Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp4454967rwb;
        Sat, 10 Dec 2022 08:35:32 -0800 (PST)
X-Google-Smtp-Source: AA0mqf4CwvbCjxlMqUtS8fxfxZSmKATTgOPt0KVCseVMfCrdMN9XRHqtIJNrVSYASWn/RHJ9LuiC
X-Received: by 2002:a17:902:b60f:b0:188:a6ea:279f with SMTP id b15-20020a170902b60f00b00188a6ea279fmr11214793pls.12.1670690132129;
        Sat, 10 Dec 2022 08:35:32 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1670690132; cv=none;
        d=google.com; s=arc-20160816;
        b=u2ksGZfxJVbSN25Kx5uYwmz53s+SuWjUsX4VvKSMbZKjlF1TdQXJzI/r3E70JClSTV
         rl6WiTOE1tIP+MBUMC7ZhX/3fqHbtAhcPQUzlT+8PIbxBJRALW76z96e9kTUgw+lNKOd
         wMebMKUsNQSI+F01a6gWfegvaO4mNaimy1hXwxxthwN/rSiZMjxl8QS1iVgfLazKLrRc
         Jw7WRGVnlXQ90KbZZuSwMKu6Q5X8qccgldSQsFkmQYW4HM94HdxMvM4koyejmUGBxAfl
         76thqi/RGnTE4kCMZ+R4IRW/2jGr7arRrZuoIAGOQaFB8xhe4SNHp2iVW1weDZl53XZW
         rqGQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from:dkim-signature;
        bh=1f/smKnwmtiRK2P5LgSy6KZCg5RzuJqS5cHeXb+1RLQ=;
        b=vx0bTxmtPUrnMHWRcJgVSRYXGSWFOWYIvUCowt8YKDuV6966sGEGlOO1M50+JPW55t
         iFrj3cX6Wfx+8uOEFINVTD4yd2QEKQO4MpUsbxAERiL9qApG1+NHpHd1P8dv4lU7bCCd
         R6BnLoJruhSETsUcRnW+4JvK3zmTY5DMVmUG22MiBTLvrzfnhzh1IYtluh6DPKu1/VCv
         24fNO4pJKkZNNsVwu+9Pb+fT+qQlJxkQIQJwiG2NnkYzOzIMDV83IQt1ntiNbtyfv8YH
         Umgbuxfe7AaWMhVa6/OTgtHI94jgajkzKshq2rS5Md6G7H9SDr24VzrdLsaIJRu29ukU
         IOPg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@intel.com header.s=Intel header.b=XIH8lIlg;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id q5-20020a170902bd8500b001895a1d382dsi4274686pls.451.2022.12.10.08.35.22;
        Sat, 10 Dec 2022 08:35:32 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@intel.com header.s=Intel header.b=XIH8lIlg;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229844AbiLJQSx (ORCPT <rfc822;4ak.abc@gmail.com> + 75 others);
        Sat, 10 Dec 2022 11:18:53 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45380 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229529AbiLJQSv (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 10 Dec 2022 11:18:51 -0500
Received: from mga09.intel.com (mga09.intel.com [134.134.136.24])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6C6861837A;
        Sat, 10 Dec 2022 08:18:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1670689130; x=1702225130;
  h=from:to:cc:subject:date:message-id:mime-version:
   content-transfer-encoding;
  bh=hD60OSAbPLPeraC9NOnUQoDCC37vFgn4cF6EBQlwzlA=;
  b=XIH8lIlg1AzqxUkthCwJDyPyhNdeG3MI2kcwK+3hKmAxASjXR8rVjVUf
   W3qD7uLt9z9p/MjcjRPHS6Hmoxrkgulid4YAe2TuTHLurB5cwGmTPDcyI
   +VslTN22JHWm0nmux6x1lmx1PP1DnUgBaAfxh+2Stdokh4z5mYAHX8MQ7
   OuKy0xkRCMWYuEvUrbtcWFdS7/XDHWXfjwj9962m5DEVUr3NhzS8Hfuzj
   uHaraZMivatNCgVBdI8Z2mxW+oO1wICMlVZQKY4h65nVTyM+HCUU/Y48X
   DBbVLbJ2Fha3BmLtZbbaOiEnjhDQdzdnzTAb8ZsXm2W/4lIz9/PGiiwe6
   w==;
X-IronPort-AV: E=McAfee;i="6500,9779,10557"; a="318780413"
X-IronPort-AV: E=Sophos;i="5.96,234,1665471600"; 
   d="scan'208";a="318780413"
Received: from fmsmga008.fm.intel.com ([10.253.24.58])
  by orsmga102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 10 Dec 2022 08:18:49 -0800
X-IronPort-AV: E=McAfee;i="6500,9779,10557"; a="711208603"
X-IronPort-AV: E=Sophos;i="5.96,234,1665471600"; 
   d="scan'208";a="711208603"
Received: from unknown (HELO localhost.localdomain) ([10.239.161.133])
  by fmsmga008-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 10 Dec 2022 08:18:46 -0800
From:   Zhang Chen <chen.zhang@intel.com>
To:     x86@kernel.org, linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc:     Zhang Chen <chen.zhang@intel.com>, Chao Gao <chao.gao@intel.com>,
        Pawan Gupta <pawan.kumar.gupta@linux.intel.com>,
        Paolo Bonzini <pbonzini@redhat.com>,
        Sean Christopherson <seanjc@google.com>,
        "H. Peter Anvin" <hpa@zytor.com>,
        Dave Hansen <dave.hansen@linux.intel.com>,
        Borislav Petkov <bp@alien8.de>, Ingo Molnar <mingo@redhat.com>,
        Thomas Gleixner <tglx@linutronix.de>
Subject: [RFC PATCH 0/9] Intel SPEC CTRL virtualization support
Date:   Sun, 11 Dec 2022 00:00:37 +0800
Message-Id: <20221210160046.2608762-1-chen.zhang@intel.com>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,
        RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_NONE
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

This series introduces "virtual IA32_SPEC_CTRL" support. Here are introduction
and use cases of this new feature.

### Virtual IA32_SPEC_CTRL

Virtual IA32_SPEC_CTRL [1] is a new VMX feature on Intel CPUs.
This feature allows VMM to fix some bits of IA32_SPEC_CTRL MSR even when
the MSR is pass-thru'd to a guest.


### Use cases of virtual IA32_SPEC_CTRL

Software mitigations like Retpoline and software BHB-clearing sequence
depend on CPU microarchitectures. And guest cannot know exactly
the underlying microarchitecture. When a guest is migrated between
processors of different microarchitectures, software mitigations which
work perfectly on previous microachitecture may be not effective on the
new one. To fix the problem, some hardware mitigations should be used in
conjunction with software mitigations. Using virtual IA32_SPEC_CTRL,
VMM can enforce hardware mitigations transparently to guests and avoid
those hardware mitigations being accidentally disabled when guest
changes IA32_SPEC_CTRL MSR.


### Intention of this series

This series adds the capability of enforcing hardware mitigations for
guests transparently and efficiently (i.e., without intecepting
IA32_SPEC_CTRL MSR accesses) to kvm. The capability can be used to solve
the VM migration issue in a pool consisting of processors of different
microarchitectures.

Specifically, below are two target scenarios of this series:

Scenario 1: If retpoline is used by a VM to mitigate IMBTI in CPL0, VMM
            can set RRSBA_DIS_S on parts enumerates RRSBA. Note that
            the VM is presented with a microarchitecture doesn't enumerate
            RRSBA.

Scenario 2: If a VM uses software BHB-clearing sequence on transitions
            into CPL0 to mitigate BHI, VMM can use "virtual
            IA32_SPEC_CTRL" to set BHI_DIS_S on newer
            hardware which doesn't enumerate BHI_NO.

Intel defines some virtual MSRs for guests to notify VMM of software
mitigations in use. Such information allows VMM to enable hardware
mitigations only when necessary (i.e., VMs care about the vulnerability
and are using software mitigiation) to minimize the performance impact
to other VMs. The support of the virtual MSRs also added in this series.

### Organization of this series

This series is developed based on v6.1-rc7 (commit ef4d3ea40565a781c25847e9cb96c1bd9f462bc6)

1. Patch 1 introduce Intel SPEC_CTRL BHI related definition.
2. Patch 2/3 advertises {RRSBA/BHI}_CTRL for retpoline/BHB-clearing
sequence mitigations for KVM.
3. Patch 4 introduce Intel virtual IA32_SPEC_CTRL
4. Patch 5-7 virtualize a set of virtual MSRs for guests to communicate
   software mitigations in use.
5. Patch 8-9 enable "virtual IA32_SPEC_CTRL" VMX feature with virtual
   MSRs support in KVM.

### Documentation

Refer to below link for more information:
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/branch-history-injection.html



Pawan Gupta (1):
  x86/bugs: Use Virtual MSRs to request hardware mitigations

Zhang Chen (8):
  x86/speculation: Introduce Intel SPEC_CTRL BHI related definition
  KVM: x86: Add a kvm-only leaf for RRSBA_CTRL
  KVM: x86: Add a kvm-only leaf for BHI_CTRL
  x86/kvm/vmx: Virtualize Intel IA32_SPEC_CTRL
  kvm/x86: Add ARCH_CAP_VIRTUAL_ENUM for guest
    MSR_IA32_ARCH_CAPABILITIES
  kvm/x86: Add MSR_VIRTUAL_MITIGATION_ENUM/CTRL emulation
  x86/kvm/vmx: Initialize SPEC_CTRL MASK for RRSBA
  x86/kvm/vmx: Initialize SPEC_CTRL MASK for BHI

 arch/x86/include/asm/msr-index.h       |  29 +++++++
 arch/x86/include/asm/vmx.h             |   5 ++
 arch/x86/include/asm/vmxfeatures.h     |   2 +
 arch/x86/kernel/cpu/bugs.c             |  24 ++++++
 arch/x86/kvm/cpuid.c                   |   4 +
 arch/x86/kvm/reverse_cpuid.h           |   9 ++
 arch/x86/kvm/vmx/capabilities.h        |   5 ++
 arch/x86/kvm/vmx/vmx.c                 | 109 ++++++++++++++++++++++++-
 arch/x86/kvm/vmx/vmx.h                 |  27 +++++-
 arch/x86/kvm/x86.c                     |  23 +++++-
 tools/arch/x86/include/asm/msr-index.h |   6 ++
 11 files changed, 238 insertions(+), 5 deletions(-)

-- 
2.25.1