Subject: Re: [PATCH] KVM: x86: Always set kvm_run->if_flag
To:     Marc Orr <marcorr@google.com>, pbonzini@redhat.com,
        seanjc@google.com, vkuznets@redhat.com, wanpengli@tencent.com,
        jmattson@google.com, joro@8bytes.org, tglx@linutronix.de,
        mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com,
        x86@kernel.org, hpa@zytor.com, kvm@vger.kernel.org,
        linux-kernel@vger.kernel.org
References: <20211207043100.3357474-1-marcorr@google.com>
From:   Tom Lendacky <thomas.lendacky@amd.com>
Message-ID: <c8889028-9c4e-cade-31b6-ea92a32e4f66@amd.com>
Date:   Tue, 7 Dec 2021 08:43:43 -0600
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
 Thunderbird/78.14.0
In-Reply-To: <20211207043100.3357474-1-marcorr@google.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?MkZkTzNaQUVDQ05GdVR1dVA3dVFab2xVdHlCQUpvV0x3TWlpTFg3NWhoZysv?=
 =?utf-8?B?T0VZbXlpdTZSSmxuS2hSM2p5eFdEVGs4NWtWaWxvZm5nRGpnNkdhazlYNisz?=
 =?utf-8?B?a0p6dnpoanVUVU9lK0VxcTg4aEZFbmpsVzUzWDVEcTJ6TS85V1RBcHBzUFls?=
 =?utf-8?B?bGVIcG5rWFNDVFVrKzhsNVpQRVZzZnNwbUVPNmZ2SVVOQS9QU1Z5R0lqRnlo?=
 =?utf-8?B?YVVXYXl5NVo0T3J2REU3ampnRi9XRHhVd3VxUXBlYzl1MFhjdWNXanh4UVM4?=
 =?utf-8?B?UUlkbThoU0NCVDk4RUN0Z3dzN0syY3ZlZ1Z2RE5TVUpjTUVmSWJaa0RwL0V0?=
 =?utf-8?B?dnpXdzBSUjlXWGpyUkorQTUwWnoxUmd4aFlDeU1wcGMvK09MM0JXNEl0UnVs?=
 =?utf-8?B?c1VGUW9Hc2o5Ry9ST3NIdXVKVzIrdk00YXMyYld2VVVkYmtkWjBoMXcyTzJV?=
 =?utf-8?B?OWF6elMwQ3ozMkgxZWhrMGU0Y2hlU3VEZm1oYWQrYzA2dk95VzgwV0Q5Ui92?=
 =?utf-8?B?S0xiY2l4TVY3bXc3MXhyaW10Z1BFYzROR3pTbDZlYkpnemU1MTN2NnJIVUxI?=
 =?utf-8?B?L0kveXhhand6bno4SUNJbVV3a0RtUmRLNnFZN0tOMTJqUkRieTM0a1hDK2ZF?=
 =?utf-8?B?azUvbitVdkdiU2l2TndRV3g2NEJYTi9YSCs4aGt3QjhJYU85dzl4b0JXeFcz?=
 =?utf-8?B?aEtaWVQ3SmRWWTZ4WDV1d21lOFpuVkw3SGlXVzFuUkRoY0JSc3lMUUJ2L1lL?=
 =?utf-8?B?WGYrUUlOYUZkWS81aDBseEE1bmpWTHFRZUNxSXdnenVxTFc5YnhZWHJKSmRD?=
 =?utf-8?B?STVXVk9abytGenJ5N0c5dGlzcVpIREFEanJkNnVaUEtwS1dZcWo5bXNCdXJ2?=
 =?utf-8?B?UG9qb2xIai9TRHhUMlBWSUxCd0duNE5hYkpoVDBXbjZ3ZWNvdFcydnRjaCs5?=
 =?utf-8?B?bEhHWlpXbUZhWlZLLzIvUS9JYWt6R2o4SE0rS1BxVnNOQjZ2aUwvaXBndnVZ?=
 =?utf-8?B?M2Vab1p5R0xCL2dmZ0piY25rUEwrck9CcExTaW00bTlKV1pxaTBGTVIwTklr?=
 =?utf-8?B?SkJab3FtVGhEN1dSOEtYS0JpejI5N1R1bnk2STlvL0I1TmdHVWw1ajFSVTRQ?=
 =?utf-8?B?QmZ3ckpwTXhOS1o0YmRVUTlFSnFzQzA1T2NDN1BIdDdPd1hkTStXa0lsMk9s?=
 =?utf-8?B?OVAzVDNPajFNeS8rVGdzWkgvR2UvdkhjaXBmQU83UEJXNTFPVnRIdWwxM1Fs?=
 =?utf-8?B?TUJiWFhOZG00YWhCQlZwL3J0RUlVRFZnZU9sSUZhMDNmTHpIUC9wYWpDNHdo?=
 =?utf-8?B?eEwxSWVJMEJTeFhvcVBqY3JzK2kzdVFjZ2t4Nm5MVHp0ZVJXUi8xQjFrV0Uy?=
 =?utf-8?B?WFFhU3BjcWpEVFpGRFhVdFJqeERwOHpYMjdFQ0tFekpjaW45dE9HZEwxbm1k?=
 =?utf-8?B?bmIyaC9HSXRTdDN5Z1RVUkJOaEcyUXpMK2JhZyt2ZjlEK0NsQ0FDQnN4YU9E?=
 =?utf-8?B?dVlTS2lKaWQ0MTBCSjBnY2M1cnprMExNTE16Z1FueHR6b0Nhcys5SFJNY2FO?=
 =?utf-8?B?REtYdWxTQlVJbjg1RkdrMTIxREVZM0l4dmpDS1R3bVRnRmZBa2NjRUlwaUlV?=
 =?utf-8?B?Z3ptYnlzQ0MvNjRhZExXOXVkR3dQZ2ZNQlNvbnQ3b2pTWnZoczJMUFB4SWZi?=
 =?utf-8?B?K20rQTkvZ3RlL3RFZzdnVzh3S1Q2dmNrVVZKaGY1TCsxZ2FjSVd4TmVWZ0RC?=
 =?utf-8?B?RVBDVi8zbGhQL3JYRVJTSzFSL3U4UWpjMVZ2Y2VnRFNmUElwU0tSeXV1ZXRq?=
 =?utf-8?B?bkJTaExBcjVTL3BxTnk1TG93eDlqUXVWbkRmcDFDSEJxc3h2U2VDS3llSmp0?=
 =?utf-8?B?RUgzRWcwcjdubWNPUS9aeHdIOWI5aEZVa0VDUm5OYk1PN09PWUZuMEY1OTNW?=
 =?utf-8?B?cVp2NXFLY051ekp2WFVZZEdMWUxlUEFTdHRNZnpqdUtUZmFqUml5ZG03bjVh?=
 =?utf-8?B?V2RpS1lsN3VJQ0RaQWl3SmY4QldWa2JGMU5nS3c1RU80S1VVUDRTYkhiT0I1?=
 =?utf-8?B?UUxHYmtWNktoM2o5WXpmS2MrL1VQMTJicFZwbEdFSVhPWks0QXgrKzkyZVUw?=
 =?utf-8?B?eEdid1QxNzQ2am9FYk1BRDdDTis2YnVMZHBLOTJ5T2loYWM1MW8vYUVMa0Jw?=
 =?utf-8?Q?TfTNlzz7gq1T9DYvlVbe4Hs=3D?=
X-OriginatorOrg: amd.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 5a7dcb25-ad05-437b-0d60-08d9b98ff8f5
X-MS-Exchange-CrossTenant-AuthSource: DM4PR12MB5229.namprd12.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 07 Dec 2021 14:43:46.2427
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: ddsmub7dlbF0GvVKVwoxtgB52Sk81iVFnBTHWGJBLBgZsnL06rApGzLzdyCGkYR2susUV9iDPHTUwYIj8DXtnw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM8PR12MB5495
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 12/6/21 10:31 PM, Marc Orr wrote:
> The kvm_run struct's if_flag is apart of the userspace/kernel API. The
> SEV-ES patches failed to set this flag because it's no longer needed by
> QEMU (according to the comment in the source code). However, other
> hypervisors may make use of this flag. Therefore, set the flag for
> guests with encrypted regiesters (i.e., with guest_state_protected set).
> 
> Fixes: f1c6366e3043 ("KVM: SVM: Add required changes to support intercepts under SEV-ES")
> Signed-off-by: Marc Orr <marcorr@google.com>
> ---
>   arch/x86/include/asm/kvm-x86-ops.h | 1 +
>   arch/x86/include/asm/kvm_host.h    | 1 +
>   arch/x86/kvm/svm/svm.c             | 8 ++++++++
>   arch/x86/kvm/vmx/vmx.c             | 6 ++++++
>   arch/x86/kvm/x86.c                 | 9 +--------
>   5 files changed, 17 insertions(+), 8 deletions(-)
> 
> diff --git a/arch/x86/include/asm/kvm-x86-ops.h b/arch/x86/include/asm/kvm-x86-ops.h
> index cefe1d81e2e8..9e50da3ed01a 100644
> --- a/arch/x86/include/asm/kvm-x86-ops.h
> +++ b/arch/x86/include/asm/kvm-x86-ops.h
> @@ -47,6 +47,7 @@ KVM_X86_OP(set_dr7)
>   KVM_X86_OP(cache_reg)
>   KVM_X86_OP(get_rflags)
>   KVM_X86_OP(set_rflags)
> +KVM_X86_OP(get_if_flag)
>   KVM_X86_OP(tlb_flush_all)
>   KVM_X86_OP(tlb_flush_current)
>   KVM_X86_OP_NULL(tlb_remote_flush)
> diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
> index 860ed500580c..a7f868ff23e7 100644
> --- a/arch/x86/include/asm/kvm_host.h
> +++ b/arch/x86/include/asm/kvm_host.h
> @@ -1349,6 +1349,7 @@ struct kvm_x86_ops {
>   	void (*cache_reg)(struct kvm_vcpu *vcpu, enum kvm_reg reg);
>   	unsigned long (*get_rflags)(struct kvm_vcpu *vcpu);
>   	void (*set_rflags)(struct kvm_vcpu *vcpu, unsigned long rflags);
> +	bool (*get_if_flag)(struct kvm_vcpu *vcpu);
>   
>   	void (*tlb_flush_all)(struct kvm_vcpu *vcpu);
>   	void (*tlb_flush_current)(struct kvm_vcpu *vcpu);
> diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
> index d0f68d11ec70..91608f8c0cde 100644
> --- a/arch/x86/kvm/svm/svm.c
> +++ b/arch/x86/kvm/svm/svm.c
> @@ -1585,6 +1585,13 @@ static void svm_set_rflags(struct kvm_vcpu *vcpu, unsigned long rflags)
>   	to_svm(vcpu)->vmcb->save.rflags = rflags;
>   }
>   
> +static bool svm_get_if_flag(struct kvm_vcpu *vcpu)
> +{
> +	struct vmcb *vmcb = to_svm(vcpu)->vmcb;
> +
> +	return !!(vmcb->control.int_state & SVM_GUEST_INTERRUPT_MASK);

I'm not sure if this is always valid to use for non SEV-ES guests. Maybe
the better thing would be:

	return sev_es_guest(vcpu->kvm) ? vmcb->control.int_state & SVM_GUEST_INTERRUPT_MASK
				       : kvm_get_rflags(vcpu) & X86_EFLAGS_IF;

(Since this function returns a bool, I don't think you need the !!)

Thanks,
Tom

> +}
> +
>   static void svm_cache_reg(struct kvm_vcpu *vcpu, enum kvm_reg reg)
>   {
>   	switch (reg) {
> @@ -4621,6 +4628,7 @@ static struct kvm_x86_ops svm_x86_ops __initdata = {
>   	.cache_reg = svm_cache_reg,
>   	.get_rflags = svm_get_rflags,
>   	.set_rflags = svm_set_rflags,
> +	.get_if_flag = svm_get_if_flag,
>   
>   	.tlb_flush_all = svm_flush_tlb,
>   	.tlb_flush_current = svm_flush_tlb,
> diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
> index 9453743ce0c4..6056baa13977 100644
> --- a/arch/x86/kvm/vmx/vmx.c
> +++ b/arch/x86/kvm/vmx/vmx.c
> @@ -1363,6 +1363,11 @@ void vmx_set_rflags(struct kvm_vcpu *vcpu, unsigned long rflags)
>   		vmx->emulation_required = vmx_emulation_required(vcpu);
>   }
>   
> +static bool vmx_get_if_flag(struct kvm_vcpu *vcpu)
> +{
> +	return !!(vmx_get_rflags(vcpu) & X86_EFLAGS_IF);
> +}
> +
>   u32 vmx_get_interrupt_shadow(struct kvm_vcpu *vcpu)
>   {
>   	u32 interruptibility = vmcs_read32(GUEST_INTERRUPTIBILITY_INFO);
> @@ -7575,6 +7580,7 @@ static struct kvm_x86_ops vmx_x86_ops __initdata = {
>   	.cache_reg = vmx_cache_reg,
>   	.get_rflags = vmx_get_rflags,
>   	.set_rflags = vmx_set_rflags,
> +	.get_if_flag = vmx_get_if_flag,
>   
>   	.tlb_flush_all = vmx_flush_tlb_all,
>   	.tlb_flush_current = vmx_flush_tlb_current,
> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> index e0aa4dd53c7f..45e836db5bcd 100644
> --- a/arch/x86/kvm/x86.c
> +++ b/arch/x86/kvm/x86.c
> @@ -8995,14 +8995,7 @@ static void post_kvm_run_save(struct kvm_vcpu *vcpu)
>   {
>   	struct kvm_run *kvm_run = vcpu->run;
>   
> -	/*
> -	 * if_flag is obsolete and useless, so do not bother
> -	 * setting it for SEV-ES guests.  Userspace can just
> -	 * use kvm_run->ready_for_interrupt_injection.
> -	 */
> -	kvm_run->if_flag = !vcpu->arch.guest_state_protected
> -		&& (kvm_get_rflags(vcpu) & X86_EFLAGS_IF) != 0;
> -
> +	kvm_run->if_flag = static_call(kvm_x86_get_if_flag)(vcpu);
>   	kvm_run->cr8 = kvm_get_cr8(vcpu);
>   	kvm_run->apic_base = kvm_get_apic_base(vcpu);
>   
>