From patchwork Tue Jun 13 20:30:36 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sean Christopherson X-Patchwork-Id: 107546 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:994d:0:b0:3d9:f83d:47d9 with SMTP id k13csp816694vqr; Tue, 13 Jun 2023 13:53:22 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ7IDvGwsndbbvysdKBSF2C0DveRVFCbH7KxxpVhM4Bt++44eUyflqZoecFWlhIIvL2SiKZE X-Received: by 2002:a17:907:97c6:b0:961:800b:3f1e with SMTP id js6-20020a17090797c600b00961800b3f1emr15318245ejc.73.1686689602288; Tue, 13 Jun 2023 13:53:22 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1686689602; cv=none; d=google.com; s=arc-20160816; b=xafLm30+X/TU94k21KPP3sdzT97meZRRL8q0r2viRQgCSLrleJzPor4vKfHLixVPsy GSHUklQmWfKORE+9mG1OauSRw4jNBz2wdvHGIvMH7WdY7+VrUn9cA2nwql43sbZ2UA90 GaS0YzGbtPb5V0UVpiU7N0wLz70la1v/lH9SLGAFO5Tziqa/+74IsdHICsTz+2odZBiY 5OPaATUZRs29UMxufoqeUhWdn2S/lDKuE8CKacV2vQk0jmFk/j8VSpLLmi1QCJ6U/lwK TMJUk5MgZiQf1+4FiOt7YUXCnbWDz0+yM7nzvX1dPdnVcsomaPju/DWaHqX0VpJC9Of3 HnXg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:reply-to:dkim-signature; bh=nhgzjrJ4PRGX7uFIL4jmdB6VsD0CAYOCqUeVAnJCyuw=; b=R2c3GanXxqRAuhJnJJLcxuVPvUz1DJcdujOwOAQKvlnZkIIQqpzzsZMT4z6rYSLwu1 bW3T1xMGXp5g3Et3cojgj6hq2D9g/rXvZ+j5RvpflntJde7yXh8B6cJqsx6aDhsF0kMG xGP990vTHei7E/rv+7WX3H/pgxqmac72CSSa8WiIW+FdeHqPh8CuTn7fztS2VSm/ABB/ KFgWRmuyulw8WFDwqRcBRpa3D70y7E8eqhkLCtQch9lqb8UbkgAUP2tg0qe7BEu/IvLY RPS8EOcoq8TPoakVAd3Echob5XaA/z63jHafN02/c58emh+LbiIWeQkcmoI2ZFwrVMU/ ZQ1w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20221208 header.b=HJ9VefWM; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id g3-20020a170906198300b00957179f2362si7298590ejd.597.2023.06.13.13.52.57; Tue, 13 Jun 2023 13:53:22 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20221208 header.b=HJ9VefWM; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231284AbjFMUa6 (ORCPT + 99 others); Tue, 13 Jun 2023 16:30:58 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39430 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239029AbjFMUaq (ORCPT ); Tue, 13 Jun 2023 16:30:46 -0400 Received: from mail-pl1-x64a.google.com (mail-pl1-x64a.google.com [IPv6:2607:f8b0:4864:20::64a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BC1A4199A for ; Tue, 13 Jun 2023 13:30:44 -0700 (PDT) Received: by mail-pl1-x64a.google.com with SMTP id d9443c01a7336-1b3b39539b2so18191035ad.2 for ; Tue, 13 Jun 2023 13:30:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1686688244; x=1689280244; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:reply-to:from:to:cc:subject:date:message-id:reply-to; bh=nhgzjrJ4PRGX7uFIL4jmdB6VsD0CAYOCqUeVAnJCyuw=; b=HJ9VefWMJ7lh6t668VWFhwCWP36Oo4m5sAiE2zPCBPiEnR5+TS1FxRv3DpECJ9e6O4 whjjMVdgT+k5R6r2n75VQh0lAWXSf1712ImE1wwXz+kbCBgjAUwkw7o+ftMOkUxThkM1 JQ6H3r3VR/XrrCXzgGulx3yu9BYHUjiGx4E71Gi88XthzMhFukc50vBFQc6ok8mAAEes sTFceaBbDMnkd4xn3YEKTGccGcGOfjd7dVqJ6ezBuXvGcuXS0FIJCYiL96wfdHRvckuK fIbMDVM13VgOJU0bPBhFcAi9i/0QLwmjYhHYEF3aza0T6OT0Iu79eCDepZdzCX2Xwm/5 On+A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1686688244; x=1689280244; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:reply-to:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=nhgzjrJ4PRGX7uFIL4jmdB6VsD0CAYOCqUeVAnJCyuw=; b=FdXcudAvN7sQWtfbj02K72prOUEV7FU4X/iUPR+Sg4ZPZa+Y8NNsfhZu6pnEORF3Hw DWuYuY6B5CJTAKWSo6rK9HSs4/xLYO9TlwVWMM1IsnEL3bEe+0+9NfgZxil5U4QmUDuS PHax/X+aHuqVuSDdAKbl47dun6K+wNtji3gT0vJWiFecF9d/75ka2JofcY8SbTq0pQ1f cI8dqdYn+GbgHZB1+RX3CUFsOCywrqUnhr6PRY8C/uduY7s37B0NeGa7UlB+XnXqf6bB OlGgt2Ns7SETi2SH4oOSWrzfUwQZTIC5ZE4MU12zcXICXxqylPyuvEgvj2n/Kg19grb4 fHYg== X-Gm-Message-State: AC+VfDxuxAJ6ZnC0UTJROEuGycRfXf5HqhpvN2weTcaeJv+CmZbY+hKp 8Uwm1uhWo2KgBeDk0m+VExZ9qVw9yH0= X-Received: from zagreus.c.googlers.com ([fda3:e722:ac3:cc00:7f:e700:c0a8:5c37]) (user=seanjc job=sendgmr) by 2002:a17:90a:f988:b0:25b:c272:ab34 with SMTP id cq8-20020a17090af98800b0025bc272ab34mr1570327pjb.7.1686688244295; Tue, 13 Jun 2023 13:30:44 -0700 (PDT) Reply-To: Sean Christopherson Date: Tue, 13 Jun 2023 13:30:36 -0700 In-Reply-To: <20230613203037.1968489-1-seanjc@google.com> Mime-Version: 1.0 References: <20230613203037.1968489-1-seanjc@google.com> X-Mailer: git-send-email 2.41.0.162.gfafddb0af9-goog Message-ID: <20230613203037.1968489-3-seanjc@google.com> Subject: [PATCH 2/3] KVM: VMX: Don't fudge CR0 and CR4 for restricted L2 guest From: Sean Christopherson To: Sean Christopherson , Paolo Bonzini Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+5feef0b9ee9c8e9e5689@syzkaller.appspotmail.com, Jim Mattson X-Spam-Status: No, score=-9.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1768622236556590789?= X-GMAIL-MSGID: =?utf-8?q?1768622236556590789?= Stuff CR0 and/or CR4 to be compliant with a restricted guest if and only if KVM itself is not configured to utilize unrestricted guests, i.e. don't stuff CR0/CR4 for a restricted L2 that is running as the guest of an unrestricted L1. Any attempt to VM-Enter a restricted guest with invalid CR0/CR4 values should fail, i.e. in a nested scenario, KVM (as L0) should never observe a restricted L2 with incompatible CR0/CR4, since nested VM-Enter from L1 should have failed. And if KVM does observe an active, restricted L2 with incompatible state, e.g. due to a KVM bug, fudging CR0/CR4 instead of letting VM-Enter fail does more harm than good, as KVM will often neglect to undo the side effects, e.g. won't clear rmode.vm86_active on nested VM-Exit, and thus the damage can easily spill over to L1. On the other hand, letting VM-Enter fail due to bad guest state is more likely to contain the damage to L2 as KVM relies on hardware to perform most guest state consistency checks, i.e. KVM needs to be able to reflect a failed nested VM-Enter into L1 irrespective of (un)restricted guest behavior. Cc: Jim Mattson Cc: stable@vger.kernel.org Fixes: bddd82d19e2e ("KVM: nVMX: KVM needs to unset "unrestricted guest" VM-execution control in vmcs02 if vmcs12 doesn't set it") Signed-off-by: Sean Christopherson --- arch/x86/kvm/vmx/vmx.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index 355b0e8c9b00..6969a7728972 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -1503,6 +1503,11 @@ void vmx_set_rflags(struct kvm_vcpu *vcpu, unsigned long rflags) struct vcpu_vmx *vmx = to_vmx(vcpu); unsigned long old_rflags; + /* + * Unlike CR0 and CR4, RFLAGS handling requires checking if the vCPU + * is an unrestricted guest in order to mark L2 as needing emulation + * if L1 runs L2 as a restricted guest. + */ if (is_unrestricted_guest(vcpu)) { kvm_register_mark_available(vcpu, VCPU_EXREG_RFLAGS); vmx->rflags = rflags; @@ -3255,7 +3260,7 @@ void vmx_set_cr0(struct kvm_vcpu *vcpu, unsigned long cr0) old_cr0_pg = kvm_read_cr0_bits(vcpu, X86_CR0_PG); hw_cr0 = (cr0 & ~KVM_VM_CR0_ALWAYS_OFF); - if (is_unrestricted_guest(vcpu)) + if (enable_unrestricted_guest) hw_cr0 |= KVM_VM_CR0_ALWAYS_ON_UNRESTRICTED_GUEST; else { hw_cr0 |= KVM_VM_CR0_ALWAYS_ON; @@ -3283,7 +3288,7 @@ void vmx_set_cr0(struct kvm_vcpu *vcpu, unsigned long cr0) } #endif - if (enable_ept && !is_unrestricted_guest(vcpu)) { + if (enable_ept && !enable_unrestricted_guest) { /* * Ensure KVM has an up-to-date snapshot of the guest's CR3. If * the below code _enables_ CR3 exiting, vmx_cache_reg() will @@ -3414,7 +3419,7 @@ void vmx_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4) * this bit, even if host CR4.MCE == 0. */ hw_cr4 = (cr4_read_shadow() & X86_CR4_MCE) | (cr4 & ~X86_CR4_MCE); - if (is_unrestricted_guest(vcpu)) + if (enable_unrestricted_guest) hw_cr4 |= KVM_VM_CR4_ALWAYS_ON_UNRESTRICTED_GUEST; else if (vmx->rmode.vm86_active) hw_cr4 |= KVM_RMODE_VM_CR4_ALWAYS_ON; @@ -3434,7 +3439,7 @@ void vmx_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4) vcpu->arch.cr4 = cr4; kvm_register_mark_available(vcpu, VCPU_EXREG_CR4); - if (!is_unrestricted_guest(vcpu)) { + if (!enable_unrestricted_guest) { if (enable_ept) { if (!is_paging(vcpu)) { hw_cr4 &= ~X86_CR4_PAE;