From patchwork Tue Jun 13 20:30:35 2023
X-Patchwork-Submitter: Sean Christopherson
X-Patchwork-Id: 107545
Reply-To: Sean Christopherson
Date: Tue, 13 Jun 2023 13:30:35 -0700
In-Reply-To: <20230613203037.1968489-1-seanjc@google.com>
References: <20230613203037.1968489-1-seanjc@google.com>
Message-ID: <20230613203037.1968489-2-seanjc@google.com>
Subject: [PATCH 1/3] KVM: x86: Disallow KVM_SET_SREGS{2} if incoming CR0 is invalid
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+5feef0b9ee9c8e9e5689@syzkaller.appspotmail.com, Jim Mattson

Reject KVM_SET_SREGS{2} with -EINVAL if the incoming CR0 is invalid, e.g. due to setting bits 63:32, illegal combinations, or to a value that isn't allowed in VMX (non-)root mode.

The VMX checks in particular are "fun" as failure to disallow Real Mode for an L2 that is configured with unrestricted guest disabled, when KVM itself has unrestricted guest enabled, will result in KVM forcing VM86 mode to virtual Real Mode for L2, but then fail to unwind the related metadata when synthesizing a nested VM-Exit back to L1 (which has unrestricted guest enabled).

Opportunistically fix a benign typo in the prototype for is_valid_cr4().

Cc: stable@vger.kernel.org
Reported-by: syzbot+5feef0b9ee9c8e9e5689@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/000000000000f316b705fdf6e2b4@google.com
Signed-off-by: Sean Christopherson
---
 arch/x86/include/asm/kvm-x86-ops.h |  1 +
 arch/x86/include/asm/kvm_host.h    |  3 ++-
 arch/x86/kvm/svm/svm.c             |  6 ++++++
 arch/x86/kvm/vmx/vmx.c             | 28 ++++++++++++++++++------
 arch/x86/kvm/x86.c                 | 34 +++++++++++++++++++-----------
 5 files changed, 52 insertions(+), 20 deletions(-)

diff --git a/arch/x86/include/asm/kvm-x86-ops.h b/arch/x86/include/asm/kvm-x86-ops.h
index 13bc212cd4bc..e3054e3e46d5 100644
--- a/arch/x86/include/asm/kvm-x86-ops.h +++ b/arch/x86/include/asm/kvm-x86-ops.h @@ -37,6 +37,7 @@ KVM_X86_OP(get_segment) KVM_X86_OP(get_cpl) KVM_X86_OP(set_segment) KVM_X86_OP(get_cs_db_l_bits) +KVM_X86_OP(is_valid_cr0) KVM_X86_OP(set_cr0) KVM_X86_OP_OPTIONAL(post_set_cr3) KVM_X86_OP(is_valid_cr4) diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h index 28bd38303d70..3bc146dfd38d 100644 --- a/arch/x86/include/asm/kvm_host.h +++ b/arch/x86/include/asm/kvm_host.h @@ -1566,9 +1566,10 @@ struct kvm_x86_ops { void (*set_segment)(struct kvm_vcpu *vcpu, struct kvm_segment *var, int seg); void (*get_cs_db_l_bits)(struct kvm_vcpu *vcpu, int *db, int *l); + bool (*is_valid_cr0)(struct kvm_vcpu *vcpu, unsigned long cr0); void (*set_cr0)(struct kvm_vcpu *vcpu, unsigned long cr0); void (*post_set_cr3)(struct kvm_vcpu *vcpu, unsigned long cr3); - bool (*is_valid_cr4)(struct kvm_vcpu *vcpu, unsigned long cr0); + bool (*is_valid_cr4)(struct kvm_vcpu *vcpu, unsigned long cr4); void (*set_cr4)(struct kvm_vcpu *vcpu, unsigned long cr4); int (*set_efer)(struct kvm_vcpu *vcpu, u64 efer); void (*get_idt)(struct kvm_vcpu *vcpu, struct desc_ptr *dt); diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index e265834fe859..b29d0650582e 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -1786,6 +1786,11 @@ static void sev_post_set_cr3(struct kvm_vcpu *vcpu, unsigned long cr3) } } +static bool svm_is_valid_cr0(struct kvm_vcpu *vcpu, unsigned long cr0) +{ + return true; +} + void svm_set_cr0(struct kvm_vcpu *vcpu, unsigned long cr0) { struct vcpu_svm *svm = to_svm(vcpu); @@ -4815,6 +4820,7 @@ static struct kvm_x86_ops svm_x86_ops __initdata = { .set_segment = svm_set_segment, .get_cpl = svm_get_cpl, .get_cs_db_l_bits = svm_get_cs_db_l_bits, + .is_valid_cr0 = svm_is_valid_cr0, .set_cr0 = svm_set_cr0, .post_set_cr3 = sev_post_set_cr3, .is_valid_cr4 = svm_is_valid_cr4, 
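Review bot: svm_is_valid_cr0() in the svm.c hunk returns true unconditionally with no comment, so a reader cannot tell whether SVM genuinely has no vendor-specific CR0 restrictions or whether the check was deferred; a one-line comment such as `/* SVM imposes no CR0 constraints beyond the common checks in kvm_is_valid_cr0(). */` above the stub would settle that, and mirrors how the VMX side documents its nested cases. The is_valid_cr4 prototype fix in the kvm_host.h hunk (`unsigned long cr0` to `unsigned long cr4`) is unrelated to the functional change, but it is called out in the commit message, so carrying it here is fine.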
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index 0ecf4be2c6af..355b0e8c9b00 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -3037,6 +3037,15 @@ static void enter_rmode(struct kvm_vcpu *vcpu) struct vcpu_vmx *vmx = to_vmx(vcpu); struct kvm_vmx *kvm_vmx = to_kvm_vmx(vcpu->kvm); + /* + * KVM should never use VM86 to virtualize Real Mode when L2 is active, + * as using VM86 is unnecessary if unrestricted guest is enabled, and + * if unrestricted guest is disabled, VM-Enter (from L1) with CR0.PG=0 + * should VM-Fail and KVM should reject userspace attempts to stuff + * CR0.PG=0 when L2 is active. + */ + WARN_ON_ONCE(is_guest_mode(vcpu)); + vmx_get_segment(vcpu, &vmx->rmode.segs[VCPU_SREG_TR], VCPU_SREG_TR); vmx_get_segment(vcpu, &vmx->rmode.segs[VCPU_SREG_ES], VCPU_SREG_ES); vmx_get_segment(vcpu, &vmx->rmode.segs[VCPU_SREG_DS], VCPU_SREG_DS); @@ -3226,6 +3235,17 @@ void ept_save_pdptrs(struct kvm_vcpu *vcpu) #define CR3_EXITING_BITS (CPU_BASED_CR3_LOAD_EXITING | \ CPU_BASED_CR3_STORE_EXITING) +static bool vmx_is_valid_cr0(struct kvm_vcpu *vcpu, unsigned long cr0) +{ + if (is_guest_mode(vcpu)) + return nested_guest_cr0_valid(vcpu, cr0); + + if (to_vmx(vcpu)->nested.vmxon) + return nested_host_cr0_valid(vcpu, cr0); + + return true; +} + void vmx_set_cr0(struct kvm_vcpu *vcpu, unsigned long cr0) { struct vcpu_vmx *vmx = to_vmx(vcpu); @@ -5364,18 +5384,11 @@ static int handle_set_cr0(struct kvm_vcpu *vcpu, unsigned long val) val = (val & ~vmcs12->cr0_guest_host_mask) | (vmcs12->guest_cr0 & vmcs12->cr0_guest_host_mask); - if (!nested_guest_cr0_valid(vcpu, val)) - return 1; - if (kvm_set_cr0(vcpu, val)) return 1; vmcs_writel(CR0_READ_SHADOW, orig_val); return 0; } else { - if (to_vmx(vcpu)->nested.vmxon && - !nested_host_cr0_valid(vcpu, val)) - return 1; - return kvm_set_cr0(vcpu, val); } } 
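Review bot: vmx_is_valid_cr0() preserves the split that handle_set_cr0() used to do inline (nested_guest_cr0_valid() when L2 is active, nested_host_cr0_valid() when only VMXON is set), so CR0-write exits keep their behaviour while the same checks now also gate every other caller of kvm_set_cr0(); a short comment on vmx_is_valid_cr0() stating that the two branches are mutually exclusive because an active L2 implies nested.vmxon would make the ordering obviously correct rather than incidentally so. In the handle_set_cr0() hunk the merged `val` (guest/host mask applied) is still what reaches kvm_set_cr0(), so the validity check runs on the same value as before. The new WARN_ON_ONCE(is_guest_mode(vcpu)) in enter_rmode() is a useful tripwire; consider saying in its comment that the userspace path that could reach it, CR0.PG=0 via KVM_SET_SREGS{2} with L2 active, is now rejected by kvm_is_valid_cr0(), so the WARN documents an invariant rather than a known hole.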
@@ -8203,6 +8216,7 @@ static struct kvm_x86_ops vmx_x86_ops __initdata = { .set_segment = vmx_set_segment, .get_cpl = vmx_get_cpl, .get_cs_db_l_bits = vmx_get_cs_db_l_bits, + .is_valid_cr0 = vmx_is_valid_cr0, .set_cr0 = vmx_set_cr0, .is_valid_cr4 = vmx_is_valid_cr4, .set_cr4 = vmx_set_cr4, diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 9e7186864542..2703eb734bca 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -906,6 +906,22 @@ int load_pdptrs(struct kvm_vcpu *vcpu, unsigned long cr3) } EXPORT_SYMBOL_GPL(load_pdptrs); +static bool kvm_is_valid_cr0(struct kvm_vcpu *vcpu, unsigned long cr0) +{ +#ifdef CONFIG_X86_64 + if (cr0 & 0xffffffff00000000UL) + return false; +#endif + + if ((cr0 & X86_CR0_NW) && !(cr0 & X86_CR0_CD)) + return false; + + if ((cr0 & X86_CR0_PG) && !(cr0 & X86_CR0_PE)) + return false; + + return static_call(kvm_x86_is_valid_cr0)(vcpu, cr0); +} + void kvm_post_set_cr0(struct kvm_vcpu *vcpu, unsigned long old_cr0, unsigned long cr0) { /* @@ -952,21 +968,14 @@ int kvm_set_cr0(struct kvm_vcpu *vcpu, unsigned long cr0) { unsigned long old_cr0 = kvm_read_cr0(vcpu); + if (!kvm_is_valid_cr0(vcpu, cr0)) + return 1; + cr0 |= X86_CR0_ET; -#ifdef CONFIG_X86_64 - if (cr0 & 0xffffffff00000000UL) - return 1; -#endif - + /* Write to CR0 reserved bits are ignored, even on Intel. */ cr0 &= ~CR0_RESERVED_BITS; - if ((cr0 & X86_CR0_NW) && !(cr0 & X86_CR0_CD)) - return 1; - - if ((cr0 & X86_CR0_PG) && !(cr0 & X86_CR0_PE)) - return 1; - #ifdef CONFIG_X86_64 if ((vcpu->arch.efer & EFER_LME) && !is_paging(vcpu) && (cr0 & X86_CR0_PG)) { 
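Review bot: in the x86.c hunk kvm_is_valid_cr0() now runs before `cr0 |= X86_CR0_ET` and before `cr0 &= ~CR0_RESERVED_BITS`, whereas the NW/CD and PG/PE checks it replaces ran after the reserved bits were cleared; that is behaviour-preserving because NW, CD, PG and PE are not reserved bits and the 63:32 check was already applied to the raw value, but the reordering deserves a sentence in the commit message so nobody reads it as an accidental change. Grammar nit on the added comment: `/* Write to CR0 reserved bits are ignored, even on Intel. */` should read `Writes to CR0 reserved bits are ignored`.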
@@ -11459,7 +11468,8 @@ static bool kvm_is_valid_sregs(struct kvm_vcpu *vcpu, struct kvm_sregs *sregs) return false; } - return kvm_is_valid_cr4(vcpu, sregs->cr4); + return kvm_is_valid_cr4(vcpu, sregs->cr4) && + kvm_is_valid_cr0(vcpu, sregs->cr0); } static int __set_sregs_common(struct kvm_vcpu *vcpu, struct kvm_sregs *sregs,
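Review bot: the `&&` in kvm_is_valid_sregs() short-circuits, so an sregs with both an invalid CR4 and an invalid CR0 is rejected on CR4 alone, which is fine for a -EINVAL result; the more important point is that sregs->cr0 is validated through the vendor hook against the vCPU's current nesting state (is_guest_mode()/nested.vmxon in vmx_is_valid_cr0()), not against anything else carried in the incoming sregs, and a sentence in the commit message saying that this is intended would pre-empt the question. Placing the check in kvm_is_valid_sregs(), ahead of __set_sregs_common(), is the right spot since that is the shared path for both ioctls named in the subject.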
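The CR0 rules that patch 1 enforces, as an added stand-alone model written for this page (editor-added example code, not code from the patch or from KVM): the vendor-agnostic checks follow the kvm_is_valid_cr0() hunk above, and the VMX-flavoured hook is this example's own simplification based on the VMX fixed-bit convention (MSR_IA32_VMX_CR0_FIXED0/FIXED1). The struct and function names (vcpu_model, check_cr0, model_is_valid_cr0, count_rejected_single_bits, TYPICAL_CR0_FIXED0/1) and the "typical" fixed values are assumptions of the example; real values come from the MSRs.

```c
/*
 * Added example (not KVM code): a user-space model of the layered CR0
 * validation that patch 1 introduces. The architectural checks mirror the
 * kvm_is_valid_cr0() hunk; the vendor hook is modelled on the VMX fixed-bit
 * convention (MSR_IA32_VMX_CR0_FIXED0/FIXED1) and is an assumption of this
 * example, not a transcription of KVM's nested code.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural CR0 bit positions. */
#define CR0_PE (1ULL << 0)
#define CR0_NE (1ULL << 5)
#define CR0_NW (1ULL << 29)
#define CR0_CD (1ULL << 30)
#define CR0_PG (1ULL << 31)

/* Modelled vCPU state (field names are this example's, not KVM's). */
struct vcpu_model {
    bool guest_mode;      /* an L2 is currently active */
    bool vmxon;           /* L1 has executed VMXON */
    bool l2_unrestricted; /* L1 enabled unrestricted guest for L2 */
    uint64_t cr0_fixed0;  /* bits that must be 1 under VMX */
    uint64_t cr0_fixed1;  /* bits that may be 1 under VMX */
};

/* Assumed "typical" fixed values: PE, NE and PG required, all 32 low bits allowed. */
#define TYPICAL_CR0_FIXED0 (CR0_PE | CR0_NE | CR0_PG)
#define TYPICAL_CR0_FIXED1 0xffffffffULL

/* Fixed-bit rule: every fixed0 bit is set and no bit outside fixed1 is set. */
static bool fixed_bits_valid(uint64_t val, uint64_t fixed0, uint64_t fixed1)
{
    return (val & fixed1) == val && (val & fixed0) == fixed0;
}

/*
 * Vendor hook modelled on VMX: an active L2 may clear PE/PG only if L1 runs
 * it as an unrestricted guest; with VMXON but no L2, the L1 host rule
 * applies; with VMX off, the common checks are all there is.
 */
static bool vmx_model_is_valid_cr0(const struct vcpu_model *v, uint64_t cr0)
{
    uint64_t fixed0 = v->cr0_fixed0;

    if (v->guest_mode) {
        if (v->l2_unrestricted)
            fixed0 &= ~(CR0_PE | CR0_PG);
        return fixed_bits_valid(cr0, fixed0, v->cr0_fixed1);
    }
    if (v->vmxon)
        return fixed_bits_valid(cr0, fixed0, v->cr0_fixed1);
    return true;
}

/* Vendor-agnostic checks first, then the vendor hook, as in the patch. */
bool model_is_valid_cr0(const struct vcpu_model *v, uint64_t cr0)
{
    if (cr0 & 0xffffffff00000000ULL)        /* bits 63:32 are reserved */
        return false;
    if ((cr0 & CR0_NW) && !(cr0 & CR0_CD))  /* NW without CD */
        return false;
    if ((cr0 & CR0_PG) && !(cr0 & CR0_PE))  /* PG without PE */
        return false;
    return vmx_model_is_valid_cr0(v, cr0);
}

/* Convenience wrapper: build a vCPU in the given nesting state and check cr0. */
bool check_cr0(bool guest_mode, bool vmxon, bool l2_unrestricted, uint64_t cr0)
{
    struct vcpu_model v = {
        .guest_mode = guest_mode, .vmxon = vmxon,
        .l2_unrestricted = l2_unrestricted,
        .cr0_fixed0 = TYPICAL_CR0_FIXED0, .cr0_fixed1 = TYPICAL_CR0_FIXED1,
    };
    return model_is_valid_cr0(&v, cr0);
}

/*
 * Sweep single-bit flips of base over bits [lo, hi] on a plain (non-VMX)
 * vCPU, the way the selftest in patch 3 walks bits 32..63; returns how
 * many of the resulting values are rejected.
 */
int count_rejected_single_bits(uint64_t base, int lo, int hi)
{
    int rejected = 0;

    for (int i = lo; i <= hi; i++)
        if (!check_cr0(false, false, false, base | (1ULL << i)))
            rejected++;
    return rejected;
}

int main(void)
{
    printf("bits 63:32 rejected on a plain vCPU: %d of 32\n",
           count_rejected_single_bits(0, 32, 63));
    printf("low bits rejected from CR0=0 (NW, PG): %d of 32\n",
           count_rejected_single_bits(0, 0, 31));
    printf("restricted L2 in real mode (PE=PG=0): %s\n",
           check_cr0(true, true, false, CR0_NE) ? "accepted" : "rejected");
    printf("unrestricted L2 in real mode:         %s\n",
           check_cr0(true, true, true, CR0_NE) ? "accepted" : "rejected");
    return 0;
}
```

Build with any C11 compiler and run. Keeping the common checks separate from the vendor hook, as the patch does, means an invalid value is refused at the ioctl boundary before any mode switching (the enter_rmode() path the commit message describes) can be triggered by it, and the restricted-L2 case shows why the vendor hook is needed on top of the architectural rules.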
From patchwork Tue Jun 13 20:30:36 2023
X-Patchwork-Submitter: Sean Christopherson
X-Patchwork-Id: 107546
Reply-To: Sean Christopherson
Date: Tue, 13 Jun 2023 13:30:36 -0700
In-Reply-To: <20230613203037.1968489-1-seanjc@google.com>
References: <20230613203037.1968489-1-seanjc@google.com>
Message-ID: <20230613203037.1968489-3-seanjc@google.com>
Subject: [PATCH 2/3] KVM: VMX: Don't fudge CR0 and CR4 for restricted L2 guest
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+5feef0b9ee9c8e9e5689@syzkaller.appspotmail.com, Jim Mattson

Stuff CR0 and/or CR4 to be compliant with a restricted guest if and only if KVM itself is not configured to utilize unrestricted guests, i.e. don't stuff CR0/CR4 for a restricted L2 that is running as the guest of an unrestricted L1.

Any attempt to VM-Enter a restricted guest with invalid CR0/CR4 values should fail, i.e. in a nested scenario, KVM (as L0) should never observe a restricted L2 with incompatible CR0/CR4, since nested VM-Enter from L1 should have failed.

And if KVM does observe an active, restricted L2 with incompatible state, e.g. due to a KVM bug, fudging CR0/CR4 instead of letting VM-Enter fail does more harm than good, as KVM will often neglect to undo the side effects, e.g. won't clear rmode.vm86_active on nested VM-Exit, and thus the damage can easily spill over to L1. On the other hand, letting VM-Enter fail due to bad guest state is more likely to contain the damage to L2 as KVM relies on hardware to perform most guest state consistency checks, i.e. KVM needs to be able to reflect a failed nested VM-Enter into L1 irrespective of (un)restricted guest behavior.
Cc: Jim Mattson Cc: stable@vger.kernel.org Fixes: bddd82d19e2e ("KVM: nVMX: KVM needs to unset "unrestricted guest" VM-execution control in vmcs02 if vmcs12 doesn't set it") Signed-off-by: Sean Christopherson --- arch/x86/kvm/vmx/vmx.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index 355b0e8c9b00..6969a7728972 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -1503,6 +1503,11 @@ void vmx_set_rflags(struct kvm_vcpu *vcpu, unsigned long rflags) struct vcpu_vmx *vmx = to_vmx(vcpu); unsigned long old_rflags; + /* + * Unlike CR0 and CR4, RFLAGS handling requires checking if the vCPU + * is an unrestricted guest in order to mark L2 as needing emulation + * if L1 runs L2 as a restricted guest. + */ if (is_unrestricted_guest(vcpu)) { kvm_register_mark_available(vcpu, VCPU_EXREG_RFLAGS); vmx->rflags = rflags; @@ -3255,7 +3260,7 @@ void vmx_set_cr0(struct kvm_vcpu *vcpu, unsigned long cr0) old_cr0_pg = kvm_read_cr0_bits(vcpu, X86_CR0_PG); hw_cr0 = (cr0 & ~KVM_VM_CR0_ALWAYS_OFF); - if (is_unrestricted_guest(vcpu)) + if (enable_unrestricted_guest) hw_cr0 |= KVM_VM_CR0_ALWAYS_ON_UNRESTRICTED_GUEST; else { hw_cr0 |= KVM_VM_CR0_ALWAYS_ON; @@ -3283,7 +3288,7 @@ void vmx_set_cr0(struct kvm_vcpu *vcpu, unsigned long cr0) } #endif - if (enable_ept && !is_unrestricted_guest(vcpu)) { + if (enable_ept && !enable_unrestricted_guest) { /* * Ensure KVM has an up-to-date snapshot of the guest's CR3. If * the below code _enables_ CR3 exiting, vmx_cache_reg() will @@ -3414,7 +3419,7 @@ void vmx_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4) * this bit, even if host CR4.MCE == 0. */ hw_cr4 = (cr4_read_shadow() & X86_CR4_MCE) | (cr4 & ~X86_CR4_MCE); - if (is_unrestricted_guest(vcpu)) + if (enable_unrestricted_guest) hw_cr4 |= KVM_VM_CR4_ALWAYS_ON_UNRESTRICTED_GUEST; else if (vmx->rmode.vm86_active) hw_cr4 |= KVM_RMODE_VM_CR4_ALWAYS_ON; 
@@ -3434,7 +3439,7 @@ void vmx_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4) vcpu->arch.cr4 = cr4; kvm_register_mark_available(vcpu, VCPU_EXREG_CR4); - if (!is_unrestricted_guest(vcpu)) { + if (!enable_unrestricted_guest) { if (enable_ept) { if (!is_paging(vcpu)) { hw_cr4 &= ~X86_CR4_PAE;
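Review bot: the vmx_set_cr0()/vmx_set_cr4() hunks switch four conditions from the per-vCPU is_unrestricted_guest(vcpu) to the module-wide enable_unrestricted_guest, so a restricted L2 under an unrestricted L1 no longer has its CR0/CR4 stuffed, while hosts with unrestricted guest disabled see no change since the `else` branches (KVM_VM_CR0_ALWAYS_ON, KVM_RMODE_VM_CR4_ALWAYS_ON, the `enable_ept && !enable_unrestricted_guest` block) still run for them; that matches the commit message. The new comment on vmx_set_rflags() explains why RFLAGS keeps using is_unrestricted_guest(vcpu), but there is no matching note at the first changed condition in vmx_set_cr0(); a one-liner there saying that the module parameter, not the per-vCPU helper, is deliberately the test for CR0/CR4 would stop a reader who sees both helpers side by side from assuming one of them is a typo.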
From patchwork Tue Jun 13 20:30:37 2023
X-Patchwork-Submitter: Sean Christopherson
X-Patchwork-Id: 107544
Reply-To: Sean Christopherson
Date: Tue, 13 Jun 2023 13:30:37 -0700
In-Reply-To: <20230613203037.1968489-1-seanjc@google.com>
References: <20230613203037.1968489-1-seanjc@google.com>
Message-ID: <20230613203037.1968489-4-seanjc@google.com>
Subject: [PATCH 3/3] KVM: selftests: Expand x86's sregs test to cover illegal CR0 values
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+5feef0b9ee9c8e9e5689@syzkaller.appspotmail.com, Jim Mattson

Add coverage to x86's set_sregs_test to verify KVM rejects vendor-agnostic illegal CR0 values, i.e. CR0 values whose legality doesn't depend on the current VMX mode. KVM historically has neglected to reject bad CR0s from userspace, i.e. would happily accept a completely bogus CR0 via KVM_SET_SREGS{2}.

Punt VMX specific subtests to future work, as they would require quite a bit more effort, and KVM gets coverage for CR0 checks in general through other means, e.g. KVM-Unit-Tests.

Signed-off-by: Sean Christopherson
---
 .../selftests/kvm/x86_64/set_sregs_test.c | 70 +++++++++++--------
 1 file changed, 39 insertions(+), 31 deletions(-)

diff --git a/tools/testing/selftests/kvm/x86_64/set_sregs_test.c b/tools/testing/selftests/kvm/x86_64/set_sregs_test.c
index a284fcef6ed7..3610981d9162 100644
--- a/tools/testing/selftests/kvm/x86_64/set_sregs_test.c
+++ b/tools/testing/selftests/kvm/x86_64/set_sregs_test.c
@@ -22,26 +22,25 @@ #include "kvm_util.h" #include "processor.h" -static void test_cr4_feature_bit(struct kvm_vcpu *vcpu, struct kvm_sregs *orig, - uint64_t feature_bit) -{ - struct kvm_sregs sregs; - int rc; - - /* Skip the sub-test, the feature is supported. */ - if (orig->cr4 & feature_bit) - return; - - memcpy(&sregs, orig, sizeof(sregs)); - sregs.cr4 |= feature_bit; - - rc = _vcpu_sregs_set(vcpu, &sregs); - TEST_ASSERT(rc, "KVM allowed unsupported CR4 bit (0x%lx)", feature_bit); - - /* Sanity check that KVM didn't change anything. */ - vcpu_sregs_get(vcpu, &sregs); - TEST_ASSERT(!memcmp(&sregs, orig, sizeof(sregs)), "KVM modified sregs"); -} +#define TEST_INVALID_CR_BIT(vcpu, cr, orig, bit) \ +do { \ + struct kvm_sregs new; \ + int rc; \ + \ + /* Skip the sub-test, the feature/bit is supported. */ \ + if (orig.cr & bit) \ + break; \ + \ + memcpy(&new, &orig, sizeof(sregs)); \ + new.cr |= bit; \ + \ + rc = _vcpu_sregs_set(vcpu, &new); \ + TEST_ASSERT(rc, "KVM allowed invalid " #cr " bit (0x%lx)", bit); \ + \ + /* Sanity check that KVM didn't change anything. */ \ + vcpu_sregs_get(vcpu, &new); \ + TEST_ASSERT(!memcmp(&new, &orig, sizeof(new)), "KVM modified sregs"); \ +} while (0) static uint64_t calc_supported_cr4_feature_bits(void) { @@ -80,7 +79,7 @@ int main(int argc, char *argv[]) struct kvm_vcpu *vcpu; struct kvm_vm *vm; uint64_t cr4; - int rc; + int rc, i; /* * Create a dummy VM, specifically to avoid doing KVM_SET_CPUID2, and @@ -92,6 +91,7 @@ int main(int argc, char *argv[]) vcpu_sregs_get(vcpu, &sregs); + sregs.cr0 = 0; sregs.cr4 |= calc_supported_cr4_feature_bits(); cr4 = sregs.cr4; 
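Review bot: in the TEST_INVALID_CR_BIT macro the copy is `memcpy(&new, &orig, sizeof(sregs));`, which only compiles because every caller happens to pass `sregs` as `orig`; use `sizeof(new)` (as the later memcmp already does) so the macro does not silently depend on the caller's variable name. Worth a short comment on the macro header that `cr` is a member name and `orig` a struct, not a pointer, since the helper it replaces took `struct kvm_sregs *orig` and the `break` inside do { } while (0) is the skip path.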
@@ -103,16 +103,24 @@ int main(int argc, char *argv[]) sregs.cr4, cr4); /* Verify all unsupported features are rejected by KVM. */ - test_cr4_feature_bit(vcpu, &sregs, X86_CR4_UMIP); - test_cr4_feature_bit(vcpu, &sregs, X86_CR4_LA57); - test_cr4_feature_bit(vcpu, &sregs, X86_CR4_VMXE); - test_cr4_feature_bit(vcpu, &sregs, X86_CR4_SMXE); - test_cr4_feature_bit(vcpu, &sregs, X86_CR4_FSGSBASE); - test_cr4_feature_bit(vcpu, &sregs, X86_CR4_PCIDE); - test_cr4_feature_bit(vcpu, &sregs, X86_CR4_OSXSAVE); - test_cr4_feature_bit(vcpu, &sregs, X86_CR4_SMEP); - test_cr4_feature_bit(vcpu, &sregs, X86_CR4_SMAP); - test_cr4_feature_bit(vcpu, &sregs, X86_CR4_PKE); + TEST_INVALID_CR_BIT(vcpu, cr4, sregs, X86_CR4_UMIP); + TEST_INVALID_CR_BIT(vcpu, cr4, sregs, X86_CR4_LA57); + TEST_INVALID_CR_BIT(vcpu, cr4, sregs, X86_CR4_VMXE); + TEST_INVALID_CR_BIT(vcpu, cr4, sregs, X86_CR4_SMXE); + TEST_INVALID_CR_BIT(vcpu, cr4, sregs, X86_CR4_FSGSBASE); + TEST_INVALID_CR_BIT(vcpu, cr4, sregs, X86_CR4_PCIDE); + TEST_INVALID_CR_BIT(vcpu, cr4, sregs, X86_CR4_OSXSAVE); + TEST_INVALID_CR_BIT(vcpu, cr4, sregs, X86_CR4_SMEP); + TEST_INVALID_CR_BIT(vcpu, cr4, sregs, X86_CR4_SMAP); + TEST_INVALID_CR_BIT(vcpu, cr4, sregs, X86_CR4_PKE); + + for (i = 32; i < 64; i++) + TEST_INVALID_CR_BIT(vcpu, cr0, sregs, BIT(i)); + + /* NW without CD is illegal, as is PG without PE. */ + TEST_INVALID_CR_BIT(vcpu, cr0, sregs, X86_CR0_NW); + TEST_INVALID_CR_BIT(vcpu, cr0, sregs, X86_CR0_PG); + kvm_vm_free(vm); /* Create a "real" VM and verify APIC_BASE can be set. */
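Review bot: the loop `for (i = 32; i < 64; i++) TEST_INVALID_CR_BIT(vcpu, cr0, sregs, BIT(i));` relies on the `sregs.cr0 = 0;` added in the previous hunk so that the macro's `orig.cr & bit` skip never fires, and on BIT() expanding to an unsigned long shift so that i = 63 does not overflow an int; both hold here, but a one-line comment above the loop would make the dependency explicit. The NW-without-CD and PG-without-PE sub-tests likewise depend on CD and PE being clear in the zeroed CR0; the existing comment could say so.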