 APIC-access address in vmcs02 and mapping
> 
> 
> >  		}
> >  	}
> >
> > @@ -2948,6 +2962,7 @@ static void nested_get_vmcs12_pages(struct
> > kvm_vcpu *vcpu)
> >  		exec_controls_setbit(vmx,
> > CPU_BASED_USE_MSR_BITMAPS);
> >  	else
> >  		exec_controls_clearbit(vmx,
> > CPU_BASED_USE_MSR_BITMAPS);
> > +	return 0;
> >  }
> >
> >  /*
> > @@ -2986,11 +3001,11 @@ static void load_vmcs12_host_state(struct
> > kvm_vcpu *vcpu,
> >  /*
> >   * If from_vmentry is false, this is being called from state restore (either
> > RSM
> >   * or KVM_SET_NESTED_STATE).  Otherwise it's called from
> > vmlaunch/vmresume.
> > -+ *
> > -+ * Returns:
> > -+ *   0 - success, i.e. proceed with actual VMEnter
> > -+ *   1 - consistency check VMExit
> > -+ *  -1 - consistency check VMFail
> > + *
> > + * Returns:
> > + * -EINTR  - exit to userspace
> > + * -EINVAL - VMentry failure; continue
> > + *  0      - success, i.e. proceed with actual VMEnter
> >   */
> >  int nested_vmx_enter_non_root_mode(struct kvm_vcpu *vcpu, bool
> > from_vmentry)
> >  {
> > @@ -2999,6 +3014,7 @@ int nested_vmx_enter_non_root_mode(struct
> > kvm_vcpu *vcpu, bool from_vmentry)
> >  	bool evaluate_pending_interrupts;
> >  	u32 exit_reason = EXIT_REASON_INVALID_STATE;
> >  	u32 exit_qual;
> > +	int r;
> >
> >  	evaluate_pending_interrupts = exec_controls_get(vmx) &
> >  		(CPU_BASED_VIRTUAL_INTR_PENDING |
> > CPU_BASED_VIRTUAL_NMI_PENDING);
> > @@ -3035,11 +3051,15 @@ int
> nested_vmx_enter_non_root_mode(struct
> > kvm_vcpu *vcpu, bool from_vmentry)
> >  	prepare_vmcs02_early(vmx, vmcs12);
> >
> >  	if (from_vmentry) {
> > -		nested_get_vmcs12_pages(vcpu);
> > +		r = nested_get_vmcs12_pages(vcpu);
> > +		if (unlikely(r))
> > +			return r;
> >
> >  		if (nested_vmx_check_vmentry_hw(vcpu)) {
> >  			vmx_switch_vmcs(vcpu, &vmx->vmcs01);
> > -			return -1;
> > +			r = nested_vmx_failValid(vcpu,
> > +
> > VMXERR_ENTRY_INVALID_CONTROL_FIELD);
> > +			return r ? -EINVAL : -EINTR;
> >  		}
> >
> >  		if (nested_vmx_check_guest_state(vcpu, vmcs12,
> > &exit_qual))
> > @@ -3119,14 +3139,14 @@ int
> nested_vmx_enter_non_root_mode(struct
> > kvm_vcpu *vcpu, bool from_vmentry)
> >  	vmx_switch_vmcs(vcpu, &vmx->vmcs01);
> >
> >  	if (!from_vmentry)
> > -		return 1;
> > +		return -EINVAL;
> >
> >  	load_vmcs12_host_state(vcpu, vmcs12);
> >  	vmcs12->vm_exit_reason = exit_reason |
> > VMX_EXIT_REASONS_FAILED_VMENTRY;
> >  	vmcs12->exit_qualification = exit_qual;
> >  	if (enable_shadow_vmcs || vmx->nested.hv_evmcs)
> >  		vmx->nested.need_vmcs12_to_shadow_sync = true;
> > -	return 1;
> > +	return -EINVAL;
> >  }
> >
> >  /*
> > @@ -3200,11 +3220,8 @@ static int nested_vmx_run(struct kvm_vcpu
> > *vcpu, bool launch)
> >  	vmx->nested.nested_run_pending = 1;
> >  	ret = nested_vmx_enter_non_root_mode(vcpu, true);
> >  	vmx->nested.nested_run_pending = !ret;
> > -	if (ret > 0)
> > -		return 1;
> > -	else if (ret)
> > -		return nested_vmx_failValid(vcpu,
> > -			VMXERR_ENTRY_INVALID_CONTROL_FIELD);
> > +	if (ret)
> > +		return ret != -EINTR;
> >
> >  	/* Hide L1D cache contents from the nested guest.  */
> >  	vmx->vcpu.arch.l1tf_flush_l1d = true;
> > diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> > index 290c3c3efb877..5ddbf16c8b108 100644
> > --- a/arch/x86/kvm/x86.c
> > +++ b/arch/x86/kvm/x86.c
> > @@ -7803,8 +7803,13 @@ static int vcpu_enter_guest(struct kvm_vcpu
> > *vcpu)
> >  	bool req_immediate_exit = false;
> >
> >  	if (kvm_request_pending(vcpu)) {
> > -		if (kvm_check_request(KVM_REQ_GET_VMCS12_PAGES,
> > vcpu))
> > -			kvm_x86_ops->get_vmcs12_pages(vcpu);
> > +		if (kvm_check_request(KVM_REQ_GET_VMCS12_PAGES,
> > vcpu)) {
> > +			r = kvm_x86_ops->get_vmcs12_pages(vcpu);
> > +			if (unlikely(r)) {
> > +				r = 0;
> > +				goto out;
> > +			}
> > +		}
> >  		if (kvm_check_request(KVM_REQ_MMU_RELOAD, vcpu))
> >  			kvm_mmu_unload(vcpu);
> >  		if (kvm_check_request(KVM_REQ_MIGRATE_TIMER, vcpu))
> > --
> > 2.23.0.162.g0b9fbb3734-goog





[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux