Received: by 2002:ab2:6816:0:b0:1f9:5764:f03e with SMTP id t22csp1106228lqo; Fri, 17 May 2024 10:47:50 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCVqLu0908Rxp04KWukRtINQNgMj8pgx8AGbczbreQ8ms1kQL2N7jmxqOcq5Iiswk/oRTk9Myej1CN6gE2WsHr6IRY10Vr5yMgpcgZM3Fg== X-Google-Smtp-Source: AGHT+IFZgv26ynm5iwaH+Odxff8ErkprZZ21oHNtC0oMRf2DGo3wIqW8ONO2aYPB5Rx64QMbg+la X-Received: by 2002:a05:622a:2c7:b0:439:b41a:56c1 with SMTP id d75a77b69052e-43dfdb503f1mr297305131cf.34.1715968070482; Fri, 17 May 2024 10:47:50 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1715968070; cv=pass; d=google.com; s=arc-20160816; b=oV93n2hAwAUazvsXdapWmGKi3hIMNMWwFgJuXuRpbKZOmZyjvyySayOhJQ83gAgm+D pf93ig5sSP4P/w1QM9Eo3WIRzCfsMgh6w1fr37nF/FhvrvmjRKebohCvNBbp8kQ3SJdr SPrLywWxttM0Tnn53piV4nEoGZYMWrvkvYPdz8GGxZzpO3MgeruSb9YgY20wwy4aVgc2 nm9y9E4YlY72TQKG6EH/7yCe+tcHJywMAqA6ztwuldEUpj+kvf61lkpISVYM3kW7wZn/ MCDFb/TjDgN5WPfZcjd/mGB3xt0cCsL4q5+LQryRdMQXoJ39bud/0GpoHnQCuqDYDHoM +/Ew== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=cc:to:from:subject:message-id:references:mime-version :list-unsubscribe:list-subscribe:list-id:precedence:in-reply-to:date :reply-to:dkim-signature; bh=afJWK5FLO96r/JX5VZZ/glVEZp394HL111OEQ71TOyU=; fh=G4QKSRSMCUH8VZ273oqfuESyk3nNxItQ7uenkNLbotg=; b=fDxEpsp1ByvThgFiGfR7Z6MfLSIzwgAgMxfcwVV+e/Y8fp5sXpDqG4CLOkiSOdv5er EE29AdTyUvCihCYjVeRsZLhBWLwJSwOkUp8dNXSdslOpsStvUqxPhcRb9MwPryK7/Vhl pShooLuwUKDgAqHCSD9JjjOCF0vx7FOogTvcP1Q2+CT0KLHo4L8qNd4OSQojVmn1oMaB gVV8dQl8pBHcjdYbJ2kOrTeySb3Pdc9F/EBWlryOiuaGcw/zMmcHvs08usLZmnWfIFRp NYEeMqNNtQSuNtRWDX7qEqPltUOGeOXfMsoTpm5FJhZOrjQawLCNQfZHbEEgWciRniFh s2bA==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=a5FjFnp1; arc=pass (i=1 spf=pass spfdomain=flex--seanjc.bounces.google.com dkim=pass dkdomain=google.com dmarc=pass fromdomain=google.com); spf=pass (google.com: domain of linux-kernel+bounces-182458-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-182458-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1]) by mx.google.com with ESMTPS id d75a77b69052e-43df87cdc3fsi181213581cf.771.2024.05.17.10.47.50 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 17 May 2024 10:47:50 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-182458-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=a5FjFnp1; arc=pass (i=1 spf=pass spfdomain=flex--seanjc.bounces.google.com dkim=pass dkdomain=google.com dmarc=pass fromdomain=google.com); spf=pass (google.com: domain of linux-kernel+bounces-182458-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-182458-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 278191C20CEF for ; Fri, 17 May 2024 17:47:50 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id CF33015250E; Fri, 17 May 2024 17:40:34 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="a5FjFnp1" Received: from mail-yw1-f201.google.com (mail-yw1-f201.google.com [209.85.128.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4EB981514C6 for ; Fri, 17 May 2024 17:40:32 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715967633; cv=none; b=sH7Th50e0Uv1jx5MooFvvJoSE2dGz2j8g5zx9KIFH6y3T8ZnJidKq1p+VSoyKoLtFEJCCoKZKZ5bulloFp4BXZk6Apsj0RF6/qYV7da5VNNERBmIsIqFxL+kiJ9Jyc/hmbkbxJ8nuhuOakAYDTQkPgDrMc1NVLI3eYqYz1pyfNs= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715967633; c=relaxed/simple; bh=NqsRgHWRN6F44HPpFxnftLqdK5RpQV2+BDjK35Q0DRk=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=kTc++v/tXsuF7zo3ayt73HuTfZ0arx3bThYjku6FkM8BBrdnjCWxFxxYBNtQcQq7Xs/w03OtzCmHofhcaOI4N2iln1yzkgWJSRVIXaDN7X9GLbH0fyfPBN6iekZepMsV/OH+b8Zh8yKWmV7JtINOyV209+by5Xta9YjAvlZuFEc= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=a5FjFnp1; arc=none smtp.client-ip=209.85.128.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com Received: by mail-yw1-f201.google.com with SMTP id 00721157ae682-61be23bb01aso199165627b3.2 for ; Fri, 17 May 2024 10:40:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1715967631; x=1716572431; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:reply-to:from:to:cc:subject:date:message-id:reply-to; bh=afJWK5FLO96r/JX5VZZ/glVEZp394HL111OEQ71TOyU=; b=a5FjFnp1Bg5CKZHs7JdTMQX9kWpDCxxXPvvlC+J/im9hOuJTDGyN2RohASe4fuIIqD h6yQ0rgoQ7vy9dwLHav3GT6XO8P6ZtRlhjQ6X6ySQ7MUC++cAmZVIPSYBE90QTiq2P6b Wacya9p03eks1DJctOc5eDTkI3TD0andW/zS28Y80Z0OceJY8Kb2zgX3Qupiv0RMVVJf k/vmxTfYF6PwYItgMPIQs0rYAv3kDK8YowEDgW9GZHLBEgrLQ7ytXTkw+d8Oc4ssV7GI r6NJSBV0nFwD+DC/wUmeaa1RFnjbX4YACWwJ65M1z75A4epmDkSOpAN51f12q1x1h+dY 92PA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1715967631; x=1716572431; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:reply-to:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=afJWK5FLO96r/JX5VZZ/glVEZp394HL111OEQ71TOyU=; b=Z3n7iX9FRMzkw/+xqikiHKRPqak2TtKBCE7UhtTU+Ci5VFacifXHCgLgtvVbiPBsKV NyDuY0wQVshokjtG/I45mKXv2imTDO4OR9KyvC3aJ2fEqdtwqOk5omdEAraLEIz+sLHW FAEcjdmCZCsKEeDm728tlekeH+oGdopf0Lto2ifV09STZjxsoagSeVLiI40fUVASbMYr fc0olUjVzGxeAgwKlbU/8Eudjgf+8qmrLX82sjwx2+Iy7xAFG8xvbVpbTW/kl0rHfKnG nckeIRRSnU5uh2wWUHavHjGCfbkH59a084apyl/5hAYZvjDFTYag+LbhcLhDAtZ2v6P1 GVmg== X-Forwarded-Encrypted: i=1; AJvYcCUyNcCMwVRZWSjV1o3Q4LB2ZyBb7FumsUVIq4VvJkhfUzHSBh9wDsaIXO4kIO5NTz7ee4Xg3Avo7Q64ggHF1hTc124cgkHxW8NHWGLc X-Gm-Message-State: AOJu0YxUGaWpKoItQ781NBhg2k3fXOteRRHdxeqn99UFIpWOzMbAg9BH Y+sVq6Wu98igCitZyoo4mDo3W3SDxy9Xj0eW261aGDMpXgPEtXA0CB0FUnEbF1nKo/3dOZ5vTiA sBg== X-Received: from zagreus.c.googlers.com ([fda3:e722:ac3:cc00:7f:e700:c0a8:5c37]) (user=seanjc job=sendgmr) by 2002:a05:690c:6687:b0:61b:e73d:bea2 with SMTP id 00721157ae682-622aff9bee6mr55768057b3.5.1715967631297; Fri, 17 May 2024 10:40:31 -0700 (PDT) Reply-To: Sean Christopherson Date: Fri, 17 May 2024 10:39:02 -0700 In-Reply-To: <20240517173926.965351-1-seanjc@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240517173926.965351-1-seanjc@google.com> X-Mailer: git-send-email 2.45.0.215.g3402c0e53f-goog Message-ID: <20240517173926.965351-26-seanjc@google.com> Subject: [PATCH v2 25/49] KVM: x86: Harden CPU capabilities processing against out-of-scope features From: Sean Christopherson To: Paolo Bonzini , Sean Christopherson , Vitaly Kuznetsov Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Hou Wenlong , Kechen Lu , Oliver Upton , Maxim Levitsky , Binbin Wu , Yang Weijiang , Robert Hoo Content-Type: text/plain; charset="UTF-8" Add compile-time assertions to verify that usage of F() and friends in kvm_set_cpu_caps() is scoped to the correct CPUID word, e.g. to detect bugs where KVM passes a feature bit from word X into word y. Add a one-off assertion in the aliased feature macro to ensure that only word 0x8000_0001.EDX aliased the features defined for 0x1.EDX. To do so, convert kvm_cpu_cap_init() to a macro and have it define a local variable to track which CPUID word is being initialized that is then used to validate usage of F() (all of the inputs are compile-time constants and thus can be fed into BUILD_BUG_ON()). Redefine KVM_VALIDATE_CPU_CAP_USAGE after kvm_set_cpu_caps() to be a nop so that F() can be used in other flows that aren't as easily hardened, e.g. __do_cpuid_func_emulated() and __do_cpuid_func(). Invoke KVM_VALIDATE_CPU_CAP_USAGE() in SF() and X86_64_F() to ensure the validation occurs, e.g. if the usage of F() is completely compiled out (which shouldn't happen for boot_cpu_has(), but could happen in the future, e.g. if KVM were to use cpu_feature_enabled()). Signed-off-by: Sean Christopherson --- arch/x86/kvm/cpuid.c | 55 +++++++++++++++++++++++++++++++------------- 1 file changed, 39 insertions(+), 16 deletions(-) diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c index a16d6e070c11..1064e4d68718 100644 --- a/arch/x86/kvm/cpuid.c +++ b/arch/x86/kvm/cpuid.c @@ -61,18 +61,24 @@ u32 xstate_required_size(u64 xstate_bv, bool compacted) return ret; } -#define F feature_bit +#define F(name) \ +({ \ + KVM_VALIDATE_CPU_CAP_USAGE(name); \ + feature_bit(name); \ +}) /* Scattered Flag - For features that are scattered by cpufeatures.h. */ #define SF(name) \ ({ \ BUILD_BUG_ON(X86_FEATURE_##name >= MAX_CPU_FEATURES); \ + KVM_VALIDATE_CPU_CAP_USAGE(name); \ (boot_cpu_has(X86_FEATURE_##name) ? F(name) : 0); \ }) /* Features that KVM supports only on 64-bit kernels. */ #define X86_64_F(name) \ ({ \ + KVM_VALIDATE_CPU_CAP_USAGE(name); \ (IS_ENABLED(CONFIG_X86_64) ? F(name) : 0); \ }) @@ -95,6 +101,7 @@ u32 xstate_required_size(u64 xstate_bv, bool compacted) #define AF(name) \ ({ \ BUILD_BUG_ON(__feature_leaf(X86_FEATURE_##name) != CPUID_1_EDX); \ + BUILD_BUG_ON(kvm_cpu_cap_init_in_progress != CPUID_8000_0001_EDX); \ feature_bit(name); \ }) @@ -622,22 +629,34 @@ static __always_inline u32 raw_cpuid_get(struct cpuid_reg cpuid) return *__cpuid_entry_get_reg(&entry, cpuid.reg); } -static __always_inline void kvm_cpu_cap_init(u32 leaf, u32 mask) -{ - const struct cpuid_reg cpuid = x86_feature_cpuid(leaf * 32); +/* + * Assert that the feature bit being declared, e.g. via F(), is in the CPUID + * word that's being initialized. Exempt 0x8000_0001.EDX usage of 0x1.EDX + * features, as AMD duplicated many 0x1.EDX features into 0x8000_0001.EDX. + */ +#define KVM_VALIDATE_CPU_CAP_USAGE(name) \ +do { \ + u32 __leaf = __feature_leaf(X86_FEATURE_##name); \ + \ + BUILD_BUG_ON(__leaf != kvm_cpu_cap_init_in_progress); \ +} while (0) - /* - * For kernel-defined leafs, mask the boot CPU's pre-populated value. - * For KVM-defined leafs, explicitly set the leaf, as KVM is the one - * and only authority. - */ - if (leaf < NCAPINTS) - kvm_cpu_caps[leaf] &= mask; - else - kvm_cpu_caps[leaf] = mask; - - kvm_cpu_caps[leaf] &= raw_cpuid_get(cpuid); -} +/* + * For kernel-defined leafs, mask the boot CPU's pre-populated value. For KVM- + * defined leafs, explicitly set the leaf, as KVM is the one and only authority. + */ +#define kvm_cpu_cap_init(leaf, mask) \ +do { \ + const struct cpuid_reg cpuid = x86_feature_cpuid(leaf * 32); \ + const u32 __maybe_unused kvm_cpu_cap_init_in_progress = leaf; \ + \ + if (leaf < NCAPINTS) \ + kvm_cpu_caps[leaf] &= (mask); \ + else \ + kvm_cpu_caps[leaf] = (mask); \ + \ + kvm_cpu_caps[leaf] &= raw_cpuid_get(cpuid); \ +} while (0) /* * Undefine the MSR bit macro to avoid token concatenation issues when @@ -870,6 +889,10 @@ void kvm_set_cpu_caps(void) } EXPORT_SYMBOL_GPL(kvm_set_cpu_caps); +#undef kvm_cpu_cap_init +#undef KVM_VALIDATE_CPU_CAP_USAGE +#define KVM_VALIDATE_CPU_CAP_USAGE(name) + struct kvm_cpuid_array { struct kvm_cpuid_entry2 *entries; int maxnent; -- 2.45.0.215.g3402c0e53f-goog