Message-ID: <35b92d89-3eb1-368e-3804-e3ce9ad9c81f@linux.intel.com>
Date: Mon, 17 Apr 2023 11:17:36 +0800
Subject: Re: [RFC PATCH v2 04/11] KVM: VMX: Add IA32_SPEC_CTRL virtualization support
From: Binbin Wu
To: Chao Gao, kvm@vger.kernel.org
Cc: Jiaan Lu, Zhang Chen, Sean Christopherson, Paolo Bonzini, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86@kernel.org, "H. Peter Anvin", linux-kernel@vger.kernel.org
References: <20230414062545.270178-1-chao.gao@intel.com> <20230414062545.270178-5-chao.gao@intel.com>
In-Reply-To: <20230414062545.270178-5-chao.gao@intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 4/14/2023 2:25 PM, Chao Gao wrote:
> From: Zhang Chen
>
> Currently KVM disables interception of IA32_SPEC_CTRL after a non-0 is
> written to IA32_SPEC_CTRL by guest. Then, guest is allowed to write any
> value to hardware.
>
> "virtualize IA32_SPEC_CTRL" is a new tertiary vm-exec control. This
> feature allows KVM to specify that certain bits of the IA32_SPEC_CTRL
> MSR cannot be modified by guest software.
>
> Two VMCS fields are added:
>
> IA32_SPEC_CTRL_MASK: bits that guest software cannot modify
> IA32_SPEC_CTRL_SHADOW: value that guest software expects to be in the
> IA32_SPEC_CTRL MSR
>
> On rdmsr, the shadow value is returned. on wrmsr, EDX:EAX is written
> to the IA32_SPEC_CTRL_SHADOW and (cur_val & mask) | (EDX:EAX & ~mask)
> is written to the IA32_SPEC_CTRL MSR, where
> * cur_val is the original value of IA32_SPEC_CTRL MSR
> * mask is the value of IA32_SPEC_CTRL_MASK
>
> Add a mask e.g.,

e.g. or i.e. ?

> loaded_vmcs->spec_ctrl_mask to represent the bits guest
> shouldn't change. It is 0 for now and some bits will be added by
> following patches. Use per-vmcs cache to avoid unnecessary vmcs_write()
> on nested transition because the mask is expected to be rarely changed
> and the same for vmcs01 and vmcs02.
>
> To prevent guest from changing the bits in the mask, enable "virtualize
> IA32_SPEC_CTRL" if supported or emulate its behavior by intercepting
> the IA32_SPEC_CTRL msr. Emulating "virtualize IA32_SPEC_CTRL" behavior
> is mainly to give the same capability to KVM running on potential broken
> hardware or L1 guests.
>
> To avoid L2 evading the enforcement, enable "virtualize IA32_SPEC_CTRL"
> in vmcs02. Always update the guest (shadow) value of IA32_SPEC_CTRL MSR
> and the mask to preserve them across nested transitions. Note that the
> shadow value may be changed because L2 may access the IA32_SPEC_CTRL
> directly and the mask may be changed due to migration when L2 vCPUs are
> running.
>
> Co-developed-by: Chao Gao
> Signed-off-by: Chao Gao
> Signed-off-by: Zhang Chen
> Signed-off-by: Chao Gao > Tested-by: Jiaan Lu > --- > arch/x86/include/asm/vmx.h | 5 ++++ > arch/x86/include/asm/vmxfeatures.h | 2 ++ > arch/x86/kvm/vmx/capabilities.h | 5 ++++ > arch/x86/kvm/vmx/nested.c | 13 ++++++++++ > arch/x86/kvm/vmx/vmcs.h | 2 ++ > arch/x86/kvm/vmx/vmx.c | 34 ++++++++++++++++++++----- > arch/x86/kvm/vmx/vmx.h | 40 +++++++++++++++++++++++++++++- > 7 files changed, 94 insertions(+), 7 deletions(-) > [...] > @@ -750,4 +766,26 @@ static inline bool guest_cpuid_has_evmcs(struct kvm_vcpu *vcpu) > to_vmx(vcpu)->nested.enlightened_vmcs_enabled; > } > > +static inline u64 vmx_get_guest_spec_ctrl(struct vcpu_vmx *vmx) > +{ > + return vmx->guest_spec_ctrl; > +} > + > +static inline void vmx_set_guest_spec_ctrl(struct vcpu_vmx *vmx, u64 val) > +{ > + vmx->guest_spec_ctrl = val; > + > + /* > + * For simplicity, always keep IA32_SPEC_CTRL_SHADOW up-to-date, > + * regardless of the MSR intercept state. It is better to use "IA32_SPEC_CTRL" explicitly instead of "the MSR" to avoid misunderstanding. > + */ > + if (cpu_has_spec_ctrl_virt()) > + vmcs_write64(IA32_SPEC_CTRL_SHADOW, val); > + > + /* > + * Update the effective value of IA32_SPEC_CTRL to reflect changes to > + * guest's IA32_SPEC_CTRL. Bits in the mask should always be set. > + */ > + vmx->spec_ctrl = val | vmx_get_spec_ctrl_mask(vmx); > +} > #endif /* __KVM_X86_VMX_H */
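
Review bot: the last statement of vmx_set_guest_spec_ctrl(), `vmx->spec_ctrl = val | vmx_get_spec_ctrl_mask(vmx);`, forces every masked bit to 1, whereas the commit message defines the hardware result of a guest wrmsr as (cur_val & mask) | (EDX:EAX & ~mask), which keeps the current value of masked bits rather than setting them. The two only agree when every bit in the mask is already 1 in the hardware value. The comment "Bits in the mask should always be set" hints at that but does not say who guarantees it; either spell out the invariant there (masked bits are only ever bits the host forces on) or derive the effective value from the current vmx->spec_ctrl with the same formula the hardware uses, so the emulated path cannot diverge from the virtualized one if a later patch adds a masked bit that is meant to stay clear.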
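
The rdmsr/wrmsr semantics described in the quoted commit message, as an added C model that is not part of the original mail or the patch. The struct and helper names are hypothetical, and using IBRS as the masked bit is a constructed assumption (the patch leaves the mask at 0); the model also compares the hardware formula with the `val | mask` value the quoted helper computes.

```c
#include <stdint.h>
#include <stdio.h>

/* Architectural IA32_SPEC_CTRL bits. */
#define SPEC_CTRL_IBRS  (1ULL << 0)
#define SPEC_CTRL_STIBP (1ULL << 1)
#define SPEC_CTRL_SSBD  (1ULL << 2)

/* Hypothetical model of one vCPU's state; not a KVM structure. */
struct spec_ctrl_model {
    uint64_t msr;    /* value held in the hardware IA32_SPEC_CTRL MSR */
    uint64_t shadow; /* IA32_SPEC_CTRL_SHADOW: what the guest expects to read */
    uint64_t mask;   /* IA32_SPEC_CTRL_MASK: bits the guest cannot modify */
};

/* Guest wrmsr: shadow takes the written value; masked MSR bits keep cur_val. */
static void guest_wrmsr(struct spec_ctrl_model *m, uint64_t val)
{
    m->shadow = val;
    m->msr = (m->msr & m->mask) | (val & ~m->mask);
}

/* Guest rdmsr: the shadow value is returned, not the hardware value. */
static uint64_t guest_rdmsr(const struct spec_ctrl_model *m)
{
    return m->shadow;
}

/* Effective value as the quoted helper computes it: val | mask. */
static uint64_t effective_or_mask(uint64_t val, uint64_t mask)
{
    return val | mask;
}

int main(void)
{
    /* Constructed scenario: the host pins IBRS on before the guest runs. */
    struct spec_ctrl_model m = { .msr = SPEC_CTRL_IBRS, .mask = SPEC_CTRL_IBRS };

    guest_wrmsr(&m, SPEC_CTRL_SSBD); /* guest write that tries to drop IBRS */
    printf("guest reads %#llx, hardware holds %#llx, val|mask gives %#llx\n",
           (unsigned long long)guest_rdmsr(&m), (unsigned long long)m.msr,
           (unsigned long long)effective_or_mask(SPEC_CTRL_SSBD, m.mask));
    return 0;
}
```

With a masked bit that is clear in the hardware value, the hardware formula leaves it clear while `val | mask` sets it, which is the case the enforcement logic has to rule out.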