When registering a TSC frequency calibration routine, sanity check that the incoming routine is as robust as the outgoing routine, and reject the incoming routine if the sanity check fails. Because native calibration routines only mark the TSC frequency as known and reliable when they actually run, the effective progression of capabilities is: None (native) => Known and maybe Reliable (PV) => Known and Reliable (CoCo). Violating that progression for a PV override is relatively benign, but messing up the progression when CoCo is involved is more problematic, as it likely means a trusted source of information (hardware/firmware) is being discarded in favor of a less trusted source (hypervisor). Signed-off-by: Sean Christopherson <seanjc@xxxxxxxxxx> --- arch/x86/kernel/tsc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/arch/x86/kernel/tsc.c b/arch/x86/kernel/tsc.c index 47776f450720..d7096323c2c4 100644 --- a/arch/x86/kernel/tsc.c +++ b/arch/x86/kernel/tsc.c @@ -1260,8 +1260,13 @@ void tsc_register_calibration_routines(unsigned long (*calibrate_tsc)(void), if (properties & TSC_FREQUENCY_KNOWN) setup_force_cpu_cap(X86_FEATURE_TSC_KNOWN_FREQ); + else if (WARN_ON(boot_cpu_has(X86_FEATURE_TSC_KNOWN_FREQ))) + return; + if (properties & TSC_RELIABLE) setup_force_cpu_cap(X86_FEATURE_TSC_RELIABLE); + else if (WARN_ON(boot_cpu_has(X86_FEATURE_TSC_RELIABLE))) + return; x86_platform.calibrate_tsc = calibrate_tsc; if (calibrate_cpu) -- 2.48.1.362.g079036d154-goog
