On 10/06/19 19:20, Alejandro Jimenez wrote:
> The bits set in x86_spec_ctrl_mask are used to calculate the
> guest's value of SPEC_CTRL that is written to the MSR before
> VMENTRY, and control which mitigations the guest can enable.
> In the case of SSBD, unless the host has enabled SSBD always
> on mode (by passing "spec_store_bypass_disable=on" in the
> kernel parameters), the SSBD bit is not set in the mask and
> the guest can not properly enable the SSBD always on
> mitigation mode.
>
> This is confirmed by running the SSBD PoC on a guest using
> the SSBD always on mitigation mode (booted with kernel
> parameter "spec_store_bypass_disable=on"), and verifying
> that the guest is vulnerable unless the host is also using
> SSBD always on mode. In addition, the guest OS incorrectly
> reports the SSB vulnerability as mitigated.
>
> Always set the SSBD bit in x86_spec_ctrl_mask when the host
> CPU supports it, allowing the guest to use SSBD whether or
> not the host has chosen to enable the mitigation in any of
> its modes.
>
> Signed-off-by: Alejandro Jimenez <alejandro.j.jimenez@xxxxxxxxxx>
> Reviewed-by: Liam Merwick <liam.merwick@xxxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx

Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

> ---
> arch/x86/kernel/cpu/bugs.c | 11 ++++++++++-
> 1 file changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> index 03b4cc0..66ca906 100644
> --- a/arch/x86/kernel/cpu/bugs.c
> +++ b/arch/x86/kernel/cpu/bugs.c
> @@ -836,6 +836,16 @@ static enum ssb_mitigation __init __ssb_select_mitigation(void) > } > > /* > + * If SSBD is controlled by the SPEC_CTRL MSR, then set the proper > + * bit in the mask to allow guests to use the mitigation even in the > + * case where the host does not enable it. > + */ > + if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD) || > + static_cpu_has(X86_FEATURE_AMD_SSBD)) { > + x86_spec_ctrl_mask |= SPEC_CTRL_SSBD; > + } > + > + /* > * We have three CPU feature flags that are in play here: > * - X86_BUG_SPEC_STORE_BYPASS - CPU is susceptible. > * - X86_FEATURE_SSBD - CPU is able to turn off speculative store bypass > @@ -852,7 +862,6 @@ static enum ssb_mitigation __init __ssb_select_mitigation(void) > x86_amd_ssb_disable(); > } else { > x86_spec_ctrl_base |= SPEC_CTRL_SSBD; > - x86_spec_ctrl_mask |= SPEC_CTRL_SSBD; > wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); > } > } >
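Review bot: the commit message says the mask bit is set "when the host CPU supports it", but the new block in the first hunk (@@ -836) only does so for X86_FEATURE_SPEC_CTRL_SSBD and X86_FEATURE_AMD_SSBD, i.e. the MSR_IA32_SPEC_CTRL flavours; hosts that go through x86_amd_ssb_disable() instead are deliberately excluded, so either the commit message or the block comment should state that explicitly. Two smaller points on the same hunk: checkpatch will warn about the braces around the single statement `x86_spec_ctrl_mask |= SPEC_CTRL_SSBD;`, drop them to match kernel style; and since this block sits late in __ssb_select_mitigation(), please confirm that no earlier return in that function bypasses it on a host that still runs guests, otherwise the mask bit stays clear on exactly the configurations the commit message is trying to fix.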
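Review bot: removing `x86_spec_ctrl_mask |= SPEC_CTRL_SSBD;` from the else branch in the second hunk (@@ -852) is only correct if the new block earlier in the function is reached under the same feature-flag conditions that select this branch; that coupling is not visible at this point in the code, so a one-line comment next to the remaining `x86_spec_ctrl_base |= SPEC_CTRL_SSBD;` (e.g. "mask bit already set above for all SPEC_CTRL SSBD hosts") would stop a later reader from re-adding it. The hunk header arithmetic (-852,7 +862,6 after the +10 of the first hunk) matches the diffstat of 10 insertions and 1 deletion.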
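The mechanism the commit message describes (the mask decides which of the guest's SPEC_CTRL bits survive into the value written before VMENTRY), as an added example that is not part of the patch or of the kernel source. It models the two host globals and the SSBD path of __ssb_select_mitigation() before and after the change, and shows why a guest booted with spec_store_bypass_disable=on loses its SSBD request on an unpatched host that is not itself in always-on mode. The masking rule it applies, (host_base & ~mask) | (guest & mask), is my understanding of the kernel's x86_virt_spec_ctrl() and is an assumption of this example, as are the helper names and the struct.

```c
/*
 * Added example, not code from the patch or from the kernel: a user-space
 * model of how x86_spec_ctrl_mask gates the SPEC_CTRL value written to the
 * hardware MSR before VMENTRY. The masking rule used below,
 * (host_base & ~mask) | (guest_value & mask), is how I understand the
 * kernel's x86_virt_spec_ctrl() to behave; the page only says that the
 * mask controls which mitigations the guest can enable, so treat the exact
 * rule as an assumption of this example.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bit positions in MSR_IA32_SPEC_CTRL (same values as the kernel defines). */
#define SPEC_CTRL_IBRS  (1ULL << 0)
#define SPEC_CTRL_STIBP (1ULL << 1)
#define SPEC_CTRL_SSBD  (1ULL << 2)

/* The two host globals from arch/x86/kernel/cpu/bugs.c that the patch touches. */
struct host_state {
	uint64_t spec_ctrl_base; /* x86_spec_ctrl_base: bits the host itself runs with */
	uint64_t spec_ctrl_mask; /* x86_spec_ctrl_mask: bits a guest is allowed to change */
};

/*
 * Model of the SSBD part of __ssb_select_mitigation() for the
 * MSR_IA32_SPEC_CTRL path (X86_FEATURE_SPEC_CTRL_SSBD / X86_FEATURE_AMD_SSBD).
 *   has_msr_ssbd   - host CPU exposes SSBD through MSR_IA32_SPEC_CTRL
 *   host_always_on - host booted with spec_store_bypass_disable=on
 *   patched        - whether the hunks under review are applied
 */
void select_ssb_mitigation(struct host_state *h, bool has_msr_ssbd,
			   bool host_always_on, bool patched)
{
	h->spec_ctrl_base = 0;
	h->spec_ctrl_mask = 0;

	/* First hunk: unconditionally let guests control SSBD. */
	if (patched && has_msr_ssbd)
		h->spec_ctrl_mask |= SPEC_CTRL_SSBD;

	/* Always-on mode: the host sets SSBD in its own base value ... */
	if (host_always_on && has_msr_ssbd) {
		h->spec_ctrl_base |= SPEC_CTRL_SSBD;
		/* ... and before the patch this was the only place the mask got it. */
		if (!patched)
			h->spec_ctrl_mask |= SPEC_CTRL_SSBD;
	}
}

/* Value written to the hardware MSR before VMENTRY (assumed masking rule). */
uint64_t hw_spec_ctrl_for_guest(const struct host_state *h,
				uint64_t guest_spec_ctrl)
{
	uint64_t v = h->spec_ctrl_base & ~h->spec_ctrl_mask;

	v |= guest_spec_ctrl & h->spec_ctrl_mask;
	return v;
}

/*
 * A guest booted with spec_store_bypass_disable=on writes SSBD into its
 * virtual SPEC_CTRL. Returns whether that request reaches the hardware.
 * The guest reads back the value it wrote, which is why it reports the
 * bug as mitigated even when this returns false.
 */
bool guest_ssbd_effective(bool has_msr_ssbd, bool host_always_on, bool patched)
{
	struct host_state h;
	uint64_t guest_spec_ctrl = SPEC_CTRL_SSBD;

	select_ssb_mitigation(&h, has_msr_ssbd, host_always_on, patched);
	return (hw_spec_ctrl_for_guest(&h, guest_spec_ctrl) & SPEC_CTRL_SSBD) != 0;
}

int main(void)
{
	static const char *const yn[] = { "no", "yes" };
	int patched, always_on;

	printf("host SSBD always-on | patched | guest SSBD honoured in HW\n");
	for (patched = 0; patched < 2; patched++)
		for (always_on = 0; always_on < 2; always_on++)
			printf("%-19s | %-7s | %s\n", yn[always_on], yn[patched],
			       yn[guest_ssbd_effective(true, always_on, patched)]);
	return 0;
}
```

The only row that comes out "no" on a host with MSR-controlled SSBD is the unpatched host that is not in always-on mode, which is the case the commit message confirms with the PoC. Note also what hw_spec_ctrl_for_guest() does with bits outside the mask: they are taken from the host base, so a guest can neither enable nor disable them.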