From: Tom Lendacky
Subject: [RFC PATCH v3 17/20] x86/kvm: Enable Secure Memory Encryption of nested page tables
CC: Rik van Riel, Radim Krčmář, Arnd Bergmann, Jonathan Corbet, Matt Fleming, Joerg Roedel, Konrad Rzeszutek Wilk, Paolo Bonzini, Larry Woodman, Ingo Molnar, Borislav Petkov, Andy Lutomirski, H. Peter Anvin, Andrey Ryabinin, Alexander Potapenko, Thomas Gleixner, Dmitry Vyukov
Date: Wed, 9 Nov 2016 18:38:05 -0600
Message-ID: <20161110003805.3280.49182.stgit@tlendack-t1.amdoffice.net>
In-Reply-To: <20161110003426.3280.2999.stgit@tlendack-t1.amdoffice.net>
References: <20161110003426.3280.2999.stgit@tlendack-t1.amdoffice.net>
X-Mailing-List: linux-kernel@vger.kernel.org

Update the KVM support to include the memory encryption mask when creating and using nested page tables.

Signed-off-by: Tom Lendacky
--- arch/x86/include/asm/kvm_host.h | 3 ++- arch/x86/kvm/mmu.c | 8 ++++++-- arch/x86/kvm/vmx.c | 3 ++- arch/x86/kvm/x86.c | 3 ++- 4 files changed, 12 insertions(+), 5 deletions(-) diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h index 33ae3a4..c51c1cb 100644 --- a/arch/x86/include/asm/kvm_host.h +++ b/arch/x86/include/asm/kvm_host.h @@ -1039,7 +1039,8 @@ void kvm_mmu_setup(struct kvm_vcpu *vcpu); void kvm_mmu_init_vm(struct kvm *kvm); void kvm_mmu_uninit_vm(struct kvm *kvm); void kvm_mmu_set_mask_ptes(u64 user_mask, u64 accessed_mask, - u64 dirty_mask, u64 nx_mask, u64 x_mask, u64 p_mask); + u64 dirty_mask, u64 nx_mask, u64 x_mask, u64 p_mask, + u64 me_mask); void kvm_mmu_reset_context(struct kvm_vcpu *vcpu); void kvm_mmu_slot_remove_write_access(struct kvm *kvm, 
diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c index 3d4cc8cc..a7040f4 100644 --- a/arch/x86/kvm/mmu.c +++ b/arch/x86/kvm/mmu.c @@ -122,7 +122,7 @@ module_param(dbg, bool, 0644); * PT32_LEVEL_BITS))) - 1)) #define PT64_PERM_MASK (PT_PRESENT_MASK | PT_WRITABLE_MASK | shadow_user_mask \ - | shadow_x_mask | shadow_nx_mask) + | shadow_x_mask | shadow_nx_mask | shadow_me_mask) #define ACC_EXEC_MASK 1 #define ACC_WRITE_MASK PT_WRITABLE_MASK @@ -177,6 +177,7 @@ static u64 __read_mostly shadow_accessed_mask; static u64 __read_mostly shadow_dirty_mask; static u64 __read_mostly shadow_mmio_mask; static u64 __read_mostly shadow_present_mask; +static u64 __read_mostly shadow_me_mask; static void mmu_spte_set(u64 *sptep, u64 spte); static void mmu_free_roots(struct kvm_vcpu *vcpu); @@ -284,7 +285,8 @@ static bool check_mmio_spte(struct kvm_vcpu *vcpu, u64 spte) } void kvm_mmu_set_mask_ptes(u64 user_mask, u64 accessed_mask, - u64 dirty_mask, u64 nx_mask, u64 x_mask, u64 p_mask) + u64 dirty_mask, u64 nx_mask, u64 x_mask, u64 p_mask, + u64 me_mask) { shadow_user_mask = user_mask; shadow_accessed_mask = accessed_mask; @@ -292,6 +294,7 @@ void kvm_mmu_set_mask_ptes(u64 user_mask, u64 accessed_mask, shadow_nx_mask = nx_mask; shadow_x_mask = x_mask; shadow_present_mask = p_mask; + shadow_me_mask = me_mask; } EXPORT_SYMBOL_GPL(kvm_mmu_set_mask_ptes); @@ -2553,6 +2556,7 @@ static int set_spte(struct kvm_vcpu *vcpu, u64 *sptep, pte_access &= ~ACC_WRITE_MASK; spte |= (u64)pfn << PAGE_SHIFT; + spte |= shadow_me_mask; if (pte_access & ACC_WRITE_MASK) { diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c index 121fdf6..1ae30c2 100644 --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -6482,7 +6482,8 @@ static __init int hardware_setup(void) (enable_ept_ad_bits) ? VMX_EPT_DIRTY_BIT : 0ull, 0ull, VMX_EPT_EXECUTABLE_MASK, cpu_has_vmx_ept_execute_only() ? - 0ull : VMX_EPT_READABLE_MASK); + 0ull : VMX_EPT_READABLE_MASK, + 0ull); ept_set_mmio_spte_mask(); kvm_enable_tdp(); } else 
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 2c7e775..3b4d967 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -65,6 +65,7 @@ #include #include #include +#include #define CREATE_TRACE_POINTS #include "trace.h" @@ -5875,7 +5876,7 @@ int kvm_arch_init(void *opaque) kvm_mmu_set_mask_ptes(PT_USER_MASK, PT_ACCESSED_MASK, PT_DIRTY_MASK, PT64_NX_MASK, 0, - PT_PRESENT_MASK); + PT_PRESENT_MASK, sme_me_mask); kvm_timer_init(); perf_register_guest_info_callbacks(&kvm_guest_cbs);
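
Review bot: In arch/x86/kvm/mmu.c, the hunk at line 122 folds shadow_me_mask into PT64_PERM_MASK, but the encryption mask is not an access permission, so every user of that macro now treats it as one without any indication at the use site. Either leave PT64_PERM_MASK as it was and OR shadow_me_mask in where a page-table entry is actually built, or add a comment above the macro saying why the encryption bit belongs with the permission bits.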
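
Review bot: In set_spte() in arch/x86/kvm/mmu.c, "spte |= shadow_me_mask;" is applied unconditionally right after the pfn is merged in, so the encryption bit is set on every SPTE whatever the pfn refers to. If set_spte() can be reached for pfns that are not system RAM (device MMIO, for example), the OR needs a check in front of it; if it cannot, a one-line comment saying so would settle the question. It would also help to state that the mask bit can never overlap "(u64)pfn << PAGE_SHIFT".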
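
Review bot: In hardware_setup() in arch/x86/kvm/vmx.c, the new me_mask argument is a bare 0ull appended to a call that already passes another bare 0ull, and nothing says why EPT entries get no encryption mask. With kvm_mmu_set_mask_ptes() now taking seven positional u64 arguments, a short comment at this call (or a sentence in the changelog) stating that the mask is intentionally zero here would keep the two zeros from being confused or reordered later.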
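
Review bot: The kvm_arch_init() hunk in arch/x86/kvm/x86.c passes sme_me_mask straight into kvm_mmu_set_mask_ptes(), and neither the hunk nor the changelog says what value it holds when memory encryption is not active. Please add a sentence to the changelog (or a comment at the call) stating the expected value in that case, since set_spte() ORs the mask into every SPTE.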