Received: by 2002:ac0:98c7:0:0:0:0:0 with SMTP id g7-v6csp3666910imd;
        Mon, 29 Oct 2018 10:27:05 -0700 (PDT)
X-Google-Smtp-Source: AJdET5cHgWYOvbof3tOULgUE417a3GDdw6/5mrFvNun2qB6r08jmmrqPYxVe/L2X1JBUdOSLuYdB
X-Received: by 2002:a17:902:c01:: with SMTP id 1-v6mr4165696pls.15.1540834025312;
        Mon, 29 Oct 2018 10:27:05 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1540834025; cv=none;
        d=google.com; s=arc-20160816;
        b=L5/iAMimo2y+j9MhOCYLxHMal0cg61ZRaCHaGXVShFooVUOu5lrdNdkJDz3P4cqxaQ
         hlssC2IedhRVAZ4Usu8Z/ItD+aJ/lAQaj5h51mK7m1WP1Hf3cM1SHBULvctW543ectPL
         m4iPLkO8B2WEeWmKY/8Jx5t+Nvx73VUfe8w8k1a17DpPn9AqXbn0txrgqWW99ZPpiAHP
         sIOpJJ1NY83pbHkA1eLpsRWuemCuX8RDcCLlDo1TQTp9Jh8EOYxsCawAs+KDlb/mW/ti
         XcSTbNMtU4jMCbvCZ6vPt6+Aiko+k9dNaujInZfy4tPUmQuFveejN4ISX7qhKa5p2En8
         wp+g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-transfer-encoding:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date;
        bh=AioP6YfxU9tsfTKqp05u5jGwRpcVzwj2JSl4EHmm5lw=;
        b=pTX7/20U4H5vAzlQ0CTkQAWxRe/DxlCknwPdUPwpsyy6/o7U0ceQHU0ioNYRecrtyi
         TTQfK4JW/hyuPYShGfus5he//Ro+ALCsymdNWYt2PqlKGh9bCc9NMpBXEgzQOWwWNbKz
         0shl22bRUXsFwotBNcMmZ4mVfme7vdtH4pv1IIT9+/PDb2ODWJJuiOgCuycb0KQ1In3i
         SmbpXtP4oel44qkgnONmdU4gm7QfesEn/pYUjS9LZ15NyiFxlDPVe7H/q4UIzZFHA+PR
         rueeD1GFj3ih8N15xxxLAhcZnsDluXMCbeX/xs1eI1iVVgT8gfzPbGlB0zA6VEa7XFjK
         oc/w==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id l5-v6si20761517pgg.277.2018.10.29.10.26.49;
        Mon, 29 Oct 2018 10:27:05 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727386AbeJ3CPl (ORCPT <rfc822;xc.haze2010@gmail.com>
        + 99 others); Mon, 29 Oct 2018 22:15:41 -0400
Received: from mga17.intel.com ([192.55.52.151]:11357 "EHLO mga17.intel.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726300AbeJ3CPl (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 29 Oct 2018 22:15:41 -0400
X-Amp-Result: UNKNOWN
X-Amp-Original-Verdict: FILE UNKNOWN
X-Amp-File-Uploaded: False
Received: from orsmga005.jf.intel.com ([10.7.209.41])
  by fmsmga107.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 29 Oct 2018 10:26:08 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.54,441,1534834800"; 
   d="scan'208";a="269744565"
Received: from sjchrist-coffee.jf.intel.com (HELO linux.intel.com) ([10.54.74.193])
  by orsmga005.jf.intel.com with ESMTP; 29 Oct 2018 10:26:08 -0700
Date:   Mon, 29 Oct 2018 10:26:08 -0700
From:   Sean Christopherson <sean.j.christopherson@intel.com>
To:     Julian Stecklina <jsteckli@amazon.de>
Cc:     kvm@vger.kernel.org, Paolo Bonzini <pbonzini@redhat.com>,
        Julian Stecklina <js@alien8.de>, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 2/3] kvm, vmx: move register clearing out of assembly
 path
Message-ID: <20181029172608.GB27762@linux.intel.com>
References: <74fa3809ea293cc05d37b1449b16e08480c4ddbd.1540822350.git.jsteckli@amazon.de>
 <33085f6c98496ed8094ce68855b49851abb86406.1540822350.git.jsteckli@amazon.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <33085f6c98496ed8094ce68855b49851abb86406.1540822350.git.jsteckli@amazon.de>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Oct 29, 2018 at 04:40:43PM +0100, Julian Stecklina wrote:
> Split the security related register clearing out of the large inline
> assembly VM entry path. This results in two slightly less complicated
> inline assembly statements, where it is clearer what each one does.
> 
> Signed-off-by: Julian Stecklina <jsteckli@amazon.de>
> Reviewed-by: Jan H. Sch?nherr <jschoenh@amazon.de>
> Reviewed-by: Konrad Jan Miller <kjm@amazon.de>
> Reviewed-by: Jim Mattson <jmattson@google.com>
> ---
>  arch/x86/kvm/vmx.c | 45 ++++++++++++++++++++++++++++-----------------
>  1 file changed, 28 insertions(+), 17 deletions(-)
> 
> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
> index a6e5a5c..29a2ee7 100644
> --- a/arch/x86/kvm/vmx.c
> +++ b/arch/x86/kvm/vmx.c
> @@ -11281,24 +11281,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
>  		"mov %%r13, %c[r13](%0) \n\t"
>  		"mov %%r14, %c[r14](%0) \n\t"
>  		"mov %%r15, %c[r15](%0) \n\t"
> -		/*
> -		* Clear host registers marked as clobbered to prevent
> -		* speculative use.
> -		*/
> -		"xor %%r8d,  %%r8d \n\t"
> -		"xor %%r9d,  %%r9d \n\t"
> -		"xor %%r10d, %%r10d \n\t"
> -		"xor %%r11d, %%r11d \n\t"
> -		"xor %%r12d, %%r12d \n\t"
> -		"xor %%r13d, %%r13d \n\t"
> -		"xor %%r14d, %%r14d \n\t"
> -		"xor %%r15d, %%r15d \n\t"
>  #endif
> -
> -		"xor %%eax, %%eax \n\t"
> -		"xor %%ebx, %%ebx \n\t"
> -		"xor %%esi, %%esi \n\t"
> -		"xor %%edi, %%edi \n\t"
>  		"pop  %%" _ASM_BP "; pop  %%" _ASM_DX " \n\t"
>  		".pushsection .rodata \n\t"
>  		".global vmx_return \n\t"
> @@ -11336,6 +11319,34 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
>  	      );
>  
>  	/*
> +	 * Don't let guest register values survive. Registers that cannot
> +	 * contain guest values anymore are not touched.

I think it's a good idea to explicitly call out that clearing the GPRs
is done to prevent speculative use.  Simply stating that we don't want
to let guest register values survive doesn't explain *why*.

What about:

	/*
	 * Explicitly clear (in addition to marking them as clobbered) all GPRs
	 * that have not been loaded with host state to prevent speculatively
	 * using the guest's values.
	 */

> +	 */
> +	asm volatile (
> +		"xor %%eax, %%eax \n\t"
> +		"xor %%ebx, %%ebx \n\t"
> +		"xor %%esi, %%esi \n\t"
> +		"xor %%edi, %%edi \n\t"
> +#ifdef CONFIG_X86_64
> +		"xor %%r8d,  %%r8d \n\t"
> +		"xor %%r9d,  %%r9d \n\t"
> +		"xor %%r10d, %%r10d \n\t"
> +		"xor %%r11d, %%r11d \n\t"
> +		"xor %%r12d, %%r12d \n\t"
> +		"xor %%r13d, %%r13d \n\t"
> +		"xor %%r14d, %%r14d \n\t"
> +		"xor %%r15d, %%r15d \n\t"
> +#endif
> +		::: "cc"
> +#ifdef CONFIG_X86_64
> +		 , "rax", "rbx", "rsi", "rdi"
> +		 , "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"
> +#else
> +		 , "eax", "ebx", "esi", "edi"
> +#endif
> +		);
> +
> +	/*
>  	 * We do not use IBRS in the kernel. If this vCPU has used the
>  	 * SPEC_CTRL MSR it may have left it on; save the value and
>  	 * turn it off. This is much more efficient than blindly adding
> -- 
> 2.7.4
>