From patchwork Thu Jun 15 06:37:53 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexey Kardashevskiy X-Patchwork-Id: 108278 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:994d:0:b0:3d9:f83d:47d9 with SMTP id k13csp440680vqr; Thu, 15 Jun 2023 00:02:10 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ6x0AFvLmXJlo0KOnWINzNJTi3caiqHpIC5Wg0WiNSRAxEQGXcYZy0JwmFQx3OLSW53yS59 X-Received: by 2002:a05:6402:1e89:b0:510:e8dc:f2a7 with SMTP id f9-20020a0564021e8900b00510e8dcf2a7mr3911740edf.7.1686812529712; Thu, 15 Jun 2023 00:02:09 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1686812529; cv=pass; d=google.com; s=arc-20160816; b=a6wp85/06b9pwaI82PXm0zFl+VBLyj/E4xHDS/O+ekXPEmnv4j1lcn7SGFjvtjZL4/ iIYyHM6FL6L3x5dyZ0n/ZW+Buolj8E2mYYyH+QuU3KAt0nEzX4EYnLAP6UahdQCgAMb0 +GZaX5tyrIfBmuZbEh2wiAhOSx7igLrv0SC1b4XgL5B4dI7ozTFKR/eTRj6C6VJBneZW PgbIxK0aUiv/bc7MO0VZwuB7vMyhqb5gw7wQ6v9HpfwEeWjhIxNtYDTSMHgkdhSUT9A9 nw719WNjRaLgoJkey9ih19dsYtfgFh/9xyHuBWFSYpZD/Y6bCFjbH429TbNOXnGFJmH3 UJ5A== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=WFig3m3GZo4xcuo46AjjaGz5wr8vSn8NjIqI6ME3K5g=; b=O1TvFbSocE/ye0rvG/Ex9BP21KihSV2BTnvRO2OUBefkKkoLw6JBCuWq+RyjtaFo75 FeAZPVVfyJK9uA0PpZwiXrvCfWOqHJ2QeO5jNHcUhctmB4JRmJayYs3m7I+K/s0ZRL6c uCXcXSHdoxnsqdFINsTITONtyp7pLuh9scoMmO2X392/yugVNDInoenfMEmIrJDWLGE5 3qoBHzZ9sHd9IcVj8wnlzso935W3zl+a5IYbWMGZa5hAjiIwmiMuPxYwyMqQ2VkypqrE bgcoF0ou+oTNymiajxUWFy+6mSJF+sdZWnn4YRW8rxqxPtunWgIFJ3KcJKKCslixRXWm IFXg== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@amd.com header.s=selector1 header.b=Hf4k63g6; arc=pass (i=1 spf=pass spfdomain=amd.com dmarc=pass fromdomain=amd.com); spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amd.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id y13-20020aa7cccd000000b0051633021221si5295253edt.468.2023.06.15.00.01.44; Thu, 15 Jun 2023 00:02:09 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@amd.com header.s=selector1 header.b=Hf4k63g6; arc=pass (i=1 spf=pass spfdomain=amd.com dmarc=pass fromdomain=amd.com); spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amd.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243895AbjFOGpL (ORCPT + 99 others); Thu, 15 Jun 2023 02:45:11 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53604 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S244085AbjFOGoX (ORCPT ); Thu, 15 Jun 2023 02:44:23 -0400 Received: from NAM04-DM6-obe.outbound.protection.outlook.com (mail-dm6nam04on2061b.outbound.protection.outlook.com [IPv6:2a01:111:f400:7e8b::61b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D11C735A2; Wed, 14 Jun 2023 23:42:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=XRd/I8cRayPT1Rm85BY1tkt2NtYef09uW9MXj//ow6GWcDhX0w+dkr44VmoYpxvMd7ExHYONSkCErJ4kcqV+lmiNr3JecJ/shgq0bqQc/sy25imr/9Vw8xdDfvRJuxc7WL+lQFPQQDrnhIBkofQDBFEd9LL4QrX9Or7kmL0cqtDKyV4N6gRq1rItL5G10+RUDlTTH2Xrtjgam/+P5d+68D1dK0czbfvVbOOjzeVN+nodEDMJA2rhoNRrBhTnvO+Gzg4bxneQ4AT9FZts6u3Bm5PRj5T2XKPAAE0ocLmlPL6iopaiNt+daTABy8R10xpHL5ClT5LdMKqAW8N5WWCsdQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=WFig3m3GZo4xcuo46AjjaGz5wr8vSn8NjIqI6ME3K5g=; b=eX8UStRQZKCkzwnuyb2eSKNSeD9Uzq05aqGM3a9Fm0jgv0WUKMmLTuehkrzx8jdMxvu+ISxCIA3be5Skc2X5smWdl2tFbtFBDg3NlQWr0Y0ob+7mmrvgeYjLEM23y7FIvLcx+gkrBgHcshy5c23YGo96EKveEWC1JFpu1+Fi1udDB4mHjYqdIGRU0Nr9vV9EG1ZS9qUAm64i37s6S8BNPlbPYJZyH5wVvBCZnd0ttIzcc4jnHfwAA4JCRMYt1jeBxD4vmZwiUx71aduZuWa/mbV5J6r2hXpm5KMRt/CWKaYTMsMz4bZ87j6Khsioo3d4RlhPc+IXNjbykUD7TLOTxA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 165.204.84.17) smtp.rcpttodomain=vger.kernel.org smtp.mailfrom=amd.com; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=amd.com; dkim=none (message not signed); arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amd.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=WFig3m3GZo4xcuo46AjjaGz5wr8vSn8NjIqI6ME3K5g=; b=Hf4k63g67b7ZOeWnhWgaiisQriakKcCbNxvNJwEJQJylk26wnYpZXNsjPWUA0SKL5l5ailKLP815SJP3+rw/jfGMseq6Ze1HKdrSLQmKu8xMVgs+uUV+GXJmydEqzTLOdGIoJmEHDw1SqA0GQzIx7Smt/Me2+7caDR/joXhYG+M= Received: from PH8PR07CA0009.namprd07.prod.outlook.com (2603:10b6:510:2cd::27) by PH0PR12MB8030.namprd12.prod.outlook.com (2603:10b6:510:28d::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6500.25; Thu, 15 Jun 2023 06:42:55 +0000 Received: from SN1PEPF000252A1.namprd05.prod.outlook.com (2603:10b6:510:2cd:cafe::3d) by PH8PR07CA0009.outlook.office365.com (2603:10b6:510:2cd::27) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6500.25 via Frontend Transport; Thu, 15 Jun 2023 06:42:55 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 165.204.84.17) smtp.mailfrom=amd.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=amd.com; Received-SPF: Pass (protection.outlook.com: domain of amd.com designates 165.204.84.17 as permitted sender) receiver=protection.outlook.com; client-ip=165.204.84.17; helo=SATLEXMB04.amd.com; pr=C Received: from SATLEXMB04.amd.com (165.204.84.17) by SN1PEPF000252A1.mail.protection.outlook.com (10.167.242.8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.20.6500.27 via Frontend Transport; Thu, 15 Jun 2023 06:42:55 +0000 Received: from aiemdeew.1.ozlabs.ru (10.180.168.240) by SATLEXMB04.amd.com (10.181.40.145) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.23; Thu, 15 Jun 2023 01:41:48 -0500 From: Alexey Kardashevskiy To: CC: , , Tom Lendacky , Sean Christopherson , "Alexey Kardashevskiy" , Santosh Shukla Subject: [PATCH kernel 5/9] KVM: SVM/SEV/SEV-ES: Rework intercepts Date: Thu, 15 Jun 2023 16:37:53 +1000 Message-ID: <20230615063757.3039121-6-aik@amd.com> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20230615063757.3039121-1-aik@amd.com> References: <20230615063757.3039121-1-aik@amd.com> MIME-Version: 1.0 X-Originating-IP: [10.180.168.240] X-ClientProxiedBy: SATLEXMB04.amd.com (10.181.40.145) To SATLEXMB04.amd.com (10.181.40.145) X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: SN1PEPF000252A1:EE_|PH0PR12MB8030:EE_ X-MS-Office365-Filtering-Correlation-Id: d84c6f1d-879f-403b-1962-08db6d6bc00f X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: 5FBFzCiBFHu3SUju6e6+DryKm47pLbE3f6sLHbocN4Piy9HwklI+W5zULSCfg5/ahF0dzhvyPZxVeEQQYBxWRH/pCFNHw0fLLxsgOHS5K9nkoB+Mc/PZxP3Pg+xc2ewnmCpAdSoxxL4FqVZ1E3dF1teHfqt3Q7W4auizPscmfCm9g7RfdwNWPUfbiP3GwFdtaGnNcWlKg9uxz/R/iLryGV9OfBwTQIbHHb4WMHZ+1RLUs4+zd6Ie5JI673vYwRcGtXWH+vqRQa4UHud344VyxiPw5tL+TsAvnaBWNMAIIUsbSr68EJAqAwcCiLjLvKFFC1BQqDXt580sAp0mhmbEUabsheQ07/J4XYzxakwtogFclroDTK/kfcuwPHP4f55A9MGEl++Ssl9L1d/klCiM/MmxDnTQA/x54Q+reDbnfTZVGbhJRZEe6SS5qw2iVF+9FjQ5YePRp4ZaDXu3oRdovrfShH4J2yfN/HKSzAbSU69H5e8Zd0Yi0akc5j77wz7flQx0vuJZvPSmu2yos0UVUxgdkisyHtlDabprVOrSUrt+Q0wYqnBwDgoXw2YRoHqxiQiVLmX8wt/WloY2KqVkPAGZ7D9Bch/STQWAqw2W6lLc6I+FB5tO3w7jhcGT+zih4PFXO04noaPmroI905Rr9WAsx0qUY+tQB5U9O81+m+0JfffQBap6REIjQtJhUbSomZYK1nCw98AcmUadtYRarJfHbKXXBdGkbARirvpHPy9q2vX9PYZeIt2FLjdpL8sC X-Forefront-Antispam-Report: CIP:165.204.84.17;CTRY:US;LANG:en;SCL:1;SRV:;IPV:CAL;SFV:NSPM;H:SATLEXMB04.amd.com;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230028)(4636009)(376002)(136003)(39860400002)(346002)(396003)(451199021)(36840700001)(46966006)(40470700004)(1076003)(26005)(16526019)(478600001)(36756003)(186003)(966005)(40480700001)(6666004)(40460700003)(2906002)(8936002)(316002)(41300700001)(8676002)(356005)(81166007)(82310400005)(5660300002)(82740400003)(336012)(426003)(54906003)(47076005)(83380400001)(2616005)(6916009)(4326008)(70206006)(70586007)(36860700001)(36900700001);DIR:OUT;SFP:1101; X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 15 Jun 2023 06:42:55.3575 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: d84c6f1d-879f-403b-1962-08db6d6bc00f X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=3dd8961f-e488-4e60-8e11-a82d994e183d;Ip=[165.204.84.17];Helo=[SATLEXMB04.amd.com] X-MS-Exchange-CrossTenant-AuthSource: SN1PEPF000252A1.namprd05.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR12MB8030 X-Spam-Status: No, score=-1.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FORGED_SPF_HELO,SPF_HELO_PASS, SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1768751135208004076?= X-GMAIL-MSGID: =?utf-8?q?1768751135208004076?= Currently SVM setup is done sequentially in init_vmcb() -> sev_init_vmcb() -> sev_es_init_vmcb() and tries keeping SVM/SEV/SEV-ES bits separated. One of the exceptions is DR intercepts which is for SEV-ES before sev_es_init_vmcb() runs. Move the SEV-ES intercept setup to sev_es_init_vmcb(). From now on set_dr_intercepts()/clr_dr_intercepts() handle SVM/SEV only. Extend the comment about intercepting DR7 which is to prevent the CPU from getting stuck in an infinite #DB loop as described in https://bugzilla.redhat.com/show_bug.cgi?id=1278496 No functional change intended. Suggested-by: Sean Christopherson Signed-off-by: Alexey Kardashevskiy Reviewed-by: Santosh Shukla Reviewed-by: Tom Lendacky --- Changes: v6: * updated the commit log * updated the DR7 intercept comment in the code v5: * updated the comments * removed sev_es_guest() checks from set_dr_intercepts()/clr_dr_intercepts() * removed remaining intercepts from clr_dr_intercepts() --- arch/x86/kvm/svm/sev.c | 11 ++++++ arch/x86/kvm/svm/svm.c | 37 ++++++++------------ 2 files changed, 25 insertions(+), 23 deletions(-) diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 981286359b72..744bcc2e6a05 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -2948,6 +2948,7 @@ int sev_es_string_io(struct vcpu_svm *svm, int size, unsigned int port, int in) static void sev_es_init_vmcb(struct vcpu_svm *svm) { + struct vmcb *vmcb = svm->vmcb01.ptr; struct kvm_vcpu *vcpu = &svm->vcpu; svm->vmcb->control.nested_ctl |= SVM_NESTED_CTL_SEV_ES_ENABLE; @@ -2976,6 +2977,16 @@ static void sev_es_init_vmcb(struct vcpu_svm *svm) svm_set_intercept(svm, TRAP_CR4_WRITE); svm_set_intercept(svm, TRAP_CR8_WRITE); + /* + * DR7 access must remain intercepted for an SEV-ES guest to disallow + * the guest kernel set up a #DB on memory that's needed to vector a #DB + * as otherwise the CPU gets stuck in an infinite #DB loop. + */ + vmcb->control.intercepts[INTERCEPT_DR] = 0; + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR7_READ); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR7_WRITE); + recalc_intercepts(svm); + /* Can't intercept XSETBV, HV can't modify XCR0 directly */ svm_clr_intercept(svm, INTERCEPT_XSETBV); diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index bec6fb82f494..1df99e9f8655 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -694,23 +694,20 @@ static void set_dr_intercepts(struct vcpu_svm *svm) { struct vmcb *vmcb = svm->vmcb01.ptr; - if (!sev_es_guest(svm->vcpu.kvm)) { - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR0_READ); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR1_READ); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR2_READ); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR3_READ); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR4_READ); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR5_READ); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR6_READ); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR0_WRITE); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR1_WRITE); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR2_WRITE); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR3_WRITE); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR4_WRITE); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR5_WRITE); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR6_WRITE); - } - + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR0_READ); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR1_READ); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR2_READ); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR3_READ); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR4_READ); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR5_READ); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR6_READ); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR0_WRITE); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR1_WRITE); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR2_WRITE); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR3_WRITE); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR4_WRITE); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR5_WRITE); + vmcb_set_intercept(&vmcb->control, INTERCEPT_DR6_WRITE); vmcb_set_intercept(&vmcb->control, INTERCEPT_DR7_READ); vmcb_set_intercept(&vmcb->control, INTERCEPT_DR7_WRITE); @@ -723,12 +720,6 @@ static void clr_dr_intercepts(struct vcpu_svm *svm) vmcb->control.intercepts[INTERCEPT_DR] = 0; - /* DR7 access must remain intercepted for an SEV-ES guest */ - if (sev_es_guest(svm->vcpu.kvm)) { - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR7_READ); - vmcb_set_intercept(&vmcb->control, INTERCEPT_DR7_WRITE); - } - recalc_intercepts(svm); }