Received: by 10.223.176.46 with SMTP id f43csp1668685wra;
        Sun, 21 Jan 2018 01:50:54 -0800 (PST)
X-Google-Smtp-Source: AH8x2247b3DPLIrvetIDsakWOz4ldqbUwRv9oHBCyRyEWOBQ6tURDfsDyr2a3wXP5TAMKfB1HYI5
X-Received: by 2002:a17:902:7182:: with SMTP id b2-v6mr1988452pll.38.1516528254250;
        Sun, 21 Jan 2018 01:50:54 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1516528254; cv=none;
        d=google.com; s=arc-20160816;
        b=RClqpP+Ts9wUXJRzy4louGmzhfcfREMD3hMTpAQiPcbq3sVzSqGHZ2DRGS6eh4mhbD
         MaIF2F38FehgFrEIuUSmdSZkFZyiucXN9hBCJvETIG0QpMGs+hlJX+HDuuuBcxaGBUcj
         2AgoDywyIwgswiyDKDKmWsFS+jx+YmshIA4FjsiCNFiJziIeqDequlrcw7GcQZhBgv3e
         9NvKNdzmPH0uNb9RuEuhen//vpa5k+f/fBstdrQ0KFsGATR2kB9+tK4jN3cR2Lb6eY7z
         3o3Sek0n+2uCUFElpUJeIbuIMZvkVUfuW9Q2BLfQHjbeJkK0gRqdwRVXBOdU/Ydo2H6w
         eaKw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:references:in-reply-to:message-id:date
         :subject:to:from:dkim-signature:arc-authentication-results;
        bh=wncma6E3YRn59Z0//+y71jG96FxClgiDvLwQN01BxrI=;
        b=z1maHrdsJNj50dvIZVv028xLgARrB4p9YCLUvzJfypsIKtYnUjJ5rpvEYgob9fcK3C
         Xfe30cQiB3nOjIgSEriZ1LtTNMLRq92V+PLX/ziFP7vMTLsFY8rXsPPcQkBgYcG2wvmN
         KJH8DASIL0isicfp+qX0LtQVY5cKMyAkqpZK/2MJbEr9cIZ0s1PifOPU/uHVjNaN3WlQ
         z7tDOnc0kQksNYngtiQwYM/XkUgNFSve6A2omm0sPXKJBQ972jC27e+5KyTh4kTjjILx
         RX5HOyuxoe94MXuynfR+IEdd2crxQwaWH4n7gU5gaFf37Cc/ZoVz7nB7y+xV4z56f4aQ
         GVfA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@amazon.co.uk header.s=amazon201209 header.b=DLj1jn8z;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amazon.co.uk
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id x13si2092069pgt.263.2018.01.21.01.50.40;
        Sun, 21 Jan 2018 01:50:54 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@amazon.co.uk header.s=amazon201209 header.b=DLj1jn8z;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amazon.co.uk
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751290AbeAUJt7 (ORCPT <rfc822;yuankui.zhao@gmail.com>
        + 99 others); Sun, 21 Jan 2018 04:49:59 -0500
Received: from smtp-fw-4101.amazon.com ([72.21.198.25]:64799 "EHLO
        smtp-fw-4101.amazon.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751211AbeAUJtk (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 21 Jan 2018 04:49:40 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=amazon.co.uk; i=@amazon.co.uk; q=dns/txt;
  s=amazon201209; t=1516528179; x=1548064179;
  h=from:to:subject:date:message-id:in-reply-to:references;
  bh=wncma6E3YRn59Z0//+y71jG96FxClgiDvLwQN01BxrI=;
  b=DLj1jn8zq1DA432SqpNnLrzVx5P9xEXHTUQdi2PSnl4Y/FAVZgmy79J3
   DnDru6/+sCF+av0OIdhFSLk6GP7xjfP2ij0Z9gAQo+dSoJ3J+T6EKIJuM
   zZG5LcRniZuWpYUtkqUXVMv6TV+G67wD/fGSTpWQrWVyhynhZVmrPkJzU
   g=;
X-IronPort-AV: E=Sophos;i="5.46,390,1511827200"; 
   d="scan'208";a="704575207"
Received: from iad6-co-svc-p1-lb1-vlan3.amazon.com (HELO email-inbound-relay-2a-f14f4a47.us-west-2.amazon.com) ([10.124.125.6])
  by smtp-border-fw-out-4101.iad4.amazon.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 21 Jan 2018 09:49:31 +0000
Received: from uc8d3ff76b9bc5848a9cc.ant.amazon.com (pdx2-ws-svc-lb17-vlan3.amazon.com [10.247.140.70])
        by email-inbound-relay-2a-f14f4a47.us-west-2.amazon.com (8.14.7/8.14.7) with ESMTP id w0L9nQOt100754
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
        Sun, 21 Jan 2018 09:49:27 GMT
Received: from uc8d3ff76b9bc5848a9cc.ant.amazon.com (localhost [127.0.0.1])
        by uc8d3ff76b9bc5848a9cc.ant.amazon.com (8.15.2/8.15.2/Debian-3) with ESMTP id w0L9nPuc010309;
        Sun, 21 Jan 2018 09:49:25 GMT
Received: (from dwmw@localhost)
        by uc8d3ff76b9bc5848a9cc.ant.amazon.com (8.15.2/8.15.2/Submit) id w0L9nPUx010308;
        Sun, 21 Jan 2018 09:49:25 GMT
From:   David Woodhouse <dwmw@amazon.co.uk>
To:     arjan@linux.intel.com, tglx@linutronix.de, karahmed@amazon.de,
        x86@kernel.org, linux-kernel@vger.kernel.org,
        tim.c.chen@linux.intel.com, bp@alien8.de, peterz@infradead.org,
        pbonzini@redhat.com, ak@linux.intel.com,
        torvalds@linux-foundation.org, gregkh@linux-foundation.org
Subject: [PATCH v2 6/8] x86/kvm: Add IBPB support
Date:   Sun, 21 Jan 2018 09:49:07 +0000
Message-Id: <1516528149-9370-7-git-send-email-dwmw@amazon.co.uk>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1516528149-9370-1-git-send-email-dwmw@amazon.co.uk>
References: <1516528149-9370-1-git-send-email-dwmw@amazon.co.uk>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Ashok Raj <ashok.raj@intel.com>

Add MSR passthrough for MSR_IA32_PRED_CMD and place branch predictor
barriers on switching between VMs to avoid inter VM specte-v2 attacks.

[peterz: rebase and changelog rewrite]
[karahmed: - vmx: expose PRED_CMD whenever it is available
	   - svm: only pass through IBPB if it is available]
[dwmw2:    - vmx: allow X86_FEATURE_AMD_PRED_CMD too]
Cc: Asit Mallick <asit.k.mallick@intel.com>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Arjan Van De Ven <arjan.van.de.ven@intel.com>
Cc: Tim Chen <tim.c.chen@linux.intel.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Jun Nakajima <jun.nakajima@intel.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Ashok Raj <ashok.raj@intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: http://lkml.kernel.org/r/1515720739-43819-6-git-send-email-ashok.raj@intel.com

Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: KarimAllah Ahmed <karahmed@amazon.de>
---
 arch/x86/kvm/svm.c | 14 ++++++++++++++
 arch/x86/kvm/vmx.c | 11 +++++++++++
 2 files changed, 25 insertions(+)

diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
index 2744b973..cfdb9ab 100644
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -529,6 +529,7 @@ struct svm_cpu_data {
 	struct kvm_ldttss_desc *tss_desc;
 
 	struct page *save_area;
+	struct vmcb *current_vmcb;
 };
 
 static DEFINE_PER_CPU(struct svm_cpu_data *, svm_data);
@@ -918,6 +919,9 @@ static void svm_vcpu_init_msrpm(u32 *msrpm)
 
 		set_msr_interception(msrpm, direct_access_msrs[i].index, 1, 1);
 	}
+
+	if (boot_cpu_has(X86_FEATURE_AMD_PRED_CMD))
+		set_msr_interception(msrpm, MSR_IA32_PRED_CMD, 1, 1);
 }
 
 static void add_msr_offset(u32 offset)
@@ -1706,11 +1710,17 @@ static void svm_free_vcpu(struct kvm_vcpu *vcpu)
 	__free_pages(virt_to_page(svm->nested.msrpm), MSRPM_ALLOC_ORDER);
 	kvm_vcpu_uninit(vcpu);
 	kmem_cache_free(kvm_vcpu_cache, svm);
+	/*
+	 * The vmcb page can be recycled, causing a false negative in
+	 * svm_vcpu_load(). So do a full IBPB now.
+	 */
+	indirect_branch_prediction_barrier();
 }
 
 static void svm_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
 {
 	struct vcpu_svm *svm = to_svm(vcpu);
+	struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
 	int i;
 
 	if (unlikely(cpu != vcpu->cpu)) {
@@ -1739,6 +1749,10 @@ static void svm_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
 	if (static_cpu_has(X86_FEATURE_RDTSCP))
 		wrmsrl(MSR_TSC_AUX, svm->tsc_aux);
 
+	if (sd->current_vmcb != svm->vmcb) {
+		sd->current_vmcb = svm->vmcb;
+		indirect_branch_prediction_barrier();
+	}
 	avic_vcpu_load(vcpu, cpu);
 }
 
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index d1e25db..1e45bb3 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -2279,6 +2279,7 @@ static void vmx_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
 	if (per_cpu(current_vmcs, cpu) != vmx->loaded_vmcs->vmcs) {
 		per_cpu(current_vmcs, cpu) = vmx->loaded_vmcs->vmcs;
 		vmcs_load(vmx->loaded_vmcs->vmcs);
+		indirect_branch_prediction_barrier();
 	}
 
 	if (!already_loaded) {
@@ -6791,6 +6792,16 @@ static __init int hardware_setup(void)
 		kvm_tsc_scaling_ratio_frac_bits = 48;
 	}
 
+	/*
+	 * The AMD_PRED_CMD bit might be exposed by hypervisors on Intel
+	 * chips which only want to expose PRED_CMD to guests and not
+	 * SPEC_CTRL. Because PRED_CMD is one-shot write-only, while
+	 * PRED_CMD requires storage, live migration support, etc.
+	 */
+	if (boot_cpu_has(X86_FEATURE_SPEC_CTRL) ||
+	    boot_cpu_has(X86_FEATURE_AMD_PRED_CMD))
+		vmx_disable_intercept_for_msr(MSR_IA32_PRED_CMD, false);
+
 	vmx_disable_intercept_for_msr(MSR_FS_BASE, false);
 	vmx_disable_intercept_for_msr(MSR_GS_BASE, false);
 	vmx_disable_intercept_for_msr(MSR_KERNEL_GS_BASE, true);
-- 
2.7.4