| Message ID | 20230420133724.11398-1-guang.zeng@intel.com |
|---|---|
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:b0ea:0:b0:3b6:4342:cba0 with SMTP id b10csp383068vqo;
Thu, 20 Apr 2023 07:34:46 -0700 (PDT)
X-Google-Smtp-Source:
AKy350YWk4stdiYHAKq/V4sZJVJFJNGtL8jV/vXf54YQvfngpENkxK3e6wUZFx0MNvPbXZjamV6H
X-Received: by 2002:a92:c0c2:0:b0:32b:7087:c428 with SMTP id
t2-20020a92c0c2000000b0032b7087c428mr1536740ilf.6.1682001286006;
Thu, 20 Apr 2023 07:34:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1682001285; cv=none;
d=google.com; s=arc-20160816;
b=BZ0Pnw9RPNsBJPD5+xMSowwcfzA5o96xdrQl7lEN47fNUpvQsWeMJ8g9kReFYr42Wa
sWc1HEZuZ7jkn3Knuwc97CETKFo4ZAGdpADj9fK378XWScMfcMM4vufh5CPD3JmA5EY/
LU482aRkAWduD+FekeMwUB3Td603Wh/pCYhVLvDJ5VBPBDuJenUWOXa0h98xfDD/NFe1
jsoO3tPanfep9J3P+qph10MXBxcCAHuX64VOFwC15TORAhgDSuNpktquCUoDgAj37NJc
z5xl6QR1PqoxWfIM5zcJbBt3+wxXCZfL79TGOljRVPdkipnjXCzqyYIJ0z6GgkHstfpJ
VVjQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:message-id:date:subject:cc:to:from
:dkim-signature;
bh=X6tHjwSXmlFl2GZVWPofVEYnKgpJRLISgNgtVv/IuoM=;
b=S65zvj9mNa7W2zGX1xCJVAIqjY7lKHcio6tV7TwY8Fb+vd271Hzre6dpCdk004+b1a
0wfVEZMvYrQ6XtNC4+CE1txJVZ3U7yQyOCq6oRw5QLYUYAXb5YaS4gND9+7gwdUOm1PY
tGJBP1FycQGOmGoE/tPiMfJTdj0NGUkdnkSvjitNPcUJuV/SaY3t9SFsq1cY8ZkjQdl6
BXUK66R3+xOseCCd7v56eLIcesSvlewozcVIZJ5XmCg4fdxx6vV5Lt5+/G2qXsyWMIT9
o/prcatffVieEPgIRycngBBgjep8sYtlnyzL0MZVVtQiQ50vepD4QGFcCLkHjatreNbV
TXww==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@intel.com header.s=Intel header.b=DgFl3KMC;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
g35-20020a028526000000b0040f6694877fsi1601274jai.106.2023.04.20.07.34.24;
Thu, 20 Apr 2023 07:34:45 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@intel.com header.s=Intel header.b=DgFl3KMC;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S231954AbjDTOQT (ORCPT <rfc822;cjcooper78@gmail.com> + 99 others);
Thu, 20 Apr 2023 10:16:19 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39524 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S230459AbjDTOQO (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Thu, 20 Apr 2023 10:16:14 -0400
Received: from mga11.intel.com (mga11.intel.com [192.55.52.93])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BC4A240DB;
Thu, 20 Apr 2023 07:16:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
t=1682000173; x=1713536173;
h=from:to:cc:subject:date:message-id;
bh=Rwr5CeFQ61aTbP5d7pe753QwhuSBeTN+SBYWhcSkS7A=;
b=DgFl3KMCb7fYydrRgGdD8MNogg+rmw2sQY545aQq7shV+Znvz+40w/dk
G+aoSkUxilkHQ8t0yZcgqKWfjGqKwwEzoHeZTzjAcV5Zh2yu/jl55fPJI
ptn3d15lon/TUBKZBiDFrzXbwYlip8FYEPdaroHLN78kksfr+ZcW3GO3i
ShnZDeYSyl0jsRNZsZKyqRVErrJKmYPVdI01BPTdEorwMQFBr00w+889X
++B770+Hx7O1hRG/6YbQ+grKy7L1hCynUugz2lj13KzRo0ZjN+zyE6EZR
NmLnA7aGzvFOqPB1B0itOHgiSNK7lszP30Vh1HadLexSGKzpwxv3jkUQR
g==;
X-IronPort-AV: E=McAfee;i="6600,9927,10686"; a="343217764"
X-IronPort-AV: E=Sophos;i="5.99,212,1677571200";
d="scan'208";a="343217764"
Received: from orsmga004.jf.intel.com ([10.7.209.38])
by fmsmga102.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
20 Apr 2023 07:16:00 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=McAfee;i="6600,9927,10686"; a="816028785"
X-IronPort-AV: E=Sophos;i="5.99,212,1677571200";
d="scan'208";a="816028785"
Received: from arthur-vostro-3668.sh.intel.com ([10.238.200.53])
by orsmga004-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
20 Apr 2023 07:15:57 -0700
From: Zeng Guang <guang.zeng@intel.com>
To: Paolo Bonzini <pbonzini@redhat.com>,
Sean Christopherson <seanjc@google.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
H Peter Anvin <hpa@zytor.com>, kvm@vger.kernel.org
Cc: x86@kernel.org, linux-kernel@vger.kernel.org,
Gao Chao <chao.gao@intel.com>,
Zeng Guang <guang.zeng@intel.com>
Subject: [PATCH 0/6] LASS KVM virtualization support
Date: Thu, 20 Apr 2023 21:37:18 +0800
Message-Id: <20230420133724.11398-1-guang.zeng@intel.com>
X-Mailer: git-send-email 2.17.1
X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,
SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=ham
autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1763706180184235857?=
X-GMAIL-MSGID: =?utf-8?q?1763706180184235857?=
|
| Series |
LASS KVM virtualization support
|
|
Message
Zeng Guang
April 20, 2023, 1:37 p.m. UTC
Linear Address Space Separation (LASS)[1] is a new mechanism that
enforces the same mode-based protections as paging, i.e. SMAP/SMEP but
without traversing the paging structures. Because the protections
enforced by LASS are applied before paging, "probes" by malicious
software will provide no paging-based timing information.
LASS works in long mode and partitions the 64-bit canonical linear
address space into two halves:
1. Lower half (LA[63]=0) --> user space
2. Upper half (LA[63]=1) --> kernel space
When LASS is enabled, a general protection #GP fault or a stack fault
#SS will be generated if software accesses the address from the half
in which it resides to another half, e.g., either from user space to
upper half, or from kernel space to lower half. This protection applies
to data access, code execution.
This series add KVM LASS virtualization support.
When platform has LASS capability, KVM requires to expose this feature
to guest VM enumerated by CPUID.(EAX=07H.ECX=1):EAX.LASS[bit 6], and
allow guest to enable it via CR4.LASS[bit 27] on demand. For instruction
executed in the guest directly, hardware will perform the LASS violation
check, while KVM also needs to apply LASS to instructions emulated by
software and injects #GP or #SS fault to the guest.
Following LASS voilations check will be taken on KVM emulation path.
User-mode access to supervisor space address:
LA[bit 63] && (CPL == 3)
Supervisor-mode access to user space address:
Instruction fetch: !LA[bit 63] && (CPL < 3)
Data access: !LA[bit 63] && (CR4.SMAP==1) && ((RFLAGS.AC == 0 &&
CPL < 3) || Implicit supervisor access)
We tested the basic function of LASS virtualization including LASS
enumeration and enabling in non-root and nested environment. As current
KVM unittest framework is not compatible to LASS rule that kernel should
run in the upper half, we use kernel module and application test to verify
LASS functionalities in guest instead. The data access related x86 emulator
code is verified with forced emulation prefix (FEP) mechanism. Other test
cases are working in progress.
How to add tests for LASS in KUT or kselftest is still under investigation.
[1] Intel Architecutre Instruction Set Extensions and Future Features
Programming Reference: Chapter Linear Address Space Separation (LASS)
https://cdrdv2.intel.com/v1/dl/getContent/671368
Zeng Guang (6):
KVM: x86: Virtualize CR4.LASS
KVM: VMX: Add new ops in kvm_x86_ops for LASS violation check
KVM: x86: Add emulator helper for LASS violation check
KVM: x86: LASS protection on KVM emulation when LASS enabled
KVM: x86: Advertise LASS CPUID to user space
KVM: x86: Set KVM LASS based on hardware capability
arch/x86/include/asm/cpuid.h | 36 +++++++++++++++++++
arch/x86/include/asm/kvm-x86-ops.h | 1 +
arch/x86/include/asm/kvm_host.h | 7 +++-
arch/x86/kvm/cpuid.c | 8 +++--
arch/x86/kvm/emulate.c | 36 ++++++++++++++++---
arch/x86/kvm/kvm_emulate.h | 1 +
arch/x86/kvm/vmx/nested.c | 3 ++
arch/x86/kvm/vmx/sgx.c | 2 ++
arch/x86/kvm/vmx/vmx.c | 58 ++++++++++++++++++++++++++++++
arch/x86/kvm/vmx/vmx.h | 2 ++
arch/x86/kvm/x86.c | 9 +++++
arch/x86/kvm/x86.h | 2 ++
12 files changed, 157 insertions(+), 8 deletions(-)
Comments
On 4/20/2023 9:37 PM, Zeng Guang wrote: > Linear Address Space Separation (LASS)[1] is a new mechanism that > enforces the same mode-based protections as paging, i.e. SMAP/SMEP but > without traversing the paging structures. Because the protections > enforced by LASS are applied before paging, "probes" by malicious > software will provide no paging-based timing information. > > LASS works in long mode and partitions the 64-bit canonical linear > address space into two halves: > 1. Lower half (LA[63]=0) --> user space > 2. Upper half (LA[63]=1) --> kernel space > > When LASS is enabled, a general protection #GP fault or a stack fault > #SS will be generated if software accesses the address from the half > in which it resides to another half, The accessor's mode is based on CPL, not the address range, so it feels a bit inaccurate of descripton "in which it resides". > e.g., either from user space to > upper half, or from kernel space to lower half. This protection applies > to data access, code execution. > > This series add KVM LASS virtualization support. > > When platform has LASS capability, KVM requires to expose this feature > to guest VM enumerated by CPUID.(EAX=07H.ECX=1):EAX.LASS[bit 6], and > allow guest to enable it via CR4.LASS[bit 27] on demand. For instruction > executed in the guest directly, hardware will perform the LASS violation > check, while KVM also needs to apply LASS to instructions emulated by > software and injects #GP or #SS fault to the guest. > > Following LASS voilations check will be taken on KVM emulation path. /s/voilations/violations > User-mode access to supervisor space address: > LA[bit 63] && (CPL == 3) > Supervisor-mode access to user space address: > Instruction fetch: !LA[bit 63] && (CPL < 3) > Data access: !LA[bit 63] && (CR4.SMAP==1) && ((RFLAGS.AC == 0 && > CPL < 3) || Implicit supervisor access) > > We tested the basic function of LASS virtualization including LASS > enumeration and enabling in non-root and nested environment. As current > KVM unittest framework is not compatible to LASS rule that kernel should > run in the upper half, we use kernel module and application test to verify > LASS functionalities in guest instead. The data access related x86 emulator > code is verified with forced emulation prefix (FEP) mechanism. Other test > cases are working in progress. > > How to add tests for LASS in KUT or kselftest is still under investigation. > > [1] Intel Architecutre Instruction Set Extensions and Future Features /s/Architecutre/Architecture > Programming Reference: Chapter Linear Address Space Separation (LASS) > https://cdrdv2.intel.com/v1/dl/getContent/671368 > > Zeng Guang (6): > KVM: x86: Virtualize CR4.LASS > KVM: VMX: Add new ops in kvm_x86_ops for LASS violation check > KVM: x86: Add emulator helper for LASS violation check > KVM: x86: LASS protection on KVM emulation when LASS enabled > KVM: x86: Advertise LASS CPUID to user space > KVM: x86: Set KVM LASS based on hardware capability > > arch/x86/include/asm/cpuid.h | 36 +++++++++++++++++++ > arch/x86/include/asm/kvm-x86-ops.h | 1 + > arch/x86/include/asm/kvm_host.h | 7 +++- > arch/x86/kvm/cpuid.c | 8 +++-- > arch/x86/kvm/emulate.c | 36 ++++++++++++++++--- > arch/x86/kvm/kvm_emulate.h | 1 + > arch/x86/kvm/vmx/nested.c | 3 ++ > arch/x86/kvm/vmx/sgx.c | 2 ++ > arch/x86/kvm/vmx/vmx.c | 58 ++++++++++++++++++++++++++++++ > arch/x86/kvm/vmx/vmx.h | 2 ++ > arch/x86/kvm/x86.c | 9 +++++ > arch/x86/kvm/x86.h | 2 ++ > 12 files changed, 157 insertions(+), 8 deletions(-) >
On 4/24/2023 9:20 AM, Binbin Wu wrote: > On 4/20/2023 9:37 PM, Zeng Guang wrote: >> Linear Address Space Separation (LASS)[1] is a new mechanism that >> enforces the same mode-based protections as paging, i.e. SMAP/SMEP but >> without traversing the paging structures. Because the protections >> enforced by LASS are applied before paging, "probes" by malicious >> software will provide no paging-based timing information. >> >> LASS works in long mode and partitions the 64-bit canonical linear >> address space into two halves: >> 1. Lower half (LA[63]=0) --> user space >> 2. Upper half (LA[63]=1) --> kernel space >> >> When LASS is enabled, a general protection #GP fault or a stack fault >> #SS will be generated if software accesses the address from the half >> in which it resides to another half, > The accessor's mode is based on CPL, not the address range, > so it feels a bit inaccurate of descripton "in which it resides". > This is alternative description to implicitly signify the privilege level, i.e. code running in upper half means it is in supervisor mode, otherwise it's in user mode. :) >> e.g., either from user space to >> upper half, or from kernel space to lower half. This protection applies >> to data access, code execution. >> >> This series add KVM LASS virtualization support. >> >> When platform has LASS capability, KVM requires to expose this feature >> to guest VM enumerated by CPUID.(EAX=07H.ECX=1):EAX.LASS[bit 6], and >> allow guest to enable it via CR4.LASS[bit 27] on demand. For instruction >> executed in the guest directly, hardware will perform the LASS violation >> check, while KVM also needs to apply LASS to instructions emulated by >> software and injects #GP or #SS fault to the guest. >> >> Following LASS voilations check will be taken on KVM emulation path. > /s/voilations/violations > > >> User-mode access to supervisor space address: >> LA[bit 63] && (CPL == 3) >> Supervisor-mode access to user space address: >> Instruction fetch: !LA[bit 63] && (CPL < 3) >> Data access: !LA[bit 63] && (CR4.SMAP==1) && ((RFLAGS.AC == 0 && >> CPL < 3) || Implicit supervisor access) >> >> We tested the basic function of LASS virtualization including LASS >> enumeration and enabling in non-root and nested environment. As current >> KVM unittest framework is not compatible to LASS rule that kernel should >> run in the upper half, we use kernel module and application test to verify >> LASS functionalities in guest instead. The data access related x86 emulator >> code is verified with forced emulation prefix (FEP) mechanism. Other test >> cases are working in progress. >> >> How to add tests for LASS in KUT or kselftest is still under investigation. >> >> [1] Intel Architecutre Instruction Set Extensions and Future Features > /s/Architecutre/Architecture > Sorry for typos above. Thanks. >> Programming Reference: Chapter Linear Address Space Separation (LASS) >> https://cdrdv2.intel.com/v1/dl/getContent/671368 >> >> Zeng Guang (6): >> KVM: x86: Virtualize CR4.LASS >> KVM: VMX: Add new ops in kvm_x86_ops for LASS violation check >> KVM: x86: Add emulator helper for LASS violation check >> KVM: x86: LASS protection on KVM emulation when LASS enabled >> KVM: x86: Advertise LASS CPUID to user space >> KVM: x86: Set KVM LASS based on hardware capability >> >> arch/x86/include/asm/cpuid.h | 36 +++++++++++++++++++ >> arch/x86/include/asm/kvm-x86-ops.h | 1 + >> arch/x86/include/asm/kvm_host.h | 7 +++- >> arch/x86/kvm/cpuid.c | 8 +++-- >> arch/x86/kvm/emulate.c | 36 ++++++++++++++++--- >> arch/x86/kvm/kvm_emulate.h | 1 + >> arch/x86/kvm/vmx/nested.c | 3 ++ >> arch/x86/kvm/vmx/sgx.c | 2 ++ >> arch/x86/kvm/vmx/vmx.c | 58 ++++++++++++++++++++++++++++++ >> arch/x86/kvm/vmx/vmx.h | 2 ++ >> arch/x86/kvm/x86.c | 9 +++++ >> arch/x86/kvm/x86.h | 2 ++ >> 12 files changed, 157 insertions(+), 8 deletions(-) >>