Received: by 10.223.176.5 with SMTP id f5csp3611351wra; Mon, 29 Jan 2018 16:12:34 -0800 (PST) X-Google-Smtp-Source: AH8x227dic8YkyBa1F/XaJ0JT8UD2vjPRnhw2LtayWi9nbrFp4POHBE2xBBubadTdW20bo/FL0Xd X-Received: by 10.99.114.81 with SMTP id c17mr22945683pgn.173.1517271154048; Mon, 29 Jan 2018 16:12:34 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1517271154; cv=none; d=google.com; s=arc-20160816; b=iIrwbU73rzjaA4ZxzS5rc/UlpHZoOYmxQVgALXgyx/IOAz+LuQpzgBBxgYVvaoHlJD l7S0q+iTVcMSYLv/lzDS1qudoqb8QYcZPQvB3bEw+It5uVvnP28gh9JSbyLK8w/3D4LC 3ZsPtTerUJ/20jUWCrFuOKHah+5Rm3R/9dF/g2JEZqNlJZQiMaU7BV1AyjE/TtvIGDIb sr8VN9hjT9sbXMGJzr7AnfQmAklrrtyGVP3V1DpLNEUDZ+MlpO6CfKjoW4EA9VjHkQ2N GsqPxpEpRUqu5oK9Oz6GiD57cahwSDJ+0TA6NTlRT30OVlieQZlEwRiS1mqhHcTYEUfP 0D1g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature:arc-authentication-results; bh=LB+PvOSXPgmYNvZyROtsDaavYo6Dr9e4Hkg601hpvJQ=; b=WO8Fbdiwd08h6Mn/KUsrgCmxF2i7G/nOiasdllRz5pXb1qGjosyFK4PMDn7GCOeYYS 8EkFTlLJOFn53wiShbEfYrRPMR6wOeQ51/ZKSdDMIhAzON0ulmMrwJmRmlk3LrMhMtW5 JHt5wTg/N0g6kZWV11PPxthwm1cKE4k6/d9yL1dbo858TeFE588QLswzgDCxDawxkUmU Av7IVvKeb1O/fpn+07WHTIeYjoqaqyYd+U7ptXgNKvZlBrXJxNdr/M57e9RHQCi+1A+u N1QT9h8WGK37C9kTDQB0gB8OPWQMkIObknSrx+ix8wyapwvFmRi76W64AdzuGpczA1/+ VaVA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@amazon.de header.s=amazon201209 header.b=u3DRA6T2; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amazon.de Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id r9si12861521pfk.216.2018.01.29.16.12.19; Mon, 29 Jan 2018 16:12:34 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@amazon.de header.s=amazon201209 header.b=u3DRA6T2; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amazon.de Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752131AbeA3ALx (ORCPT + 99 others); Mon, 29 Jan 2018 19:11:53 -0500 Received: from smtp-fw-4101.amazon.com ([72.21.198.25]:8986 "EHLO smtp-fw-4101.amazon.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751394AbeA3ALu (ORCPT ); Mon, 29 Jan 2018 19:11:50 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.de; i=@amazon.de; q=dns/txt; s=amazon201209; t=1517271109; x=1548807109; h=from:to:cc:subject:date:message-id:in-reply-to: references; bh=LB+PvOSXPgmYNvZyROtsDaavYo6Dr9e4Hkg601hpvJQ=; b=u3DRA6T2hiXkLBs7iCExhSPl1C74gLuXYZwdrUTyDaTlJ13fvs86mwqI fJokn26mKaZjsVDVAW8/k+GlH2gu9nEVKEWK/oXH0b8N0KpJEiT/fLTNr QqaorjvrihFhtLm/7D8Q7afCNMgAQO0T3tXR0Px2XWDMchzRy7OB+EoT0 I=; X-IronPort-AV: E=Sophos;i="5.46,433,1511827200"; d="scan'208";a="705859212" Received: from iad6-co-svc-p1-lb1-vlan3.amazon.com (HELO email-inbound-relay-2c-87a10be6.us-west-2.amazon.com) ([10.124.125.6]) by smtp-border-fw-out-4101.iad4.amazon.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 30 Jan 2018 00:11:46 +0000 Received: from u54e1ad5160425a4b64ea.ant.amazon.com (pdx2-ws-svc-lb17-vlan3.amazon.com [10.247.140.70]) by email-inbound-relay-2c-87a10be6.us-west-2.amazon.com (8.14.7/8.14.7) with ESMTP id w0U0BfJF103713 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 30 Jan 2018 00:11:43 GMT Received: from u54e1ad5160425a4b64ea.ant.amazon.com (localhost [127.0.0.1]) by u54e1ad5160425a4b64ea.ant.amazon.com (8.15.2/8.15.2/Debian-3) with ESMTP id w0U0Bdth016128; Tue, 30 Jan 2018 01:11:40 +0100 Received: (from karahmed@localhost) by u54e1ad5160425a4b64ea.ant.amazon.com (8.15.2/8.15.2/Submit) id w0U0Bchn016127; Tue, 30 Jan 2018 01:11:38 +0100 From: KarimAllah Ahmed To: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, x86@kernel.org Cc: Ashok Raj , Asit Mallick , Dave Hansen , Arjan Van De Ven , Tim Chen , Linus Torvalds , Andrea Arcangeli , Andi Kleen , Thomas Gleixner , Dan Williams , Jun Nakajima , Andy Lutomirski , Greg KH , Paolo Bonzini , Peter Zijlstra , David Woodhouse , KarimAllah Ahmed Subject: [PATCH v3 2/4] KVM: x86: Add IBPB support Date: Tue, 30 Jan 2018 01:10:26 +0100 Message-Id: <1517271028-15916-3-git-send-email-karahmed@amazon.de> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1517271028-15916-1-git-send-email-karahmed@amazon.de> References: <1517271028-15916-1-git-send-email-karahmed@amazon.de> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Ashok Raj Add MSR passthrough for MSR_IA32_PRED_CMD and place branch predictor barriers on switching between VMs to avoid inter VM Spectre-v2 attacks. [peterz: rebase and changelog rewrite] [karahmed: - rebase - vmx: expose PRED_CMD whenever it is available - svm: only pass through IBPB if it is available - vmx: support !cpu_has_vmx_msr_bitmap()] [dwmw2: Expose CPUID bit too (AMD IBPB only for now as we lack IBRS) PRED_CMD is a write-only MSR] Cc: Asit Mallick Cc: Dave Hansen Cc: Arjan Van De Ven Cc: Tim Chen Cc: Linus Torvalds Cc: Andrea Arcangeli Cc: Andi Kleen Cc: Thomas Gleixner Cc: Dan Williams Cc: Jun Nakajima Cc: Andy Lutomirski Cc: Greg KH Cc: Paolo Bonzini Signed-off-by: Ashok Raj Signed-off-by: Peter Zijlstra (Intel) Link: http://lkml.kernel.org/r/1515720739-43819-6-git-send-email-ashok.raj@intel.com Signed-off-by: David Woodhouse Signed-off-by: KarimAllah Ahmed --- arch/x86/kvm/cpuid.c | 11 ++++++++++- arch/x86/kvm/svm.c | 14 ++++++++++++++ arch/x86/kvm/vmx.c | 12 ++++++++++++ 3 files changed, 36 insertions(+), 1 deletion(-) diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c index c0eb337..033004d 100644 --- a/arch/x86/kvm/cpuid.c +++ b/arch/x86/kvm/cpuid.c @@ -365,6 +365,10 @@ static inline int __do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 function, F(3DNOWPREFETCH) | F(OSVW) | 0 /* IBS */ | F(XOP) | 0 /* SKINIT, WDT, LWP */ | F(FMA4) | F(TBM); + /* cpuid 0x80000008.ebx */ + const u32 kvm_cpuid_8000_0008_ebx_x86_features = + F(IBPB); + /* cpuid 0xC0000001.edx */ const u32 kvm_cpuid_C000_0001_edx_x86_features = F(XSTORE) | F(XSTORE_EN) | F(XCRYPT) | F(XCRYPT_EN) | @@ -625,7 +629,12 @@ static inline int __do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 function, if (!g_phys_as) g_phys_as = phys_as; entry->eax = g_phys_as | (virt_as << 8); - entry->ebx = entry->edx = 0; + entry->edx = 0; + /* IBPB isn't necessarily present in hardware cpuid */ + if (boot_cpu_has(X86_FEATURE_IBPB)) + entry->ebx |= F(IBPB); + entry->ebx &= kvm_cpuid_8000_0008_ebx_x86_features; + cpuid_mask(&entry->ebx, CPUID_8000_0008_EBX); break; } case 0x80000019: diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c index 2744b973..c886e46 100644 --- a/arch/x86/kvm/svm.c +++ b/arch/x86/kvm/svm.c @@ -529,6 +529,7 @@ struct svm_cpu_data { struct kvm_ldttss_desc *tss_desc; struct page *save_area; + struct vmcb *current_vmcb; }; static DEFINE_PER_CPU(struct svm_cpu_data *, svm_data); @@ -918,6 +919,9 @@ static void svm_vcpu_init_msrpm(u32 *msrpm) set_msr_interception(msrpm, direct_access_msrs[i].index, 1, 1); } + + if (boot_cpu_has(X86_FEATURE_IBPB)) + set_msr_interception(msrpm, MSR_IA32_PRED_CMD, 1, 1); } static void add_msr_offset(u32 offset) @@ -1706,11 +1710,17 @@ static void svm_free_vcpu(struct kvm_vcpu *vcpu) __free_pages(virt_to_page(svm->nested.msrpm), MSRPM_ALLOC_ORDER); kvm_vcpu_uninit(vcpu); kmem_cache_free(kvm_vcpu_cache, svm); + /* + * The vmcb page can be recycled, causing a false negative in + * svm_vcpu_load(). So do a full IBPB now. + */ + indirect_branch_prediction_barrier(); } static void svm_vcpu_load(struct kvm_vcpu *vcpu, int cpu) { struct vcpu_svm *svm = to_svm(vcpu); + struct svm_cpu_data *sd = per_cpu(svm_data, cpu); int i; if (unlikely(cpu != vcpu->cpu)) { @@ -1739,6 +1749,10 @@ static void svm_vcpu_load(struct kvm_vcpu *vcpu, int cpu) if (static_cpu_has(X86_FEATURE_RDTSCP)) wrmsrl(MSR_TSC_AUX, svm->tsc_aux); + if (sd->current_vmcb != svm->vmcb) { + sd->current_vmcb = svm->vmcb; + indirect_branch_prediction_barrier(); + } avic_vcpu_load(vcpu, cpu); } diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c index aa8638a..ea278ce 100644 --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -2272,6 +2272,7 @@ static void vmx_vcpu_load(struct kvm_vcpu *vcpu, int cpu) if (per_cpu(current_vmcs, cpu) != vmx->loaded_vmcs->vmcs) { per_cpu(current_vmcs, cpu) = vmx->loaded_vmcs->vmcs; vmcs_load(vmx->loaded_vmcs->vmcs); + indirect_branch_prediction_barrier(); } if (!already_loaded) { @@ -3330,6 +3331,14 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info) case MSR_IA32_TSC: kvm_write_tsc(vcpu, msr_info); break; + case MSR_IA32_PRED_CMD: + if (!msr_info->host_initiated && + !guest_cpuid_has(vcpu, X86_FEATURE_IBPB)) + return 1; + + if (data & PRED_CMD_IBPB) + wrmsrl(MSR_IA32_PRED_CMD, PRED_CMD_IBPB); + break; case MSR_IA32_CR_PAT: if (vmcs_config.vmentry_ctrl & VM_ENTRY_LOAD_IA32_PAT) { if (!kvm_mtrr_valid(vcpu, MSR_IA32_CR_PAT, data)) @@ -9548,6 +9557,9 @@ static struct kvm_vcpu *vmx_create_vcpu(struct kvm *kvm, unsigned int id) goto free_msrs; msr_bitmap = vmx->vmcs01.msr_bitmap; + + if (boot_cpu_has(X86_FEATURE_IBPB)) + vmx_disable_intercept_for_msr(msr_bitmap, MSR_IA32_PRED_CMD, MSR_TYPE_W); vmx_disable_intercept_for_msr(msr_bitmap, MSR_FS_BASE, MSR_TYPE_RW); vmx_disable_intercept_for_msr(msr_bitmap, MSR_GS_BASE, MSR_TYPE_RW); vmx_disable_intercept_for_msr(msr_bitmap, MSR_KERNEL_GS_BASE, MSR_TYPE_RW); -- 2.7.4