Received: by 2002:a05:6358:11c7:b0:104:8066:f915 with SMTP id i7csp170778rwl; Thu, 30 Mar 2023 14:01:47 -0700 (PDT) X-Google-Smtp-Source: AKy350ZcqarNK4xEERnnWloQ5tAL8rBtqtYPyR8PyBM9H6ZmXgNh659AmC1sf86y0UKNAlKN7DsX X-Received: by 2002:a05:6a20:7da7:b0:d9:f4e9:546d with SMTP id v39-20020a056a207da700b000d9f4e9546dmr4192899pzj.6.1680210107629; Thu, 30 Mar 2023 14:01:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1680210107; cv=none; d=google.com; s=arc-20160816; b=Q9/zdqYkZ+Qxge9rIRg/kNlihsTddCZScVwUcMm+9SCitWPrXra9Gpaz2733sktBeI CSIBZDbvt6vOVVd66bhxjGPV3Zq2wvvt+Bx5MDUwtRtYaafwKZcQrXU+oqAZFeYxOUWC FonY/AYhfcK5nViXept26yxyOElLryl53KXaCI790GJPzAg7XRNywaVDzDsiD8iwQiiE 1/Iz9SzoMBFcoDuvwn+T26T7B2UE3jWRMpjx971MuOj3aJ9EYbRJxIxBC4FkOdCgpgvu V7o8NvXm0fvQQSWxhWZ5+MOvLJXk/z4CCRdUK6zNfSf9EzY9bru3Are88VbZ8mavYFxQ MMlg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id:dkim-signature; bh=zoygelJTY/opdM34De9Gr6EJqe4Hin8pGQNMKB0ESO8=; b=UqAZZ4bjRBh0S/7CkkaUP7alhIXDvJukq9nMudMgFgrNO9z48JtONu2f1DD9OzT4AV WAZ3jJ1twMsvMgAnc8N8c+8xSni1FjneLFZjbY9zwZ3eoAlu3g9s6dELTOYFSiII632i RHCVFUBwJnM3Cta9NIOBY3ZYR5DAlxr6zWodEYKWB6rA8h7PEt5tC//iSQdtKgAYtgCf t4QA0AWt5H8RrAqcIAm2n25JxpbG/jdqQfd+eCQ1GRCl/CfzUo8KHlaldlHH5tIcmc3A +rL6BlfmhLNsorf5MoE+8x5SH4G1hTrRiYC1a+ei92gBrTuVbVphI/raqjf829kcTx4+ lxNg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@grsecurity.net header.s=grsec header.b=UHMCFgvi; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=grsecurity.net Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id i4-20020a635404000000b00513173c4529si531419pgb.404.2023.03.30.14.01.35; Thu, 30 Mar 2023 14:01:47 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@grsecurity.net header.s=grsec header.b=UHMCFgvi; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=grsecurity.net Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229963AbjC3UzT (ORCPT + 99 others); Thu, 30 Mar 2023 16:55:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53180 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229646AbjC3UzS (ORCPT ); Thu, 30 Mar 2023 16:55:18 -0400 Received: from mail-ed1-x52f.google.com (mail-ed1-x52f.google.com [IPv6:2a00:1450:4864:20::52f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0F3B1A26C for ; Thu, 30 Mar 2023 13:55:17 -0700 (PDT) Received: by mail-ed1-x52f.google.com with SMTP id b20so81678372edd.1 for ; Thu, 30 Mar 2023 13:55:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=grsecurity.net; s=grsec; t=1680209715; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=zoygelJTY/opdM34De9Gr6EJqe4Hin8pGQNMKB0ESO8=; b=UHMCFgvi4ls3VETItz9xEUB5CMaXPppEj6UjuVwRCcEKQENZ1JAnm8gD1/5GLw/BFw t5b62Y3X++xzAya4uglorT+PXsE1uIyR7pGqpUqc4NWtrZKADmTyGXHwvDoky5jitF30 I0DwjR3LwIoxgnRGR8ye6SigUDw9spg3o67mINwus6+TPUOCwUQeSQVKOWg54mCvkP5d 3JKg01YSBQGTCzODNQabzoyF5SyXo+A5UHSIDBqgJWr25F04MGxFxwL/JP9nAH6AF+43 F8XzoPQ7LN8E9dAyrz6pnS4F+tsKGntQMS+CoEqNCx1J/ddlaATIqO8xFzEAKDnE4un7 VC2w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680209715; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=zoygelJTY/opdM34De9Gr6EJqe4Hin8pGQNMKB0ESO8=; b=RGTXyKh0LLo34y5KCScQWLJHLEqVtqrQv5x+DXzgiX+qWXmaZGYIroTImQasKlMyRu Js+f5LPbbLK2jpDjH1iOeUWQWPK0yHcN/LA3frNgSypbvn69wCmFJEDCL492Xk/sDsin fhMcUF4Blg/wJ0AuM9VSSsnw9Ay++s8psfPTyX9qJh6+U7ptYSPJOfGF0vmOn65b2p4d AYSA8CJeuHFMc2fB4JYqi2bDiXVyJ+TfB5KdUdx8lQy6DPPhK85fsmu7xzYVunQ2KOa6 j7Ps7E7i6tTWJArNO8q1oFXcAK+IjROxKjOnp0FHCivH51ePna9Rb6JevO3XXjf6ho5O aQHg== X-Gm-Message-State: AAQBX9eRugBMwxkSZeM2VO2wXbaWtpRJ6n897AO/vR9grWhJUw+eQw1h tsP3k1vJoaiZhc5FwQSxTiegO4E2YzcmYT0XERs= X-Received: by 2002:a17:906:738a:b0:933:4ca3:9678 with SMTP id f10-20020a170906738a00b009334ca39678mr22836204ejl.24.1680209715456; Thu, 30 Mar 2023 13:55:15 -0700 (PDT) Received: from ?IPV6:2003:f6:af13:8b00:c684:f698:a009:dbf2? (p200300f6af138b00c684f698a009dbf2.dip0.t-ipconnect.de. [2003:f6:af13:8b00:c684:f698:a009:dbf2]) by smtp.gmail.com with ESMTPSA id b10-20020a1709065e4a00b0093dbb008281sm202117eju.130.2023.03.30.13.55.14 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 30 Mar 2023 13:55:15 -0700 (PDT) Message-ID: <9a51bd67-13cf-909a-8740-2a2f08fb42b8@grsecurity.net> Date: Thu, 30 Mar 2023 22:55:13 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.9.0 Subject: Re: [PATCH v4 6/6] KVM: VMX: Make CR0.WP a guest owned bit Content-Language: en-US, de-DE To: Sean Christopherson Cc: kvm@vger.kernel.org, Paolo Bonzini , linux-kernel@vger.kernel.org References: <20230322013731.102955-1-minipli@grsecurity.net> <20230322013731.102955-7-minipli@grsecurity.net> <677169b4-051f-fcae-756b-9a3e1bb9f8fe@grsecurity.net> From: Mathias Krause In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=0.1 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,NICE_REPLY_A, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 30.03.23 22:33, Sean Christopherson wrote: > Duh, this is likely a KVM bug. I expect the issue will go away if you revert > > fb509f76acc8 ("KVM: VMX: Make CR0.WP a guest owned bit") > > KVM doesn't consume CR0.WP for _its_ MMU, but it does consume CR0.WP for the > guest walker. By passing through CR0.WP, toggling only CR0.WP will not trap > (obviously) and thus won't run through kvm_post_set_cr0(), thus resulting in stle > information due to not invoking kvm_init_mmu(). That reasoning sounds familiar ;) > > I'm preetty sure I even called that we needed to refresh the permissions, but then > obviously forgot to actually make that happen. :( > > I believe this will remedy the issue. If it does, I'll post a proper patch > (likely won't be until next week). Compile tested only. > > --- > arch/x86/kvm/mmu.h | 8 +++++++- > arch/x86/kvm/mmu/mmu.c | 14 ++++++++++++++ > 2 files changed, 21 insertions(+), 1 deletion(-) > > diff --git a/arch/x86/kvm/mmu.h b/arch/x86/kvm/mmu.h > index 89f532516a45..4a303aa735dd 100644 > --- a/arch/x86/kvm/mmu.h > +++ b/arch/x86/kvm/mmu.h > @@ -113,6 +113,7 @@ void kvm_init_shadow_ept_mmu(struct kvm_vcpu *vcpu, bool execonly, > bool kvm_can_do_async_pf(struct kvm_vcpu *vcpu); > int kvm_handle_page_fault(struct kvm_vcpu *vcpu, u64 error_code, > u64 fault_address, char *insn, int insn_len); > +void kvm_mmu_refresh_passthrough_bits(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu); > > int kvm_mmu_load(struct kvm_vcpu *vcpu); > void kvm_mmu_unload(struct kvm_vcpu *vcpu); > @@ -184,8 +185,13 @@ static inline u8 permission_fault(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu, > u64 implicit_access = access & PFERR_IMPLICIT_ACCESS; > bool not_smap = ((rflags & X86_EFLAGS_AC) | implicit_access) == X86_EFLAGS_AC; > int index = (pfec + (not_smap << PFERR_RSVD_BIT)) >> 1; > - bool fault = (mmu->permissions[index] >> pte_access) & 1; > u32 errcode = PFERR_PRESENT_MASK; > + bool fault; > + > + if (tdp_enabled) > + kvm_mmu_refresh_passthrough_bits(vcpu, mmu); > + > + fault = (mmu->permissions[index] >> pte_access) & 1; > > WARN_ON(pfec & (PFERR_PK_MASK | PFERR_RSVD_MASK)); > if (unlikely(mmu->pkru_mask)) { > diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c > index 4c874d4ec68f..2a63b5725f36 100644 > --- a/arch/x86/kvm/mmu/mmu.c > +++ b/arch/x86/kvm/mmu/mmu.c > @@ -5186,6 +5186,20 @@ static union kvm_cpu_role kvm_calc_cpu_role(struct kvm_vcpu *vcpu, > return role; > } > > +void kvm_mmu_refresh_passthrough_bits(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu) > +{ > + const bool cr0_wp = kvm_is_cr0_bit_set(vcpu, X86_CR0_WP); > + > + BUILD_BUG_ON((KVM_MMU_CR0_ROLE_BITS & KVM_POSSIBLE_CR0_GUEST_BITS) != X86_CR0_WP); > + BUILD_BUG_ON((KVM_MMU_CR4_ROLE_BITS & KVM_POSSIBLE_CR4_GUEST_BITS)); > + > + if (is_cr0_wp(mmu) == cr0_wp) > + return; > + > + mmu->cpu_role.base.cr0_wp = cr0_wp; > + reset_guest_paging_metadata(vcpu, mmu); > +} > + > static inline int kvm_mmu_get_tdp_level(struct kvm_vcpu *vcpu) > { > /* tdp_root_level is architecture forced level, use it if nonzero */ > > base-commit: 27d6845d258b67f4eb3debe062b7dacc67e0c393 I tested a backported version of this patch on v6.1 as that's what I was testing with and it worked fine. :) I'll do more thorough tests tomorrow and actually on kvm-x86/next's HEAD. Thanks a lot, Sean! Mathias