Received: by 10.223.176.5 with SMTP id f5csp165958wra; Tue, 30 Jan 2018 09:35:31 -0800 (PST) X-Google-Smtp-Source: AH8x225R6EQKp53pEYeOt/HskaHqccEQ8LG8bJO6XubE6JHZignCakKGmJ65fkR2xoMdILr74Phf X-Received: by 10.98.27.5 with SMTP id b5mr31205647pfb.103.1517333731687; Tue, 30 Jan 2018 09:35:31 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1517333731; cv=none; d=google.com; s=arc-20160816; b=Y3kyT6ikzOytLIEk1OdMCBzryq5wQRtLPieCg4UUnyiOOt1cpJOWctiBhTyzY+n/m8 DhGZ2I3Bb8MEorjUOGrokkSdk/SfbgXlFaShtHiFcJEjf9bSb6mqwOY/LKS6005OOIcs L37Y3F75OFIiekbxQc8GTFN8K07XIqG/q2+4ygk/DC8+WCviNPDADCtzTBTHR/tTFNLJ +whChCevVS+xxRH7xdswrM0rsjLj5tH2hdfT+rqZXNrgoAW2VB+lWicAScUCSOfPq7xn x03hpirhS4fGZ2D/ki8bVr6D4jg2VsEXG+2idX1ftmv4IT3A7M79C/sPVYaI6A5Zbcq+ Eweg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=kKgjoQcc9T+tPYqt9ATay1eM7fVE25KJkoWKDYEryoA=; b=uUXs6JgXsRUdwyJCuXpEnBjkBrkTVzE+OsN9R4PkxLQWUjxkFilm+z7Ed4DKt1/7uw z7MtEuW848j0N5UU1653p4YoEBA0XQoabYr1x3sQafdVI2Ki8yMOiw/4UGduZ46Fq67M aFSjlgXQZ0mzmnKTBrSaxzNoTnboGX6vl46MsfngnF06H074qNPGi15B7wf8S7Z4YyX3 K1Sf2In/k0Ym9pdcmcWqIDMcYqMifOyyEB+V+rpQJRuekJj6t1itVeX9UmOTEjpbbzaN bq9+lIgrQI56R8SdN9pIGNHyPkQ0izD+S6usaCBh9gz3+rze7Bx5Vl7mi4wcqd2pK9Lo OQdQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=r1atah1e; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h24si9590945pgn.41.2018.01.30.09.35.16; Tue, 30 Jan 2018 09:35:31 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=r1atah1e; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753516AbeA3Q5m (ORCPT + 99 others); Tue, 30 Jan 2018 11:57:42 -0500 Received: from mail-it0-f68.google.com ([209.85.214.68]:34325 "EHLO mail-it0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753502AbeA3Q5j (ORCPT ); Tue, 30 Jan 2018 11:57:39 -0500 Received: by mail-it0-f68.google.com with SMTP id m11so3151205iti.1 for ; Tue, 30 Jan 2018 08:57:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=kKgjoQcc9T+tPYqt9ATay1eM7fVE25KJkoWKDYEryoA=; b=r1atah1e2hOJtBqtiUImhQ/Fb3v7qsK/PhU8fAQZjqsasmAc5V42KiYHkFNlz+/uSs OU6fuYswwuZ/r1ouOEcqWQyhBshbSZmPfCoo+YLa1yyeHFzkHt3ihYFkkqoXMnzaPmcL qN/y6GumQdHZqZB8f23qA2TloEtbk+bTFWyt45XVixKu4H9s/3E8R8ZDhH5aaE2ENBXR cKPXRNdV5vYfsggROmykU2a02GBEm404Cif5ppp+jZP9mjNtqyuut8aUcIB4ggY7Kj5u QvTSYICowSw9+eCx5OSrNP5tv4dUiZV3rD+SBWXQcMTE5EyOykKi3QuHwyCpxxrHSwtq egdA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=kKgjoQcc9T+tPYqt9ATay1eM7fVE25KJkoWKDYEryoA=; b=l/iNkxNK6hwD5aaq5P0j469GvLr8VWXoL2ldwwcTIiQoGq3P+HuCQwOeksDGQ7KuFo jYoFZ6GROXaMfD0WbnTDjGmbFwKoEkYiZwXWbsbdnxlnSCCatTmG5ElQs6GtjgOfXT/3 WnTWKtMyaSvfieba0Rb2os9iJvi9lQjTY18Dlc2w3i5mqP0VyhAeofh+ruo3hA0AuuQ1 KnMJSFUGcqohOwBbrz06h4p8xdUtU3Rz7Y3TzRzsC+vTeme60Jq8WCvH4+madEQYmz4x TUhi+uuxcaT84AlTV2rXkKDIUL2mPCeM0e5lVmS2+VJCBlO0Y7N1BJ1Rfh+bhNgvEIOF c97Q== X-Gm-Message-State: AKwxyteN09UxBCpNirxu7wGM1Yu1qUy3jQMp5SJ791xf0pehHJIILYKt 27cR7rJlAsp9TAJTFfb2lbf5LWqciQOYw2TU4Ce3Dw== X-Received: by 10.36.10.20 with SMTP id 20mr30963085itw.127.1517331458336; Tue, 30 Jan 2018 08:57:38 -0800 (PST) MIME-Version: 1.0 Received: by 10.107.128.7 with HTTP; Tue, 30 Jan 2018 08:57:37 -0800 (PST) In-Reply-To: References: <20180109120311.27565-10-pbonzini@redhat.com> <6dc02278-7004-1794-3705-69c8cad86be4@oracle.com> From: Jim Mattson Date: Tue, 30 Jan 2018 08:57:37 -0800 Message-ID: Subject: Re: [9/8] KVM: x86: limit MSR_IA32_SPEC_CTRL access based on CPUID availability To: Mihai Carabas Cc: Paolo Bonzini , LKML , kvm list , =?UTF-8?B?UmFkaW0gS3LEjW3DocWZ?= , Liran Alon , Anthony Liguori , Tom Lendacky , David Woodhouse , Borislav Petkov , "the arch/x86 maintainers" , Konrad Rzeszutek Wilk Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org It's really hard to tell which patches are being proposed for which repositories, but assuming that everything else is correct, I don't think your condition is adequate. What if the physical CPU and the virtual CPU both have CPUID.(EAX=7H,ECX=0):EDX[26], but only the physical CPU has CPUID.(EAX=7H,ECX=0):EDX[27]? If the guest has write access to MSR_IA32_SPEC_CTRL, it can set MSR_IA32_SPEC_CTRL[1] (STIBP), even though setting that bit in the guest should raise #GP. On Tue, Jan 30, 2018 at 8:43 AM, Mihai Carabas wrote: > On 30.01.2018 18:33, Jim Mattson wrote: >> >> All MSR intercepts are enabled by default, so I don't think this patch >> does anything at all, unless I'm missing some context. >> > > Currently on upstream some MSR are intercepted: > https://github.com/torvalds/linux/blob/master/arch/x86/kvm/vmx.c#L6838 > > In particular to this patch, the MSR_IA32_SPEC_CTRL intercept is disabled in > 3/8: https://patchwork.kernel.org/patch/10151889/ > > > >> On Tue, Jan 30, 2018 at 5:21 AM, Mihai Carabas >> wrote: >>> >>> Hello Paolo, >>> >>> I've back ported this patch on 4.1, after adding the per-vcpu MSR bitmap. >>> Also enabled the SPEC_CTRL_MSR intercept if qemu instructed so [1]. >>> >>> Reviewed-by: Mihai Carabas >>> >>> [1] >>> +++ b/arch/x86/kvm/vmx.c >>> @@ -8391,6 +8391,16 @@ static struct kvm_vcpu *vmx_create_vcpu(struct kvm >>> *kvm, unsigned int id) >>> vmx_disable_intercept_for_msr(msr_bitmap, MSR_IA32_PRED_CMD, >>> MSR_TYPE_R | MSR_TYPE_W); >>> vmx_disable_intercept_for_msr(msr_bitmap, MSR_IA32_BNDCFGS, >>> MSR_TYPE_R | MSR_TYPE_W); >>> >>> + /* >>> + * If the physical CPU or the vCPU of this VM doesn't >>> + * support SPEC_CTRL feature, catch each access to it. >>> + */ >>> + if (!static_cpu_has(X86_FEATURE_SPEC_CTRL) || >>> + !guest_cpuid_has_spec_ctrl(&vmx->vcpu)) >>> + vmx_enable_intercept_for_msr( >>> + msr_bitmap, >>> + MSR_IA32_SPEC_CTRL, >>> + MSR_TYPE_R | MSR_TYPE_W); >>> >>> /* >>> * If PML is turned on, failure on enabling PML just results in >>> failure >>> >>> >>> >>> On 09.01.2018 14:03, Paolo Bonzini wrote: >>>> >>>> >>>> MSR_IA32_SPEC_CTRL is not available unless CPU[7,0].EDX[26] is 1. >>>> Check that against host CPUID or guest CPUID, respectively for >>>> host-initiated and guest-initiated accesses. >>>> >>>> Suggested-by: Jim Mattson >>>> Signed-off-by: Paolo Bonzini >>>> --- >>>> This is for after X86_FEATURE_SPEC_CTRL is added to Linux, but >>>> I still wanted to ack Jim's improvement. >>>> >>>> arch/x86/kvm/svm.c | 8 ++++++++ >>>> arch/x86/kvm/vmx.c | 8 ++++++++ >>>> 2 files changed, 16 insertions(+) >>>> >>>> diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c >>>> index 97126c2bd663..3a646580d7c5 100644 >>>> --- a/arch/x86/kvm/svm.c >>>> +++ b/arch/x86/kvm/svm.c >>>> @@ -3648,6 +3648,10 @@ static int svm_get_msr(struct kvm_vcpu *vcpu, >>>> struct msr_data *msr_info) >>>> msr_info->data = svm->nested.vm_cr_msr; >>>> break; >>>> case MSR_IA32_SPEC_CTRL: >>>> + if (!static_cpu_has(X86_FEATURE_SPEC_CTRL) || >>>> + (!msr_info->host_initiated && >>>> + !guest_cpuid_has(vcpu, >>>> X86_FEATURE_SPEC_CTRL))) >>>> + return 1; >>>> msr_info->data = svm->spec_ctrl; >>>> break; >>>> case MSR_IA32_UCODE_REV: >>>> @@ -3806,6 +3810,10 @@ static int svm_set_msr(struct kvm_vcpu *vcpu, >>>> struct msr_data *msr) >>>> vcpu_unimpl(vcpu, "unimplemented wrmsr: 0x%x data >>>> 0x%llx\n", ecx, data); >>>> break; >>>> case MSR_IA32_SPEC_CTRL: >>>> + if (!static_cpu_has(X86_FEATURE_SPEC_CTRL) || >>>> + (!msr_info->host_initiated && >>>> + !guest_cpuid_has(vcpu, >>>> X86_FEATURE_SPEC_CTRL))) >>>> + return 1; >>>> svm->spec_ctrl = data; >>>> break; >>>> case MSR_IA32_APICBASE: >>>> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c >>>> index 49b4a2d61603..42bc7ee293e4 100644 >>>> --- a/arch/x86/kvm/vmx.c >>>> +++ b/arch/x86/kvm/vmx.c >>>> @@ -3368,6 +3368,10 @@ static int vmx_get_msr(struct kvm_vcpu *vcpu, >>>> struct msr_data *msr_info) >>>> msr_info->data = guest_read_tsc(vcpu); >>>> break; >>>> case MSR_IA32_SPEC_CTRL: >>>> + if (!static_cpu_has(X86_FEATURE_SPEC_CTRL) || >>>> + (!msr_info->host_initiated && >>>> + !guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL))) >>>> + return 1; >>>> msr_info->data = to_vmx(vcpu)->spec_ctrl; >>>> break; >>>> case MSR_IA32_SYSENTER_CS: >>>> @@ -3510,6 +3514,10 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, >>>> struct msr_data *msr_info) >>>> kvm_write_tsc(vcpu, msr_info); >>>> break; >>>> case MSR_IA32_SPEC_CTRL: >>>> + if (!static_cpu_has(X86_FEATURE_SPEC_CTRL) || >>>> + (!msr_info->host_initiated && >>>> + !guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL))) >>>> + return 1; >>>> to_vmx(vcpu)->spec_ctrl = data; >>>> break; >>>> case MSR_IA32_CR_PAT: >>>> >>> >