1. 28 Jun, 2024 3 commits
  2. 20 Jun, 2024 8 commits
  3. 05 Jun, 2024 3 commits
    • Ravi Bangoria's avatar
      KVM: SNP: Fix LBR Virtualization for SNP guest · f99b0522
      Ravi Bangoria authored
      SEV-ES and thus SNP guest mandates LBR Virtualization to be _always_ ON.
      Although commit b7e4be0a ("KVM: SEV-ES: Delegate LBR virtualization
      to the processor") did the correct change for SEV-ES guests, it missed
      the SNP. Fix it.
      Reported-by: default avatarSrikanth Aithal <sraithal@amd.com>
      Fixes: b7e4be0a ("KVM: SEV-ES: Delegate LBR virtualization to the processor")
      Signed-off-by: default avatarRavi Bangoria <ravi.bangoria@amd.com>
      Message-ID: <20240605114810.1304-1-ravi.bangoria@amd.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      f99b0522
    • Tao Su's avatar
      KVM: x86/mmu: Don't save mmu_invalidate_seq after checking private attr · db574f2f
      Tao Su authored
      Drop the second snapshot of mmu_invalidate_seq in kvm_faultin_pfn().
      Before checking the mismatch of private vs. shared, mmu_invalidate_seq is
      saved to fault->mmu_seq, which can be used to detect an invalidation
      related to the gfn occurred, i.e. KVM will not install a mapping in page
      table if fault->mmu_seq != mmu_invalidate_seq.
      
      Currently there is a second snapshot of mmu_invalidate_seq, which may not
      be same as the first snapshot in kvm_faultin_pfn(), i.e. the gfn attribute
      may be changed between the two snapshots, but the gfn may be mapped in
      page table without hindrance. Therefore, drop the second snapshot as it
      has no obvious benefits.
      
      Fixes: f6adeae8 ("KVM: x86/mmu: Handle no-slot faults at the beginning of kvm_faultin_pfn()")
      Signed-off-by: default avatarTao Su <tao1.su@linux.intel.com>
      Message-ID: <20240528102234.2162763-1-tao1.su@linux.intel.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      db574f2f
    • Paolo Bonzini's avatar
      Merge tag 'kvmarm-fixes-6.10-1' of... · 45ce0314
      Paolo Bonzini authored
      Merge tag 'kvmarm-fixes-6.10-1' of git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm into HEAD
      
      KVM/arm64 fixes for 6.10, take #1
      
      - Large set of FP/SVE fixes for pKVM, addressing the fallout
        from the per-CPU data rework and making sure that the host
        is not involved in the FP/SVE switching any more
      
      - Allow FEAT_BTI to be enabled with NV now that FEAT_PAUTH
        is copletely supported
      
      - Fix for the respective priorities of Failed PAC, Illegal
        Execution state and Instruction Abort exceptions
      
      - Fix the handling of AArch32 instruction traps failing their
        condition code, which was broken by the introduction of
        ESR_EL2.ISS2
      
      - Allow vpcus running in AArch32 state to be restored in
        System mode
      
      - Fix AArch32 GPR restore that would lose the 64 bit state
        under some conditions
      45ce0314
  4. 04 Jun, 2024 9 commits
  5. 03 Jun, 2024 11 commits
    • Paolo Bonzini's avatar
      Merge branch 'kvm-6.11-sev-snp' into HEAD · ab978c62
      Paolo Bonzini authored
      Pull base x86 KVM support for running SEV-SNP guests from Michael Roth:
      
      * add some basic infrastructure and introduces a new KVM_X86_SNP_VM
        vm_type to handle differences versus the existing KVM_X86_SEV_VM and
        KVM_X86_SEV_ES_VM types.
      
      * implement the KVM API to handle the creation of a cryptographic
        launch context, encrypt/measure the initial image into guest memory,
        and finalize it before launching it.
      
      * implement handling for various guest-generated events such as page
        state changes, onlining of additional vCPUs, etc.
      
      * implement the gmem/mmu hooks needed to prepare gmem-allocated pages
        before mapping them into guest private memory ranges as well as
        cleaning them up prior to returning them to the host for use as
        normal memory. Because those cleanup hooks supplant certain
        activities like issuing WBINVDs during KVM MMU invalidations, avoid
        duplicating that work to avoid unecessary overhead.
      
      This merge leaves out support support for attestation guest requests
      and for loading the signing keys to be used for attestation requests.
      ab978c62
    • Paolo Bonzini's avatar
      Merge tag 'kvm-riscv-fixes-6.10-1' of https://github.com/kvm-riscv/linux into HEAD · b50788f7
      Paolo Bonzini authored
      KVM/riscv fixes for 6.10, take #1
      
      - No need to use mask when hart-index-bits is 0
      - Fix incorrect reg_subtype labels in kvm_riscv_vcpu_set_reg_isa_ext()
      b50788f7
    • Paolo Bonzini's avatar
      Merge branch 'kvm-fixes-6.10-1' into HEAD · b3233c73
      Paolo Bonzini authored
      * Fixes and debugging help for the #VE sanity check.  Also disable
        it by default, even for CONFIG_DEBUG_KERNEL, because it was found
        to trigger spuriously (most likely a processor erratum as the
        exact symptoms vary by generation).
      
      * Avoid WARN() when two NMIs arrive simultaneously during an NMI-disabled
        situation (GIF=0 or interrupt shadow) when the processor supports
        virtual NMI.  While generally KVM will not request an NMI window
        when virtual NMIs are supported, in this case it *does* have to
        single-step over the interrupt shadow or enable the STGI intercept,
        in order to deliver the latched second NMI.
      
      * Drop support for hand tuning APIC timer advancement from userspace.
        Since we have adaptive tuning, and it has proved to work well,
        drop the module parameter for manual configuration and with it a
        few stupid bugs that it had.
      b3233c73
    • Paolo Bonzini's avatar
      Merge branch 'kvm-fixes-6.10-1' into HEAD · f9d1b541
      Paolo Bonzini authored
      * Fixes and debugging help for the #VE sanity check.  Also disable
        it by default, even for CONFIG_DEBUG_KERNEL, because it was found
        to trigger spuriously (most likely a processor erratum as the
        exact symptoms vary by generation).
      
      * Avoid WARN() when two NMIs arrive simultaneously during an NMI-disabled
        situation (GIF=0 or interrupt shadow) when the processor supports
        virtual NMI.  While generally KVM will not request an NMI window
        when virtual NMIs are supported, in this case it *does* have to
        single-step over the interrupt shadow or enable the STGI intercept,
        in order to deliver the latched second NMI.
      
      * Drop support for hand tuning APIC timer advancement from userspace.
        Since we have adaptive tuning, and it has proved to work well,
        drop the module parameter for manual configuration and with it a
        few stupid bugs that it had.
      f9d1b541
    • Sean Christopherson's avatar
      KVM: x86: Drop support for hand tuning APIC timer advancement from userspace · 89a58812
      Sean Christopherson authored
      Remove support for specifying a static local APIC timer advancement value,
      and instead present a read-only boolean parameter to let userspace enable
      or disable KVM's dynamic APIC timer advancement.  Realistically, it's all
      but impossible for userspace to specify an advancement that is more
      precise than what KVM's adaptive tuning can provide.  E.g. a static value
      needs to be tuned for the exact hardware and kernel, and if KVM is using
      hrtimers, likely requires additional tuning for the exact configuration of
      the entire system.
      
      Dropping support for a userspace provided value also fixes several flaws
      in the interface.  E.g. KVM interprets a negative value other than -1 as a
      large advancement, toggling between a negative and positive value yields
      unpredictable behavior as vCPUs will switch from dynamic to static
      advancement, changing the advancement in the middle of VM creation can
      result in different values for vCPUs within a VM, etc.  Those flaws are
      mostly fixable, but there's almost no justification for taking on yet more
      complexity (it's minimal complexity, but still non-zero).
      
      The only arguments against using KVM's adaptive tuning is if a setup needs
      a higher maximum, or if the adjustments are too reactive, but those are
      arguments for letting userspace control the absolute max advancement and
      the granularity of each adjustment, e.g. similar to how KVM provides knobs
      for halt polling.
      
      Link: https://lore.kernel.org/all/20240520115334.852510-1-zhoushuling@huawei.com
      Cc: Shuling Zhou <zhoushuling@huawei.com>
      Cc: Marcelo Tosatti <mtosatti@redhat.com>
      Signed-off-by: default avatarSean Christopherson <seanjc@google.com>
      Message-ID: <20240522010304.1650603-1-seanjc@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      89a58812
    • Ravi Bangoria's avatar
      KVM: SEV-ES: Delegate LBR virtualization to the processor · b7e4be0a
      Ravi Bangoria authored
      As documented in APM[1], LBR Virtualization must be enabled for SEV-ES
      guests. Although KVM currently enforces LBRV for SEV-ES guests, there
      are multiple issues with it:
      
      o MSR_IA32_DEBUGCTLMSR is still intercepted. Since MSR_IA32_DEBUGCTLMSR
        interception is used to dynamically toggle LBRV for performance reasons,
        this can be fatal for SEV-ES guests. For ex SEV-ES guest on Zen3:
      
        [guest ~]# wrmsr 0x1d9 0x4
        KVM: entry failed, hardware error 0xffffffff
        EAX=00000004 EBX=00000000 ECX=000001d9 EDX=00000000
      
        Fix this by never intercepting MSR_IA32_DEBUGCTLMSR for SEV-ES guests.
        No additional save/restore logic is required since MSR_IA32_DEBUGCTLMSR
        is of swap type A.
      
      o KVM will disable LBRV if userspace sets MSR_IA32_DEBUGCTLMSR before the
        VMSA is encrypted. Fix this by moving LBRV enablement code post VMSA
        encryption.
      
      [1]: AMD64 Architecture Programmer's Manual Pub. 40332, Rev. 4.07 - June
           2023, Vol 2, 15.35.2 Enabling SEV-ES.
           https://bugzilla.kernel.org/attachment.cgi?id=304653
      
      Fixes: 376c6d28 ("KVM: SVM: Provide support for SEV-ES vCPU creation/loading")
      Co-developed-by: default avatarNikunj A Dadhania <nikunj@amd.com>
      Signed-off-by: default avatarNikunj A Dadhania <nikunj@amd.com>
      Signed-off-by: default avatarRavi Bangoria <ravi.bangoria@amd.com>
      Message-ID: <20240531044644.768-4-ravi.bangoria@amd.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      b7e4be0a
    • Ravi Bangoria's avatar
      KVM: SEV-ES: Disallow SEV-ES guests when X86_FEATURE_LBRV is absent · d9220562
      Ravi Bangoria authored
      As documented in APM[1], LBR Virtualization must be enabled for SEV-ES
      guests. So, prevent SEV-ES guests when LBRV support is missing.
      
      [1]: AMD64 Architecture Programmer's Manual Pub. 40332, Rev. 4.07 - June
           2023, Vol 2, 15.35.2 Enabling SEV-ES.
           https://bugzilla.kernel.org/attachment.cgi?id=304653
      
      Fixes: 376c6d28 ("KVM: SVM: Provide support for SEV-ES vCPU creation/loading")
      Signed-off-by: default avatarRavi Bangoria <ravi.bangoria@amd.com>
      Message-ID: <20240531044644.768-3-ravi.bangoria@amd.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      d9220562
    • Nikunj A Dadhania's avatar
      KVM: SEV-ES: Prevent MSR access post VMSA encryption · 27bd5fdc
      Nikunj A Dadhania authored
      KVM currently allows userspace to read/write MSRs even after the VMSA is
      encrypted. This can cause unintentional issues if MSR access has side-
      effects. For ex, while migrating a guest, userspace could attempt to
      migrate MSR_IA32_DEBUGCTLMSR and end up unintentionally disabling LBRV on
      the target. Fix this by preventing access to those MSRs which are context
      switched via the VMSA, once the VMSA is encrypted.
      Suggested-by: default avatarSean Christopherson <seanjc@google.com>
      Signed-off-by: default avatarNikunj A Dadhania <nikunj@amd.com>
      Signed-off-by: default avatarRavi Bangoria <ravi.bangoria@amd.com>
      Message-ID: <20240531044644.768-2-ravi.bangoria@amd.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      27bd5fdc
    • Tom Lendacky's avatar
      KVM: SVM: Remove the need to trigger an UNBLOCK event on AP creation · b2ec0423
      Tom Lendacky authored
      All SNP APs are initially started using the APIC INIT/SIPI sequence in
      the guest. This sequence moves the AP MP state from
      KVM_MP_STATE_UNINITIALIZED to KVM_MP_STATE_RUNNABLE, so there is no need
      to attempt the UNBLOCK.
      
      As it is, the UNBLOCK support in SVM is only enabled when AVIC is
      enabled. When AVIC is disabled, AP creation is still successful.
      
      Remove the KVM_REQ_UNBLOCK request from the AP creation code and revert
      the changes to the vcpu_unblocking() kvm_x86_ops path.
      Signed-off-by: default avatarTom Lendacky <thomas.lendacky@amd.com>
      Signed-off-by: default avatarMichael Roth <michael.roth@amd.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      b2ec0423
    • Paolo Bonzini's avatar
      KVM: SEV: Don't WARN() if RMP lookup fails when invalidating gmem pages · 73137f59
      Paolo Bonzini authored
      The hook only handles cleanup work specific to SNP, e.g. RMP table
      entries and flushing caches for encrypted guest memory. When run on a
      non-SNP-enabled host (currently only possible using
      KVM_X86_SW_PROTECTED_VM, e.g. via KVM selftests), the callback is a noop
      and will WARN due to the RMP table not being present. It's actually
      expected in this case that the RMP table wouldn't be present and that
      the hook should be a noop, so drop the WARN_ONCE().
      Reported-by: default avatarSean Christopherson <seanjc@google.com>
      Closes: https://lore.kernel.org/kvm/ZkU3_y0UoPk5yAeK@google.com/
      Fixes: 8eb01900 ("KVM: SEV: Implement gmem hook for invalidating private pages")
      Suggested-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarMichael Roth <michael.roth@amd.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      73137f59
    • Michael Roth's avatar
      KVM: SEV: Automatically switch reclaimed pages to shared · febff040
      Michael Roth authored
      Currently there's a consistent pattern of always calling
      host_rmp_make_shared() immediately after snp_page_reclaim(), so go ahead
      and handle it automatically as part of snp_page_reclaim(). Also rename
      it to kvm_rmp_make_shared() to more easily distinguish it as a
      KVM-specific variant of the more generic rmp_make_shared() helper.
      Suggested-by: default avatarSean Christopherson <seanjc@google.com>
      Signed-off-by: default avatarMichael Roth <michael.roth@amd.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      febff040
  6. 02 Jun, 2024 6 commits