Patch "KVM: SEV: Do not intercept accesses to MSR_IA32_XSS for SEV-ES guests" has been added to the 6.6-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    KVM: SEV: Do not intercept accesses to MSR_IA32_XSS for SEV-ES guests

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     kvm-sev-do-not-intercept-accesses-to-msr_ia32_xss-fo.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 0d2adef0d6b8775bfaad1d626dd690bfc39fa8c4
Author: Michael Roth <michael.roth@xxxxxxx>
Date:   Mon Oct 16 08:27:32 2023 -0500

    KVM: SEV: Do not intercept accesses to MSR_IA32_XSS for SEV-ES guests
    
    [ Upstream commit a26b7cd2254695f8258cc370f33280db0a9a3813 ]
    
    When intercepts are enabled for MSR_IA32_XSS, the host will swap in/out
    the guest-defined values while context-switching to/from guest mode.
    However, in the case of SEV-ES, vcpu->arch.guest_state_protected is set,
    so the guest-defined value is effectively ignored when switching to
    guest mode with the understanding that the VMSA will handle swapping
    in/out this register state.
    
    However, SVM is still configured to intercept these accesses for SEV-ES
    guests, so the values in the initial MSR_IA32_XSS are effectively
    read-only, and a guest will experience undefined behavior if it actually
    tries to write to this MSR. Fortunately, only CET/shadowstack makes use
    of this register on SEV-ES-capable systems currently, which isn't yet
    widely used, but this may become more of an issue in the future.
    
    Additionally, enabling intercepts of MSR_IA32_XSS results in #VC
    exceptions in the guest in certain paths that can lead to unexpected #VC
    nesting levels. One example is SEV-SNP guests when handling #VC
    exceptions for CPUID instructions involving leaf 0xD, subleaf 0x1, since
    they will access MSR_IA32_XSS as part of servicing the CPUID #VC, then
    generate another #VC when accessing MSR_IA32_XSS, which can lead to
    guest crashes if an NMI occurs at that point in time. Running perf on a
    guest while it is issuing such a sequence is one example where these can
    be problematic.
    
    Address this by disabling intercepts of MSR_IA32_XSS for SEV-ES guests
    if the host/guest configuration allows it. If the host/guest
    configuration doesn't allow for MSR_IA32_XSS, leave it intercepted so
    that it can be caught by the existing checks in
    kvm_{set,get}_msr_common() if the guest still attempts to access it.
    
    Fixes: 376c6d285017 ("KVM: SVM: Provide support for SEV-ES vCPU creation/loading")
    Cc: Alexey Kardashevskiy <aik@xxxxxxx>
    Suggested-by: Tom Lendacky <thomas.lendacky@xxxxxxx>
    Signed-off-by: Michael Roth <michael.roth@xxxxxxx>
    Message-Id: <20231016132819.1002933-4-michael.roth@xxxxxxx>
    Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
    Stable-dep-of: b7e4be0a224f ("KVM: SEV-ES: Delegate LBR virtualization to the processor")
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index 0e643d7a06d9e..f809dcfacc8a3 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -2994,6 +2994,25 @@ static void sev_es_vcpu_after_set_cpuid(struct vcpu_svm *svm)
 
 		set_msr_interception(vcpu, svm->msrpm, MSR_TSC_AUX, v_tsc_aux, v_tsc_aux);
 	}
+
+	/*
+	 * For SEV-ES, accesses to MSR_IA32_XSS should not be intercepted if
+	 * the host/guest supports its use.
+	 *
+	 * guest_can_use() checks a number of requirements on the host/guest to
+	 * ensure that MSR_IA32_XSS is available, but it might report true even
+	 * if X86_FEATURE_XSAVES isn't configured in the guest to ensure host
+	 * MSR_IA32_XSS is always properly restored. For SEV-ES, it is better
+	 * to further check that the guest CPUID actually supports
+	 * X86_FEATURE_XSAVES so that accesses to MSR_IA32_XSS by misbehaved
+	 * guests will still get intercepted and caught in the normal
+	 * kvm_emulate_rdmsr()/kvm_emulated_wrmsr() paths.
+	 */
+	if (guest_can_use(vcpu, X86_FEATURE_XSAVES) &&
+	    guest_cpuid_has(vcpu, X86_FEATURE_XSAVES))
+		set_msr_interception(vcpu, svm->msrpm, MSR_IA32_XSS, 1, 1);
+	else
+		set_msr_interception(vcpu, svm->msrpm, MSR_IA32_XSS, 0, 0);
 }
 
 void sev_vcpu_after_set_cpuid(struct vcpu_svm *svm)
diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
index 9e084e22a12f7..08f1397138c80 100644
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -103,6 +103,7 @@ static const struct svm_direct_access_msrs {
 	{ .index = MSR_IA32_LASTBRANCHTOIP,		.always = false },
 	{ .index = MSR_IA32_LASTINTFROMIP,		.always = false },
 	{ .index = MSR_IA32_LASTINTTOIP,		.always = false },
+	{ .index = MSR_IA32_XSS,			.always = false },
 	{ .index = MSR_EFER,				.always = false },
 	{ .index = MSR_IA32_CR_PAT,			.always = false },
 	{ .index = MSR_AMD64_SEV_ES_GHCB,		.always = true  },
diff --git a/arch/x86/kvm/svm/svm.h b/arch/x86/kvm/svm/svm.h
index 53bc4b0e388be..fb0ac8497fb20 100644
--- a/arch/x86/kvm/svm/svm.h
+++ b/arch/x86/kvm/svm/svm.h
@@ -30,7 +30,7 @@
 #define	IOPM_SIZE PAGE_SIZE * 3
 #define	MSRPM_SIZE PAGE_SIZE * 2
 
-#define MAX_DIRECT_ACCESS_MSRS	46
+#define MAX_DIRECT_ACCESS_MSRS	47
 #define MSRPM_OFFSETS	32
 extern u32 msrpm_offsets[MSRPM_OFFSETS] __read_mostly;
 extern bool npt_enabled;




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux