Received: by 10.223.176.46 with SMTP id f43csp3290306wra;
        Mon, 22 Jan 2018 11:31:57 -0800 (PST)
X-Google-Smtp-Source: AH8x224KpFwlflp3m2Xlmaz8UFu67UFHzSRldtBl9q5c6Z0n0g0L0mRINBZpWIhcj8KI0ngYfJUP
X-Received: by 10.36.65.92 with SMTP id x89mr9456337ita.3.1516649517255;
        Mon, 22 Jan 2018 11:31:57 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1516649517; cv=none;
        d=google.com; s=arc-20160816;
        b=wEvPCYeFkzLK0e2TBRs3ikCvWLPFPZBr/mOkEy5OYjtwwfKF710zr4l96CS3oqQKDc
         YajseCk/gb2AEnjLYHgp8Vnlob+3FysEyv1BGjnWdAFJVzin3nLWjqtCg8gWl23PVrx4
         txX2CxzAUFc9M1T/6NqUEyVOTQWTSI3fgRe5lmHoVX2YbuH6+e3fMz+nGakv95cYVY2Y
         V0CDw8D3/JrD/FPeBX97+UDfS11iTlyzJSNJUn+NDCv9IpG/yXfG7Fy3vcwioS/9H8ep
         XJEHK6AYUX965NMlcppDe+WqmQxcnnTQw8EGf8s8bOj8U1ZrDU65+SjVGddLnYmV8yJu
         D3Zg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=RjRP9LEouH4XJkbu1Q1eb5GXMYJj7RWzFCO1wlQZY1g=;
        b=ACwj22feqAeU86oLi+tECyvfrjOZmndd0oW3danL82b1mKHlVhLXGswfSxyV+1CkPn
         1xpndk6Y+xUXGP9FScPTEqHVU3fnX74sWorlg68I6qzWRHnD7+j2cR8ik9HWKvsNSn4j
         1j5feOgFgVEsBId1Z0jaILOj4it6sh4403VLz0EApbwdNAVS2x4K6oS/a1oo/dFA3FAn
         E3CqSZz4fKwdDy09Q8cC0xriFagf8sI7FhfFYIidLPgX72ZshFDNKB+mkK3we+11H+sL
         Jfi1m9/gAJ05Qtcnc3rNcpzgQ/qdxcOLp5EcjhI/hmp9pCs15BMdM1d+M9pvL3gzMfQL
         vp/g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=V5tVmEYd;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id f67si6545716itb.164.2018.01.22.11.31.43;
        Mon, 22 Jan 2018 11:31:57 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=V5tVmEYd;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1750996AbeAVTbU (ORCPT <rfc822;lans.zhang2008@gmail.com>
        + 99 others); Mon, 22 Jan 2018 14:31:20 -0500
Received: from mail-it0-f65.google.com ([209.85.214.65]:34898 "EHLO
        mail-it0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1750832AbeAVTbS (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 22 Jan 2018 14:31:18 -0500
Received: by mail-it0-f65.google.com with SMTP id e1so11005991ita.0
        for <linux-kernel@vger.kernel.org>; Mon, 22 Jan 2018 11:31:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=RjRP9LEouH4XJkbu1Q1eb5GXMYJj7RWzFCO1wlQZY1g=;
        b=V5tVmEYd/5cAGEQwdAwvH7GXAVi3LYxieQr0QMopkF75NpzpL7n5tB5Na/pULUvKMk
         IOXNyi2QRLbgzfNKAu3f4t6w+aTvQP3MoyXBNRagRMN8vv/mlVK5geWhilQJwbIOua8+
         hTFwTNx3CpKoTvAZJiN9fnzm8oYJMJU+fEle3IwgWa/FDWRcqEv+oB90eKcvaXo0FevI
         vuWKoiHLwvaov6jMy9w2V4C+CZpz+t53oRuGV2Sj8QGGkEeTgar43/FO7l1QJ9De3279
         knqDMpNZA8jlxqQAzxFAmv6r6a6Y1iTwLEB5O+LPqkjOyU+Nibi2Imv0UdAUO08zFYF/
         7rsg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=RjRP9LEouH4XJkbu1Q1eb5GXMYJj7RWzFCO1wlQZY1g=;
        b=doA88z/nDnNtP4NrfLkpU/xh+vQa61Xj1Kj7/PDH5E8x2dR1LVinZhFNKKjuotl38R
         TwrrVzqjHhhaWbrY+5zUcZ7IhEpAqf1dhYtxfU4xzu+lnKo/lw+kqnjd/82waCk7XBZ4
         iwoYygwaEBMplZ6yCS+VXsinWkHofae0Y9Mwum1HRF/ljEV3yfknID24exxEi814Alc5
         WZKuwLSJ6OuwFvPvaW3P9RmDdjNxU25x1mw4SoEcLqanl198jS3T/md6tUBTmj+mEr2k
         tbEqDH4wg33Y/lGFMYRUyPJNz5491rKf+HyPowq4hO8wcvXa3qulwDBMjMHsrNCgCDqg
         MTdA==
X-Gm-Message-State: AKwxytdzNJWvZF2lGuoCQqjzJ8N6n8z5hZ4CiyFvIkr62ETDQN2f/P+B
        iQRNv7rYXLnOGDaxsYx9QBBjPUbtzQ7+GnQwrTNggg==
X-Received: by 10.36.39.138 with SMTP id g132mr9538112ita.89.1516649477032;
 Mon, 22 Jan 2018 11:31:17 -0800 (PST)
MIME-Version: 1.0
Received: by 10.107.128.7 with HTTP; Mon, 22 Jan 2018 11:31:16 -0800 (PST)
In-Reply-To: <CALMp9eSdKyaAgxS1CLXgQ7GzFns7Agvr5kx67v87O9JT=1ypmA@mail.gmail.com>
References: <1516476182-5153-1-git-send-email-karahmed@amazon.de>
 <1516476182-5153-3-git-send-email-karahmed@amazon.de> <CALMp9eSdKyaAgxS1CLXgQ7GzFns7Agvr5kx67v87O9JT=1ypmA@mail.gmail.com>
From:   Jim Mattson <jmattson@google.com>
Date:   Mon, 22 Jan 2018 11:31:16 -0800
Message-ID: <CALMp9eTrzJ6gdBF9XvU5bg1=rN1U4Y-C30Z+c3pcf0iNpfzqdA@mail.gmail.com>
Subject: Re: [RFC 02/10] x86/kvm: Add IBPB support
To:     KarimAllah Ahmed <karahmed@amazon.de>
Cc:     LKML <linux-kernel@vger.kernel.org>,
        Andi Kleen <ak@linux.intel.com>,
        Andrea Arcangeli <aarcange@redhat.com>,
        Andy Lutomirski <luto@kernel.org>,
        Arjan van de Ven <arjan@linux.intel.com>,
        Ashok Raj <ashok.raj@intel.com>,
        Asit Mallick <asit.k.mallick@intel.com>,
        Borislav Petkov <bp@suse.de>,
        Dan Williams <dan.j.williams@intel.com>,
        Dave Hansen <dave.hansen@intel.com>,
        David Woodhouse <dwmw@amazon.co.uk>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        "H . Peter Anvin" <hpa@zytor.com>, Ingo Molnar <mingo@redhat.com>,
        Janakarajan Natarajan <Janakarajan.Natarajan@amd.com>,
        Joerg Roedel <joro@8bytes.org>,
        Jun Nakajima <jun.nakajima@intel.com>,
        Laura Abbott <labbott@redhat.com>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Masami Hiramatsu <mhiramat@kernel.org>,
        Paolo Bonzini <pbonzini@redhat.com>,
        Peter Zijlstra <peterz@infradead.org>,
        =?UTF-8?B?UmFkaW0gS3LEjW3DocWZ?= <rkrcmar@redhat.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        Tim Chen <tim.c.chen@linux.intel.com>,
        Tom Lendacky <thomas.lendacky@amd.com>,
        kvm list <kvm@vger.kernel.org>,
        "the arch/x86 maintainers" <x86@kernel.org>,
        Arjan Van De Ven <arjan.van.de.ven@intel.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Oh, but to do that properly, you need one of the per-vCPU bitmap
implementations that Paolo and I have independently posted.

On Mon, Jan 22, 2018 at 10:56 AM, Jim Mattson <jmattson@google.com> wrote:
> On Sat, Jan 20, 2018 at 11:22 AM, KarimAllah Ahmed <karahmed@amazon.de> wrote:
>> From: Ashok Raj <ashok.raj@intel.com>
>>
>> Add MSR passthrough for MSR_IA32_PRED_CMD and place branch predictor
>> barriers on switching between VMs to avoid inter VM specte-v2 attacks.
>>
>> [peterz: rebase and changelog rewrite]
>> [dwmw2: fixes]
>> [karahmed: - vmx: expose PRED_CMD whenever it is available
>>            - svm: only pass through IBPB if it is available]
>>
>> Cc: Asit Mallick <asit.k.mallick@intel.com>
>> Cc: Dave Hansen <dave.hansen@intel.com>
>> Cc: Arjan Van De Ven <arjan.van.de.ven@intel.com>
>> Cc: Tim Chen <tim.c.chen@linux.intel.com>
>> Cc: Linus Torvalds <torvalds@linux-foundation.org>
>> Cc: Andrea Arcangeli <aarcange@redhat.com>
>> Cc: Andi Kleen <ak@linux.intel.com>
>> Cc: Thomas Gleixner <tglx@linutronix.de>
>> Cc: Dan Williams <dan.j.williams@intel.com>
>> Cc: Jun Nakajima <jun.nakajima@intel.com>
>> Cc: Andy Lutomirski <luto@kernel.org>
>> Cc: Greg KH <gregkh@linuxfoundation.org>
>> Cc: David Woodhouse <dwmw@amazon.co.uk>
>> Cc: Paolo Bonzini <pbonzini@redhat.com>
>> Signed-off-by: Ashok Raj <ashok.raj@intel.com>
>> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
>> Link: http://lkml.kernel.org/r/1515720739-43819-6-git-send-email-ashok.raj@intel.com
>>
>> Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
>> Signed-off-by: KarimAllah Ahmed <karahmed@amazon.de>
>> ---
>>  arch/x86/kvm/svm.c | 14 ++++++++++++++
>>  arch/x86/kvm/vmx.c |  4 ++++
>>  2 files changed, 18 insertions(+)
>>
>> diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
>> index 2744b973..cfdb9ab 100644
>> --- a/arch/x86/kvm/svm.c
>> +++ b/arch/x86/kvm/svm.c
>> @@ -529,6 +529,7 @@ struct svm_cpu_data {
>>         struct kvm_ldttss_desc *tss_desc;
>>
>>         struct page *save_area;
>> +       struct vmcb *current_vmcb;
>>  };
>>
>>  static DEFINE_PER_CPU(struct svm_cpu_data *, svm_data);
>> @@ -918,6 +919,9 @@ static void svm_vcpu_init_msrpm(u32 *msrpm)
>>
>>                 set_msr_interception(msrpm, direct_access_msrs[i].index, 1, 1);
>>         }
>> +
>> +       if (boot_cpu_has(X86_FEATURE_AMD_PRED_CMD))
>> +               set_msr_interception(msrpm, MSR_IA32_PRED_CMD, 1, 1);
>>  }
>>
>>  static void add_msr_offset(u32 offset)
>> @@ -1706,11 +1710,17 @@ static void svm_free_vcpu(struct kvm_vcpu *vcpu)
>>         __free_pages(virt_to_page(svm->nested.msrpm), MSRPM_ALLOC_ORDER);
>>         kvm_vcpu_uninit(vcpu);
>>         kmem_cache_free(kvm_vcpu_cache, svm);
>> +       /*
>> +        * The vmcb page can be recycled, causing a false negative in
>> +        * svm_vcpu_load(). So do a full IBPB now.
>> +        */
>> +       indirect_branch_prediction_barrier();
>>  }
>>
>>  static void svm_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
>>  {
>>         struct vcpu_svm *svm = to_svm(vcpu);
>> +       struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
>>         int i;
>>
>>         if (unlikely(cpu != vcpu->cpu)) {
>> @@ -1739,6 +1749,10 @@ static void svm_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
>>         if (static_cpu_has(X86_FEATURE_RDTSCP))
>>                 wrmsrl(MSR_TSC_AUX, svm->tsc_aux);
>>
>> +       if (sd->current_vmcb != svm->vmcb) {
>> +               sd->current_vmcb = svm->vmcb;
>> +               indirect_branch_prediction_barrier();
>> +       }
>>         avic_vcpu_load(vcpu, cpu);
>>  }
>>
>> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
>> index d1e25db..3b64de2 100644
>> --- a/arch/x86/kvm/vmx.c
>> +++ b/arch/x86/kvm/vmx.c
>> @@ -2279,6 +2279,7 @@ static void vmx_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
>>         if (per_cpu(current_vmcs, cpu) != vmx->loaded_vmcs->vmcs) {
>>                 per_cpu(current_vmcs, cpu) = vmx->loaded_vmcs->vmcs;
>>                 vmcs_load(vmx->loaded_vmcs->vmcs);
>> +               indirect_branch_prediction_barrier();
>>         }
>>
>>         if (!already_loaded) {
>> @@ -6791,6 +6792,9 @@ static __init int hardware_setup(void)
>>                 kvm_tsc_scaling_ratio_frac_bits = 48;
>>         }
>>
>> +       if (boot_cpu_has(X86_FEATURE_SPEC_CTRL))
>
> I think the condition here should be:
>
> if (guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL))
>
> __do_cpuid_ent should pass through X86_FEATURE_SPEC_CTRL from the
> host, but userspace should be allowed to clear it.
> (Userspace should not be allowed to set it if the host doesn't support it.)
>
>> +               vmx_disable_intercept_for_msr(MSR_IA32_PRED_CMD, false);
>> +
>>         vmx_disable_intercept_for_msr(MSR_FS_BASE, false);
>>         vmx_disable_intercept_for_msr(MSR_GS_BASE, false);
>>         vmx_disable_intercept_for_msr(MSR_KERNEL_GS_BASE, true);
>> --
>> 2.7.4
>>