Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.38 as permitted sender) client-ip=23.128.96.38;
Message-ID: <7531921a-e7b2-4027-86c4-75fc91a45f26@intel.com>
Date:   Mon, 4 Dec 2023 08:45:13 +0800
User-Agent: Mozilla Thunderbird
Subject: Re: [PATCH v7 21/26] KVM: x86: Save and reload SSP to/from SMRAM
To:     Chao Gao <chao.gao@intel.com>, Maxim Levitsky <mlevitsk@redhat.com>
CC:     <seanjc@google.com>, <pbonzini@redhat.com>,
        <dave.hansen@intel.com>, <kvm@vger.kernel.org>,
        <linux-kernel@vger.kernel.org>, <peterz@infradead.org>,
        <rick.p.edgecombe@intel.com>, <john.allen@amd.com>
References: <20231124055330.138870-1-weijiang.yang@intel.com>
 <20231124055330.138870-22-weijiang.yang@intel.com>
 <d2be8a787969b76f71194ce65bd6f35426b60dcc.camel@redhat.com>
 <ZWlDhYBYGiX7ir4X@chao-email>
Content-Language: en-US
From:   "Yang, Weijiang" <weijiang.yang@intel.com>
In-Reply-To: <ZWlDhYBYGiX7ir4X@chao-email>
Content-Type: text/plain; charset="UTF-8"; format=flowed
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?Z1hUQkFlbWlManhFN2hJa1gzdEpPczYvRmtNbWVLNC9pY2xjRUxpckZGMVYx?=
 =?utf-8?B?NlplZjhTS3ZKWkV3cXFsdDhiQ1RTakdoVUx3azVTbnk3SVpzSzdYS3hYOExP?=
 =?utf-8?B?SXZ4OTdpRGg5L0x3WE9lb3Fkblg4aHdPeDEvdlBheDBRVm5PSGU0OHJqUGZp?=
 =?utf-8?B?cGZCNzgrdkJTNzZvNHcwRmc2WVZmR2tQTGFldjVBUDJva081cjJvcHVob1F0?=
 =?utf-8?B?YUF4ZWt3V1ZZMmZsQ09lOW9kUGpPd3dudWdhTmlhL3lkR0VXNE15ZlpZakpl?=
 =?utf-8?B?TDVSQWlBZVl4dXptdTdZRzZCOW4zSmE4NXBXZTNQSHNnQnVzTE1NazRPeU5J?=
 =?utf-8?B?T0pYRHBRWkxpY2tydEZTY3BDY3dkWVpkVDdkdFRNOXB5UHc2VzFwOVAxV2V2?=
 =?utf-8?B?WmhnYzlUbkE1Q1UwUVlER29HTWR4TU45bWhmSlZKUG1Lcmp5eEN2RGJ2RDND?=
 =?utf-8?B?YnJNT3UybFRNQVZSY1ZDSVYwaGQ0Mlk1WjkwWnVwNXJwTGY1ZkJmK3dxUmpF?=
 =?utf-8?B?RHQ4bjR5WjQ3c0hXTERnbXkzTzczZWtDSWdEUmJpRnBZMWVNL3E1djQ1dUcv?=
 =?utf-8?B?S2Y3c1VIUHJ6dkFLaGFxRDVhNW9uSjJKZUhDVnU0R0tGK2xWUnNYYThCY3ZL?=
 =?utf-8?B?cGJOd2ZWRDdmbUdYZjJOa3gxSlNhOW5uZEhYVUVxdTQrV0V6S1cxMi9hQUNN?=
 =?utf-8?B?UE5xeEZYWkUvSVp1Zi85YmJvSzFyemlGVklldFN1V2ZTTkI0cXlQd0d2Ylhr?=
 =?utf-8?B?NWV1YkRydWE3NE9SclZNeldpZFd5QXZnQnpiTys4dlJVeXdVWkJTRVBza093?=
 =?utf-8?B?VFJWb2liOEJiY0pZWk5NTEZIY0FHblZBZjFCaEkvNDdET2l6TThsRGRCbG9m?=
 =?utf-8?B?d0d4TWl1SUlxT3d1R0pHTGU2bjV0Ynd2WEozNnhTOHE2TFZTc0pTQWNXaCt5?=
 =?utf-8?B?d29NTlc4TmI2TDdaNEdqWFF1bUdKTzQ2TC83dVBuKzFjTmtKaGV2ZzVyTklr?=
 =?utf-8?B?YmdtRTNoZ1M3ZDlkdDBXOFZJMVJSTXJ0MTRzN0M1d3pVWXdLbW45REVkNk5B?=
 =?utf-8?B?TUhkTjZBZlNxak1qSWFON1lsUDZOeVV5SjlvaWRWaHZIL1pYcjA5eFFJZHk2?=
 =?utf-8?B?VmFLUlV2RkE0WXp5Tkw2U2d3bEZ6VHJjUEZPVEo3c01Fd2pHbUtDaVRMODht?=
 =?utf-8?B?UHlDTm9jYTZQNW1GOGR3Y21qdzBXMEpVYzZNblRCdnhPK2ZaYWhwNXU2QVZS?=
 =?utf-8?B?dTQ4SGE1ZWZRRllVb01vaEVzVFZLc3I2c2NKcEEyYjVpV1dHWTdsRFZtZ2pz?=
 =?utf-8?B?YjJjMlUvMU0yeFVvTGRDS3BBdEdzbUwzcEZ3STlkSko4NzNTdGp6N1lPeTcw?=
 =?utf-8?B?azhQQmg1V2FLaHltbGlFMzAybmpMT1IvU1l6QnZueXR3alAreUxDNjFXdGFW?=
 =?utf-8?B?dXB2am8rOG1LaTBBcXlEcmRLYmJ5ZzJhdmt3WFlJeUtLQktITWo3cUxhMFph?=
 =?utf-8?B?WEQwRkovNWttclQzdTdZVmNpb0xKQ2JscHRRUkNFbHV0L255TTVtOTI0bWgx?=
 =?utf-8?B?MUIrSnhtZnBXTFdGNWlja3hpVVJyN0N6dkxTV0xGZzNTNHR0bm9qbVFJNG9H?=
 =?utf-8?B?ME5OUHg2blJINWhYY0ZtQXNoZ1h5UXJzclZscXFQNDBETkI1OTVtWWRFaFIz?=
 =?utf-8?B?cVgwYjdxWkQwbUpiMHU5UmtVTkpGSUptanpKNFE1MjNoR2RhaHVJZmJqTzl6?=
 =?utf-8?B?Q3QzQWZGMHNaSmpyNmcvK3JUWVpxNGRLR3AzQnhBMFRLaGNrZytjU0NTdk1m?=
 =?utf-8?B?cHl3SjBmWk9iMWNFVjd2Uk1YbWVCMDNNV0NnY2JUN204TWYzTmk0SHZLbytI?=
 =?utf-8?B?MXJaUU1XM2pDWmVpa25kRFRKVVJzWUlYWS9EYjFEVm4waVpoWDBmcFBFTzg3?=
 =?utf-8?B?c2FHWlVMSEdOM0REWEEvWmFxM0hkdEhpUjZpOEY2NnVMSmN4N1BMUGJOK01r?=
 =?utf-8?B?U3Y0cUxueHFHanJJbytEdWpGNmJvY0Rta0JxRklpVEVTdExTbzR3WWV1ZFFj?=
 =?utf-8?B?SGhrNmZrR1l6VDBmSGNTQUZORVdRNHVWNHdyS3k1bDdUcVRYbUx0YjJkY2xp?=
 =?utf-8?B?WHVhWE9oVkJOWTJuNkpBdUlIU0d6ZzNaeWVsY1FJMkRpNGc1djh6NjQ5a1dp?=
 =?utf-8?B?UFE9PQ==?=
X-MS-Exchange-CrossTenant-Network-Message-Id: 38326acc-39f2-4e3e-3e95-08dbf4624ddf
X-MS-Exchange-CrossTenant-AuthSource: PH0PR11MB4965.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 04 Dec 2023 00:45:25.7482
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 46c98d88-e344-4ed4-8496-4ed7712e255d
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: UbEqhXpgUgQhY5YFGyDc0sXZf3DKGr/XTVPi0O3gLnRrETRkqovzX7VFkL5vvZVrPRelhVskiqiEH3f+d+xlYg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH0PR11MB8087
X-OriginatorOrg: intel.com
X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE
	autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on fry.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (fry.vger.email [0.0.0.0]); Sun, 03 Dec 2023 16:45:48 -0800 (PST)

On 12/1/2023 10:23 AM, Chao Gao wrote:
> On Thu, Nov 30, 2023 at 07:42:44PM +0200, Maxim Levitsky wrote:
>> On Fri, 2023-11-24 at 00:53 -0500, Yang Weijiang wrote:
>>> Save CET SSP to SMRAM on SMI and reload it on RSM. KVM emulates HW arch
>>> behavior when guest enters/leaves SMM mode,i.e., save registers to SMRAM
>>> at the entry of SMM and reload them at the exit to SMM. Per SDM, SSP is
>>> one of such registers on 64bit Arch, so add the support for SSP.
>>>
>>> Suggested-by: Sean Christopherson <seanjc@google.com>
>>> Signed-off-by: Yang Weijiang <weijiang.yang@intel.com>
>>> ---
>>>   arch/x86/kvm/smm.c | 8 ++++++++
>>>   arch/x86/kvm/smm.h | 2 +-
>>>   2 files changed, 9 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/arch/x86/kvm/smm.c b/arch/x86/kvm/smm.c
>>> index 45c855389ea7..7aac9c54c353 100644
>>> --- a/arch/x86/kvm/smm.c
>>> +++ b/arch/x86/kvm/smm.c
>>> @@ -275,6 +275,10 @@ static void enter_smm_save_state_64(struct kvm_vcpu *vcpu,
>>>   	enter_smm_save_seg_64(vcpu, &smram->gs, VCPU_SREG_GS);
>>>   
>>>   	smram->int_shadow = static_call(kvm_x86_get_interrupt_shadow)(vcpu);
>>> +
>>> +	if (guest_can_use(vcpu, X86_FEATURE_SHSTK))
>>> +		KVM_BUG_ON(kvm_msr_read(vcpu, MSR_KVM_SSP, &smram->ssp),
>>> +			   vcpu->kvm);
>>>   }
>>>   #endif
>>>   
>>> @@ -564,6 +568,10 @@ static int rsm_load_state_64(struct x86_emulate_ctxt *ctxt,
>>>   	static_call(kvm_x86_set_interrupt_shadow)(vcpu, 0);
>>>   	ctxt->interruptibility = (u8)smstate->int_shadow;
>>>   
>>> +	if (guest_can_use(vcpu, X86_FEATURE_SHSTK))
>>> +		KVM_BUG_ON(kvm_msr_write(vcpu, MSR_KVM_SSP, smstate->ssp),
>>> +			   vcpu->kvm);
>>> +
>>>   	return X86EMUL_CONTINUE;
>>>   }
>>>   #endif
>>> diff --git a/arch/x86/kvm/smm.h b/arch/x86/kvm/smm.h
>>> index a1cf2ac5bd78..1e2a3e18207f 100644
>>> --- a/arch/x86/kvm/smm.h
>>> +++ b/arch/x86/kvm/smm.h
>>> @@ -116,8 +116,8 @@ struct kvm_smram_state_64 {
>>>   	u32 smbase;
>>>   	u32 reserved4[5];
>>>   
>>> -	/* ssp and svm_* fields below are not implemented by KVM */
>>>   	u64 ssp;
>>> +	/* svm_* fields below are not implemented by KVM */
>>>   	u64 svm_guest_pat;
>>>   	u64 svm_host_efer;
>>>   	u64 svm_host_cr4;
>>
>> My review feedback from the previous patch series still applies, and I don't
>> know why it was not addressed/replied to:
>>
>> I still think that it is worth it to have a check that CET is not enabled in
>> enter_smm_save_state_32 which is called for pure 32 bit guests (guests that don't
>> have X86_FEATURE_LM enabled)
> can KVM just reject a KVM_SET_CPUID ioctl which attempts to expose shadow stack
> (or even any CET feature) to 32-bit guest in the first place? I think it is simpler.

I favor adding an early defensive check for the issue under discussion if we want to handle the case.
Crashing the VM at runtime when guest SMI is kicked seems not user friendly.