1. 09 Feb, 2021 25 commits
  2. 08 Feb, 2021 2 commits
  3. 04 Feb, 2021 13 commits
    • Sean Christopherson's avatar
      KVM: x86: Add helper to consolidate "raw" reserved GPA mask calculations · a8ac864a
      Sean Christopherson authored
      Add a helper to generate the mask of reserved GPA bits _without_ any
      adjustments for repurposed bits, and use it to replace a variety of
      open coded variants in the MTRR and APIC_BASE flows.
      
      No functional change intended.
      Signed-off-by: default avatarSean Christopherson <seanjc@google.com>
      Message-Id: <20210204000117.3303214-11-seanjc@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      a8ac864a
    • Sean Christopherson's avatar
      KVM: x86/mmu: Add helper to generate mask of reserved HPA bits · 6f8e65a6
      Sean Christopherson authored
      Add a helper to generate the mask of reserved PA bits in the host.
      
      No functional change intended.
      Signed-off-by: default avatarSean Christopherson <seanjc@google.com>
      Message-Id: <20210204000117.3303214-10-seanjc@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      6f8e65a6
    • Sean Christopherson's avatar
      KVM: x86: Use reserved_gpa_bits to calculate reserved PxE bits · 5b7f575c
      Sean Christopherson authored
      Use reserved_gpa_bits, which accounts for exceptions to the maxphyaddr
      rule, e.g. SEV's C-bit, for the page {table,directory,etc...} entry (PxE)
      reserved bits checks.  For SEV, the C-bit is ignored by hardware when
      walking pages tables, e.g. the APM states:
      
        Note that while the guest may choose to set the C-bit explicitly on
        instruction pages and page table addresses, the value of this bit is a
        don't-care in such situations as hardware always performs these as
        private accesses.
      
      Such behavior is expected to hold true for other features that repurpose
      GPA bits, e.g. KVM could theoretically emulate SME or MKTME, which both
      allow non-zero repurposed bits in the page tables.  Conceptually, KVM
      should apply reserved GPA checks universally, and any features that do
      not adhere to the basic rule should be explicitly handled, i.e. if a GPA
      bit is repurposed but not allowed in page tables for whatever reason.
      
      Refactor __reset_rsvds_bits_mask() to take the pre-generated reserved
      bits mask, and opportunistically clean up its code, e.g. to align lines
      and comments.
      
      Practically speaking, this is change is a likely a glorified nop given
      the current KVM code base.  SEV's C-bit is the only repurposed GPA bit,
      and KVM doesn't support shadowing encrypted page tables (which is
      theoretically possible via SEV debug APIs).
      
      Cc: Rick Edgecombe <rick.p.edgecombe@intel.com>
      Signed-off-by: default avatarSean Christopherson <seanjc@google.com>
      Message-Id: <20210204000117.3303214-9-seanjc@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      5b7f575c
    • Sean Christopherson's avatar
      KVM: x86: SEV: Treat C-bit as legal GPA bit regardless of vCPU mode · ca29e145
      Sean Christopherson authored
      Rename cr3_lm_rsvd_bits to reserved_gpa_bits, and use it for all GPA
      legality checks.  AMD's APM states:
      
        If the C-bit is an address bit, this bit is masked from the guest
        physical address when it is translated through the nested page tables.
      
      Thus, any access that can conceivably be run through NPT should ignore
      the C-bit when checking for validity.
      
      For features that KVM emulates in software, e.g. MTRRs, there is no
      clear direction in the APM for how the C-bit should be handled.  For
      such cases, follow the SME behavior inasmuch as possible, since SEV is
      is essentially a VM-specific variant of SME.  For SME, the APM states:
      
        In this case the upper physical address bits are treated as reserved
        when the feature is enabled except where otherwise indicated.
      
      Collecting the various relavant SME snippets in the APM and cross-
      referencing the omissions with Linux kernel code, this leaves MTTRs and
      APIC_BASE as the only flows that KVM emulates that should _not_ ignore
      the C-bit.
      
      Note, this means the reserved bit checks in the page tables are
      technically broken.  This will be remedied in a future patch.
      
      Although the page table checks are technically broken, in practice, it's
      all but guaranteed to be irrelevant.  NPT is required for SEV, i.e.
      shadowing page tables isn't needed in the common case.  Theoretically,
      the checks could be in play for nested NPT, but it's extremely unlikely
      that anyone is running nested VMs on SEV, as doing so would require L1
      to expose sensitive data to L0, e.g. the entire VMCB.  And if anyone is
      running nested VMs, L0 can't read the guest's encrypted memory, i.e. L1
      would need to put its NPT in shared memory, in which case the C-bit will
      never be set.  Or, L1 could use shadow paging, but again, if L0 needs to
      read page tables, e.g. to load PDPTRs, the memory can't be encrypted if
      L1 has any expectation of L0 doing the right thing.
      
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: Brijesh Singh <brijesh.singh@amd.com>
      Signed-off-by: default avatarSean Christopherson <seanjc@google.com>
      Message-Id: <20210204000117.3303214-8-seanjc@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      ca29e145
    • Sean Christopherson's avatar
      KVM: nSVM: Use common GPA helper to check for illegal CR3 · bbc2c63d
      Sean Christopherson authored
      Replace an open coded check for an invalid CR3 with its equivalent
      helper.
      
      No functional change intended.
      Signed-off-by: default avatarSean Christopherson <seanjc@google.com>
      Message-Id: <20210204000117.3303214-7-seanjc@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      bbc2c63d
    • Sean Christopherson's avatar
      KVM: VMX: Use GPA legality helpers to replace open coded equivalents · 636e8b73
      Sean Christopherson authored
      Replace a variety of open coded GPA checks with the recently introduced
      common helpers.
      
      No functional change intended.
      Signed-off-by: default avatarSean Christopherson <seanjc@google.com>
      Message-Id: <20210204000117.3303214-6-seanjc@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      636e8b73
    • Sean Christopherson's avatar
      KVM: x86: Add a helper to handle legal GPA with an alignment requirement · da6c6a7c
      Sean Christopherson authored
      Add a helper to genericize checking for a legal GPA that also must
      conform to an arbitrary alignment, and use it in the existing
      page_address_valid().  Future patches will replace open coded variants
      in VMX and SVM.
      Signed-off-by: default avatarSean Christopherson <seanjc@google.com>
      Message-Id: <20210204000117.3303214-5-seanjc@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      da6c6a7c
    • Sean Christopherson's avatar
      KVM: x86: Add a helper to check for a legal GPA · 4bda0e97
      Sean Christopherson authored
      Add a helper to check for a legal GPA, and use it to consolidate code
      in existing, related helpers.  Future patches will extend usage to
      VMX and SVM code, properly handle exceptions to the maxphyaddr rule, and
      add more helpers.
      
      No functional change intended.
      Signed-off-by: default avatarSean Christopherson <seanjc@google.com>
      Message-Id: <20210204000117.3303214-4-seanjc@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      4bda0e97
    • Sean Christopherson's avatar
      KVM: nSVM: Don't strip host's C-bit from guest's CR3 when reading PDPTRs · 2732be90
      Sean Christopherson authored
      Don't clear the SME C-bit when reading a guest PDPTR, as the GPA (CR3) is
      in the guest domain.
      
      Barring a bizarre paravirtual use case, this is likely a benign bug.  SME
      is not emulated by KVM, loading SEV guest PDPTRs is doomed as KVM can't
      use the correct key to read guest memory, and setting guest MAXPHYADDR
      higher than the host, i.e. overlapping the C-bit, would cause faults in
      the guest.
      
      Note, for SEV guests, stripping the C-bit is technically aligned with CPU
      behavior, but for KVM it's the greater of two evils.  Because KVM doesn't
      have access to the guest's encryption key, ignoring the C-bit would at
      best result in KVM reading garbage.  By keeping the C-bit, KVM will
      fail its read (unless userspace creates a memslot with the C-bit set).
      The guest will still undoubtedly die, as KVM will use '0' for the PDPTR
      value, but that's preferable to interpreting encrypted data as a PDPTR.
      
      Fixes: d0ec49d4 ("kvm/x86/svm: Support Secure Memory Encryption within KVM")
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: Brijesh Singh <brijesh.singh@amd.com>
      Signed-off-by: default avatarSean Christopherson <seanjc@google.com>
      Message-Id: <20210204000117.3303214-3-seanjc@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      2732be90
    • Sean Christopherson's avatar
      KVM: x86: Set so called 'reserved CR3 bits in LM mask' at vCPU reset · f156abec
      Sean Christopherson authored
      Set cr3_lm_rsvd_bits, which is effectively an invalid GPA mask, at vCPU
      reset.  The reserved bits check needs to be done even if userspace never
      configures the guest's CPUID model.
      
      Cc: stable@vger.kernel.org
      Fixes: 0107973a ("KVM: x86: Introduce cr3_lm_rsvd_bits in kvm_vcpu_arch")
      Signed-off-by: default avatarSean Christopherson <seanjc@google.com>
      Message-Id: <20210204000117.3303214-2-seanjc@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      f156abec
    • David Woodhouse's avatar
    • David Woodhouse's avatar
      KVM: x86: declare Xen HVM shared info capability and add test case · 8d4e7e80
      David Woodhouse authored
      Instead of adding a plethora of new KVM_CAP_XEN_FOO capabilities, just
      add bits to the return value of KVM_CAP_XEN_HVM.
      Signed-off-by: default avatarDavid Woodhouse <dwmw@amazon.co.uk>
      8d4e7e80
    • David Woodhouse's avatar
      KVM: x86/xen: Add event channel interrupt vector upcall · 40da8ccd
      David Woodhouse authored
      It turns out that we can't handle event channels *entirely* in userspace
      by delivering them as ExtINT, because KVM is a bit picky about when it
      accepts ExtINT interrupts from a legacy PIC. The in-kernel local APIC
      has to have LVT0 configured in APIC_MODE_EXTINT and unmasked, which
      isn't necessarily the case for Xen guests especially on secondary CPUs.
      
      To cope with this, add kvm_xen_get_interrupt() which checks the
      evtchn_pending_upcall field in the Xen vcpu_info, and delivers the Xen
      upcall vector (configured by KVM_XEN_ATTR_TYPE_UPCALL_VECTOR) if it's
      set regardless of LAPIC LVT0 configuration. This gives us the minimum
      support we need for completely userspace-based implementation of event
      channels.
      
      This does mean that vcpu_enter_guest() needs to check for the
      evtchn_pending_upcall flag being set, because it can't rely on someone
      having set KVM_REQ_EVENT unless we were to add some way for userspace to
      do so manually.
      Signed-off-by: default avatarDavid Woodhouse <dwmw@amazon.co.uk>
      40da8ccd