1. 10 Feb, 2021 3 commits
  2. 09 Feb, 2021 30 commits
  3. 08 Feb, 2021 2 commits
  4. 04 Feb, 2021 5 commits
    • Sean Christopherson's avatar
      KVM: x86: Add helper to consolidate "raw" reserved GPA mask calculations · a8ac864a
      Sean Christopherson authored
      Add a helper to generate the mask of reserved GPA bits _without_ any
      adjustments for repurposed bits, and use it to replace a variety of
      open coded variants in the MTRR and APIC_BASE flows.
      
      No functional change intended.
      Signed-off-by: default avatarSean Christopherson <seanjc@google.com>
      Message-Id: <20210204000117.3303214-11-seanjc@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      a8ac864a
    • Sean Christopherson's avatar
      KVM: x86/mmu: Add helper to generate mask of reserved HPA bits · 6f8e65a6
      Sean Christopherson authored
      Add a helper to generate the mask of reserved PA bits in the host.
      
      No functional change intended.
      Signed-off-by: default avatarSean Christopherson <seanjc@google.com>
      Message-Id: <20210204000117.3303214-10-seanjc@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      6f8e65a6
    • Sean Christopherson's avatar
      KVM: x86: Use reserved_gpa_bits to calculate reserved PxE bits · 5b7f575c
      Sean Christopherson authored
      Use reserved_gpa_bits, which accounts for exceptions to the maxphyaddr
      rule, e.g. SEV's C-bit, for the page {table,directory,etc...} entry (PxE)
      reserved bits checks.  For SEV, the C-bit is ignored by hardware when
      walking pages tables, e.g. the APM states:
      
        Note that while the guest may choose to set the C-bit explicitly on
        instruction pages and page table addresses, the value of this bit is a
        don't-care in such situations as hardware always performs these as
        private accesses.
      
      Such behavior is expected to hold true for other features that repurpose
      GPA bits, e.g. KVM could theoretically emulate SME or MKTME, which both
      allow non-zero repurposed bits in the page tables.  Conceptually, KVM
      should apply reserved GPA checks universally, and any features that do
      not adhere to the basic rule should be explicitly handled, i.e. if a GPA
      bit is repurposed but not allowed in page tables for whatever reason.
      
      Refactor __reset_rsvds_bits_mask() to take the pre-generated reserved
      bits mask, and opportunistically clean up its code, e.g. to align lines
      and comments.
      
      Practically speaking, this is change is a likely a glorified nop given
      the current KVM code base.  SEV's C-bit is the only repurposed GPA bit,
      and KVM doesn't support shadowing encrypted page tables (which is
      theoretically possible via SEV debug APIs).
      
      Cc: Rick Edgecombe <rick.p.edgecombe@intel.com>
      Signed-off-by: default avatarSean Christopherson <seanjc@google.com>
      Message-Id: <20210204000117.3303214-9-seanjc@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      5b7f575c
    • Sean Christopherson's avatar
      KVM: x86: SEV: Treat C-bit as legal GPA bit regardless of vCPU mode · ca29e145
      Sean Christopherson authored
      Rename cr3_lm_rsvd_bits to reserved_gpa_bits, and use it for all GPA
      legality checks.  AMD's APM states:
      
        If the C-bit is an address bit, this bit is masked from the guest
        physical address when it is translated through the nested page tables.
      
      Thus, any access that can conceivably be run through NPT should ignore
      the C-bit when checking for validity.
      
      For features that KVM emulates in software, e.g. MTRRs, there is no
      clear direction in the APM for how the C-bit should be handled.  For
      such cases, follow the SME behavior inasmuch as possible, since SEV is
      is essentially a VM-specific variant of SME.  For SME, the APM states:
      
        In this case the upper physical address bits are treated as reserved
        when the feature is enabled except where otherwise indicated.
      
      Collecting the various relavant SME snippets in the APM and cross-
      referencing the omissions with Linux kernel code, this leaves MTTRs and
      APIC_BASE as the only flows that KVM emulates that should _not_ ignore
      the C-bit.
      
      Note, this means the reserved bit checks in the page tables are
      technically broken.  This will be remedied in a future patch.
      
      Although the page table checks are technically broken, in practice, it's
      all but guaranteed to be irrelevant.  NPT is required for SEV, i.e.
      shadowing page tables isn't needed in the common case.  Theoretically,
      the checks could be in play for nested NPT, but it's extremely unlikely
      that anyone is running nested VMs on SEV, as doing so would require L1
      to expose sensitive data to L0, e.g. the entire VMCB.  And if anyone is
      running nested VMs, L0 can't read the guest's encrypted memory, i.e. L1
      would need to put its NPT in shared memory, in which case the C-bit will
      never be set.  Or, L1 could use shadow paging, but again, if L0 needs to
      read page tables, e.g. to load PDPTRs, the memory can't be encrypted if
      L1 has any expectation of L0 doing the right thing.
      
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: Brijesh Singh <brijesh.singh@amd.com>
      Signed-off-by: default avatarSean Christopherson <seanjc@google.com>
      Message-Id: <20210204000117.3303214-8-seanjc@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      ca29e145
    • Sean Christopherson's avatar
      KVM: nSVM: Use common GPA helper to check for illegal CR3 · bbc2c63d
      Sean Christopherson authored
      Replace an open coded check for an invalid CR3 with its equivalent
      helper.
      
      No functional change intended.
      Signed-off-by: default avatarSean Christopherson <seanjc@google.com>
      Message-Id: <20210204000117.3303214-7-seanjc@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      bbc2c63d