On Thu, Jul 7, 2022 at 7:21 PM Sean Christopherson <seanjc@xxxxxxxxxx> wrote: > > On Sun, Jul 03, 2022, Aaron Lewis wrote: > > If an MSR is not permitted to be filtered and deflected to userspace, > > don't then allow it to be deflected to userspace by other means. If an > > MSR that cannot be filtered #GP's, and KVM is configured to send all > > MSRs that #GP to userspace, that MSR will be sent to userspace as well. > > Prevent that from happening by filtering out disallowed MSRs from being > > deflected to userspace. > > Why? Honest question. KVM doesn't allow filtering x2APIC accesses because > supporting that would be messy, and there's no sane use case for intercepting > x2APIC accesses if userspace has enabled the in-kernel local APIC. > > I can't think of a meaningful use case for intercepting faults on x2APIC MSRs, > but I also don't see anything inherently broken with allowing userspace to intercept > such faults. Ack. I'll drop it in v2. > > > Signed-off-by: Aaron Lewis <aaronlewis@xxxxxxxxxx> > > --- > > arch/x86/kvm/x86.c | 16 ++++++++++++++-- > > 1 file changed, 14 insertions(+), 2 deletions(-) > > > > diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c > > index 031678eff28e..a84741f7d254 100644 > > --- a/arch/x86/kvm/x86.c > > +++ b/arch/x86/kvm/x86.c > > @@ -1712,6 +1712,15 @@ void kvm_enable_efer_bits(u64 mask) > > } > > EXPORT_SYMBOL_GPL(kvm_enable_efer_bits); > > > > +bool kvm_msr_filtering_disallowed(u32 index) > > Should be static, per the test bot. > > > +{ > > + /* x2APIC MSRs do not support filtering. */ > > + if (index >= 0x800 && index <= 0x8ff) > > + return true; > > + > > + return false; > > +} > > + > > bool kvm_msr_allowed(struct kvm_vcpu *vcpu, u32 index, u32 type) > > { > > struct kvm_x86_msr_filter *msr_filter; 
> > @@ -1721,8 +1730,8 @@ bool kvm_msr_allowed(struct kvm_vcpu *vcpu, u32 index, u32 type) > > int idx; > > u32 i; > > > > - /* x2APIC MSRs do not support filtering. */ > > - if (index >= 0x800 && index <= 0x8ff) > > + /* Prevent certain MSRs from using MSR Filtering. */ > > + if (kvm_msr_filtering_disallowed(index)) > > return true; > > > > idx = srcu_read_lock(&kvm->srcu); > > @@ -1962,6 +1971,9 @@ static int kvm_msr_user_space(struct kvm_vcpu *vcpu, u32 index, > > if (!(vcpu->kvm->arch.user_space_msr_mask & msr_reason)) > > return 0; > > > > + if (kvm_msr_filtering_disallowed(index)) > > + return 0; > > + > > vcpu->run->exit_reason = exit_reason; > > vcpu->run->msr.error = 0; > > memset(vcpu->run->msr.pad, 0, sizeof(vcpu->run->msr.pad)); > > -- > > 2.37.0.rc0.161.g10f37bed90-goog > >
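Review bot: In the first x86.c hunk, kvm_msr_filtering_disallowed() spells the x2APIC range as the bare literals 0x800 and 0x8ff and wraps a plain boolean expression in an if / return true / return false ladder. Returning the comparison directly (`return index >= 0x800 && index <= 0x8ff;`) with named bounds would be shorter and easier to extend if further MSRs are ever added to the exempt set. The helper is only used inside x86.c in this patch and no declaration is added, so it should be static, as the reply already notes.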
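Review bot: In the kvm_msr_allowed() hunk, `if (kvm_msr_filtering_disallowed(index))` followed by `return true;` reads at the call site as though a disallowed MSR were being rejected, when the intent is that the access bypasses the filter and is always allowed. The replacement comment "Prevent certain MSRs from using MSR Filtering." is also less specific than the x2APIC comment it removes. Suggest wording the comment to say these MSRs are exempt from the filter and therefore always permitted, or renaming the helper so the condition and the return value agree.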
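Review bot: In the kvm_msr_user_space() hunk, the added `if (kvm_msr_filtering_disallowed(index)) return 0;` sits after the user_space_msr_mask test but never looks at msr_reason, so it suppresses the exit for every reason userspace has opted into rather than only a filter-induced one. That changes what a VMM that has already set the mask will observe, yet the hunk has no comment explaining why these MSRs must never exit, and the diffstat shows only arch/x86/kvm/x86.c changed, so no documentation update accompanies it. Suggest either narrowing the check to the reason it is meant to cover or adding a comment here plus a matching note in the API documentation.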