On 6/1/2023 10:23 PM, Zeng Guang wrote:
Subject:
[PATCH v1 0/6] LASS KVM virtualization support
From:
Zeng Guang <guang.zeng@xxxxxxxxx>
Date:
6/1/2023, 10:23 PM
To:
Paolo Bonzini <pbonzini@xxxxxxxxxx>, Sean Christopherson
<seanjc@xxxxxxxxxx>, Thomas Gleixner <tglx@xxxxxxxxxxxxx>, Ingo Molnar
<mingo@xxxxxxxxxx>, Borislav Petkov <bp@xxxxxxxxx>, Dave Hansen
<dave.hansen@xxxxxxxxxxxxxxx>, H Peter Anvin <hpa@xxxxxxxxx>,
kvm@xxxxxxxxxxxxxxx
CC:
x86@xxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx, Zeng Guang
<guang.zeng@xxxxxxxxx>
Linear Address Space Separation (LASS)[1] is an independent mechanism
that enforces the mode-based protections on any access to a linear
address.
Based on a linear-address organization, the 64-bit canonical linear
address space is partitioned into two halves: all linear addresses
whose most significant bit is 0 are user space addresses, while linear
addresses whose most significant bit is 1 are supervisor space address.
LASS aims to prevent any attempt to probe supervisor space addresses by
user mode, and likewise stop any attempt to access (if SMAP enabled) or
execute user space addresses from supervisor mode.
When platform has LASS capability, KVM requires to expose this feature
to guest VM enumerated by CPUID.(EAX=07H.ECX=1):EAX.LASS[bit 6], and
allow guest to enable it via CR4.LASS[bit 27] on demand. For instruction
executed in the guest directly, hardware will perform the check. But KVM
also needs to behave same as hardware to apply LASS to kinds of guest
memory accesses when emulating privileged instructions by software.
Not just privileged instructions, e.g. MMIO access instructions.
KVM will take following LASS voilations check on emulation path.
/s/voilations/violations
User-mode access to supervisor space address:
LA[bit 63] && (CPL == 3)
Supervisor-mode access to user space address:
Instruction fetch: !LA[bit 63] && (CPL < 3)
Data access: !LA[bit 63] && (CR4.SMAP==1) && ((RFLAGS.AC == 0 &&
CPL < 3) || Implicit supervisor access)
This patch series provide a LASS KVM solution.
We tested the basic function of LASS virtualization including LASS
enumeration and enabling in non-root and nested environment. As KVM
unittest framework is not compatible to LASS rule, we use kernel module
and application test to emulate LASS violation instead. With KVM forced
emulation mechanism, we also verified the LASS functionality on some
emulation path with instruction fetch and data access to have same
behavior as hardware.
[1] Intel ISEhttps://cdrdv2.intel.com/v1/dl/getContent/671368
Chapter Linear Address Space Separation (LASS)
------------------------------------------------------
v0->v1
1. Adapt to new __linearize() API
2. Function refactor of vmx_check_lass()
3. Refine commit message to be more precise
4. Drop LASS kvm cap detection depending
on hardware capability
Binbin Wu (1):
KVM: x86: Consolidate flags for __linearize()
Zeng Guang (5):
KVM: x86: Virtualize CR4.LASS
KVM: VMX: Add new ops in kvm_x86_ops for LASS violation check
KVM: x86: Add emulator helper for LASS violation check
KVM: x86: LASS protection on KVM emulation
KVM: x86: Advertise LASS CPUID to user space
arch/x86/include/asm/kvm-x86-ops.h | 3 +-
arch/x86/include/asm/kvm_host.h | 4 ++-
arch/x86/kvm/cpuid.c | 5 ++-
arch/x86/kvm/emulate.c | 47 +++++++++++++++++++++++-----
arch/x86/kvm/kvm_emulate.h | 6 ++++
arch/x86/kvm/vmx/nested.c | 3 ++
arch/x86/kvm/vmx/sgx.c | 4 +++
arch/x86/kvm/vmx/vmx.c | 50 ++++++++++++++++++++++++++++++
arch/x86/kvm/vmx/vmx.h | 2 ++
arch/x86/kvm/x86.c | 12 +++++++
arch/x86/kvm/x86.h | 2 ++
11 files changed, 126 insertions(+), 12 deletions(-)
-- 2.27.0