From patchwork Wed Apr 5 23:45:55 2023
X-Patchwork-Submitter: Sean Christopherson
X-Patchwork-Id: 79979
Date: Wed, 5 Apr 2023 16:45:55 -0700
In-Reply-To: <20230405234556.696927-1-seanjc@google.com>
References: <20230405234556.696927-1-seanjc@google.com>
Message-ID: <20230405234556.696927-2-seanjc@google.com>
Subject: [PATCH 1/2] KVM: VMX: Inject #GP on ENCLS if vCPU has paging disabled (CR0.PG==0)
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Binbin Wu, Kai Huang

Inject a #GP when emulating/forwarding a valid ENCLS leaf if the vCPU has paging disabled, e.g. if KVM is intercepting ECREATE to enforce additional restrictions. The pseudocode in the SDM lists all #GP triggers, including CR0.PG=0, as being checked after the ENCLS-exiting checks, i.e. the VM-Exit will occur before the CPU performs the CR0.PG check.

Fixes: 70210c044b4e ("KVM: VMX: Add SGX ENCLS[ECREATE] handler to enforce CPUID restrictions")
Cc: Binbin Wu
Cc: Kai Huang
Signed-off-by: Sean Christopherson
Reviewed-by: Kai Huang
Tested-by: Kai Huang
--- arch/x86/kvm/vmx/sgx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/kvm/vmx/sgx.c b/arch/x86/kvm/vmx/sgx.c index aa53c98034bf..f881f6ff6408 100644 --- a/arch/x86/kvm/vmx/sgx.c +++ b/arch/x86/kvm/vmx/sgx.c @@ -375,7 +375,7 @@ int handle_encls(struct kvm_vcpu *vcpu) if (!encls_leaf_enabled_in_guest(vcpu, leaf)) { kvm_queue_exception(vcpu, UD_VECTOR); - } else if (!sgx_enabled_in_guest_bios(vcpu)) { + } else if (!sgx_enabled_in_guest_bios(vcpu) || !is_paging(vcpu)) { kvm_inject_gp(vcpu, 0); } else { if (leaf == ECREATE)
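
Review bot: the new `!is_paging(vcpu)` term in the `else if` of handle_encls() has no comment explaining why KVM must emulate a CR0.PG check that hardware would otherwise perform. The commit message gives the reason (the SDM pseudocode checks CR0.PG=0 after the ENCLS-exiting checks, so the VM-Exit occurs before the CPU gets to it); a short comment above the condition stating that would make clear why two unrelated #GP causes, `sgx_enabled_in_guest_bios()` and paging state, share one branch. Because the condition sits after the `encls_leaf_enabled_in_guest()` branch, #UD keeps priority over the new #GP, and the comment could also say that this ordering is intended.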