Date: Thu, 15 Sep 2022 21:58:29 -0700
In-Reply-To: <20220916045832.461395-1-jmattson@google.com>
References: <20220916045832.461395-1-jmattson@google.com>
Message-ID: <20220916045832.461395-3-jmattson@google.com>
Subject: [PATCH 2/5] KVM: svm: Disallow EFER.LMSLE on hardware that doesn't support it
From: Jim Mattson
To: Avi Kivity, Babu Moger, Borislav Petkov, "Chang S. Bae", Dave Hansen, "H. Peter Anvin", Ingo Molnar, Joerg Roedel, Josh Poimboeuf, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Paolo Bonzini, Pawan Gupta, Peter Zijlstra, Sean Christopherson, Thomas Gleixner, Wyes Karny, x86@kernel.org
Cc: Jim Mattson
X-Mailing-List: linux-kernel@vger.kernel.org

KVM has never properly virtualized EFER.LMSLE. When the "nested" module parameter is true, it allows an SVM guest to set EFER.LMSLE, and it passes the bit through in the VMCB, but the KVM emulator doesn't perform the required data segment limit checks in 64-bit mode.

With Zen3, AMD has dropped support for EFER.LMSLE. Hence, if a Zen3 guest sets EFER.LMSLE, the next VMRUN will fail with "invalid VMCB."

When the host reports X86_FEATURE_NO_LMSLE, treat EFER.LMSLE as a reserved bit in the guest. Now, if a guest tries to set EFER.LMSLE on a host without support for EFER.LMSLE, the WRMSR will raise a #GP.

At the moment, the #GP may come as a surprise, but it's an improvement over the failed VMRUN. The #GP will be vindicated anon.

Fixes: eec4b140c924 ("KVM: SVM: Allow EFER.LMSLE to be set with nested svm")
Signed-off-by: Jim Mattson
--- arch/x86/kvm/svm/svm.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index f3813dbacb9f..7c4fd594166c 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c
@@ -5012,7 +5012,9 @@ static __init int svm_hardware_setup(void) if (nested) { printk(KERN_INFO "kvm: Nested Virtualization enabled\n"); - kvm_enable_efer_bits(EFER_SVME | EFER_LMSLE); + kvm_enable_efer_bits(EFER_SVME); + if (!boot_cpu_has(X86_FEATURE_NO_LMSLE)) + kvm_enable_efer_bits(EFER_LMSLE); } /* -- 2.37.3.968.ga6b4b080e4-goog
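Review bot: The new `if (!boot_cpu_has(X86_FEATURE_NO_LMSLE))` test in svm_hardware_setup() keys off a negative feature flag, so a host on which that bit is simply not enumerated is treated as supporting EFER.LMSLE and still gets `kvm_enable_efer_bits(EFER_LMSLE)`. If the hardware lacks LMSLE but the flag is not visible to this kernel (for example because a lower-level hypervisor does not pass it through), the guest can still set the bit and the "invalid VMCB" VMRUN failure described in the commit message remains reachable. Please add a short comment above the conditional stating that assumption and why EFER_LMSLE is now enabled separately from EFER_SVME. The commit message also says the #GP "may come as a surprise" at this point in the series; naming the later patch in the 5-patch series that resolves this would help anyone who bisects onto this commit.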