Received: by 2002:ac0:98c7:0:0:0:0:0 with SMTP id g7-v6csp3666910imd; Mon, 29 Oct 2018 10:27:05 -0700 (PDT) X-Google-Smtp-Source: AJdET5cHgWYOvbof3tOULgUE417a3GDdw6/5mrFvNun2qB6r08jmmrqPYxVe/L2X1JBUdOSLuYdB X-Received: by 2002:a17:902:c01:: with SMTP id 1-v6mr4165696pls.15.1540834025312; Mon, 29 Oct 2018 10:27:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1540834025; cv=none; d=google.com; s=arc-20160816; b=L5/iAMimo2y+j9MhOCYLxHMal0cg61ZRaCHaGXVShFooVUOu5lrdNdkJDz3P4cqxaQ hlssC2IedhRVAZ4Usu8Z/ItD+aJ/lAQaj5h51mK7m1WP1Hf3cM1SHBULvctW543ectPL m4iPLkO8B2WEeWmKY/8Jx5t+Nvx73VUfe8w8k1a17DpPn9AqXbn0txrgqWW99ZPpiAHP sIOpJJ1NY83pbHkA1eLpsRWuemCuX8RDcCLlDo1TQTp9Jh8EOYxsCawAs+KDlb/mW/ti XcSTbNMtU4jMCbvCZ6vPt6+Aiko+k9dNaujInZfy4tPUmQuFveejN4ISX7qhKa5p2En8 wp+g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-transfer-encoding:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=AioP6YfxU9tsfTKqp05u5jGwRpcVzwj2JSl4EHmm5lw=; b=pTX7/20U4H5vAzlQ0CTkQAWxRe/DxlCknwPdUPwpsyy6/o7U0ceQHU0ioNYRecrtyi TTQfK4JW/hyuPYShGfus5he//Ro+ALCsymdNWYt2PqlKGh9bCc9NMpBXEgzQOWwWNbKz 0shl22bRUXsFwotBNcMmZ4mVfme7vdtH4pv1IIT9+/PDb2ODWJJuiOgCuycb0KQ1In3i SmbpXtP4oel44qkgnONmdU4gm7QfesEn/pYUjS9LZ15NyiFxlDPVe7H/q4UIzZFHA+PR rueeD1GFj3ih8N15xxxLAhcZnsDluXMCbeX/xs1eI1iVVgT8gfzPbGlB0zA6VEa7XFjK oc/w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l5-v6si20761517pgg.277.2018.10.29.10.26.49; Mon, 29 Oct 2018 10:27:05 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727386AbeJ3CPl (ORCPT + 99 others); Mon, 29 Oct 2018 22:15:41 -0400 Received: from mga17.intel.com ([192.55.52.151]:11357 "EHLO mga17.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726300AbeJ3CPl (ORCPT ); Mon, 29 Oct 2018 22:15:41 -0400 X-Amp-Result: UNKNOWN X-Amp-Original-Verdict: FILE UNKNOWN X-Amp-File-Uploaded: False Received: from orsmga005.jf.intel.com ([10.7.209.41]) by fmsmga107.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 29 Oct 2018 10:26:08 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.54,441,1534834800"; d="scan'208";a="269744565" Received: from sjchrist-coffee.jf.intel.com (HELO linux.intel.com) ([10.54.74.193]) by orsmga005.jf.intel.com with ESMTP; 29 Oct 2018 10:26:08 -0700 Date: Mon, 29 Oct 2018 10:26:08 -0700 From: Sean Christopherson To: Julian Stecklina Cc: kvm@vger.kernel.org, Paolo Bonzini , Julian Stecklina , linux-kernel@vger.kernel.org Subject: Re: [PATCH v2 2/3] kvm, vmx: move register clearing out of assembly path Message-ID: <20181029172608.GB27762@linux.intel.com> References: <74fa3809ea293cc05d37b1449b16e08480c4ddbd.1540822350.git.jsteckli@amazon.de> <33085f6c98496ed8094ce68855b49851abb86406.1540822350.git.jsteckli@amazon.de> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <33085f6c98496ed8094ce68855b49851abb86406.1540822350.git.jsteckli@amazon.de> User-Agent: Mutt/1.5.24 (2015-08-30) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Oct 29, 2018 at 04:40:43PM +0100, Julian Stecklina wrote: > Split the security related register clearing out of the large inline > assembly VM entry path. This results in two slightly less complicated > inline assembly statements, where it is clearer what each one does. > > Signed-off-by: Julian Stecklina > Reviewed-by: Jan H. Sch?nherr > Reviewed-by: Konrad Jan Miller > Reviewed-by: Jim Mattson > --- > arch/x86/kvm/vmx.c | 45 ++++++++++++++++++++++++++++----------------- > 1 file changed, 28 insertions(+), 17 deletions(-) > > diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c > index a6e5a5c..29a2ee7 100644 > --- a/arch/x86/kvm/vmx.c > +++ b/arch/x86/kvm/vmx.c > @@ -11281,24 +11281,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) > "mov %%r13, %c[r13](%0) \n\t" > "mov %%r14, %c[r14](%0) \n\t" > "mov %%r15, %c[r15](%0) \n\t" > - /* > - * Clear host registers marked as clobbered to prevent > - * speculative use. > - */ > - "xor %%r8d, %%r8d \n\t" > - "xor %%r9d, %%r9d \n\t" > - "xor %%r10d, %%r10d \n\t" > - "xor %%r11d, %%r11d \n\t" > - "xor %%r12d, %%r12d \n\t" > - "xor %%r13d, %%r13d \n\t" > - "xor %%r14d, %%r14d \n\t" > - "xor %%r15d, %%r15d \n\t" > #endif > - > - "xor %%eax, %%eax \n\t" > - "xor %%ebx, %%ebx \n\t" > - "xor %%esi, %%esi \n\t" > - "xor %%edi, %%edi \n\t" > "pop %%" _ASM_BP "; pop %%" _ASM_DX " \n\t" > ".pushsection .rodata \n\t" > ".global vmx_return \n\t" > @@ -11336,6 +11319,34 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) > ); > > /* > + * Don't let guest register values survive. Registers that cannot > + * contain guest values anymore are not touched. I think it's a good idea to explicitly call out that clearing the GPRs is done to prevent speculative use. Simply stating that we don't want to let guest register values survive doesn't explain *why*. What about: /* * Explicitly clear (in addition to marking them as clobbered) all GPRs * that have not been loaded with host state to prevent speculatively * using the guest's values. */ > + */ > + asm volatile ( > + "xor %%eax, %%eax \n\t" > + "xor %%ebx, %%ebx \n\t" > + "xor %%esi, %%esi \n\t" > + "xor %%edi, %%edi \n\t" > +#ifdef CONFIG_X86_64 > + "xor %%r8d, %%r8d \n\t" > + "xor %%r9d, %%r9d \n\t" > + "xor %%r10d, %%r10d \n\t" > + "xor %%r11d, %%r11d \n\t" > + "xor %%r12d, %%r12d \n\t" > + "xor %%r13d, %%r13d \n\t" > + "xor %%r14d, %%r14d \n\t" > + "xor %%r15d, %%r15d \n\t" > +#endif > + ::: "cc" > +#ifdef CONFIG_X86_64 > + , "rax", "rbx", "rsi", "rdi" > + , "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15" > +#else > + , "eax", "ebx", "esi", "edi" > +#endif > + ); > + > + /* > * We do not use IBRS in the kernel. If this vCPU has used the > * SPEC_CTRL MSR it may have left it on; save the value and > * turn it off. This is much more efficient than blindly adding > -- > 2.7.4 >