Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp712458pxf; Wed, 31 Mar 2021 14:14:13 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz4+hpoTHX/d7PYbNRyQyLdVNgAKME/pvqHewDSY6mmwAnSjiTQyQIV9aJASvdXHAZ60Xsc X-Received: by 2002:a17:906:ad4:: with SMTP id z20mr5623989ejf.496.1617225253690; Wed, 31 Mar 2021 14:14:13 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1617225253; cv=none; d=google.com; s=arc-20160816; b=vq83uObsrjUlKoZ2A3h1l6LWWhvCvJpW/rDOITEZ1v2244XXueDxn7rWA4fsQIdu72 Efoom9Gh8Rfm3YN0pHV2fL99CNbR3Z/dL0e3xek8teUYAj6Xrfmsyok63L7W2WtC0SOW 09Iu/ok5d7lrPknDRj46kOvvMvTjEKoyRunaT4++aLEtsG5ZhrfKfESoj478mE+RZQam yPxi+rBb8yruILrutp2MCIHu4udtFBnkrBqqM1pWtIeCKIJsf0R0NR0JNdcSy/2lYGjg 1UNiqjr4LYbrETN9DFYJ3pFkzd4ymxMiyu7wkccLbMJGsjDeaNMvZfeUubuCpBbRc+xX QivQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :ironport-sdr:ironport-sdr; bh=OwVQlOy1RnkzrrBdsSmEgQ68uKZi845CVXTh9k/S7fA=; b=UTdu4X/GBkHfEaFPpxnK4WMx41oEIzHtai4fVETFJr4Oj2g9HEAERRddQHcPQBmc56 hO7M0VPfRZ5ibNr7R9bfCoy+bum9cs0WbDdEgTcm/XfVujmveqa3+FgbMuW+DpBJWUww XEJf+aflAYcNrSKY/cOvj/+PV+VWpHmwCXdU0hlyaFFREqww0EI5YDp6LJMSH8asS7ue amGz/Zi/OMIjKx5pE/84FpX5HMQdF9oPdVvsHoAi8Ie0IL8sT/ma6OPMrhQyDUHeiPPv qZFjU9g4S09fJCChrsDslnJLFk5RePaZyHFxv7s/r1CoxnNTkpn2sG1m1MRsBTT+VE+A FBzA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id t13si2591348ejf.189.2021.03.31.14.13.50; Wed, 31 Mar 2021 14:14:13 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231488AbhCaVK0 (ORCPT + 99 others); Wed, 31 Mar 2021 17:10:26 -0400 Received: from mga04.intel.com ([192.55.52.120]:47630 "EHLO mga04.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233291AbhCaVKT (ORCPT ); Wed, 31 Mar 2021 17:10:19 -0400 IronPort-SDR: oZegbmosS8oeMsEHK6esgpfQTy3r8y45rEraGFDSs2QptKr36mAAc8MF1cR89HeTD4e9XLWRa4 asyYncauybrw== X-IronPort-AV: E=McAfee;i="6000,8403,9940"; a="189860375" X-IronPort-AV: E=Sophos;i="5.81,293,1610438400"; d="scan'208";a="189860375" Received: from fmsmga008.fm.intel.com ([10.253.24.58]) by fmsmga104.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 31 Mar 2021 14:10:11 -0700 IronPort-SDR: SmGk/Jaofhn11Elbj0KQMbIBGFtymvgsCuuvONoHwZCDjk4HeGXve99bX775xN0fO03/0AThea w0cx9UQuq3AA== X-IronPort-AV: E=Sophos;i="5.81,293,1610438400"; d="scan'208";a="412355353" Received: from sjard-mobl.amr.corp.intel.com (HELO skuppusw-mobl5.amr.corp.intel.com) ([10.212.174.17]) by fmsmga008-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 31 Mar 2021 14:10:09 -0700 From: Kuppuswamy Sathyanarayanan To: Peter Zijlstra , Andy Lutomirski , Dave Hansen Cc: Andi Kleen , Kirill Shutemov , Kuppuswamy Sathyanarayanan , Dan Williams , Raj Ashok , Sean Christopherson , linux-kernel@vger.kernel.org, Kuppuswamy Sathyanarayanan Subject: [PATCH v4 1/1] x86/tdx: Handle MWAIT, MONITOR and WBINVD Date: Wed, 31 Mar 2021 14:09:59 -0700 Message-Id: X-Mailer: git-send-email 2.25.1 In-Reply-To: <2FE32855-EA5D-44E4-AACC-25E9B1476547@amacapital.net> References: <2FE32855-EA5D-44E4-AACC-25E9B1476547@amacapital.net> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org As per Guest-Host Communication Interface (GHCI) Specification for Intel TDX, sec 2.4.1, TDX architecture does not support MWAIT, MONITOR and WBINVD instructions. So in non-root TDX mode, if MWAIT/MONITOR instructions are executed with CPL != 0 it will trigger #UD, and for CPL = 0 case, virtual exception (#VE) is triggered. WBINVD instruction behavior is also similar to MWAIT/MONITOR, but for CPL != 0 case, it will trigger #GP instead of #UD. To prevent TD guest from using these unsupported instructions, following measures are adapted: 1. For MWAIT/MONITOR instructions, support for these instructions are already disabled by TDX module (SEAM). So CPUID flags for these instructions should be in disabled state. Also, just to be sure that these instructions are disabled, forcefully unset X86_FEATURE_MWAIT CPU cap in OS. 2. For WBINVD instruction, we use audit to find the code that uses this instruction and disable them for TD. After the above mentioned preventive measures, if TD guest still execute these instructions, add appropriate warning messages in #VE handler. Signed-off-by: Kuppuswamy Sathyanarayanan Reviewed-by: Andi Kleen --- Changes since v3: * WARN user if SEAM does not disable MONITOR/MWAIT instruction. * Fix the commit log and comments to address review comments from from Dave & Sean. Changes since v2: * Added BUG() for WBINVD, WARN for MONITOR instructions. * Fixed comments as per Dave's review. Changes since v1: * Added WARN() for MWAIT #VE exception. Changes since previous series: * Suppressed MWAIT feature as per Andi's comment. * Added warning debug log for MWAIT #VE exception. arch/x86/kernel/tdx.c | 44 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 43 insertions(+), 1 deletion(-) diff --git a/arch/x86/kernel/tdx.c b/arch/x86/kernel/tdx.c index e936b2f88bf6..82b411b828a5 100644 --- a/arch/x86/kernel/tdx.c +++ b/arch/x86/kernel/tdx.c @@ -63,6 +63,14 @@ static inline bool cpuid_has_tdx_guest(void) return true; } +static inline bool cpuid_has_mwait(void) +{ + if (cpuid_ecx(1) & (1 << (X86_FEATURE_MWAIT % 32))) + return true; + + return false; +} + bool is_tdx_guest(void) { return static_cpu_has(X86_FEATURE_TDX_GUEST); @@ -301,12 +309,25 @@ static int tdg_handle_mmio(struct pt_regs *regs, struct ve_info *ve) return insn.length; } +/* Initialize TDX specific CPU capabilities */ +static void __init tdx_cpu_cap_init(void) +{ + setup_force_cpu_cap(X86_FEATURE_TDX_GUEST); + + if (cpuid_has_mwait()) { + WARN(1, "TDX Module failed to disable MWAIT\n"); + /* MWAIT is not supported in TDX platform, so suppress it */ + setup_clear_cpu_cap(X86_FEATURE_MWAIT); + } + +} + void __init tdx_early_init(void) { if (!cpuid_has_tdx_guest()) return; - setup_force_cpu_cap(X86_FEATURE_TDX_GUEST); + tdx_cpu_cap_init(); tdg_get_info(); @@ -362,6 +383,27 @@ int tdg_handle_virtualization_exception(struct pt_regs *regs, case EXIT_REASON_EPT_VIOLATION: ve->instr_len = tdg_handle_mmio(regs, ve); break; + case EXIT_REASON_WBINVD: + /* + * TDX architecture does not support WBINVD instruction. + * Currently, usage of this instruction is prevented by + * disabling the drivers which uses it. So if we still + * reach here, it needs user attention. + */ + pr_err("TD Guest used unsupported WBINVD instruction\n"); + BUG(); + break; + case EXIT_REASON_MONITOR_INSTRUCTION: + case EXIT_REASON_MWAIT_INSTRUCTION: + /* + * MWAIT/MONITOR features are disabled by TDX Module (SEAM) + * and also re-suppressed in kernel by clearing + * X86_FEATURE_MWAIT CPU feature flag in tdx_early_init(). So + * if TD guest still executes MWAIT/MONITOR instruction with + * above suppression, it needs user attention. + */ + WARN(1, "TD Guest used unsupported MWAIT/MONITOR instruction\n"); + break; default: pr_warn("Unexpected #VE: %d\n", ve->exit_reason); return -EFAULT; -- 2.25.1