Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751571AbdINO4v (ORCPT <rfc822;w@1wt.eu>);
        Thu, 14 Sep 2017 10:56:51 -0400
Received: from mx2.suse.de ([195.135.220.15]:45435 "EHLO mx1.suse.de"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1751318AbdINO4t (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 14 Sep 2017 10:56:49 -0400
Date: Thu, 14 Sep 2017 16:56:38 +0200
From: Borislav Petkov <bp@suse.de>
To: Brijesh Singh <brijesh.singh@amd.com>
Cc: linux-kernel@vger.kernel.org, x86@kernel.org, kvm@vger.kernel.org,
        Thomas Gleixner <tglx@linutronix.de>, Joerg Roedel <joro@8bytes.org>,
        "Michael S . Tsirkin" <mst@redhat.com>,
        Paolo Bonzini <pbonzini@redhat.com>,
        =?utf-8?B?XCJSYWRpbSBLcsSNbcOhxZlcIg==?= <rkrcmar@redhat.com>,
        Tom Lendacky <thomas.lendacky@amd.com>
Subject: Re: [RFC Part2 PATCH v3 25/26] KVM: SVM: Do not install #UD
 intercept when SEV is enabled
Message-ID: <20170914145638.4ben574ghpnerv2k@pd.tnic>
References: <20170724200303.12197-1-brijesh.singh@amd.com>
 <20170724200303.12197-26-brijesh.singh@amd.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20170724200303.12197-26-brijesh.singh@amd.com>
User-Agent: NeoMutt/20170113 (1.7.2)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1560
Lines: 48

On Mon, Jul 24, 2017 at 03:03:02PM -0500, Brijesh Singh wrote:
> On #UD, x86_emulate_instruction() fetches the data from guest memory and
> decodes the instruction bytes to assist further. When SEV is enabled, the
> instruction bytes will be encrypted using the guest-specific key, hypervisor

							"... key and the hypervisor... "

> will no longer able to fetch the instruction bytes to assist UD handling.
> By not installing intercept we let the guest receive and handle #UD.
> 
> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
> ---
>  arch/x86/kvm/svm.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
> index 64b9f60..4581d03 100644
> --- a/arch/x86/kvm/svm.c
> +++ b/arch/x86/kvm/svm.c
> @@ -1432,8 +1432,10 @@ static void init_vmcb(struct vcpu_svm *svm)
>  		svm->vmcb->control.virt_ext |= VIRTUAL_VMLOAD_VMSAVE_ENABLE_MASK;
>  	}
>  
> -	if (sev_guest(svm->vcpu.kvm))
> +	if (sev_guest(svm->vcpu.kvm)) {
>  		svm->vmcb->control.nested_ctl |= SVM_NESTED_CTL_SEV_ENABLE;
> +		clr_exception_intercept(svm, UD_VECTOR);
> +	}
>  
>  	mark_all_dirty(svm->vmcb);
>  
> -- 

Otherwise:

Reviewed-by: Borislav Petkov <bp@suse.de>

Btw, if this is really important for the hypervisor to continue to be
able to do decode assist, we probably should think about having the
guest give the hypervisor the couple instruction bytes in a controlled
manner...

-- 
Regards/Gruss,
    Boris.

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
--