From: David Woodhouse
To: arjan@linux.intel.com, tglx@linutronix.de, karahmed@amazon.de, x86@kernel.org, linux-kernel@vger.kernel.org, tim.c.chen@linux.intel.com, bp@alien8.de, peterz@infradead.org, pbonzini@redhat.com, ak@linux.intel.com, torvalds@linux-foundation.org, gregkh@linux-foundation.org
Subject: [PATCH v2 6/8] x86/kvm: Add IBPB support
Date: Sun, 21 Jan 2018 09:49:07 +0000
Message-Id: <1516528149-9370-7-git-send-email-dwmw@amazon.co.uk>
In-Reply-To: <1516528149-9370-1-git-send-email-dwmw@amazon.co.uk>
References: <1516528149-9370-1-git-send-email-dwmw@amazon.co.uk>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Ashok Raj

Add MSR passthrough for MSR_IA32_PRED_CMD and place branch predictor
barriers on switching between VMs to avoid inter VM spectre-v2 attacks.

[peterz: rebase and changelog rewrite]
[karahmed: - vmx: expose PRED_CMD whenever it is available
           - svm: only pass through IBPB if it is available]
[dwmw2:    - vmx: allow X86_FEATURE_AMD_PRED_CMD too]

Cc: Asit Mallick
Cc: Dave Hansen
Cc: Arjan Van De Ven
Cc: Tim Chen
Cc: Linus Torvalds
Cc: Andrea Arcangeli
Cc: Andi Kleen
Cc: Thomas Gleixner
Cc: Dan Williams
Cc: Jun Nakajima
Cc: Andy Lutomirski
Cc: Greg KH
Cc: Paolo Bonzini
Signed-off-by: Ashok Raj
Signed-off-by: Peter Zijlstra (Intel)
Link: http://lkml.kernel.org/r/1515720739-43819-6-git-send-email-ashok.raj@intel.com
Signed-off-by: David Woodhouse
Signed-off-by: KarimAllah Ahmed --- arch/x86/kvm/svm.c | 14 ++++++++++++++ arch/x86/kvm/vmx.c | 11 +++++++++++ 2 files changed, 25 insertions(+) diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c index 2744b973..cfdb9ab 100644 --- a/arch/x86/kvm/svm.c +++ b/arch/x86/kvm/svm.c @@ -529,6 +529,7 @@ struct svm_cpu_data { struct kvm_ldttss_desc *tss_desc; struct page *save_area; + struct vmcb *current_vmcb; }; static DEFINE_PER_CPU(struct svm_cpu_data *, svm_data); @@ -918,6 +919,9 @@ static void svm_vcpu_init_msrpm(u32 *msrpm) set_msr_interception(msrpm, direct_access_msrs[i].index, 1, 1); } + + if (boot_cpu_has(X86_FEATURE_AMD_PRED_CMD)) + set_msr_interception(msrpm, MSR_IA32_PRED_CMD, 1, 1); } static void add_msr_offset(u32 offset) @@ -1706,11 +1710,17 @@ static void svm_free_vcpu(struct kvm_vcpu *vcpu) __free_pages(virt_to_page(svm->nested.msrpm), MSRPM_ALLOC_ORDER); kvm_vcpu_uninit(vcpu); kmem_cache_free(kvm_vcpu_cache, svm); + /* + * The vmcb page can be recycled, causing a false negative in + * svm_vcpu_load(). So do a full IBPB now. + */ + indirect_branch_prediction_barrier(); } static void svm_vcpu_load(struct kvm_vcpu *vcpu, int cpu) { struct vcpu_svm *svm = to_svm(vcpu); + struct svm_cpu_data *sd = per_cpu(svm_data, cpu); int i; if (unlikely(cpu != vcpu->cpu)) { @@ -1739,6 +1749,10 @@ static void svm_vcpu_load(struct kvm_vcpu *vcpu, int cpu) if (static_cpu_has(X86_FEATURE_RDTSCP)) wrmsrl(MSR_TSC_AUX, svm->tsc_aux); + if (sd->current_vmcb != svm->vmcb) { + sd->current_vmcb = svm->vmcb; + indirect_branch_prediction_barrier(); + } avic_vcpu_load(vcpu, cpu); } diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c index d1e25db..1e45bb3 100644 --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c 
@@ -2279,6 +2279,7 @@ static void vmx_vcpu_load(struct kvm_vcpu *vcpu, int cpu) if (per_cpu(current_vmcs, cpu) != vmx->loaded_vmcs->vmcs) { per_cpu(current_vmcs, cpu) = vmx->loaded_vmcs->vmcs; vmcs_load(vmx->loaded_vmcs->vmcs); + indirect_branch_prediction_barrier(); } if (!already_loaded) { @@ -6791,6 +6792,16 @@ static __init int hardware_setup(void) kvm_tsc_scaling_ratio_frac_bits = 48; } + /* + * The AMD_PRED_CMD bit might be exposed by hypervisors on Intel + * chips which only want to expose PRED_CMD to guests and not + * SPEC_CTRL. Because PRED_CMD is one-shot write-only, while + * PRED_CMD requires storage, live migration support, etc. + */ + if (boot_cpu_has(X86_FEATURE_SPEC_CTRL) || + boot_cpu_has(X86_FEATURE_AMD_PRED_CMD)) + vmx_disable_intercept_for_msr(MSR_IA32_PRED_CMD, false); + vmx_disable_intercept_for_msr(MSR_FS_BASE, false); vmx_disable_intercept_for_msr(MSR_GS_BASE, false); vmx_disable_intercept_for_msr(MSR_KERNEL_GS_BASE, true); -- 2.7.4
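
Review bot: in the svm_vcpu_init_msrpm() hunk, set_msr_interception(msrpm, MSR_IA32_PRED_CMD, 1, 1) appears to open the MSR for both reads and writes, assuming the last two arguments are the read and write pass-through flags as in the direct_access_msrs loop just above. The vmx.c comment in this same patch describes PRED_CMD as "one-shot write-only", so only write pass-through is needed; consider passing 0 for the read flag so a guest read still traps. Separately, the gate is boot_cpu_has(X86_FEATURE_AMD_PRED_CMD), a host property: a guest whose CPUID does not advertise IBPB still gets direct access to the MSR. If that is intended, the changelog should say so.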
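
Review bot: in the svm_free_vcpu() hunk, the barrier does not cover the case the comment describes on other CPUs. indirect_branch_prediction_barrier() runs only on the CPU that frees the vcpu, while current_vmcb is a field of the per-CPU svm_cpu_data, so any other CPU that last ran this vcpu keeps the stale pointer and the `sd->current_vmcb != svm->vmcb` test in svm_vcpu_load() can still miss a recycled page there. Clearing the matching current_vmcb entry on every CPU at free time would close the false negative directly and would not need the extra barrier. Also, the comment says "a full IBPB", but there is only one kind of barrier in this patch; dropping "full" avoids implying a partial variant.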
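
Review bot: in the hardware_setup() hunk of vmx.c, the new comment names the wrong MSR and does not parse: "Because PRED_CMD is one-shot write-only, while PRED_CMD requires storage, live migration support, etc." The second PRED_CMD should presumably be SPEC_CTRL, since the preceding sentence contrasts the two, and the "Because ..." clause never reaches a main clause. Suggested wording: "PRED_CMD is one-shot write-only, while SPEC_CTRL requires storage, live migration support, etc." As on the SVM side, the intercept is disabled based on host feature bits only, so the same question about guests that are not told about IBPB applies here.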