[v10,034/108] KVM: x86/mmu: Add Suppress VE bit to shadow_mmio_{value, mask}

Message ID 1c480a48c2697054b1cfe068fa073f4035648f9a.1667110240.git.isaku.yamahata@intel.com
State New
Series KVM TDX basic feature support

Commit Message

Isaku Yamahata Oct. 30, 2022, 6:22 a.m. UTC
  From: Isaku Yamahata <isaku.yamahata@intel.com>

Because TDX will need shadow_mmio_mask to be VMX_SUPPRESS_VE | RWX and
shadow_mmio_value to be 0, make VMX EPT case use same value for TDX
shadow_mmio_mask.  For VMX, VMX_SUPPRESS_VE doesn't matter, it doesn't
affect VMX logic to add the bit to shadow_mmio_{value, mask}.  Note that
shadow_mmio_value will be per-VM value.

Signed-off-by: Isaku Yamahata <isaku.yamahata@intel.com>
---
 arch/x86/kvm/mmu/spte.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
  

Comments

Kai Huang Nov. 9, 2022, 11:48 a.m. UTC | #1
On Sat, 2022-10-29 at 23:22 -0700, isaku.yamahata@intel.com wrote:
> From: Isaku Yamahata <isaku.yamahata@intel.com>
> 
> Because TDX will need shadow_mmio_mask to be VMX_SUPPRESS_VE | RWX and
> shadow_mmio_value to be 0, make VMX EPT case use same value for TDX
> shadow_mmio_mask.  
> 

TDX needing to use a different mmio_mask/value doesn't mean they need to be changed
for VMX guests.  I think the true purpose here is to still be able to use a
global shadow_mmio_mask for both TDX and VMX guests.  So please explicitly call
that out.


> For VMX, VMX_SUPPRESS_VE doesn't matter, it doesn't
> affect VMX logic to add the bit to shadow_mmio_{value, mask}.  Note that
> shadow_mmio_value will be per-VM value.

Not sure why the last sentence matters.

> 
> Signed-off-by: Isaku Yamahata <isaku.yamahata@intel.com>
> ---
>  arch/x86/kvm/mmu/spte.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/arch/x86/kvm/mmu/spte.c b/arch/x86/kvm/mmu/spte.c
> index 0b97a045c5f0..5d5c06d4fd89 100644
> --- a/arch/x86/kvm/mmu/spte.c
> +++ b/arch/x86/kvm/mmu/spte.c
> @@ -437,8 +437,8 @@ void kvm_mmu_set_ept_masks(bool has_ad_bits, bool has_exec_only)
>  	 * EPT Misconfigurations are generated if the value of bits 2:0
>  	 * of an EPT paging-structure entry is 110b (write/execute).
>  	 */
> -	kvm_mmu_set_mmio_spte_mask(VMX_EPT_MISCONFIG_WX_VALUE,
> -				   VMX_EPT_RWX_MASK, 0);
> +	kvm_mmu_set_mmio_spte_mask(VMX_EPT_MISCONFIG_WX_VALUE | VMX_EPT_SUPPRESS_VE_BIT,

Is the "suppress #VE" bit required for mmio_value for VMX guests? Why add it?

> +				   VMX_EPT_RWX_MASK | VMX_EPT_SUPPRESS_VE_BIT, 0);
>  }
>  EXPORT_SYMBOL_GPL(kvm_mmu_set_ept_masks);
>
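Review bot: The comment above the kvm_mmu_set_mmio_spte_mask() call still documents only the 110b write/execute encoding, so nothing in the code explains why VMX_EPT_SUPPRESS_VE_BIT now appears in both the value and the mask arguments. Please extend that comment with the reason given in the changelog: the bit is added so the same shadow_mmio_mask can cover TDX, and for VMX it does not change the misconfig behaviour. A reader of spte.c should not need the commit log to see that the extra bit is intentional.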
  
Isaku Yamahata Nov. 17, 2022, 6:02 p.m. UTC | #2
On Wed, Nov 09, 2022 at 11:48:30AM +0000,
"Huang, Kai" <kai.huang@intel.com> wrote:

> On Sat, 2022-10-29 at 23:22 -0700, isaku.yamahata@intel.com wrote:
> > From: Isaku Yamahata <isaku.yamahata@intel.com>
> > 
> > Because TDX will need shadow_mmio_mask to be VMX_SUPPRESS_VE | RWX and
> > shadow_mmio_value to be 0, make VMX EPT case use same value for TDX
> > shadow_mmio_mask.  
> > 
> 
> TDX needing to use a different mmio_mask/value doesn't mean they need to be changed
> for VMX guests.  I think the true purpose here is to still be able to use a
> global shadow_mmio_mask for both TDX and VMX guests.  So please explicitly call
> that out.

That's right. With this change, per-VM shadow_mmio_{value, mask} can be avoided.
The common value can be used for both VMX and TDX.
  
Sean Christopherson Nov. 28, 2022, 11:51 p.m. UTC | #3
On Thu, Nov 17, 2022, Isaku Yamahata wrote:
> On Wed, Nov 09, 2022 at 11:48:30AM +0000,
> "Huang, Kai" <kai.huang@intel.com> wrote:
> 
> > On Sat, 2022-10-29 at 23:22 -0700, isaku.yamahata@intel.com wrote:
> > > From: Isaku Yamahata <isaku.yamahata@intel.com>
> > > 
> > > Because TDX will need shadow_mmio_mask to be VMX_SUPPRESS_VE | RWX and
> > > shadow_mmio_value to be 0, make VMX EPT case use same value for TDX
> > > shadow_mmio_mask.  
> > > 
> > 
> > TDX needing to use a different mmio_mask/value doesn't mean they need to be changed
> > for VMX guests.  I think the true purpose here is to still be able to use a
> > global shadow_mmio_mask for both TDX and VMX guests.  So please explicitly call
> > that out.
> 
> That's right. With this change, per-VM shadow_mmio_{value, mask} can be avoided.
> The common value can be used for both VMX and TDX.

No, the mask can be global, but the value needs to be per-VM.  VMX needs to
generate an EPT misconfig, but TDX needs to generate an EPT violation to get the
automagic #VE reflection.
  

Patch

diff --git a/arch/x86/kvm/mmu/spte.c b/arch/x86/kvm/mmu/spte.c
index 0b97a045c5f0..5d5c06d4fd89 100644
--- a/arch/x86/kvm/mmu/spte.c
+++ b/arch/x86/kvm/mmu/spte.c
@@ -437,8 +437,8 @@  void kvm_mmu_set_ept_masks(bool has_ad_bits, bool has_exec_only)
 	 * EPT Misconfigurations are generated if the value of bits 2:0
 	 * of an EPT paging-structure entry is 110b (write/execute).
 	 */
-	kvm_mmu_set_mmio_spte_mask(VMX_EPT_MISCONFIG_WX_VALUE,
-				   VMX_EPT_RWX_MASK, 0);
+	kvm_mmu_set_mmio_spte_mask(VMX_EPT_MISCONFIG_WX_VALUE | VMX_EPT_SUPPRESS_VE_BIT,
+				   VMX_EPT_RWX_MASK | VMX_EPT_SUPPRESS_VE_BIT, 0);
 }
 EXPORT_SYMBOL_GPL(kvm_mmu_set_ept_masks);
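Review bot: The first argument on the added line sets VMX_EPT_SUPPRESS_VE_BIT in the global MMIO value, while the changelog says TDX needs shadow_mmio_value to be 0 under a mask of VMX_SUPPRESS_VE | RWX. Those two values cannot be the same, so only the mask widened here is actually shared; the value set in this call is the VMX one. The changelog should say that directly: the mask becomes common to VMX and TDX, the value stays per-VM, and the VMX value carries the suppress #VE bit only so it still matches under the wider mask. As written, "make VMX EPT case use same value for TDX" reads as if the value were shared too.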