From: Paolo Bonzini
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: Tom Lendacky, Maxim Levitsky, stable@vger.kernel.org
Subject: [PATCH] KVM: x86: only do L1TF workaround on affected processors
Date: Tue, 19 May 2020 05:50:08 -0400
Message-Id: <20200519095008.1212-1-pbonzini@redhat.com>

KVM stores the gfn in MMIO SPTEs as a caching optimization. These are
split in two parts, as in "[high 11111 low]", to thwart any attempt to
use these bits in an L1TF attack. This works as long as there are 5 free
bits between MAXPHYADDR and bit 50 (inclusive), leaving bit 51 free so
that the MMIO access triggers a reserved-bit-set page fault.

The bit positions however were computed wrongly for AMD processors that
have encryption support. In this case, x86_phys_bits is reduced (for
example from 48 to 43, to account for the C bit at position 47 and four
bits used internally to store the SEV ASID and other stuff) while
x86_cache_bits would remain set to 48, and _all_ bits between the
reduced MAXPHYADDR and bit 51 are set. Then low_phys_bits would also
cover some of the bits that are set in the shadow_mmio_value, terribly
confusing the gfn caching mechanism.

To fix this, avoid splitting gfns as long as the processor does not have
the L1TF bug (which includes all AMD processors). When there is no
splitting, low_phys_bits can be set to the reduced MAXPHYADDR, removing
the overlap. This fixes "npt=0" operation on EPYC processors.

Thanks to Maxim Levitsky for bisecting this bug.

Cc: stable@vger.kernel.org
Fixes: 52918ed5fcf0 ("KVM: SVM: Override default MMIO mask if memory encryption is enabled")
Signed-off-by: Paolo Bonzini --- arch/x86/kvm/mmu/mmu.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c index 8071952e9cf2..86619631ff6a 100644 --- a/arch/x86/kvm/mmu/mmu.c +++ b/arch/x86/kvm/mmu/mmu.c @@ -335,6 +335,8 @@ void kvm_mmu_set_mmio_spte_mask(u64 mmio_mask, u64 mmio_value, u64 access_mask) { BUG_ON((u64)(unsigned)access_mask != access_mask); BUG_ON((mmio_mask & mmio_value) != mmio_value); + WARN_ON(mmio_value & (shadow_nonpresent_or_rsvd_mask << shadow_nonpresent_or_rsvd_mask_len)); + WARN_ON(mmio_value & shadow_nonpresent_or_rsvd_lower_gfn_mask); shadow_mmio_value = mmio_value | SPTE_MMIO_MASK; shadow_mmio_mask = mmio_mask | SPTE_SPECIAL_MASK; shadow_mmio_access_mask = access_mask; @@ -583,16 +585,15 @@ static void kvm_mmu_reset_all_pte_masks(void) * the most significant bits of legal physical address space. */ shadow_nonpresent_or_rsvd_mask = 0; - low_phys_bits = boot_cpu_data.x86_cache_bits; - if (boot_cpu_data.x86_cache_bits < - 52 - shadow_nonpresent_or_rsvd_mask_len) { + low_phys_bits = boot_cpu_data.x86_phys_bits; + if (boot_cpu_has_bug(X86_BUG_L1TF) && + !WARN_ON_ONCE(boot_cpu_data.x86_cache_bits >= + 52 - shadow_nonpresent_or_rsvd_mask_len)) { + low_phys_bits = boot_cpu_data.x86_cache_bits + - shadow_nonpresent_or_rsvd_mask_len; shadow_nonpresent_or_rsvd_mask = - rsvd_bits(boot_cpu_data.x86_cache_bits - - shadow_nonpresent_or_rsvd_mask_len, - boot_cpu_data.x86_cache_bits - 1); - low_phys_bits -= shadow_nonpresent_or_rsvd_mask_len; - } else - WARN_ON_ONCE(boot_cpu_has_bug(X86_BUG_L1TF)); + rsvd_bits(low_phys_bits, boot_cpu_data.x86_cache_bits - 1); + } shadow_nonpresent_or_rsvd_lower_gfn_mask = GENMASK_ULL(low_phys_bits - 1, PAGE_SHIFT); -- 2.18.2
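Review bot: In the first hunk (kvm_mmu_set_mmio_spte_mask()), the two new WARN_ON()s rely on an ordering that nothing in the function documents. They read shadow_nonpresent_or_rsvd_mask and shadow_nonpresent_or_rsvd_lower_gfn_mask, which the second hunk shows are computed in kvm_mmu_reset_all_pte_masks(), so they only catch an overlap if that function has already run when the MMIO mask is set. A short comment stating that requirement, and that the checks guard against mmio_value colliding with the bits used to cache the gfn, would help. Note also that they only warn: shadow_mmio_value is still assigned on the next line after a failed check. The first WARN_ON line is well over 80 columns and could be wrapped.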
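Review bot: In the second hunk (kvm_mmu_reset_all_pte_masks()), the comment retained above the block is not updated for the new rule, and folding !WARN_ON_ONCE(...) into the if condition makes the fall-through case easy to miss. On a CPU with X86_BUG_L1TF whose x86_cache_bits is >= 52 - shadow_nonpresent_or_rsvd_mask_len, the warning fires and the code continues with shadow_nonpresent_or_rsvd_mask = 0 and low_phys_bits = boot_cpu_data.x86_phys_bits. Please extend the comment to say that gfn splitting is now done only when boot_cpu_has_bug(X86_BUG_L1TF), why x86_phys_bits rather than x86_cache_bits is the base when there is no split, and what the warning path leaves in place.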
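The overlap described in the commit message can be reproduced in user space. The following is an added example, not code from the patch or from the kernel: it models the mask arithmetic before and after the change, using the SEV numbers from the message (x86_phys_bits 43, x86_cache_bits 48, MMIO value with bits 43..51 set). The struct, the function names and the 46-bit L1TF sample are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT    12
#define RSVD_MASK_LEN 5   /* the "11111" field from the commit message */

struct masks { uint64_t rsvd_mask, lower_gfn_mask; };   /* hypothetical */

/* Bits lo..hi inclusive, for 0 <= lo <= hi <= 63. */
static uint64_t bits(int hi, int lo)
{
    return (~0ULL >> (63 - hi)) & (~0ULL << lo);
}

/* Model of the computation before the patch: based on cache_bits only. */
static struct masks masks_old(int cache_bits)
{
    struct masks m = { 0, 0 };
    int low = cache_bits;

    if (cache_bits < 52 - RSVD_MASK_LEN) {
        m.rsvd_mask = bits(cache_bits - 1, cache_bits - RSVD_MASK_LEN);
        low -= RSVD_MASK_LEN;
    }
    m.lower_gfn_mask = bits(low - 1, PAGE_SHIFT);
    return m;
}

/* Model after the patch: split the gfn only on L1TF-affected CPUs. */
static struct masks masks_new(int phys_bits, int cache_bits, int l1tf)
{
    struct masks m = { 0, 0 };
    int low = phys_bits;

    if (l1tf && cache_bits < 52 - RSVD_MASK_LEN) {
        low = cache_bits - RSVD_MASK_LEN;
        m.rsvd_mask = bits(cache_bits - 1, low);
    }
    m.lower_gfn_mask = bits(low - 1, PAGE_SHIFT);
    return m;
}

/* MMIO value bits that collide with gfn storage (what the WARN_ONs test). */
static uint64_t overlap(struct masks m, uint64_t mmio_value)
{
    return mmio_value & ((m.rsvd_mask << RSVD_MASK_LEN) | m.lower_gfn_mask);
}

int main(void)
{
    uint64_t sev_mmio = bits(51, 43);   /* constructed from the message */

    printf("old: %#llx\n", (unsigned long long)overlap(masks_old(48), sev_mmio));
    printf("new: %#llx\n", (unsigned long long)overlap(masks_new(43, 48, 0), sev_mmio));
    return 0;
}
```

With the old computation bits 43..47 of the MMIO value fall inside the lower gfn mask; with the new one the overlap is empty, while an L1TF-affected CPU with 46 physical and cache bits gets the same split as before.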