[PATCH v3 0/6] KVM: nVMX: VMX control MSR fixes

There are a few bits in the VMX entry/exit control MSRs where KVM
intervenes. The "load IA32_PERF_GLOBAL_CTRL" and "{load,clear}
IA32_BNDCFGS" VMX entry/exit control bits are under KVM control and
conditionally exposed based on the guest CPUID. If the guest CPUID
provides a supporting vPMU or MPX, the respective VMX control bits are
enabled.

These rules have not been upheld in all cases, though. Since commit
aedbaf4f6afd ("KVM: x86: Extract kvm_update_cpuid_runtime() from
kvm_update_cpuid()") KVM will only apply its updates to the MSRs
when the guest CPUID is set. Before, KVM called kvm_update_cpuid()
frequently when running a guest, which had the effect of overriding
any userspace setting of these MSRs.

If an unsuspecting VMM writes to these VMX control MSRs after the
CPUID has been set, KVM fails to configure the appropriate bits.
There are no ordering requirements between setting CPUID and writing
to an MSR.

At the same time, we probably want to get KVM out of the business of
fiddling with these control MSRs. This series adds a quirk that allows
userspace to opt out of KVM tweaks to these MSRs.

[Patch 1-2]
Fix the immediate issue by hooking writes to the VMX control MSRs. If
userspace writes to one of the affected MSRs, reapply KVM's tweaks to
these registers. Note that these patches employ the minimal change
required to fix the issue, in case they are worthy of a backport.

[Patch 3]
Add a quirk allowing sane VMMs to take full ownership of these control
MSR bits, when disabled.

[Patch 4-6]
Add tests to verify correct behavior with the quirk enabled (KVM
control) and quirk disabled (userspace control).

Applies cleanly to 5.17-rc5. Tested on a Skylake machine with the
included selftest.

v2: https://patchwork.kernel.org/project/kvm/cover/20220204204705.3538240-1-oupton@xxxxxxxxxx/

v2 -> v3:
 - Fix changelog and blamed commit in patches 1-2 to better capture
   the history and subsequent breakage of ABI (Sean)
 - Skip consolidation of PMU/MPX control MSR updates into a single
   helper. Sean has some cleanups that are preferable.
 - Add test cases for both MPX and PGC that assert KVM clears the
   respective bits when the feature dependencies are not present in
   guest CPUID (Paolo)

Oliver Upton (6):
  KVM: nVMX: Keep KVM updates to BNDCFGS ctrl bits across MSR write
  KVM: nVMX: Keep KVM updates to PERF_GLOBAL_CTRL ctrl bits across MSR
    write
  KVM: nVMX: Add a quirk for KVM tweaks to VMX control MSRs
  selftests: KVM: Separate static alloc from KVM_GET_SUPPORTED_CPUID
    call
  selftests: KVM: Add test for PERF_GLOBAL_CTRL VMX control MSR bits
  selftests: KVM: Add test for BNDCFGS VMX control MSR bits

 arch/x86/include/uapi/asm/kvm.h               |  11 +-
 arch/x86/kvm/vmx/nested.c                     |  12 +
 arch/x86/kvm/vmx/vmx.c                        |   7 +-
 arch/x86/kvm/vmx/vmx.h                        |   2 +
 tools/testing/selftests/kvm/.gitignore        |   1 +
 tools/testing/selftests/kvm/Makefile          |   1 +
 .../selftests/kvm/include/x86_64/processor.h  |   1 +
 .../selftests/kvm/include/x86_64/vmx.h        |   2 +
 .../selftests/kvm/lib/x86_64/processor.c      |  33 ++-
 .../kvm/x86_64/vmx_control_msrs_test.c        | 232 ++++++++++++++++++
 10 files changed, 290 insertions(+), 12 deletions(-)
 create mode 100644 tools/testing/selftests/kvm/x86_64/vmx_control_msrs_test.c

-- 
2.35.1.574.g5d30c73bfb-goog
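As an added illustration (not code from this series or from KVM itself), the model below shows the ordering problem the cover letter describes: the CPUID-time tweak runs once, so an MSR write that lands afterwards is kept verbatim unless the write path reapplies the tweak, and the quirk flag models the opt-out of patch 3. The VM_ENTRY_* bit positions are the architectural VMX entry control bits; `struct vcpu`, `apply_kvm_tweaks` and `entry_ctls_after_write` are constructed simplifications, not KVM's functions.

```c
/* Constructed model of the CPUID/MSR ordering bug; not KVM code.
 * Bit positions are the architectural VMX entry control bits, the
 * struct and helpers are a simplification of KVM's nested VMX state. */
#include <stdbool.h>
#include <stdint.h>

#define VM_ENTRY_LOAD_IA32_PERF_GLOBAL_CTRL (1u << 13)
#define VM_ENTRY_LOAD_BNDCFGS               (1u << 16)

struct vcpu {
	bool has_pmu, has_mpx;     /* derived from guest CPUID */
	bool quirk_enabled;        /* quirk on: KVM owns the bits below */
	uint32_t entry_ctls_high;  /* allowed-1 half (bits 63:32) of the MSR */
};

/* Set or clear the KVM-owned bits according to guest CPUID. */
static void apply_kvm_tweaks(struct vcpu *v)
{
	if (!v->quirk_enabled)     /* quirk disabled: userspace owns the bits */
		return;
	v->entry_ctls_high &= ~(VM_ENTRY_LOAD_BNDCFGS |
				VM_ENTRY_LOAD_IA32_PERF_GLOBAL_CTRL);
	if (v->has_mpx)
		v->entry_ctls_high |= VM_ENTRY_LOAD_BNDCFGS;
	if (v->has_pmu)
		v->entry_ctls_high |= VM_ENTRY_LOAD_IA32_PERF_GLOBAL_CTRL;
}

/* Userspace sets CPUID first, then writes the VMX entry control MSR.
 * fixed=false: the pre-series path, which stores the value verbatim.
 * fixed=true:  the patched path, which reapplies the tweaks on write. */
static uint32_t entry_ctls_after_write(bool fixed, bool quirk_enabled,
				       bool guest_mpx, bool guest_pmu,
				       uint64_t msr_value)
{
	struct vcpu v = { .quirk_enabled = quirk_enabled };

	v.has_mpx = guest_mpx;   /* CPUID is set ...                       */
	v.has_pmu = guest_pmu;
	apply_kvm_tweaks(&v);    /* ... and the tweaks run once, here only */

	v.entry_ctls_high = (uint32_t)(msr_value >> 32);  /* later MSR write */
	if (fixed)
		apply_kvm_tweaks(&v);
	return v.entry_ctls_high;
}
```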
