From: Lai Jiangshan <jiangshan.ljs@xxxxxxxxxxxx>

When shadowing 5-level NPT for a 4-level NPT L1 guest, the root_sp is allocated with role.level = 5 and the guest pagetable's root gfn. And root_sp->spt[0] is also allocated with the same gfn and the same role except role.level = 4.

Luckily they are different shadow pages, but only root_sp->spt[0] is the real translation of the guest pagetable.

Here comes a problem: if the guest switches from gCR4_LA57=0 to gCR4_LA57=1 (or vice versa) and uses the same gfn as the root page for nested NPT before and after switching gCR4_LA57, the host (hCR4_LA57=1) might use the same root_sp for the guest even though the guest switched gCR4_LA57. The guest will see an unexpected page mapped, and L2 may exploit the bug and hurt L1. It is lucky that the problem can't hurt L0.

Fix it by introducing role.passthrough.

Lai Jiangshan (2):
  KVM: X86/MMU: Add sp_has_gptes()
  KVM: X86/MMU: Introduce role.passthrough for shadowing 5-level NPT for 4-level NPT L1 guest

 Documentation/virt/kvm/mmu.rst  |  3 +++
 arch/x86/include/asm/kvm_host.h |  5 +++--
 arch/x86/kvm/mmu/mmu.c          | 38 +++++++++++++++++++++++++++------
 arch/x86/kvm/mmu/paging_tmpl.h  |  1 +
 4 files changed, 38 insertions(+), 9 deletions(-)

-- 
2.19.1.6.gb485710b