Received: by 10.223.176.46 with SMTP id f43csp3258109wra;
        Mon, 22 Jan 2018 10:57:36 -0800 (PST)
X-Google-Smtp-Source: AH8x227VYmakorlodVYBH7QIW0HJqGeg+Sg1wG7M60H+Rc5SKyee1l7KkqxHcqDWwKEu588flw4R
X-Received: by 10.107.20.194 with SMTP id 185mr9077837iou.127.1516647456140;
        Mon, 22 Jan 2018 10:57:36 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1516647456; cv=none;
        d=google.com; s=arc-20160816;
        b=MG+zqD2y05W0NsP535d3GiFega1UCROgOCGrPIVrOBVRIqUqYWwDH3PKUgluC0omRW
         8JgCUnimF52ic+BpdkGcfPM8jVn75a9YCQIKtoFSUCWACy9x21eszK5DBhvvgzz+3wj7
         qdOwhk0S/xDDnFQCahC/s56CZKIoTIebaaFeyrN3grIQEHwMh/LGzfKC0HXhIkgBZl4u
         jegfgMLc+nY88/f6rzKZOse9tjzUsFHiUKm1eXEaIOWlhMwa2QbKHSllDI25MZwMcbZy
         CulvMZ2xrTKZJ10G2KRhVzvP+9wqfgqOGzUl0na1Hd50womBKbi9vlqD87cKGSD8oGhN
         iI9A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=mO5b+D52gH+turRRmvVnugK0sk6drwLrIBHSK0bMaSg=;
        b=sZ21QoNjfmvL4zCNiXCZ4SpTSYgXNDtuA6s2Su9wSJUDWSoGTUIDkyGJQf20FAzjJr
         G3ZLwiEV9MkRYyMq3bBvCXnwqaf1VpkM20ov71YOqOYZ/c0xQvFawTAE3azsJeXVPXNv
         52yM+iuOmBmI+kAEExVk2WhShd+BMO+IlvmYmhG3D67FWyn9i1TzFam1110oUmVielCR
         8n/12nsaA4Uftmp4xHtaQqt80kV71qHhV8dpE/OZttElj1iMR/AxPK3h7wQinHs4QxjV
         N9X5mdZirn05ANFSOKCLFQiCeX0GgDmd78n2HkW58fl7R/dqFFV5GhDyGFKdN9X0QdhW
         PyLQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=C4teoAVm;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id n18si11497904ioc.336.2018.01.22.10.57.23;
        Mon, 22 Jan 2018 10:57:36 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=C4teoAVm;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751704AbeAVS4K (ORCPT <rfc822;lans.zhang2008@gmail.com>
        + 99 others); Mon, 22 Jan 2018 13:56:10 -0500
Received: from mail-it0-f65.google.com ([209.85.214.65]:43711 "EHLO
        mail-it0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751738AbeAVS4H (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 22 Jan 2018 13:56:07 -0500
Received: by mail-it0-f65.google.com with SMTP id u62so11046667ita.2
        for <linux-kernel@vger.kernel.org>; Mon, 22 Jan 2018 10:56:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=mO5b+D52gH+turRRmvVnugK0sk6drwLrIBHSK0bMaSg=;
        b=C4teoAVmXixOVRtY+2LvE3FtOzd2lUf9ymfQot+/5WGWlavClQTygIstcuwSKsJA7k
         UY//zui5KCS31NKJmn7IMQoqnB090yy6fqJ+9/C7IlyDjOo/XPuHo4LtEip7zGANnh0k
         vyjG/9ni8CUQHT8Ud6AWJ+xpNzuti8kGHiBfkpMNE9a4QOzlqzBEQ0NUcGwxjpQ81mis
         QodD9TcHy2+fPX6OSRvrbv+mh/ks+HqRxwGwzzim+VZtpkdJNKDEq2R1a2yON9306WZa
         ixmAWiZMhSEAbQVqAFtZ9NoWKA7cZVLyfxmgKExS0ZCZbHJDHcSDhbkzs2/3Bf4hQ+9H
         kvew==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=mO5b+D52gH+turRRmvVnugK0sk6drwLrIBHSK0bMaSg=;
        b=AHf/7jwzfw8QiHm3kjBETlg/FBS6vw+VGzRjPJEFnHuG1g0Al64Kk9GJp0tAIZM0cl
         OCvNG3p69daeSQ4jpDANH9mN7c92QjfsC1nqMsZbnTjkIgvCDHCtN4moYBOOZxRC8KE+
         p7xbhgSuoc3J75XuzghVJ1S40mIc6Pc8/DVLpwyJpCx6tKAmsYkA8Z41ufHCJro1SMuM
         D1Wa3ZwhgwB6/e1wqrTbDBD9YGL1cAyjpOnvD7PvZasxqHEmKLXGaksDRcAdVKYkGLTf
         4ZQ55rnt8c3Y6hnseWHgZuOxbfQiHTOjoYAEBVyr9Ghip0AAfzPaNaDDXPkaCVTokBPD
         j10A==
X-Gm-Message-State: AKwxyte5IvJSHpAORhfJzyulUKbMVH5dyztcGCfcWt5014T1u5Fuedtl
        JUG/ejgWP5j3sAbpTQBVYSvNYcfebH/cZPruQ1Hywg==
X-Received: by 10.36.10.20 with SMTP id 20mr9079106itw.127.1516647366438; Mon,
 22 Jan 2018 10:56:06 -0800 (PST)
MIME-Version: 1.0
Received: by 10.107.128.7 with HTTP; Mon, 22 Jan 2018 10:56:05 -0800 (PST)
In-Reply-To: <1516476182-5153-3-git-send-email-karahmed@amazon.de>
References: <1516476182-5153-1-git-send-email-karahmed@amazon.de> <1516476182-5153-3-git-send-email-karahmed@amazon.de>
From:   Jim Mattson <jmattson@google.com>
Date:   Mon, 22 Jan 2018 10:56:05 -0800
Message-ID: <CALMp9eSdKyaAgxS1CLXgQ7GzFns7Agvr5kx67v87O9JT=1ypmA@mail.gmail.com>
Subject: Re: [RFC 02/10] x86/kvm: Add IBPB support
To:     KarimAllah Ahmed <karahmed@amazon.de>
Cc:     LKML <linux-kernel@vger.kernel.org>,
        Andi Kleen <ak@linux.intel.com>,
        Andrea Arcangeli <aarcange@redhat.com>,
        Andy Lutomirski <luto@kernel.org>,
        Arjan van de Ven <arjan@linux.intel.com>,
        Ashok Raj <ashok.raj@intel.com>,
        Asit Mallick <asit.k.mallick@intel.com>,
        Borislav Petkov <bp@suse.de>,
        Dan Williams <dan.j.williams@intel.com>,
        Dave Hansen <dave.hansen@intel.com>,
        David Woodhouse <dwmw@amazon.co.uk>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        "H . Peter Anvin" <hpa@zytor.com>, Ingo Molnar <mingo@redhat.com>,
        Janakarajan Natarajan <Janakarajan.Natarajan@amd.com>,
        Joerg Roedel <joro@8bytes.org>,
        Jun Nakajima <jun.nakajima@intel.com>,
        Laura Abbott <labbott@redhat.com>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Masami Hiramatsu <mhiramat@kernel.org>,
        Paolo Bonzini <pbonzini@redhat.com>,
        Peter Zijlstra <peterz@infradead.org>,
        =?UTF-8?B?UmFkaW0gS3LEjW3DocWZ?= <rkrcmar@redhat.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        Tim Chen <tim.c.chen@linux.intel.com>,
        Tom Lendacky <thomas.lendacky@amd.com>,
        kvm list <kvm@vger.kernel.org>,
        "the arch/x86 maintainers" <x86@kernel.org>,
        Arjan Van De Ven <arjan.van.de.ven@intel.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Jan 20, 2018 at 11:22 AM, KarimAllah Ahmed <karahmed@amazon.de> wrote:
> From: Ashok Raj <ashok.raj@intel.com>
>
> Add MSR passthrough for MSR_IA32_PRED_CMD and place branch predictor
> barriers on switching between VMs to avoid inter VM specte-v2 attacks.
>
> [peterz: rebase and changelog rewrite]
> [dwmw2: fixes]
> [karahmed: - vmx: expose PRED_CMD whenever it is available
>            - svm: only pass through IBPB if it is available]
>
> Cc: Asit Mallick <asit.k.mallick@intel.com>
> Cc: Dave Hansen <dave.hansen@intel.com>
> Cc: Arjan Van De Ven <arjan.van.de.ven@intel.com>
> Cc: Tim Chen <tim.c.chen@linux.intel.com>
> Cc: Linus Torvalds <torvalds@linux-foundation.org>
> Cc: Andrea Arcangeli <aarcange@redhat.com>
> Cc: Andi Kleen <ak@linux.intel.com>
> Cc: Thomas Gleixner <tglx@linutronix.de>
> Cc: Dan Williams <dan.j.williams@intel.com>
> Cc: Jun Nakajima <jun.nakajima@intel.com>
> Cc: Andy Lutomirski <luto@kernel.org>
> Cc: Greg KH <gregkh@linuxfoundation.org>
> Cc: David Woodhouse <dwmw@amazon.co.uk>
> Cc: Paolo Bonzini <pbonzini@redhat.com>
> Signed-off-by: Ashok Raj <ashok.raj@intel.com>
> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
> Link: http://lkml.kernel.org/r/1515720739-43819-6-git-send-email-ashok.raj@intel.com
>
> Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
> Signed-off-by: KarimAllah Ahmed <karahmed@amazon.de>
> ---
>  arch/x86/kvm/svm.c | 14 ++++++++++++++
>  arch/x86/kvm/vmx.c |  4 ++++
>  2 files changed, 18 insertions(+)
>
> diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
> index 2744b973..cfdb9ab 100644
> --- a/arch/x86/kvm/svm.c
> +++ b/arch/x86/kvm/svm.c
> @@ -529,6 +529,7 @@ struct svm_cpu_data {
>         struct kvm_ldttss_desc *tss_desc;
>
>         struct page *save_area;
> +       struct vmcb *current_vmcb;
>  };
>
>  static DEFINE_PER_CPU(struct svm_cpu_data *, svm_data);
> @@ -918,6 +919,9 @@ static void svm_vcpu_init_msrpm(u32 *msrpm)
>
>                 set_msr_interception(msrpm, direct_access_msrs[i].index, 1, 1);
>         }
> +
> +       if (boot_cpu_has(X86_FEATURE_AMD_PRED_CMD))
> +               set_msr_interception(msrpm, MSR_IA32_PRED_CMD, 1, 1);
>  }
>
>  static void add_msr_offset(u32 offset)
> @@ -1706,11 +1710,17 @@ static void svm_free_vcpu(struct kvm_vcpu *vcpu)
>         __free_pages(virt_to_page(svm->nested.msrpm), MSRPM_ALLOC_ORDER);
>         kvm_vcpu_uninit(vcpu);
>         kmem_cache_free(kvm_vcpu_cache, svm);
> +       /*
> +        * The vmcb page can be recycled, causing a false negative in
> +        * svm_vcpu_load(). So do a full IBPB now.
> +        */
> +       indirect_branch_prediction_barrier();
>  }
>
>  static void svm_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
>  {
>         struct vcpu_svm *svm = to_svm(vcpu);
> +       struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
>         int i;
>
>         if (unlikely(cpu != vcpu->cpu)) {
> @@ -1739,6 +1749,10 @@ static void svm_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
>         if (static_cpu_has(X86_FEATURE_RDTSCP))
>                 wrmsrl(MSR_TSC_AUX, svm->tsc_aux);
>
> +       if (sd->current_vmcb != svm->vmcb) {
> +               sd->current_vmcb = svm->vmcb;
> +               indirect_branch_prediction_barrier();
> +       }
>         avic_vcpu_load(vcpu, cpu);
>  }
>
> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
> index d1e25db..3b64de2 100644
> --- a/arch/x86/kvm/vmx.c
> +++ b/arch/x86/kvm/vmx.c
> @@ -2279,6 +2279,7 @@ static void vmx_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
>         if (per_cpu(current_vmcs, cpu) != vmx->loaded_vmcs->vmcs) {
>                 per_cpu(current_vmcs, cpu) = vmx->loaded_vmcs->vmcs;
>                 vmcs_load(vmx->loaded_vmcs->vmcs);
> +               indirect_branch_prediction_barrier();
>         }
>
>         if (!already_loaded) {
> @@ -6791,6 +6792,9 @@ static __init int hardware_setup(void)
>                 kvm_tsc_scaling_ratio_frac_bits = 48;
>         }
>
> +       if (boot_cpu_has(X86_FEATURE_SPEC_CTRL))

I think the condition here should be:

if (guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL))

__do_cpuid_ent should pass through X86_FEATURE_SPEC_CTRL from the
host, but userspace should be allowed to clear it.
(Userspace should not be allowed to set it if the host doesn't support it.)

> +               vmx_disable_intercept_for_msr(MSR_IA32_PRED_CMD, false);
> +
>         vmx_disable_intercept_for_msr(MSR_FS_BASE, false);
>         vmx_disable_intercept_for_msr(MSR_GS_BASE, false);
>         vmx_disable_intercept_for_msr(MSR_KERNEL_GS_BASE, true);
> --
> 2.7.4
>