On 07/07/20 08:11, Sean Christopherson wrote:
> One oddity with this whole thing is that by passing through the MSR, KVM is
> allowing the guest to write bits it doesn't know about, which is definitely
> not normal. It also means the guest could write bits that the host VMM
> can't.

That's true. However, the main purpose of the kvm_spec_ctrl_valid_bits check is to ensure that host-initiated writes are valid; this way, you don't get a #GP on the next vmentry's WRMSR to MSR_IA32_SPEC_CTRL. Checking the guest CPUID bit is not even necessary.

Paolo

> Somewhat crazy idea inbound... rather than calculating the valid bits in
> software, what if we throw the value at the CPU and see if it fails? At
> least that way the host and guest are subject to the same rules. E.g.
>
> --- a/arch/x86/kvm/vmx/vmx.c
> +++ b/arch/x86/kvm/vmx/vmx.c
> @@ -2062,11 +2062,19 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
> !guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL))
> return 1;
>
> - if (data & ~kvm_spec_ctrl_valid_bits(vcpu))
> - return 1;
> -
> + ret = 0;
> vmx->spec_ctrl = data;
> - if (!data)
> +
> + local_irq_disable();
> + if (rdmsrl_safe(MSR_IA32_SPEC_CTRL, &data))
> + ret = 1;
> + else if (wrmsrl_safe(MSR_IA32_SPEC_CTRL, vmx->spec_ctrl))
> + ret = 1;
> + else
> + wrmsrl(MSR_IA32_SPEC_CTRL, data))
> + local_irq_enable();
> +
> + if (ret || !vmx->spec_ctrl)
> break;
>
> /*
>
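Review bot: the `else` branch `wrmsrl(MSR_IA32_SPEC_CTRL, data))` has an unbalanced closing parenthesis and no terminating semicolon, so the hunk does not compile as shown; it should read `wrmsrl(MSR_IA32_SPEC_CTRL, data);`. The ordering is also a problem: `vmx->spec_ctrl = data;` is assigned before the probe, so when `wrmsrl_safe()` faults the rejected value is left in `vmx->spec_ctrl` even though `ret` is set to 1, and the next vmentry's WRMSR of that stale value can #GP, which is exactly what the removed kvm_spec_ctrl_valid_bits check was guarding against. Either move the assignment after a successful probe or restore the previous value on failure. `ret` also needs a declaration, which does not appear in the visible lines.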