• Tao Xu's avatar
    KVM: VMX: Enable Notify VM exit · 2f4073e0
    Tao Xu authored
    There are cases that malicious virtual machines can cause CPU stuck (due
    to event windows don't open up), e.g., infinite loop in microcode when
    nested #AC (CVE-2015-5307). No event window means no event (NMI, SMI and
    IRQ) can be delivered. It leads the CPU to be unavailable to host or
    other VMs.
    
    VMM can enable notify VM exit that a VM exit generated if no event
    window occurs in VM non-root mode for a specified amount of time (notify
    window).
    
    Feature enabling:
    - The new vmcs field SECONDARY_EXEC_NOTIFY_VM_EXITING is introduced to
      enable this feature. VMM can set NOTIFY_WINDOW vmcs field to adjust
      the expected notify window.
    - Add a new KVM capability KVM_CAP_X86_NOTIFY_VMEXIT so that user space
      can query and enable this feature in per-VM scope. The argument is a
      64bit value: bits 63:32 are used for notify window, and bits 31:0 are
      for flags. Current supported flags:
      - KVM_X86_NOTIFY_VMEXIT_ENABLED: enable the feature with the notify
        window provided.
      - KVM_X86_NOTIFY_VMEXIT_USER: exit to userspace once the exits happen.
    - It's safe to even set notify window to zero since an internal hardware
      threshold is added to vmcs.notify_window.
    
    VM exit handling:
    - Introduce a vcpu state notify_window_exits to records the count of
      notify VM exits and expose it through the debugfs.
    - Notify VM exit can happen incident to delivery of a vector event.
      Allow it in KVM.
    - Exit to userspace unconditionally for handling when VM_CONTEXT_INVALID
      bit is set.
    
    Nested handling
    - Nested notify VM exits are not supported yet. Keep the same notify
      window control in vmcs02 as vmcs01, so that L1 can't escape the
      restriction of notify VM exits through launching L2 VM.
    
    Notify VM exit is defined in latest Intel Architecture Instruction Set
    Extensions Programming Reference, chapter 9.2.
    Co-developed-by: default avatarXiaoyao Li <xiaoyao.li@intel.com>
    Signed-off-by: default avatarXiaoyao Li <xiaoyao.li@intel.com>
    Signed-off-by: default avatarTao Xu <tao3.xu@intel.com>
    Co-developed-by: default avatarChenyi Qiang <chenyi.qiang@intel.com>
    Signed-off-by: default avatarChenyi Qiang <chenyi.qiang@intel.com>
    Message-Id: <20220524135624.22988-5-chenyi.qiang@intel.com>
    Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
    2f4073e0
x86.c 345 KB