From patchwork Thu Nov 10 00:57:05 2022
X-Patchwork-Submitter: Sean Christopherson
X-Patchwork-Id: 17883
Date: Thu, 10 Nov 2022 00:57:05 +0000
In-Reply-To: <20221110005706.1064832-1-seanjc@google.com>
References: <20221110005706.1064832-1-seanjc@google.com>
Message-ID: <20221110005706.1064832-2-seanjc@google.com>
Subject: [PATCH 1/2] KVM: nVMX: Don't muck with allowed sec exec controls on CPUID changes
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Yu Zhang

Don't modify the set of allowed secondary execution controls, i.e. the virtual MSR_IA32_VMX_PROCBASED_CTLS2, in response to guest CPUID changes. To avoid breaking old userspace that never sets the VMX MSRs, i.e. relies on KVM to provide a consistent vCPU model, keep the existing behavior if userspace has never written MSR_IA32_VMX_PROCBASED_CTLS2.

KVM should not modify the VMX capabilities presented to L1 based on CPUID as doing so may discard explicit settings provided by userspace. E.g. if userspace does KVM_SET_MSRS => KVM_SET_CPUID and disables a feature in the VMX MSRs but not CPUID (to prevent exposing the feature to L2), then stuffing the VMX MSRs during KVM_SET_CPUID will expose the feature to L2 against userspace's wishes.

Alternatively, KVM could add a quirk, but that's less than ideal as a VMM that is affected by the bug would need to be updated in order to opt out of the buggy behavior. The "has the MSR ever been written" logic handles both the case where an enlightened userspace sets the MSR during setup, and the case where userspace blindly migrates the MSR, as the migrated value will already have been sanitized by the source KVM or explicitly set by the source VMM.

Reported-by: Yu Zhang
Signed-off-by: Sean Christopherson --- arch/x86/kvm/vmx/capabilities.h | 1 + arch/x86/kvm/vmx/nested.c | 3 +++ arch/x86/kvm/vmx/vmx.c | 2 +- 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/arch/x86/kvm/vmx/capabilities.h b/arch/x86/kvm/vmx/capabilities.h index cd2ac9536c99..7b08d6006f52 100644 --- a/arch/x86/kvm/vmx/capabilities.h +++ b/arch/x86/kvm/vmx/capabilities.h @@ -51,6 +51,7 @@ struct nested_vmx_msrs { u64 cr4_fixed1; u64 vmcs_enum; u64 vmfunc_controls; + bool secondary_set_by_userspace; }; struct vmcs_config { diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c index 61a2e551640a..e537526d996c 100644 --- a/arch/x86/kvm/vmx/nested.c +++ b/arch/x86/kvm/vmx/nested.c @@ -1256,6 +1256,9 @@ vmx_restore_control_msr(struct vcpu_vmx *vmx, u32 msr_index, u64 data) if (!is_bitwise_subset(supported, data, GENMASK_ULL(63, 32))) return -EINVAL; + if (msr_index == MSR_IA32_VMX_PROCBASED_CTLS2) + vmx->nested.msrs.secondary_set_by_userspace = true; + vmx_get_control_msr(&vmx->nested.msrs, msr_index, &lowp, &highp); *lowp = data; *highp = data >> 32; diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index aca88524fd1e..e5eec41bc1d5 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c 
@@ -4428,7 +4428,7 @@ vmx_adjust_secondary_exec_control(struct vcpu_vmx *vmx, u32 *exec_control, * Update the nested MSR settings so that a nested VMM can/can't set * controls for features that are/aren't exposed to the guest. */ - if (nested) { + if (nested && !vmx->nested.msrs.secondary_set_by_userspace) { if (enabled) vmx->nested.msrs.secondary_ctls_high |= control; else From patchwork Thu Nov 10 00:57:06 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sean Christopherson X-Patchwork-Id: 17882 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a5d:6687:0:0:0:0:0 with SMTP id l7csp652855wru; Wed, 9 Nov 2022 17:04:44 -0800 (PST) X-Google-Smtp-Source: AMsMyM6Bj3hebW4rHNrLNdoZdaG3DF/fWlOLwbAA91ypkO322vgbhnYgUEhAH6CVbPMw574Vhcdx X-Received: by 2002:a17:902:c941:b0:187:734:2626 with SMTP id i1-20020a170902c94100b0018707342626mr60365046pla.73.1668042284651; Wed, 09 Nov 2022 17:04:44 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1668042284; cv=none; d=google.com; s=arc-20160816; b=qpTu+1ayn+EhK0hLyZsdfSZvo+E+4vHOeWHwLk0wP/WyHo/rBWgdBqtKXj5Slgw4X/ 95CjyRZgeg/xbnt8u93e/ypLOCAGOhINl3TctMMuu/QN0D6ZFfRXS7OvGB8PiuXRwxOR xLkPMcuGAL24zikBL6gucxPLXqcNM1ZRtQ7bludOWqRxIlC+CIy5waoquzlnS46aThx1 T/JzW8Lhq92MVPMg3v4fC5Tu2YicCOgb/LXUiBHA2g7KUeSNFX4hK5/AL3VjBygAvQa3 pobU7lwfE1mFFrCbKcPZ6KQ8rNHw4XkuwuDYnUOUP1wtOdkUfK4cG+a3JxepXAkl5UbP ug9A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:reply-to:dkim-signature; bh=BdmLOLo8ckIk/eD8WeKbjTM/d1aHn6rPzktWT2f3TMg=; b=qLTt6mSmdRjLavUJ7dLE+DbrnNrRt+qVzKC7XAQfm4ujSDTIIygCyjex2EcsWkZvOQ AO0QAMI5HDFDT/d16OYTOqWoVy2VvkoPauLflGMS67cienPMCbnbCNwnZ7M3ow+tyt5L jbNchJ3TKD7TjTLlbpLJbFqcdFkt52vy0m4Ouf/yxCiAD1K6AReRGekgTC4LLqNdLHki hQHMGFNW0ekjfFU5ZayC3zlKpl5pjyAAFSqf4oB9MhsGyQ91gnk3oUBTeJUcTwHBgpOY 
Date: Thu, 10 Nov 2022 00:57:06 +0000
In-Reply-To: <20221110005706.1064832-1-seanjc@google.com>
References: <20221110005706.1064832-1-seanjc@google.com>
Message-ID: <20221110005706.1064832-3-seanjc@google.com>
Subject: [PATCH 2/2] KVM: selftests: Test KVM's handling of VMX's sec exec MSR on KVM_SET_CPUID
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Yu Zhang

Verify that KVM does, and does not, modify the allowed set of VMX's secondary execution controls during KVM_SET_CPUID. Historically, KVM has modified select bits in response to guest CPUID changes to try and force a consistent CPU model. KVM's meddling causes problems if userspace invokes KVM_SET_CPUID after explicitly setting the MSR, as KVM may end up overriding a legal userspace config.

Newer, fixed KVM versions maintain the historical meddling for backwards compatibility, but only if userspace has never set the MSR for the vCPU. I.e. KVM transfers ownership to userspace on the first write.

Opportunistically fix some funky names in tools' definitions for a few secondary execution controls.

Signed-off-by: Sean Christopherson --- .../selftests/kvm/include/x86_64/processor.h | 1 + .../selftests/kvm/include/x86_64/vmx.h | 4 +- .../selftests/kvm/x86_64/vmx_msrs_test.c | 92 +++++++++++++++++++ 3 files changed, 95 insertions(+), 2 deletions(-) diff --git a/tools/testing/selftests/kvm/include/x86_64/processor.h b/tools/testing/selftests/kvm/include/x86_64/processor.h index e8ca0d8a6a7e..d01de81fc0ed 100644 --- a/tools/testing/selftests/kvm/include/x86_64/processor.h +++ b/tools/testing/selftests/kvm/include/x86_64/processor.h 
@@ -101,6 +101,7 @@ struct kvm_x86_cpu_feature { #define X86_FEATURE_INVPCID KVM_X86_CPU_FEATURE(0x7, 0, EBX, 10) #define X86_FEATURE_RTM KVM_X86_CPU_FEATURE(0x7, 0, EBX, 11) #define X86_FEATURE_MPX KVM_X86_CPU_FEATURE(0x7, 0, EBX, 14) +#define X86_FEATURE_RDSEED KVM_X86_CPU_FEATURE(0x7, 0, EBX, 18) #define X86_FEATURE_SMAP KVM_X86_CPU_FEATURE(0x7, 0, EBX, 20) #define X86_FEATURE_PCOMMIT KVM_X86_CPU_FEATURE(0x7, 0, EBX, 22) #define X86_FEATURE_CLFLUSHOPT KVM_X86_CPU_FEATURE(0x7, 0, EBX, 23) diff --git a/tools/testing/selftests/kvm/include/x86_64/vmx.h b/tools/testing/selftests/kvm/include/x86_64/vmx.h index 71b290b6469d..56c1771ba6b8 100644 --- a/tools/testing/selftests/kvm/include/x86_64/vmx.h +++ b/tools/testing/selftests/kvm/include/x86_64/vmx.h @@ -61,8 +61,8 @@ #define SECONDARY_EXEC_SHADOW_VMCS 0x00004000 #define SECONDARY_EXEC_RDSEED_EXITING 0x00010000 #define SECONDARY_EXEC_ENABLE_PML 0x00020000 -#define SECONDARY_EPT_VE 0x00040000 -#define SECONDARY_ENABLE_XSAV_RESTORE 0x00100000 +#define SECONDARY_EXEC_EPT_VE 0x00040000 +#define SECONDARY_EXEC_ENABLE_XSAVES 0x00100000 #define SECONDARY_EXEC_TSC_SCALING 0x02000000 #define PIN_BASED_EXT_INTR_MASK 0x00000001 diff --git a/tools/testing/selftests/kvm/x86_64/vmx_msrs_test.c b/tools/testing/selftests/kvm/x86_64/vmx_msrs_test.c index 322d561b4260..dbd60a989b28 100644 --- a/tools/testing/selftests/kvm/x86_64/vmx_msrs_test.c +++ b/tools/testing/selftests/kvm/x86_64/vmx_msrs_test.c 
@@ -12,6 +12,96 @@ #include "kvm_util.h" #include "vmx.h" +static void vmx_sec_exec_assert_allowed(struct kvm_vcpu *vcpu, + const char *name, uint64_t ctrl) +{ + TEST_ASSERT(vcpu_get_msr(vcpu, MSR_IA32_VMX_PROCBASED_CTLS2) & ctrl, + "Expected '%s' to be allowed in sec exec controls", name); +} + +static void vmx_sec_exec_assert_denied(struct kvm_vcpu *vcpu, + const char *name, uint64_t ctrl) +{ + TEST_ASSERT(!(vcpu_get_msr(vcpu, MSR_IA32_VMX_PROCBASED_CTLS2) & ctrl), + "Expected '%s' to be denied in sec exec controls", name); +} + +static void vmx_sec_exec_control_test(struct kvm_vcpu *vcpu, + const char *name, + struct kvm_x86_cpu_feature feature, + uint64_t ctrl, bool kvm_owned) +{ + /* Allowed-1 settings are in the upper 32 bits. */ + ctrl <<= 32; + + if (!this_cpu_has(feature)) + return; + + if (kvm_owned) { + vcpu_set_cpuid_feature(vcpu, feature); + vmx_sec_exec_assert_allowed(vcpu, name, ctrl); + + vcpu_clear_cpuid_feature(vcpu, feature); + vmx_sec_exec_assert_denied(vcpu, name, ctrl); + + /* Make sure KVM is actually toggling the bit. 
*/ + vcpu_set_cpuid_feature(vcpu, feature); + vmx_sec_exec_assert_allowed(vcpu, name, ctrl); + } else { + vcpu_set_msr(vcpu, MSR_IA32_VMX_PROCBASED_CTLS2, + vcpu_get_msr(vcpu, MSR_IA32_VMX_PROCBASED_CTLS2) | ctrl); + vmx_sec_exec_assert_allowed(vcpu, name, ctrl); + + vcpu_set_cpuid_feature(vcpu, feature); + vmx_sec_exec_assert_allowed(vcpu, name, ctrl); + + vcpu_clear_cpuid_feature(vcpu, feature); + vmx_sec_exec_assert_allowed(vcpu, name, ctrl); + + vcpu_set_msr(vcpu, MSR_IA32_VMX_PROCBASED_CTLS2, + vcpu_get_msr(vcpu, MSR_IA32_VMX_PROCBASED_CTLS2) & ~ctrl); + vmx_sec_exec_assert_denied(vcpu, name, ctrl); + + vcpu_set_cpuid_feature(vcpu, feature); + vmx_sec_exec_assert_denied(vcpu, name, ctrl); + + vcpu_clear_cpuid_feature(vcpu, feature); + vmx_sec_exec_assert_denied(vcpu, name, ctrl); + } +} + +#define vmx_sec_exec_feature_test(vcpu, name, kvm_owned) \ + vmx_sec_exec_control_test(vcpu, #name, X86_FEATURE_##name, \ + SECONDARY_EXEC_ENABLE_##name, kvm_owned) + +#define vmx_sec_exec_exiting_test(vcpu, name, kvm_owned) \ + vmx_sec_exec_control_test(vcpu, #name, X86_FEATURE_##name, \ + SECONDARY_EXEC_##name##_EXITING, kvm_owned) + +static void vmx_sec_exec_controls_test(struct kvm_vcpu *vcpu) +{ + int i; + + if (this_cpu_has(X86_FEATURE_XSAVE)) + vcpu_set_cpuid_feature(vcpu, X86_FEATURE_XSAVE); + + if (this_cpu_has(X86_FEATURE_RDPID)) + vcpu_clear_cpuid_feature(vcpu, X86_FEATURE_RDPID); + + /* + * Verify that for features KVM has historically taken control of, KVM + * updates PROCBASED_CTLS2 during KVM_SET_CPUID if userspace has never + * set the MSR, but leaves it alone once userspace writes the MSR. + */ + for (i = 0; i < 2; i++) { + vmx_sec_exec_feature_test(vcpu, XSAVES, !i); + vmx_sec_exec_feature_test(vcpu, RDTSCP, !i); + vmx_sec_exec_feature_test(vcpu, INVPCID, !i); + vmx_sec_exec_exiting_test(vcpu, RDRAND, !i); + vmx_sec_exec_exiting_test(vcpu, RDSEED, !i); + } +} + static void vmx_fixed1_msr_test(struct kvm_vcpu *vcpu, uint32_t msr_index, uint64_t mask) { 
@@ -78,6 +168,8 @@ int main(void) /* No need to actually do KVM_RUN, thus no guest code. */ vm = vm_create_with_one_vcpu(&vcpu, NULL); + vmx_sec_exec_controls_test(vcpu); + vmx_save_restore_msrs_test(vcpu); kvm_vm_free(vm);
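
Review bot: the new "bool secondary_set_by_userspace" member in struct nested_vmx_msrs (patch 1/2, arch/x86/kvm/vmx/capabilities.h) is undocumented, and it is the only member in the visible part of the struct that is bookkeeping rather than an MSR value (its neighbours are the u64 fields cr4_fixed1, vmcs_enum and vmfunc_controls). A one-line comment saying that it latches on the first accepted userspace write of MSR_IA32_VMX_PROCBASED_CTLS2 and is never cleared would make the ownership rule visible at the declaration. It is also worth confirming that any code which initialises or copies this struct as a whole leaves the flag false for a fresh vCPU, since the patch does not show that path.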
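
Review bot: the flag assignment in vmx_restore_control_msr() (patch 1/2, arch/x86/kvm/vmx/nested.c) depends on its position after the is_bitwise_subset() check that returns -EINVAL, and nothing in the hunk says so. As placed, a rejected write leaves ownership with KVM, which matches the commit message, but a later reorder would silently hand ownership to userspace on a failed write. A short comment above "if (msr_index == MSR_IA32_VMX_PROCBASED_CTLS2)" stating that only accepted writes transfer ownership, and that the transfer is one-way for the life of the vCPU, would protect that.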
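
Review bot: the comment above the changed condition in vmx_adjust_secondary_exec_control() (patch 1/2, arch/x86/kvm/vmx/vmx.c) is now incomplete. It still reads "Update the nested MSR settings so that a nested VMM can/can't set controls for features that are/aren't exposed to the guest", but with "if (nested && !vmx->nested.msrs.secondary_set_by_userspace)" the update is skipped entirely once userspace has written the MSR. Please extend the comment to say that after the first userspace write KVM neither adds nor removes allowed-1 bits on CPUID changes, so keeping the controls offered to L1 consistent with CPUID becomes userspace's responsibility. That is the behaviour a VMM author needs to know when deciding what L2 may be given.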
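
Review bot: vmx_sec_exec_control_test() (patch 2/2, tools/testing/selftests/kvm/x86_64/vmx_msrs_test.c) gates each case only on this_cpu_has(feature), which says the instruction is in host CPUID, not that the matching control is in the allowed-1 set KVM accepts. In the userspace-owned branch the test writes vcpu_get_msr(...) | ctrl back to MSR_IA32_VMX_PROCBASED_CTLS2, and the nested.c context in patch 1/2 shows such a write returning -EINVAL when the upper 32 bits are not a subset of what is supported, so on a host where the two disagree the test would fail instead of skipping. Consider skipping the case when the control is not supported. Separately, the "for (i = 0; i < 2; i++)" loop passing "!i" as kvm_owned relies on every KVM-owned case finishing before the first vcpu_set_msr(), because ownership never returns to KVM; two explicit passes with a named bool would make that ordering obvious. The XSAVE set and RDPID clear at the top of vmx_sec_exec_controls_test() also have no comment saying which of the five controls depend on them.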
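
Review bot: the call order in main() (patch 2/2, vmx_msrs_test.c) is load-bearing but undocumented. vmx_sec_exec_controls_test(vcpu) is placed before vmx_save_restore_msrs_test(vcpu) on the same vCPU, and its first pass needs a vCPU whose MSR_IA32_VMX_PROCBASED_CTLS2 has never been written. The body of vmx_save_restore_msrs_test() is not shown here, but if it writes that MSR, swapping the two calls would make the KVM-owned assertions fail. A comment at the call site, or a dedicated vCPU for the new test, would keep a later reorder from breaking it.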