Date: Wed, 30 Mar 2022 10:46:20 -0700
In-Reply-To: <20220330174621.1567317-1-bgardon@google.com>
Message-Id: <20220330174621.1567317-11-bgardon@google.com>
References: <20220330174621.1567317-1-bgardon@google.com>
Subject: [PATCH v3 10/11] KVM: x86/MMU: Require reboot permission to disable NX hugepages
From: Ben Gardon
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: Paolo Bonzini, Peter Xu, Sean Christopherson, David Matlack, Jim Mattson, David Dunn, Jing Zhang, Junaid Shahid, Ben Gardon

Ensure that the userspace actor attempting to disable NX hugepages has permission to reboot the system. Since disabling NX hugepages would allow a guest to crash the system, it is similar to reboot permissions. This approach is the simplest permission gating, but passing a file descriptor opened for write for the module parameter would also work well and be more precise. The latter approach was suggested by Sean Christopherson.

Suggested-by: Jim Mattson
Signed-off-by: Ben Gardon
--- Documentation/virt/kvm/api.rst | 2 ++ arch/x86/kvm/x86.c | 9 +++++++++ 2 files changed, 11 insertions(+) diff --git a/Documentation/virt/kvm/api.rst b/Documentation/virt/kvm/api.rst index b40c3113b14b..ca5674e04474 100644 --- a/Documentation/virt/kvm/api.rst +++ b/Documentation/virt/kvm/api.rst @@ -7850,6 +7850,8 @@ should adjust CPUID leaf 0xA to reflect that the PMU is disabled. :Capability KVM_CAP_PMU_CAPABILITY :Architectures: x86 :Type: vm +:Returns 0 on success, -EPERM if the userspace process does not + have CAP_SYS_BOOT This capability disables the NX huge pages mitigation for iTLB MULTIHIT. diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index e00dcf19f826..81e7d825639e 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c 
@@ -6063,6 +6063,15 @@ int kvm_vm_ioctl_enable_cap(struct kvm *kvm, mutex_unlock(&kvm->lock); break; case KVM_CAP_VM_DISABLE_NX_HUGE_PAGES: + /* + * Since the risk of disabling NX hugepages is a guest crashing + * the system, ensure the userspace process has permission to + * reboot the system. + */ + if (!capable(CAP_SYS_BOOT)) { + r = -EPERM; + break; + } kvm->arch.disable_nx_huge_pages = true; kvm_update_nx_huge_pages(kvm); r = 0; -- 2.35.1.1021.g381101b075-goog
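Review bot: In the Documentation/virt/kvm/api.rst hunk, the added field is written `:Returns` with no closing colon, so it will not render as a field-list entry the way the `:Architectures:` and `:Type:` lines above it do; write it as `:Returns: 0 on success, -EPERM if the userspace process does not have CAP_SYS_BOOT`. The context line `:Capability KVM_CAP_PMU_CAPABILITY` has the same missing colon and names a different capability from the one the following paragraph describes and from the `KVM_CAP_VM_DISABLE_NX_HUGE_PAGES` case gated in x86.c, so it should be corrected in the patch of this series that introduces it.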
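Review bot: In the arch/x86/kvm/x86.c hunk, the `capable(CAP_SYS_BOOT)` check under `case KVM_CAP_VM_DISABLE_NX_HUGE_PAGES:` tests the calling task against the initial user namespace, so a VMM that holds CAP_SYS_BOOT only inside its own user namespace will get -EPERM. That fits the stated risk of a guest crashing the host, but neither the code comment nor the api.rst text says so; please state in the comment that the capability must be held in the init namespace and that it is evaluated for the task issuing the enable-cap ioctl at the time of the call. Since the commit message itself calls the write-opened file descriptor approach more precise, a short note on why CAP_SYS_BOOT was chosen for this version would also help future readers of the comment.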