Date: Mon, 11 Apr 2022 14:10:14 -0700
In-Reply-To: <20220411211015.3091615-1-bgardon@google.com>
Message-Id: <20220411211015.3091615-10-bgardon@google.com>
References: <20220411211015.3091615-1-bgardon@google.com>
Subject: [PATCH v4 09/10] KVM: x86/MMU: Require reboot permission to disable NX hugepages
From: Ben Gardon
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: Paolo Bonzini, Peter Xu, Sean Christopherson, Peter Shier, David Dunn, Junaid Shahid, Jim Mattson, David Matlack, Mingwei Zhang, Jing Zhang, Ben Gardon

Ensure that the userspace actor attempting to disable NX hugepages has permission to reboot the system. Since disabling NX hugepages would allow a guest to crash the system, it is similar to reboot permissions.

This approach is the simplest permission gating, but passing a file descriptor opened for write for the module parameter would also work well and be more precise. The latter approach was suggested by Sean Christopherson.

Suggested-by: Jim Mattson
Signed-off-by: Ben Gardon
--- Documentation/virt/kvm/api.rst | 2 ++ arch/x86/kvm/x86.c | 9 +++++++++ 2 files changed, 11 insertions(+) diff --git a/Documentation/virt/kvm/api.rst b/Documentation/virt/kvm/api.rst index 31fb002632bb..021452a9fa91 100644 --- a/Documentation/virt/kvm/api.rst +++ b/Documentation/virt/kvm/api.rst @@ -7861,6 +7861,8 @@ should adjust CPUID leaf 0xA to reflect that the PMU is disabled. :Capability KVM_CAP_PMU_CAPABILITY :Architectures: x86 :Type: vm +:Returns 0 on success, -EPERM if the userspace process does not + have CAP_SYS_BOOT This capability disables the NX huge pages mitigation for iTLB MULTIHIT. diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index de1d211f8aa3..8d3d6c48c5ec 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c 
@@ -6081,6 +6081,15 @@ int kvm_vm_ioctl_enable_cap(struct kvm *kvm, mutex_unlock(&kvm->lock); break; case KVM_CAP_VM_DISABLE_NX_HUGE_PAGES: + /* + * Since the risk of disabling NX hugepages is a guest crashing + * the system, ensure the userspace process has permission to + * reboot the system. + */ + if (!capable(CAP_SYS_BOOT)) { + r = -EPERM; + break; + } kvm->arch.disable_nx_huge_pages = true; kvm_update_nx_huge_pages(kvm); r = 0; -- 2.35.1.1178.g4f1659d476-goog
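Review bot: in the Documentation/virt/kvm/api.rst hunk, the added field `:Returns 0 on success, -EPERM if ...` is missing the colon that closes a reST field name, so it will not render as a field the way the neighbouring `:Architectures: x86` and `:Type: vm` do. Write it as `:Returns: 0 on success, -EPERM if the userspace process does not have CAP_SYS_BOOT`. The context line `:Capability KVM_CAP_PMU_CAPABILITY` has the same missing colon and names the PMU capability directly above text that describes disabling the NX huge pages mitigation, which looks like a copy-paste slip to fix in the patch that introduced this section.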
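Review bot: in the arch/x86/kvm/x86.c hunk, the new comment above `if (!capable(CAP_SYS_BOOT))` explains why a privilege is required but not what the check actually binds to. `capable()` tests the credentials of the task issuing the ioctl, at the moment it issues it, against the initial user namespace, so a VMM that drops capabilities or runs inside a user namespace before calling KVM_ENABLE_CAP for `KVM_CAP_VM_DISABLE_NX_HUGE_PAGES` gets -EPERM. Please say so in the comment, and note there that CAP_SYS_BOOT is a coarse stand-in for the more precise file-descriptor approach the commit message mentions, so a later reader knows the choice was deliberate.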