2020-03-24 10:41:52 +01:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-only
|
|
|
|
|
/*
|
|
|
|
|
* Kernel-based Virtual Machine driver for Linux
|
|
|
|
|
*
|
|
|
|
|
* AMD SVM support
|
|
|
|
|
*
|
|
|
|
|
* Copyright (C) 2006 Qumranet, Inc.
|
|
|
|
|
* Copyright 2010 Red Hat, Inc. and/or its affiliates.
|
|
|
|
|
*
|
|
|
|
|
* Authors:
|
|
|
|
|
* Yaniv Kamay <yaniv@qumranet.com>
|
|
|
|
|
* Avi Kivity <avi@qumranet.com>
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#ifndef __SVM_SVM_H
|
|
|
|
|
#define __SVM_SVM_H
|
|
|
|
|
|
|
|
|
|
#include <linux/kvm_types.h>
|
|
|
|
|
#include <linux/kvm_host.h>
|
2020-12-10 11:09:47 -06:00
|
|
|
#include <linux/bits.h>
|
2020-03-24 10:41:52 +01:00
|
|
|
|
|
|
|
|
#include <asm/svm.h>
|
2021-04-27 06:16:35 -05:00
|
|
|
#include <asm/sev-common.h>
|
2020-03-24 10:41:52 +01:00
|
|
|
|
2023-08-15 13:36:51 -07:00
|
|
|
#include "cpuid.h"
|
2022-03-04 08:10:32 -08:00
|
|
|
#include "kvm_cache_regs.h"
|
|
|
|
|
|
2024-08-02 13:45:09 -07:00
|
|
|
/*
|
|
|
|
|
* Helpers to convert to/from physical addresses for pages whose address is
|
|
|
|
|
* consumed directly by hardware. Even though it's a physical address, SVM
|
|
|
|
|
* often restricts the address to the natural width, hence 'unsigned long'
|
|
|
|
|
* instead of 'hpa_t'.
|
|
|
|
|
*/
|
|
|
|
|
static inline unsigned long __sme_page_pa(struct page *page)
|
|
|
|
|
{
|
|
|
|
|
return __sme_set(page_to_pfn(page) << PAGE_SHIFT);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline struct page *__sme_pa_to_page(unsigned long pa)
|
|
|
|
|
{
|
|
|
|
|
return pfn_to_page(__sme_clr(pa) >> PAGE_SHIFT);
|
|
|
|
|
}
|
2020-12-10 11:10:04 -06:00
|
|
|
|
2021-04-12 17:56:05 -04:00
|
|
|
#define IOPM_SIZE PAGE_SIZE * 3
|
|
|
|
|
#define MSRPM_SIZE PAGE_SIZE * 2
|
|
|
|
|
|
2020-03-24 10:41:52 +01:00
|
|
|
extern bool npt_enabled;
|
2023-08-24 18:36:19 -07:00
|
|
|
extern int nrips;
|
2022-03-22 19:24:49 +02:00
|
|
|
extern int vgif;
|
2021-07-07 15:51:00 +03:00
|
|
|
extern bool intercept_smi;
|
2023-01-06 01:12:44 +00:00
|
|
|
extern bool x2avic_enabled;
|
KVM: x86: Add support for SVM's Virtual NMI
Add support for SVM's Virtual NMIs implementation, which adds proper
tracking of virtual NMI blocking, and an intr_ctrl flag that software can
set to mark a virtual NMI as pending. Pending virtual NMIs are serviced
by hardware if/when virtual NMIs become unblocked, i.e. act more or less
like real NMIs.
Introduce two new kvm_x86_ops callbacks so to support SVM's vNMI, as KVM
needs to treat a pending vNMI as partially injected. Specifically, if
two NMIs (for L1) arrive concurrently in KVM's software model, KVM's ABI
is to inject one and pend the other. Without vNMI, KVM manually tracks
the pending NMI and uses NMI windows to detect when the NMI should be
injected.
With vNMI, the pending NMI is simply stuffed into the VMCB and handed
off to hardware. This means that KVM needs to be able to set a vNMI
pending on-demand, and also query if a vNMI is pending, e.g. to honor the
"at most one NMI pending" rule and to preserve all NMIs across save and
restore.
Warn if KVM attempts to open an NMI window when vNMI is fully enabled,
as the above logic should prevent KVM from ever getting to
kvm_check_and_inject_events() with two NMIs pending _in software_, and
the "at most one NMI pending" logic should prevent having an NMI pending
in hardware and an NMI pending in software if NMIs are also blocked, i.e.
if KVM can't immediately inject the second NMI.
Signed-off-by: Santosh Shukla <Santosh.Shukla@amd.com>
Co-developed-by: Maxim Levitsky <mlevitsk@redhat.com>
Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
Link: https://lore.kernel.org/r/20230227084016.3368-11-santosh.shukla@amd.com
[sean: rewrite shortlog and changelog, massage code comments]
Signed-off-by: Sean Christopherson <seanjc@google.com>
2023-02-27 14:10:15 +05:30
|
|
|
extern bool vnmi;
|
2024-05-31 04:46:43 +00:00
|
|
|
extern int lbrv;
|
2022-05-19 05:26:55 -05:00
|
|
|
|
2021-06-03 15:14:37 +00:00
|
|
|
/*
|
|
|
|
|
* Clean bits in VMCB.
|
|
|
|
|
* VMCB_ALL_CLEAN_MASK might also need to
|
|
|
|
|
* be updated if this enum is modified.
|
|
|
|
|
*/
|
2020-03-24 10:41:52 +01:00
|
|
|
enum {
|
|
|
|
|
VMCB_INTERCEPTS, /* Intercept vectors, TSC offset,
|
|
|
|
|
pause filter count */
|
|
|
|
|
VMCB_PERM_MAP, /* IOPM Base and MSRPM Base */
|
|
|
|
|
VMCB_ASID, /* ASID */
|
|
|
|
|
VMCB_INTR, /* int_ctl, int_vector */
|
|
|
|
|
VMCB_NPT, /* npt_en, nCR3, gPAT */
|
|
|
|
|
VMCB_CR, /* CR0, CR3, CR4, EFER */
|
|
|
|
|
VMCB_DR, /* DR6, DR7 */
|
|
|
|
|
VMCB_DT, /* GDT, IDT */
|
|
|
|
|
VMCB_SEG, /* CS, DS, SS, ES, CPL */
|
|
|
|
|
VMCB_CR2, /* CR2 only */
|
|
|
|
|
VMCB_LBR, /* DBGCTL, BR_FROM, BR_TO, LAST_EX_FROM, LAST_EX_TO */
|
|
|
|
|
VMCB_AVIC, /* AVIC APIC_BAR, AVIC APIC_BACKING_PAGE,
|
|
|
|
|
* AVIC PHYSICAL_TABLE pointer,
|
|
|
|
|
* AVIC LOGICAL_TABLE pointer
|
|
|
|
|
*/
|
2021-06-03 15:14:37 +00:00
|
|
|
VMCB_SW = 31, /* Reserved for hypervisor/software use */
|
2020-03-24 10:41:52 +01:00
|
|
|
};
|
|
|
|
|
|
2021-06-03 15:14:37 +00:00
|
|
|
#define VMCB_ALL_CLEAN_MASK ( \
|
|
|
|
|
(1U << VMCB_INTERCEPTS) | (1U << VMCB_PERM_MAP) | \
|
|
|
|
|
(1U << VMCB_ASID) | (1U << VMCB_INTR) | \
|
|
|
|
|
(1U << VMCB_NPT) | (1U << VMCB_CR) | (1U << VMCB_DR) | \
|
|
|
|
|
(1U << VMCB_DT) | (1U << VMCB_SEG) | (1U << VMCB_CR2) | \
|
|
|
|
|
(1U << VMCB_LBR) | (1U << VMCB_AVIC) | \
|
|
|
|
|
(1U << VMCB_SW))
|
|
|
|
|
|
2020-03-24 10:41:52 +01:00
|
|
|
/* TPR and CR2 are always written before VMRUN */
|
|
|
|
|
#define VMCB_ALWAYS_DIRTY_MASK ((1U << VMCB_INTR) | (1U << VMCB_CR2))
|
|
|
|
|
|
|
|
|
|
struct kvm_sev_info {
|
|
|
|
|
bool active; /* SEV enabled guest */
|
2020-12-10 11:09:38 -06:00
|
|
|
bool es_active; /* SEV-ES enabled guest */
|
2024-04-04 08:13:20 -04:00
|
|
|
bool need_init; /* waiting for SEV_INIT2 */
|
2020-03-24 10:41:52 +01:00
|
|
|
unsigned int asid; /* ASID used for this guest */
|
|
|
|
|
unsigned int handle; /* SEV firmware handle */
|
|
|
|
|
int fd; /* SEV device fd */
|
2025-03-20 08:26:49 -05:00
|
|
|
unsigned long policy;
|
2020-03-24 10:41:52 +01:00
|
|
|
unsigned long pages_locked; /* Number of pages locked */
|
|
|
|
|
struct list_head regions_list; /* List of registered regions */
|
2020-12-15 12:44:07 -05:00
|
|
|
u64 ap_jump_table; /* SEV-ES AP Jump Table address */
|
2024-04-04 08:13:16 -04:00
|
|
|
u64 vmsa_features;
|
2024-05-01 02:10:48 -05:00
|
|
|
u16 ghcb_version; /* Highest guest GHCB protocol version allowed */
|
2021-04-08 22:32:14 +00:00
|
|
|
struct kvm *enc_context_owner; /* Owner of copied encryption context */
|
2022-02-11 11:36:34 -08:00
|
|
|
struct list_head mirror_vms; /* List of VMs mirroring */
|
|
|
|
|
struct list_head mirror_entry; /* Use as a list entry of mirrors */
|
2021-03-29 21:42:06 -07:00
|
|
|
struct misc_cg *misc_cg; /* For misc cgroup accounting */
|
2021-10-21 10:43:00 -07:00
|
|
|
atomic_t migration_in_progress;
|
2024-05-01 03:51:55 -05:00
|
|
|
void *snp_context; /* SNP guest context page */
|
KVM: SEV: Provide support for SNP_GUEST_REQUEST NAE event
Version 2 of GHCB specification added support for the SNP Guest Request
Message NAE event. The event allows for an SEV-SNP guest to make
requests to the SEV-SNP firmware through the hypervisor using the
SNP_GUEST_REQUEST API defined in the SEV-SNP firmware specification.
This is used by guests primarily to request attestation reports from
firmware. There are other request types are available as well, but the
specifics of what guest requests are being made generally does not
affect how they are handled by the hypervisor, which only serves as a
proxy for the guest requests and firmware responses.
Implement handling for these events.
When an SNP Guest Request is issued, the guest will provide its own
request/response pages, which could in theory be passed along directly
to firmware. However, these pages would need special care:
- Both pages are from shared guest memory, so they need to be
protected from migration/etc. occurring while firmware reads/writes
to them. At a minimum, this requires elevating the ref counts and
potentially needing an explicit pinning of the memory. This places
additional restrictions on what type of memory backends userspace
can use for shared guest memory since there would be some reliance
on using refcounted pages.
- The response page needs to be switched to Firmware-owned state
before the firmware can write to it, which can lead to potential
host RMP #PFs if the guest is misbehaved and hands the host a
guest page that KVM is writing to for other reasons (e.g. virtio
buffers).
Both of these issues can be avoided completely by using
separately-allocated bounce pages for both the request/response pages
and passing those to firmware instead. So that's the approach taken
here.
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Co-developed-by: Alexey Kardashevskiy <aik@amd.com>
Signed-off-by: Alexey Kardashevskiy <aik@amd.com>
Co-developed-by: Ashish Kalra <ashish.kalra@amd.com>
Signed-off-by: Ashish Kalra <ashish.kalra@amd.com>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Reviewed-by: Liam Merwick <liam.merwick@oracle.com>
[mdr: ensure FW command failures are indicated to guest, drop extended
request handling to be re-written as separate patch, massage commit]
Signed-off-by: Michael Roth <michael.roth@amd.com>
Message-ID: <20240701223148.3798365-2-michael.roth@amd.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2024-07-01 17:31:46 -05:00
|
|
|
void *guest_req_buf; /* Bounce buffer for SNP Guest Request input */
|
|
|
|
|
void *guest_resp_buf; /* Bounce buffer for SNP Guest Request output */
|
|
|
|
|
struct mutex guest_req_mutex; /* Must acquire before using bounce buffers */
|
KVM: SVM: Flush cache only on CPUs running SEV guest
On AMD CPUs without ensuring cache consistency, each memory page
reclamation in an SEV guest triggers a call to do WBNOINVD/WBINVD on all
CPUs, thereby affecting the performance of other programs on the host.
Typically, an AMD server may have 128 cores or more, while the SEV guest
might only utilize 8 of these cores. Meanwhile, host can use qemu-affinity
to bind these 8 vCPUs to specific physical CPUs.
Therefore, keeping a record of the physical core numbers each time a vCPU
runs can help avoid flushing the cache for all CPUs every time.
Take care to allocate the cpumask used to track which CPUs have run a
vCPU when copying or moving an "encryption context", as nothing guarantees
memory in a mirror VM is a strict subset of the ASID owner, and the
destination VM for intrahost migration needs to maintain it's own set of
CPUs. E.g. for intrahost migration, if a CPU was used for the source VM
but not the destination VM, then it can only have cached memory that was
accessible to the source VM. And a CPU that was run in the source is also
used by the destination is no different than a CPU that was run in the
destination only.
Note, KVM is guaranteed to do flush caches prior to sev_vm_destroy(),
thanks to kvm_arch_guest_memory_reclaimed for SEV and SEV-ES, and
kvm_arch_gmem_invalidate() for SEV-SNP. I.e. it's safe to free the
cpumask prior to unregistering encrypted regions and freeing the ASID.
Opportunistically clean up sev_vm_destroy()'s comment regarding what is
(implicitly, what isn't) skipped for mirror VMs.
Cc: Srikanth Aithal <sraithal@amd.com>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Zheyun Shen <szy0127@sjtu.edu.cn>
Link: https://lore.kernel.org/r/20250522233733.3176144-9-seanjc@google.com
Link: https://lore.kernel.org/all/935a82e3-f7ad-47d7-aaaf-f3d2b62ed768@amd.com
Co-developed-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
2025-05-22 16:37:32 -07:00
|
|
|
cpumask_var_t have_run_cpus; /* CPUs that have done VMRUN for this VM. */
|
2020-03-24 10:41:52 +01:00
|
|
|
};
|
|
|
|
|
|
2025-03-20 08:26:49 -05:00
|
|
|
#define SEV_POLICY_NODBG BIT_ULL(0)
|
|
|
|
|
#define SNP_POLICY_DEBUG BIT_ULL(19)
|
|
|
|
|
|
2020-03-24 10:41:52 +01:00
|
|
|
struct kvm_svm {
|
|
|
|
|
struct kvm kvm;
|
|
|
|
|
|
|
|
|
|
/* Struct members for AVIC */
|
|
|
|
|
u32 avic_vm_id;
|
2025-06-11 15:45:17 -07:00
|
|
|
u32 *avic_logical_id_table;
|
|
|
|
|
u64 *avic_physical_id_table;
|
2020-03-24 10:41:52 +01:00
|
|
|
struct hlist_node hnode;
|
|
|
|
|
|
|
|
|
|
struct kvm_sev_info sev_info;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
struct kvm_vcpu;
|
|
|
|
|
|
2021-01-13 07:07:52 -05:00
|
|
|
struct kvm_vmcb_info {
|
|
|
|
|
struct vmcb *ptr;
|
|
|
|
|
unsigned long pa;
|
2021-01-12 11:43:12 -05:00
|
|
|
int cpu;
|
2021-01-12 11:43:13 -05:00
|
|
|
uint64_t asid_generation;
|
2021-01-13 07:07:52 -05:00
|
|
|
};
|
|
|
|
|
|
2021-11-03 10:05:22 -04:00
|
|
|
struct vmcb_save_area_cached {
|
|
|
|
|
u64 efer;
|
|
|
|
|
u64 cr4;
|
|
|
|
|
u64 cr3;
|
|
|
|
|
u64 cr0;
|
|
|
|
|
u64 dr7;
|
|
|
|
|
u64 dr6;
|
|
|
|
|
};
|
|
|
|
|
|
2021-11-03 10:05:26 -04:00
|
|
|
struct vmcb_ctrl_area_cached {
|
|
|
|
|
u32 intercepts[MAX_INTERCEPT];
|
|
|
|
|
u16 pause_filter_thresh;
|
|
|
|
|
u16 pause_filter_count;
|
|
|
|
|
u64 iopm_base_pa;
|
|
|
|
|
u64 msrpm_base_pa;
|
|
|
|
|
u64 tsc_offset;
|
|
|
|
|
u32 asid;
|
|
|
|
|
u8 tlb_ctl;
|
|
|
|
|
u32 int_ctl;
|
|
|
|
|
u32 int_vector;
|
|
|
|
|
u32 int_state;
|
|
|
|
|
u32 exit_code;
|
|
|
|
|
u32 exit_code_hi;
|
|
|
|
|
u64 exit_info_1;
|
|
|
|
|
u64 exit_info_2;
|
|
|
|
|
u32 exit_int_info;
|
|
|
|
|
u32 exit_int_info_err;
|
|
|
|
|
u64 nested_ctl;
|
|
|
|
|
u32 event_inj;
|
|
|
|
|
u32 event_inj_err;
|
2022-05-02 00:07:25 +02:00
|
|
|
u64 next_rip;
|
2021-11-03 10:05:26 -04:00
|
|
|
u64 nested_cr3;
|
|
|
|
|
u64 virt_ext;
|
2022-02-02 10:51:00 +01:00
|
|
|
u32 clean;
|
KVM: SVM: Add support for KVM_CAP_X86_BUS_LOCK_EXIT on SVM CPUs
Add support for KVM_CAP_X86_BUS_LOCK_EXIT on SVM CPUs with Bus Lock
Threshold, which is close enough to VMX's Bus Lock Detection VM-Exit to
allow reusing KVM_CAP_X86_BUS_LOCK_EXIT.
The biggest difference between the two features is that Threshold is
fault-like, whereas Detection is trap-like. To allow the guest to make
forward progress, Threshold provides a per-VMCB counter which is
decremented every time a bus lock occurs, and a VM-Exit is triggered if
and only if the counter is '0'.
To provide Detection-like semantics, initialize the counter to '0', i.e.
exit on every bus lock, and when re-executing the guilty instruction, set
the counter to '1' to effectively step past the instruction.
Note, in the unlikely scenario that re-executing the instruction doesn't
trigger a bus lock, e.g. because the guest has changed memory types or
patched the guilty instruction, the bus lock counter will be left at '1',
i.e. the guest will be able to do a bus lock on a different instruction.
In a perfect world, KVM would ensure the counter is '0' if the guest has
made forward progress, e.g. if RIP has changed. But trying to close that
hole would incur non-trivial complexity, for marginal benefit; the intent
of KVM_CAP_X86_BUS_LOCK_EXIT is to allow userspace rate-limit bus locks,
not to allow for precise detection of problematic guest code. And, it's
simply not feasible to fully close the hole, e.g. if an interrupt arrives
before the original instruction can re-execute, the guest could step past
a different bus lock.
Suggested-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Manali Shukla <manali.shukla@amd.com>
Link: https://lore.kernel.org/r/20250502050346.14274-5-manali.shukla@amd.com
[sean: fix typo in comment]
Signed-off-by: Sean Christopherson <seanjc@google.com>
2025-05-02 05:03:45 +00:00
|
|
|
u64 bus_lock_rip;
|
2022-11-01 15:53:41 +01:00
|
|
|
union {
|
2023-12-05 11:36:30 +01:00
|
|
|
#if IS_ENABLED(CONFIG_HYPERV) || IS_ENABLED(CONFIG_KVM_HYPERV)
|
2022-11-01 15:53:42 +01:00
|
|
|
struct hv_vmcb_enlightenments hv_enlightenments;
|
2023-12-05 11:36:30 +01:00
|
|
|
#endif
|
2022-11-01 15:53:41 +01:00
|
|
|
u8 reserved_sw[32];
|
|
|
|
|
};
|
2021-11-03 10:05:26 -04:00
|
|
|
};
|
|
|
|
|
|
2020-06-25 10:03:22 +02:00
|
|
|
struct svm_nested_state {
|
2021-01-13 07:07:52 -05:00
|
|
|
struct kvm_vmcb_info vmcb02;
|
2020-03-24 10:41:52 +01:00
|
|
|
u64 hsave_msr;
|
|
|
|
|
u64 vm_cr_msr;
|
2020-08-27 20:11:39 +03:00
|
|
|
u64 vmcb12_gpa;
|
2021-03-01 15:08:44 -05:00
|
|
|
u64 last_vmcb12_gpa;
|
2020-03-24 10:41:52 +01:00
|
|
|
|
2025-06-10 15:57:31 -07:00
|
|
|
/*
|
|
|
|
|
* The MSR permissions map used for vmcb02, which is the merge result
|
|
|
|
|
* of vmcb01 and vmcb12
|
|
|
|
|
*/
|
|
|
|
|
void *msrpm;
|
2020-03-24 10:41:52 +01:00
|
|
|
|
2020-04-23 13:22:27 -04:00
|
|
|
/* A VMRUN has started but has not yet been performed, so
|
|
|
|
|
* we cannot inject a nested vmexit yet. */
|
|
|
|
|
bool nested_run_pending;
|
|
|
|
|
|
2020-05-13 13:16:12 -04:00
|
|
|
/* cache for control fields of the guest */
|
2021-11-03 10:05:26 -04:00
|
|
|
struct vmcb_ctrl_area_cached ctl;
|
2020-10-01 14:29:54 +03:00
|
|
|
|
2021-11-03 10:05:22 -04:00
|
|
|
/*
|
|
|
|
|
* Note: this struct is not kept up-to-date while L2 runs; it is only
|
|
|
|
|
* valid within nested_svm_vmrun.
|
|
|
|
|
*/
|
|
|
|
|
struct vmcb_save_area_cached save;
|
|
|
|
|
|
2020-10-01 14:29:54 +03:00
|
|
|
bool initialized;
|
2022-02-02 10:50:57 +01:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Indicates whether MSR bitmap for L2 needs to be rebuilt due to
|
|
|
|
|
* changes in MSR bitmap for L1 or switching to a different L2. Note,
|
|
|
|
|
* this flag can only be used reliably in conjunction with a paravirt L1
|
|
|
|
|
* which informs L0 whether any changes to MSR bitmap for L2 were done
|
|
|
|
|
* on its side.
|
|
|
|
|
*/
|
|
|
|
|
bool force_msr_bitmap_recalc;
|
2020-03-24 10:41:52 +01:00
|
|
|
};
|
|
|
|
|
|
2021-10-21 10:42:59 -07:00
|
|
|
struct vcpu_sev_es_state {
|
|
|
|
|
/* SEV-ES support */
|
2022-04-05 13:27:43 -05:00
|
|
|
struct sev_es_save_area *vmsa;
|
2021-10-21 10:42:59 -07:00
|
|
|
struct ghcb *ghcb;
|
2023-08-04 12:42:45 -04:00
|
|
|
u8 valid_bitmap[16];
|
2021-10-21 10:42:59 -07:00
|
|
|
struct kvm_host_map ghcb_map;
|
|
|
|
|
bool received_first_sipi;
|
2024-05-01 02:10:45 -05:00
|
|
|
unsigned int ap_reset_hold_type;
|
2021-10-21 10:42:59 -07:00
|
|
|
|
|
|
|
|
/* SEV-ES scratch area support */
|
2023-08-04 12:42:45 -04:00
|
|
|
u64 sw_scratch;
|
2021-10-21 10:42:59 -07:00
|
|
|
void *ghcb_sa;
|
2021-11-11 10:52:26 -05:00
|
|
|
u32 ghcb_sa_len;
|
2021-10-21 10:42:59 -07:00
|
|
|
bool ghcb_sa_sync;
|
|
|
|
|
bool ghcb_sa_free;
|
2024-05-01 03:51:58 -05:00
|
|
|
|
2024-05-01 03:52:00 -05:00
|
|
|
/* SNP Page-State-Change buffer entries currently being processed */
|
|
|
|
|
u16 psc_idx;
|
|
|
|
|
u16 psc_inflight;
|
|
|
|
|
bool psc_2m;
|
|
|
|
|
|
2024-05-01 03:51:58 -05:00
|
|
|
u64 ghcb_registered_gpa;
|
2024-05-01 03:52:02 -05:00
|
|
|
|
|
|
|
|
struct mutex snp_vmsa_mutex; /* Used to handle concurrent updates of VMSA. */
|
|
|
|
|
gpa_t snp_vmsa_gpa;
|
|
|
|
|
bool snp_ap_waiting_for_reset;
|
|
|
|
|
bool snp_has_guest_vmsa;
|
2021-10-21 10:42:59 -07:00
|
|
|
};
|
|
|
|
|
|
2020-03-24 10:41:52 +01:00
|
|
|
struct vcpu_svm {
|
|
|
|
|
struct kvm_vcpu vcpu;
|
2021-04-06 10:18:10 -07:00
|
|
|
/* vmcb always points at current_vmcb->ptr, it's purely a shorthand. */
|
2020-03-24 10:41:52 +01:00
|
|
|
struct vmcb *vmcb;
|
2021-01-13 07:07:52 -05:00
|
|
|
struct kvm_vmcb_info vmcb01;
|
|
|
|
|
struct kvm_vmcb_info *current_vmcb;
|
2020-10-11 14:48:17 -04:00
|
|
|
u32 asid;
|
2021-04-01 14:19:28 +03:00
|
|
|
u32 sysenter_esp_hi;
|
|
|
|
|
u32 sysenter_eip_hi;
|
2020-03-24 10:41:52 +01:00
|
|
|
uint64_t tsc_aux;
|
|
|
|
|
|
|
|
|
|
u64 msr_decfg;
|
|
|
|
|
|
|
|
|
|
u64 next_rip;
|
|
|
|
|
|
|
|
|
|
u64 spec_ctrl;
|
2021-09-14 18:48:24 +03:00
|
|
|
|
|
|
|
|
u64 tsc_ratio_msr;
|
2020-03-24 10:41:52 +01:00
|
|
|
/*
|
|
|
|
|
* Contains guest-controlled bits of VIRT_SPEC_CTRL, which will be
|
|
|
|
|
* translated into the appropriate L2_CFG bits on the host to
|
|
|
|
|
* perform speculative control.
|
|
|
|
|
*/
|
|
|
|
|
u64 virt_spec_ctrl;
|
|
|
|
|
|
2025-06-10 15:57:31 -07:00
|
|
|
void *msrpm;
|
2020-03-24 10:41:52 +01:00
|
|
|
|
|
|
|
|
ulong nmi_iret_rip;
|
|
|
|
|
|
2020-06-25 10:03:22 +02:00
|
|
|
struct svm_nested_state nested;
|
2020-03-24 10:41:52 +01:00
|
|
|
|
2023-01-30 17:20:03 -08:00
|
|
|
/* NMI mask value, used when vNMI is not enabled */
|
|
|
|
|
bool nmi_masked;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* True when NMIs are still masked but guest IRET was just intercepted
|
|
|
|
|
* and KVM is waiting for RIP to change, which will signal that the
|
|
|
|
|
* intercepted IRET was retired and thus NMI can be unmasked.
|
|
|
|
|
*/
|
|
|
|
|
bool awaiting_iret_completion;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Set when KVM is awaiting IRET completion and needs to inject NMIs as
|
|
|
|
|
* soon as the IRET completes (e.g. NMI is pending injection). KVM
|
|
|
|
|
* temporarily steals RFLAGS.TF to single-step the guest in this case
|
|
|
|
|
* in order to regain control as soon as the NMI-blocking condition
|
|
|
|
|
* goes away.
|
|
|
|
|
*/
|
2020-03-24 10:41:52 +01:00
|
|
|
bool nmi_singlestep;
|
|
|
|
|
u64 nmi_singlestep_guest_rflags;
|
2023-01-30 17:20:03 -08:00
|
|
|
|
2022-05-02 00:07:34 +02:00
|
|
|
bool nmi_l1_to_l2;
|
2020-03-24 10:41:52 +01:00
|
|
|
|
KVM: SVM: Re-inject INT3/INTO instead of retrying the instruction
Re-inject INT3/INTO instead of retrying the instruction if the CPU
encountered an intercepted exception while vectoring the software
exception, e.g. if vectoring INT3 encounters a #PF and KVM is using
shadow paging. Retrying the instruction is architecturally wrong, e.g.
will result in a spurious #DB if there's a code breakpoint on the INT3/O,
and lack of re-injection also breaks nested virtualization, e.g. if L1
injects a software exception and vectoring the injected exception
encounters an exception that is intercepted by L0 but not L1.
Due to, ahem, deficiencies in the SVM architecture, acquiring the next
RIP may require flowing through the emulator even if NRIPS is supported,
as the CPU clears next_rip if the VM-Exit is due to an exception other
than "exceptions caused by the INT3, INTO, and BOUND instructions". To
deal with this, "skip" the instruction to calculate next_rip (if it's
not already known), and then unwind the RIP write and any side effects
(RFLAGS updates).
Save the computed next_rip and use it to re-stuff next_rip if injection
doesn't complete. This allows KVM to do the right thing if next_rip was
known prior to injection, e.g. if L1 injects a soft event into L2, and
there is no backing INTn instruction, e.g. if L1 is injecting an
arbitrary event.
Note, it's impossible to guarantee architectural correctness given SVM's
architectural flaws. E.g. if the guest executes INTn (no KVM injection),
an exit occurs while vectoring the INTn, and the guest modifies the code
stream while the exit is being handled, KVM will compute the incorrect
next_rip due to "skipping" the wrong instruction. A future enhancement
to make this less awful would be for KVM to detect that the decoded
instruction is not the correct INTn and drop the to-be-injected soft
event (retrying is a lesser evil compared to shoving the wrong RIP on the
exception stack).
Reported-by: Maciej S. Szmigiero <maciej.szmigiero@oracle.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Maciej S. Szmigiero <maciej.szmigiero@oracle.com>
Message-Id: <65cb88deab40bc1649d509194864312a89bbe02e.1651440202.git.maciej.szmigiero@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2022-05-02 00:07:29 +02:00
|
|
|
unsigned long soft_int_csbase;
|
|
|
|
|
unsigned long soft_int_old_rip;
|
|
|
|
|
unsigned long soft_int_next_rip;
|
|
|
|
|
bool soft_int_injected;
|
2020-03-24 10:41:52 +01:00
|
|
|
|
|
|
|
|
u32 ldr_reg;
|
|
|
|
|
u32 dfr_reg;
|
|
|
|
|
|
KVM: SVM: Add enable_ipiv param, never set IsRunning if disabled
Let userspace "disable" IPI virtualization for AVIC via the enable_ipiv
module param, by never setting IsRunning. SVM doesn't provide a way to
disable IPI virtualization in hardware, but by ensuring CPUs never see
IsRunning=1, every IPI in the guest (except for self-IPIs) will generate a
VM-Exit.
To avoid setting the real IsRunning bit, while still allowing KVM to use
each vCPU's entry to update GA log entries, simply maintain a shadow of
the entry, without propagating IsRunning updates to the real table when
IPI virtualization is disabled.
Providing a way to effectively disable IPI virtualization will allow KVM
to safely enable AVIC on hardware that is susceptible to erratum #1235,
which causes hardware to sometimes fail to detect that the IsRunning bit
has been cleared by software.
Note, the table _must_ be fully populated, as broadcast IPIs skip invalid
entries, i.e. won't generate VM-Exit if every entry is invalid, and so
simply pointing the VMCB at a common dummy table won't work.
Alternatively, KVM could allocate a shadow of the entire table, but that'd
be a waste of 4KiB since the per-vCPU entry doesn't actually consume an
additional 8 bytes of memory (vCPU structures are large enough that they
are backed by order-N pages).
Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
[sean: keep "entry" variables, reuse enable_ipiv, split from erratum]
Link: https://lore.kernel.org/r/20250611224604.313496-19-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
2025-06-11 15:45:20 -07:00
|
|
|
/* This is essentially a shadow of the vCPU's actual entry in the
|
|
|
|
|
* Physical ID table that is programmed into the VMCB, i.e. that is
|
|
|
|
|
* seen by the CPU. If IPI virtualization is disabled, IsRunning is
|
|
|
|
|
* only ever set in the shadow, i.e. is never propagated to the "real"
|
|
|
|
|
* table, so that hardware never sees IsRunning=1.
|
|
|
|
|
*/
|
|
|
|
|
u64 avic_physical_id_entry;
|
|
|
|
|
|
2020-03-24 10:41:52 +01:00
|
|
|
/*
|
2025-06-11 15:45:07 -07:00
|
|
|
* Per-vCPU list of irqfds that are eligible to post IRQs directly to
|
|
|
|
|
* the vCPU (a.k.a. device posted IRQs, a.k.a. IRQ bypass). The list
|
|
|
|
|
* is used to reconfigure IRTEs when the vCPU is loaded/put (to set the
|
|
|
|
|
* target pCPU), when AVIC is toggled on/off (to (de)activate bypass),
|
|
|
|
|
* and if the irqfd becomes ineligible for posting (to put the IRTE
|
|
|
|
|
* back into remapped mode).
|
2020-03-24 10:41:52 +01:00
|
|
|
*/
|
|
|
|
|
struct list_head ir_list;
|
|
|
|
|
spinlock_t ir_list_lock;
|
2020-09-25 16:34:19 +02:00
|
|
|
|
2021-10-21 10:42:59 -07:00
|
|
|
struct vcpu_sev_es_state sev_es;
|
2021-02-02 13:01:26 -06:00
|
|
|
|
|
|
|
|
bool guest_state_loaded;
|
2022-05-19 05:27:09 -05:00
|
|
|
|
|
|
|
|
bool x2avic_msrs_intercepted;
|
2023-01-30 16:32:53 -08:00
|
|
|
|
|
|
|
|
/* Guest GIF value, used when vGIF is not enabled */
|
|
|
|
|
bool guest_gif;
|
2020-03-24 10:41:52 +01:00
|
|
|
};
|
|
|
|
|
|
2020-03-24 10:41:54 +01:00
|
|
|
struct svm_cpu_data {
|
|
|
|
|
u64 asid_generation;
|
|
|
|
|
u32 max_asid;
|
|
|
|
|
u32 next_asid;
|
|
|
|
|
u32 min_asid;
|
|
|
|
|
|
2025-05-05 11:03:00 -07:00
|
|
|
bool bp_spec_reduce_set;
|
|
|
|
|
|
2024-08-02 13:45:11 -07:00
|
|
|
struct vmcb *save_area;
|
2022-11-07 03:49:59 -05:00
|
|
|
unsigned long save_area_pa;
|
|
|
|
|
|
2020-03-24 10:41:54 +01:00
|
|
|
/* index = sev_asid, value = vmcb pointer */
|
|
|
|
|
struct vmcb **sev_vmcbs;
|
|
|
|
|
};
|
|
|
|
|
|
2022-11-09 09:07:55 -05:00
|
|
|
DECLARE_PER_CPU(struct svm_cpu_data, svm_data);
|
2020-03-24 10:41:54 +01:00
|
|
|
|
2020-03-24 10:41:52 +01:00
|
|
|
void recalc_intercepts(struct vcpu_svm *svm);
|
|
|
|
|
|
2021-06-24 11:41:03 +02:00
|
|
|
static __always_inline struct kvm_svm *to_kvm_svm(struct kvm *kvm)
|
2020-03-31 12:17:38 -04:00
|
|
|
{
|
|
|
|
|
return container_of(kvm, struct kvm_svm, kvm);
|
|
|
|
|
}
|
|
|
|
|
|
2024-04-04 08:13:19 -04:00
|
|
|
static __always_inline struct kvm_sev_info *to_kvm_sev_info(struct kvm *kvm)
|
|
|
|
|
{
|
|
|
|
|
return &to_kvm_svm(kvm)->sev_info;
|
|
|
|
|
}
|
|
|
|
|
|
2024-11-27 15:46:59 -08:00
|
|
|
#ifdef CONFIG_KVM_AMD_SEV
|
2021-06-24 11:41:03 +02:00
|
|
|
static __always_inline bool sev_guest(struct kvm *kvm)
|
2020-12-10 11:09:38 -06:00
|
|
|
{
|
2025-01-23 11:21:40 +05:30
|
|
|
return to_kvm_sev_info(kvm)->active;
|
2020-12-10 11:09:38 -06:00
|
|
|
}
|
2021-06-24 11:41:03 +02:00
|
|
|
static __always_inline bool sev_es_guest(struct kvm *kvm)
|
2020-12-10 11:09:38 -06:00
|
|
|
{
|
2025-01-23 11:21:40 +05:30
|
|
|
struct kvm_sev_info *sev = to_kvm_sev_info(kvm);
|
2020-12-10 11:09:38 -06:00
|
|
|
|
2021-11-09 21:50:59 +00:00
|
|
|
return sev->es_active && !WARN_ON_ONCE(!sev->active);
|
2020-12-10 11:09:38 -06:00
|
|
|
}
|
|
|
|
|
|
2024-05-01 03:51:54 -05:00
|
|
|
static __always_inline bool sev_snp_guest(struct kvm *kvm)
|
|
|
|
|
{
|
2025-01-23 11:21:40 +05:30
|
|
|
struct kvm_sev_info *sev = to_kvm_sev_info(kvm);
|
2024-05-01 03:51:54 -05:00
|
|
|
|
|
|
|
|
return (sev->vmsa_features & SVM_SEV_FEAT_SNP_ACTIVE) &&
|
|
|
|
|
!WARN_ON_ONCE(!sev_es_guest(kvm));
|
2024-11-27 15:46:59 -08:00
|
|
|
}
|
2024-05-01 03:51:54 -05:00
|
|
|
#else
|
2024-11-27 15:46:59 -08:00
|
|
|
#define sev_guest(kvm) false
|
|
|
|
|
#define sev_es_guest(kvm) false
|
|
|
|
|
#define sev_snp_guest(kvm) false
|
2024-05-01 03:51:54 -05:00
|
|
|
#endif
|
|
|
|
|
|
2024-05-01 03:51:58 -05:00
|
|
|
static inline bool ghcb_gpa_is_registered(struct vcpu_svm *svm, u64 val)
|
|
|
|
|
{
|
|
|
|
|
return svm->sev_es.ghcb_registered_gpa == val;
|
|
|
|
|
}
|
|
|
|
|
|
2020-06-25 10:03:23 +02:00
|
|
|
static inline void vmcb_mark_all_dirty(struct vmcb *vmcb)
|
2020-03-24 10:41:52 +01:00
|
|
|
{
|
|
|
|
|
vmcb->control.clean = 0;
|
|
|
|
|
}
|
|
|
|
|
|
2020-06-25 10:03:23 +02:00
|
|
|
static inline void vmcb_mark_all_clean(struct vmcb *vmcb)
|
2020-03-24 10:41:52 +01:00
|
|
|
{
|
2021-06-03 15:14:37 +00:00
|
|
|
vmcb->control.clean = VMCB_ALL_CLEAN_MASK
|
2020-03-24 10:41:52 +01:00
|
|
|
& ~VMCB_ALWAYS_DIRTY_MASK;
|
|
|
|
|
}
|
|
|
|
|
|
2020-06-25 10:03:23 +02:00
|
|
|
static inline void vmcb_mark_dirty(struct vmcb *vmcb, int bit)
|
2020-03-24 10:41:52 +01:00
|
|
|
{
|
|
|
|
|
vmcb->control.clean &= ~(1 << bit);
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-01 15:08:44 -05:00
|
|
|
static inline bool vmcb_is_dirty(struct vmcb *vmcb, int bit)
|
|
|
|
|
{
|
|
|
|
|
return !test_bit(bit, (unsigned long *)&vmcb->control.clean);
|
|
|
|
|
}
|
|
|
|
|
|
2021-06-24 11:41:06 +02:00
|
|
|
static __always_inline struct vcpu_svm *to_svm(struct kvm_vcpu *vcpu)
|
2020-03-24 10:41:52 +01:00
|
|
|
{
|
|
|
|
|
return container_of(vcpu, struct vcpu_svm, vcpu);
|
|
|
|
|
}
|
|
|
|
|
|
2021-11-26 07:00:15 -05:00
|
|
|
/*
|
|
|
|
|
* Only the PDPTRs are loaded on demand into the shadow MMU. All other
|
2022-01-28 00:52:07 +00:00
|
|
|
* fields are synchronized on VM-Exit, because accessing the VMCB is cheap.
|
2021-11-26 07:00:15 -05:00
|
|
|
*
|
|
|
|
|
* CR3 might be out of date in the VMCB but it is not marked dirty; instead,
|
|
|
|
|
* KVM_REQ_LOAD_MMU_PGD is always requested when the cached vcpu->arch.cr3
|
|
|
|
|
* is changed. svm_load_mmu_pgd() then syncs the new CR3 value into the VMCB.
|
|
|
|
|
*/
|
|
|
|
|
#define SVM_REGS_LAZY_LOAD_SET (1 << VCPU_EXREG_PDPTR)
|
|
|
|
|
|
2020-09-11 14:27:58 -05:00
|
|
|
static inline void vmcb_set_intercept(struct vmcb_control_area *control, u32 bit)
|
|
|
|
|
{
|
|
|
|
|
WARN_ON_ONCE(bit >= 32 * MAX_INTERCEPT);
|
|
|
|
|
__set_bit(bit, (unsigned long *)&control->intercepts);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline void vmcb_clr_intercept(struct vmcb_control_area *control, u32 bit)
|
|
|
|
|
{
|
|
|
|
|
WARN_ON_ONCE(bit >= 32 * MAX_INTERCEPT);
|
|
|
|
|
__clear_bit(bit, (unsigned long *)&control->intercepts);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline bool vmcb_is_intercept(struct vmcb_control_area *control, u32 bit)
|
|
|
|
|
{
|
|
|
|
|
WARN_ON_ONCE(bit >= 32 * MAX_INTERCEPT);
|
|
|
|
|
return test_bit(bit, (unsigned long *)&control->intercepts);
|
|
|
|
|
}
|
|
|
|
|
|
2021-11-03 10:05:26 -04:00
|
|
|
static inline bool vmcb12_is_intercept(struct vmcb_ctrl_area_cached *control, u32 bit)
|
|
|
|
|
{
|
|
|
|
|
WARN_ON_ONCE(bit >= 32 * MAX_INTERCEPT);
|
|
|
|
|
return test_bit(bit, (unsigned long *)&control->intercepts);
|
|
|
|
|
}
|
|
|
|
|
|
2020-09-11 14:28:20 -05:00
|
|
|
static inline void set_exception_intercept(struct vcpu_svm *svm, u32 bit)
|
2020-03-24 10:41:52 +01:00
|
|
|
{
|
2021-01-13 07:07:52 -05:00
|
|
|
struct vmcb *vmcb = svm->vmcb01.ptr;
|
2020-03-24 10:41:52 +01:00
|
|
|
|
2020-09-11 14:28:20 -05:00
|
|
|
WARN_ON_ONCE(bit >= 32);
|
|
|
|
|
vmcb_set_intercept(&vmcb->control, INTERCEPT_EXCEPTION_OFFSET + bit);
|
2020-03-24 10:41:52 +01:00
|
|
|
|
|
|
|
|
recalc_intercepts(svm);
|
|
|
|
|
}
|
|
|
|
|
|
2020-09-11 14:28:20 -05:00
|
|
|
static inline void clr_exception_intercept(struct vcpu_svm *svm, u32 bit)
|
2020-03-24 10:41:52 +01:00
|
|
|
{
|
2021-01-13 07:07:52 -05:00
|
|
|
struct vmcb *vmcb = svm->vmcb01.ptr;
|
2020-03-24 10:41:52 +01:00
|
|
|
|
2020-09-11 14:28:20 -05:00
|
|
|
WARN_ON_ONCE(bit >= 32);
|
|
|
|
|
vmcb_clr_intercept(&vmcb->control, INTERCEPT_EXCEPTION_OFFSET + bit);
|
2020-03-24 10:41:52 +01:00
|
|
|
|
|
|
|
|
recalc_intercepts(svm);
|
|
|
|
|
}
|
|
|
|
|
|
2020-06-25 10:03:24 +02:00
|
|
|
static inline void svm_set_intercept(struct vcpu_svm *svm, int bit)
|
2020-03-24 10:41:52 +01:00
|
|
|
{
|
2021-01-13 07:07:52 -05:00
|
|
|
struct vmcb *vmcb = svm->vmcb01.ptr;
|
2020-03-24 10:41:52 +01:00
|
|
|
|
2020-09-11 14:28:28 -05:00
|
|
|
vmcb_set_intercept(&vmcb->control, bit);
|
2020-03-24 10:41:52 +01:00
|
|
|
|
|
|
|
|
recalc_intercepts(svm);
|
|
|
|
|
}
|
|
|
|
|
|
2020-06-25 10:03:24 +02:00
|
|
|
static inline void svm_clr_intercept(struct vcpu_svm *svm, int bit)
|
2020-03-24 10:41:52 +01:00
|
|
|
{
|
2021-01-13 07:07:52 -05:00
|
|
|
struct vmcb *vmcb = svm->vmcb01.ptr;
|
2020-03-24 10:41:52 +01:00
|
|
|
|
2020-09-11 14:28:28 -05:00
|
|
|
vmcb_clr_intercept(&vmcb->control, bit);
|
2020-03-24 10:41:52 +01:00
|
|
|
|
|
|
|
|
recalc_intercepts(svm);
|
|
|
|
|
}
|
|
|
|
|
|
2020-06-25 10:03:24 +02:00
|
|
|
static inline bool svm_is_intercept(struct vcpu_svm *svm, int bit)
|
2020-03-24 10:41:52 +01:00
|
|
|
{
|
2020-09-11 14:28:28 -05:00
|
|
|
return vmcb_is_intercept(&svm->vmcb->control, bit);
|
2020-03-24 10:41:52 +01:00
|
|
|
}
|
|
|
|
|
|
2022-03-22 19:40:48 +02:00
|
|
|
static inline bool nested_vgif_enabled(struct vcpu_svm *svm)
|
|
|
|
|
{
|
2024-11-27 17:34:06 -08:00
|
|
|
return guest_cpu_cap_has(&svm->vcpu, X86_FEATURE_VGIF) &&
|
2023-08-15 13:36:51 -07:00
|
|
|
(svm->nested.ctl.int_ctl & V_GIF_ENABLE_MASK);
|
2022-03-22 19:40:48 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline struct vmcb *get_vgif_vmcb(struct vcpu_svm *svm)
|
|
|
|
|
{
|
|
|
|
|
if (!vgif)
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
if (is_guest_mode(&svm->vcpu) && !nested_vgif_enabled(svm))
|
|
|
|
|
return svm->nested.vmcb02.ptr;
|
|
|
|
|
else
|
|
|
|
|
return svm->vmcb01.ptr;
|
|
|
|
|
}
|
|
|
|
|
|
2020-03-24 10:41:52 +01:00
|
|
|
static inline void enable_gif(struct vcpu_svm *svm)
|
|
|
|
|
{
|
2022-03-22 19:40:48 +02:00
|
|
|
struct vmcb *vmcb = get_vgif_vmcb(svm);
|
|
|
|
|
|
|
|
|
|
if (vmcb)
|
|
|
|
|
vmcb->control.int_ctl |= V_GIF_MASK;
|
2020-03-24 10:41:52 +01:00
|
|
|
else
|
2023-01-30 16:32:53 -08:00
|
|
|
svm->guest_gif = true;
|
2020-03-24 10:41:52 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline void disable_gif(struct vcpu_svm *svm)
|
|
|
|
|
{
|
2022-03-22 19:40:48 +02:00
|
|
|
struct vmcb *vmcb = get_vgif_vmcb(svm);
|
|
|
|
|
|
|
|
|
|
if (vmcb)
|
|
|
|
|
vmcb->control.int_ctl &= ~V_GIF_MASK;
|
2020-03-24 10:41:52 +01:00
|
|
|
else
|
2023-01-30 16:32:53 -08:00
|
|
|
svm->guest_gif = false;
|
2020-03-24 10:41:52 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline bool gif_set(struct vcpu_svm *svm)
|
|
|
|
|
{
|
2022-03-22 19:40:48 +02:00
|
|
|
struct vmcb *vmcb = get_vgif_vmcb(svm);
|
|
|
|
|
|
|
|
|
|
if (vmcb)
|
|
|
|
|
return !!(vmcb->control.int_ctl & V_GIF_MASK);
|
2020-03-24 10:41:52 +01:00
|
|
|
else
|
2023-01-30 16:32:53 -08:00
|
|
|
return svm->guest_gif;
|
2020-03-24 10:41:52 +01:00
|
|
|
}
|
|
|
|
|
|
2022-03-01 16:36:46 +02:00
|
|
|
static inline bool nested_npt_enabled(struct vcpu_svm *svm)
|
|
|
|
|
{
|
|
|
|
|
return svm->nested.ctl.nested_ctl & SVM_NESTED_CTL_NP_ENABLE;
|
|
|
|
|
}
|
|
|
|
|
|
2023-02-27 14:10:16 +05:30
|
|
|
static inline bool nested_vnmi_enabled(struct vcpu_svm *svm)
|
|
|
|
|
{
|
2024-11-27 17:34:06 -08:00
|
|
|
return guest_cpu_cap_has(&svm->vcpu, X86_FEATURE_VNMI) &&
|
2023-02-27 14:10:16 +05:30
|
|
|
(svm->nested.ctl.int_ctl & V_NMI_ENABLE_MASK);
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-19 05:27:02 -05:00
|
|
|
static inline bool is_x2apic_msrpm_offset(u32 offset)
|
|
|
|
|
{
|
|
|
|
|
/* 4 msrs per u8, and 4 u8 in u32 */
|
|
|
|
|
u32 msr = offset * 16;
|
|
|
|
|
|
|
|
|
|
return (msr >= APIC_BASE_MSR) &&
|
|
|
|
|
(msr < (APIC_BASE_MSR + 0x100));
|
|
|
|
|
}
|
|
|
|
|
|
KVM: x86: Add support for SVM's Virtual NMI
Add support for SVM's Virtual NMIs implementation, which adds proper
tracking of virtual NMI blocking, and an intr_ctrl flag that software can
set to mark a virtual NMI as pending. Pending virtual NMIs are serviced
by hardware if/when virtual NMIs become unblocked, i.e. act more or less
like real NMIs.
Introduce two new kvm_x86_ops callbacks so to support SVM's vNMI, as KVM
needs to treat a pending vNMI as partially injected. Specifically, if
two NMIs (for L1) arrive concurrently in KVM's software model, KVM's ABI
is to inject one and pend the other. Without vNMI, KVM manually tracks
the pending NMI and uses NMI windows to detect when the NMI should be
injected.
With vNMI, the pending NMI is simply stuffed into the VMCB and handed
off to hardware. This means that KVM needs to be able to set a vNMI
pending on-demand, and also query if a vNMI is pending, e.g. to honor the
"at most one NMI pending" rule and to preserve all NMIs across save and
restore.
Warn if KVM attempts to open an NMI window when vNMI is fully enabled,
as the above logic should prevent KVM from ever getting to
kvm_check_and_inject_events() with two NMIs pending _in software_, and
the "at most one NMI pending" logic should prevent having an NMI pending
in hardware and an NMI pending in software if NMIs are also blocked, i.e.
if KVM can't immediately inject the second NMI.
Signed-off-by: Santosh Shukla <Santosh.Shukla@amd.com>
Co-developed-by: Maxim Levitsky <mlevitsk@redhat.com>
Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
Link: https://lore.kernel.org/r/20230227084016.3368-11-santosh.shukla@amd.com
[sean: rewrite shortlog and changelog, massage code comments]
Signed-off-by: Sean Christopherson <seanjc@google.com>
2023-02-27 14:10:15 +05:30
|
|
|
static inline struct vmcb *get_vnmi_vmcb_l1(struct vcpu_svm *svm)
|
|
|
|
|
{
|
|
|
|
|
if (!vnmi)
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
if (is_guest_mode(&svm->vcpu))
|
|
|
|
|
return NULL;
|
|
|
|
|
else
|
|
|
|
|
return svm->vmcb01.ptr;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline bool is_vnmi_enabled(struct vcpu_svm *svm)
|
|
|
|
|
{
|
|
|
|
|
struct vmcb *vmcb = get_vnmi_vmcb_l1(svm);
|
|
|
|
|
|
|
|
|
|
if (vmcb)
|
|
|
|
|
return !!(vmcb->control.int_ctl & V_NMI_ENABLE_MASK);
|
|
|
|
|
else
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2025-02-25 21:39:37 +00:00
|
|
|
static inline void svm_vmgexit_set_return_code(struct vcpu_svm *svm,
|
|
|
|
|
u64 response, u64 data)
|
|
|
|
|
{
|
|
|
|
|
ghcb_set_sw_exit_info_1(svm->sev_es.ghcb, response);
|
|
|
|
|
ghcb_set_sw_exit_info_2(svm->sev_es.ghcb, data);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline void svm_vmgexit_inject_exception(struct vcpu_svm *svm, u8 vector)
|
|
|
|
|
{
|
|
|
|
|
u64 data = SVM_EVTINJ_VALID | SVM_EVTINJ_TYPE_EXEPT | vector;
|
|
|
|
|
|
|
|
|
|
svm_vmgexit_set_return_code(svm, GHCB_HV_RESP_ISSUE_EXCEPTION, data);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline void svm_vmgexit_bad_input(struct vcpu_svm *svm, u64 suberror)
|
|
|
|
|
{
|
|
|
|
|
svm_vmgexit_set_return_code(svm, GHCB_HV_RESP_MALFORMED_INPUT, suberror);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline void svm_vmgexit_success(struct vcpu_svm *svm, u64 data)
|
|
|
|
|
{
|
|
|
|
|
svm_vmgexit_set_return_code(svm, GHCB_HV_RESP_NO_ACTION, data);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline void svm_vmgexit_no_action(struct vcpu_svm *svm, u64 data)
|
|
|
|
|
{
|
|
|
|
|
svm_vmgexit_set_return_code(svm, GHCB_HV_RESP_NO_ACTION, data);
|
|
|
|
|
}
|
|
|
|
|
|
2025-06-10 15:57:14 -07:00
|
|
|
/*
|
|
|
|
|
* The MSRPM is 8KiB in size, divided into four 2KiB ranges (the fourth range
|
|
|
|
|
* is reserved). Each MSR within a range is covered by two bits, one each for
|
|
|
|
|
* read (bit 0) and write (bit 1), where a bit value of '1' means intercepted.
|
|
|
|
|
*/
|
|
|
|
|
#define SVM_MSRPM_BYTES_PER_RANGE 2048
|
|
|
|
|
#define SVM_BITS_PER_MSR 2
|
|
|
|
|
#define SVM_MSRS_PER_BYTE (BITS_PER_BYTE / SVM_BITS_PER_MSR)
|
|
|
|
|
#define SVM_MSRS_PER_RANGE (SVM_MSRPM_BYTES_PER_RANGE * SVM_MSRS_PER_BYTE)
|
|
|
|
|
static_assert(SVM_MSRS_PER_RANGE == 8192);
|
2025-06-10 15:57:18 -07:00
|
|
|
#define SVM_MSRPM_OFFSET_MASK (SVM_MSRS_PER_RANGE - 1)
|
2025-06-10 15:57:14 -07:00
|
|
|
|
2025-06-10 15:57:33 -07:00
|
|
|
static __always_inline int svm_msrpm_bit_nr(u32 msr)
|
2025-06-10 15:57:18 -07:00
|
|
|
{
|
|
|
|
|
int range_nr;
|
|
|
|
|
|
|
|
|
|
switch (msr & ~SVM_MSRPM_OFFSET_MASK) {
|
|
|
|
|
case 0:
|
|
|
|
|
range_nr = 0;
|
|
|
|
|
break;
|
|
|
|
|
case 0xc0000000:
|
|
|
|
|
range_nr = 1;
|
|
|
|
|
break;
|
|
|
|
|
case 0xc0010000:
|
|
|
|
|
range_nr = 2;
|
|
|
|
|
break;
|
|
|
|
|
default:
|
2025-06-10 15:57:33 -07:00
|
|
|
return -EINVAL;
|
2025-06-10 15:57:18 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return range_nr * SVM_MSRPM_BYTES_PER_RANGE * BITS_PER_BYTE +
|
|
|
|
|
(msr & SVM_MSRPM_OFFSET_MASK) * SVM_BITS_PER_MSR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#define __BUILD_SVM_MSR_BITMAP_HELPER(rtype, action, bitop, access, bit_rw) \
|
|
|
|
|
static inline rtype svm_##action##_msr_bitmap_##access(unsigned long *bitmap, \
|
|
|
|
|
u32 msr) \
|
|
|
|
|
{ \
|
2025-06-10 15:57:33 -07:00
|
|
|
int bit_nr; \
|
2025-06-10 15:57:18 -07:00
|
|
|
\
|
|
|
|
|
bit_nr = svm_msrpm_bit_nr(msr); \
|
2025-06-10 15:57:33 -07:00
|
|
|
if (bit_nr < 0) \
|
2025-06-10 15:57:18 -07:00
|
|
|
return (rtype)true; \
|
|
|
|
|
\
|
|
|
|
|
return bitop##_bit(bit_nr + bit_rw, bitmap); \
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#define BUILD_SVM_MSR_BITMAP_HELPERS(ret_type, action, bitop) \
|
|
|
|
|
__BUILD_SVM_MSR_BITMAP_HELPER(ret_type, action, bitop, read, 0) \
|
|
|
|
|
__BUILD_SVM_MSR_BITMAP_HELPER(ret_type, action, bitop, write, 1)
|
|
|
|
|
|
|
|
|
|
BUILD_SVM_MSR_BITMAP_HELPERS(bool, test, test)
|
|
|
|
|
BUILD_SVM_MSR_BITMAP_HELPERS(void, clear, __clear)
|
|
|
|
|
BUILD_SVM_MSR_BITMAP_HELPERS(void, set, __set)
|
2020-03-24 10:41:52 +01:00
|
|
|
|
KVM: SVM: Suppress DEBUGCTL.BTF on AMD
Mark BTF as reserved in DEBUGCTL on AMD, as KVM doesn't actually support
BTF, and fully enabling BTF virtualization is non-trivial due to
interactions with the emulator, guest_debug, #DB interception, nested SVM,
etc.
Don't inject #GP if the guest attempts to set BTF, as there's no way to
communicate lack of support to the guest, and instead suppress the flag
and treat the WRMSR as (partially) unsupported.
In short, make KVM behave the same on AMD and Intel (VMX already squashes
BTF).
Note, due to other bugs in KVM's handling of DEBUGCTL, the only way BTF
has "worked" in any capacity is if the guest simultaneously enables LBRs.
Reported-by: Ravi Bangoria <ravi.bangoria@amd.com>
Cc: stable@vger.kernel.org
Reviewed-and-tested-by: Ravi Bangoria <ravi.bangoria@amd.com>
Link: https://lore.kernel.org/r/20250227222411.3490595-3-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
2025-02-27 14:24:07 -08:00
|
|
|
#define DEBUGCTL_RESERVED_BITS (~DEBUGCTLMSR_LBR)
|
2022-03-22 19:40:46 +02:00
|
|
|
|
2025-06-10 15:57:14 -07:00
|
|
|
/* svm.c */
|
2020-12-10 11:09:47 -06:00
|
|
|
extern bool dump_invalid_vmcb;
|
2020-12-10 11:09:38 -06:00
|
|
|
|
2025-06-10 15:57:35 -07:00
|
|
|
void *svm_alloc_permissions_map(unsigned long size, gfp_t gfp_mask);
|
|
|
|
|
|
|
|
|
|
static inline void *svm_vcpu_alloc_msrpm(void)
|
|
|
|
|
{
|
|
|
|
|
return svm_alloc_permissions_map(MSRPM_SIZE, GFP_KERNEL_ACCOUNT);
|
|
|
|
|
}
|
|
|
|
|
|
2025-06-10 15:57:31 -07:00
|
|
|
void svm_vcpu_free_msrpm(void *msrpm);
|
2022-03-22 19:40:45 +02:00
|
|
|
void svm_copy_lbrs(struct vmcb *to_vmcb, struct vmcb *from_vmcb);
|
2024-05-31 04:46:44 +00:00
|
|
|
void svm_enable_lbrv(struct kvm_vcpu *vcpu);
|
2022-03-22 19:40:45 +02:00
|
|
|
void svm_update_lbrv(struct kvm_vcpu *vcpu);
|
2020-10-01 14:29:54 +03:00
|
|
|
|
2020-10-01 14:29:53 +03:00
|
|
|
int svm_set_efer(struct kvm_vcpu *vcpu, u64 efer);
|
2020-03-24 10:41:52 +01:00
|
|
|
void svm_set_cr0(struct kvm_vcpu *vcpu, unsigned long cr0);
|
2020-10-06 18:44:15 -07:00
|
|
|
void svm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4);
|
2020-03-24 10:41:52 +01:00
|
|
|
void disable_nmi_singlestep(struct vcpu_svm *svm);
|
2020-04-23 14:19:26 -04:00
|
|
|
bool svm_smi_blocked(struct kvm_vcpu *vcpu);
|
|
|
|
|
bool svm_nmi_blocked(struct kvm_vcpu *vcpu);
|
|
|
|
|
bool svm_interrupt_blocked(struct kvm_vcpu *vcpu);
|
2020-05-22 12:18:27 -04:00
|
|
|
void svm_set_gif(struct vcpu_svm *svm, bool value);
|
2021-03-02 14:40:39 -05:00
|
|
|
int svm_invoke_exit_handler(struct kvm_vcpu *vcpu, u64 exit_code);
|
2020-12-10 11:10:06 -06:00
|
|
|
void set_msr_interception(struct kvm_vcpu *vcpu, u32 *msrpm, u32 msr,
|
|
|
|
|
int read, int write);
|
2022-05-19 05:27:03 -05:00
|
|
|
void svm_set_x2apic_msr_interception(struct vcpu_svm *svm, bool disable);
|
2022-02-08 06:48:42 -05:00
|
|
|
void svm_complete_interrupt_delivery(struct kvm_vcpu *vcpu, int delivery_mode,
|
|
|
|
|
int trig_mode, int vec);
|
2020-03-24 10:41:52 +01:00
|
|
|
|
2025-06-12 01:19:46 -07:00
|
|
|
void svm_set_intercept_for_msr(struct kvm_vcpu *vcpu, u32 msr, int type, bool set);
|
KVM: SVM: Implement and adopt VMX style MSR intercepts APIs
Add and use SVM MSR interception APIs (in most paths) to match VMX's
APIs and nomenclature. Specifically, add SVM variants of:
vmx_disable_intercept_for_msr(vcpu, msr, type)
vmx_enable_intercept_for_msr(vcpu, msr, type)
vmx_set_intercept_for_msr(vcpu, msr, type, intercept)
to eventually replace SVM's single helper:
set_msr_interception(vcpu, msrpm, msr, allow_read, allow_write)
which is awkward to use (in all cases, KVM either applies the same logic
for both reads and writes, or intercepts one of read or write), and is
unintuitive due to using '0' to indicate interception should be *set*.
Keep the guts of the old API for the moment to avoid churning the MSR
filter code, as that mess will be overhauled in the near future. Leave
behind a temporary comment to call out that the shadow bitmaps have
inverted polarity relative to the bitmaps consumed by hardware.
No functional change intended.
Reviewed-by: Chao Gao <chao.gao@intel.com>
Reviewed-by: Binbin Wu <binbin.wu@linux.intel.com>
Link: https://lore.kernel.org/r/20250610225737.156318-15-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
2025-06-10 15:57:19 -07:00
|
|
|
|
2025-06-12 01:19:46 -07:00
|
|
|
static inline void svm_disable_intercept_for_msr(struct kvm_vcpu *vcpu,
|
|
|
|
|
u32 msr, int type)
|
KVM: SVM: Implement and adopt VMX style MSR intercepts APIs
Add and use SVM MSR interception APIs (in most paths) to match VMX's
APIs and nomenclature. Specifically, add SVM variants of:
vmx_disable_intercept_for_msr(vcpu, msr, type)
vmx_enable_intercept_for_msr(vcpu, msr, type)
vmx_set_intercept_for_msr(vcpu, msr, type, intercept)
to eventually replace SVM's single helper:
set_msr_interception(vcpu, msrpm, msr, allow_read, allow_write)
which is awkward to use (in all cases, KVM either applies the same logic
for both reads and writes, or intercepts one of read or write), and is
unintuitive due to using '0' to indicate interception should be *set*.
Keep the guts of the old API for the moment to avoid churning the MSR
filter code, as that mess will be overhauled in the near future. Leave
behind a temporary comment to call out that the shadow bitmaps have
inverted polarity relative to the bitmaps consumed by hardware.
No functional change intended.
Reviewed-by: Chao Gao <chao.gao@intel.com>
Reviewed-by: Binbin Wu <binbin.wu@linux.intel.com>
Link: https://lore.kernel.org/r/20250610225737.156318-15-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
2025-06-10 15:57:19 -07:00
|
|
|
{
|
2025-06-12 01:19:46 -07:00
|
|
|
svm_set_intercept_for_msr(vcpu, msr, type, false);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline void svm_enable_intercept_for_msr(struct kvm_vcpu *vcpu,
|
|
|
|
|
u32 msr, int type)
|
|
|
|
|
{
|
|
|
|
|
svm_set_intercept_for_msr(vcpu, msr, type, true);
|
KVM: SVM: Implement and adopt VMX style MSR intercepts APIs
Add and use SVM MSR interception APIs (in most paths) to match VMX's
APIs and nomenclature. Specifically, add SVM variants of:
vmx_disable_intercept_for_msr(vcpu, msr, type)
vmx_enable_intercept_for_msr(vcpu, msr, type)
vmx_set_intercept_for_msr(vcpu, msr, type, intercept)
to eventually replace SVM's single helper:
set_msr_interception(vcpu, msrpm, msr, allow_read, allow_write)
which is awkward to use (in all cases, KVM either applies the same logic
for both reads and writes, or intercepts one of read or write), and is
unintuitive due to using '0' to indicate interception should be *set*.
Keep the guts of the old API for the moment to avoid churning the MSR
filter code, as that mess will be overhauled in the near future. Leave
behind a temporary comment to call out that the shadow bitmaps have
inverted polarity relative to the bitmaps consumed by hardware.
No functional change intended.
Reviewed-by: Chao Gao <chao.gao@intel.com>
Reviewed-by: Binbin Wu <binbin.wu@linux.intel.com>
Link: https://lore.kernel.org/r/20250610225737.156318-15-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
2025-06-10 15:57:19 -07:00
|
|
|
}
|
|
|
|
|
|
2020-03-24 10:41:52 +01:00
|
|
|
/* nested.c */
|
|
|
|
|
|
|
|
|
|
#define NESTED_EXIT_HOST 0 /* Exit handled on host level */
|
|
|
|
|
#define NESTED_EXIT_DONE 1 /* Exit caused nested vmexit */
|
|
|
|
|
#define NESTED_EXIT_CONTINUE 2 /* Further checks needed */
|
|
|
|
|
|
2020-06-25 10:03:25 +02:00
|
|
|
static inline bool nested_svm_virtualize_tpr(struct kvm_vcpu *vcpu)
|
2020-03-24 10:41:52 +01:00
|
|
|
{
|
2020-05-13 13:28:23 -04:00
|
|
|
struct vcpu_svm *svm = to_svm(vcpu);
|
|
|
|
|
|
|
|
|
|
return is_guest_mode(vcpu) && (svm->nested.ctl.int_ctl & V_INTR_MASKING_MASK);
|
2020-03-24 10:41:52 +01:00
|
|
|
}
|
|
|
|
|
|
2020-04-23 08:17:28 -04:00
|
|
|
static inline bool nested_exit_on_smi(struct vcpu_svm *svm)
|
|
|
|
|
{
|
2021-11-03 10:05:26 -04:00
|
|
|
return vmcb12_is_intercept(&svm->nested.ctl, INTERCEPT_SMI);
|
2020-04-23 08:17:28 -04:00
|
|
|
}
|
|
|
|
|
|
2020-04-23 18:02:45 -04:00
|
|
|
static inline bool nested_exit_on_intr(struct vcpu_svm *svm)
|
|
|
|
|
{
|
2021-11-03 10:05:26 -04:00
|
|
|
return vmcb12_is_intercept(&svm->nested.ctl, INTERCEPT_INTR);
|
2020-04-23 18:02:45 -04:00
|
|
|
}
|
|
|
|
|
|
2020-04-23 08:06:43 -04:00
|
|
|
static inline bool nested_exit_on_nmi(struct vcpu_svm *svm)
|
|
|
|
|
{
|
2021-11-03 10:05:26 -04:00
|
|
|
return vmcb12_is_intercept(&svm->nested.ctl, INTERCEPT_NMI);
|
2020-04-23 08:06:43 -04:00
|
|
|
}
|
|
|
|
|
|
KVM: nSVM: Use dedicated array of MSRPM offsets to merge L0 and L1 bitmaps
Use a dedicated array of MSRPM offsets to merge L0 and L1 bitmaps, i.e. to
merge KVM's vmcb01 bitmap with L1's vmcb12 bitmap. This will eventually
allow for the removal of direct_access_msrs, as the only path where
tracking the offsets is truly justified is the merge for nested SVM, where
merging in chunks is an easy way to batch uaccess reads/writes.
Opportunistically omit the x2APIC MSRs from the merge-specific array
instead of filtering them out at runtime.
Note, disabling interception of DEBUGCTL, XSS, EFER, PAT, GHCB, and
TSC_AUX is mutually exclusive with nested virtualization, as KVM passes
through those MSRs only for SEV-ES guests, and KVM doesn't support nested
virtualization for SEV+ guests. Defer removing those MSRs to a future
cleanup in order to make this refactoring as benign as possible.
Link: https://lore.kernel.org/r/20250610225737.156318-11-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
2025-06-10 15:57:15 -07:00
|
|
|
int __init nested_svm_init_msrpm_merge_offsets(void);
|
|
|
|
|
|
2021-09-13 17:09:51 +03:00
|
|
|
int enter_svm_guest_mode(struct kvm_vcpu *vcpu,
|
|
|
|
|
u64 vmcb_gpa, struct vmcb *vmcb12, bool from_vmrun);
|
KVM: x86: Forcibly leave nested virt when SMM state is toggled
Forcibly leave nested virtualization operation if userspace toggles SMM
state via KVM_SET_VCPU_EVENTS or KVM_SYNC_X86_EVENTS. If userspace
forces the vCPU out of SMM while it's post-VMXON and then injects an SMI,
vmx_enter_smm() will overwrite vmx->nested.smm.vmxon and end up with both
vmxon=false and smm.vmxon=false, but all other nVMX state allocated.
Don't attempt to gracefully handle the transition as (a) most transitions
are nonsencial, e.g. forcing SMM while L2 is running, (b) there isn't
sufficient information to handle all transitions, e.g. SVM wants access
to the SMRAM save state, and (c) KVM_SET_VCPU_EVENTS must precede
KVM_SET_NESTED_STATE during state restore as the latter disallows putting
the vCPU into L2 if SMM is active, and disallows tagging the vCPU as
being post-VMXON in SMM if SMM is not active.
Abuse of KVM_SET_VCPU_EVENTS manifests as a WARN and memory leak in nVMX
due to failure to free vmcs01's shadow VMCS, but the bug goes far beyond
just a memory leak, e.g. toggling SMM on while L2 is active puts the vCPU
in an architecturally impossible state.
WARNING: CPU: 0 PID: 3606 at free_loaded_vmcs arch/x86/kvm/vmx/vmx.c:2665 [inline]
WARNING: CPU: 0 PID: 3606 at free_loaded_vmcs+0x158/0x1a0 arch/x86/kvm/vmx/vmx.c:2656
Modules linked in:
CPU: 1 PID: 3606 Comm: syz-executor725 Not tainted 5.17.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:free_loaded_vmcs arch/x86/kvm/vmx/vmx.c:2665 [inline]
RIP: 0010:free_loaded_vmcs+0x158/0x1a0 arch/x86/kvm/vmx/vmx.c:2656
Code: <0f> 0b eb b3 e8 8f 4d 9f 00 e9 f7 fe ff ff 48 89 df e8 92 4d 9f 00
Call Trace:
<TASK>
kvm_arch_vcpu_destroy+0x72/0x2f0 arch/x86/kvm/x86.c:11123
kvm_vcpu_destroy arch/x86/kvm/../../../virt/kvm/kvm_main.c:441 [inline]
kvm_destroy_vcpus+0x11f/0x290 arch/x86/kvm/../../../virt/kvm/kvm_main.c:460
kvm_free_vcpus arch/x86/kvm/x86.c:11564 [inline]
kvm_arch_destroy_vm+0x2e8/0x470 arch/x86/kvm/x86.c:11676
kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1217 [inline]
kvm_put_kvm+0x4fa/0xb00 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1250
kvm_vm_release+0x3f/0x50 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1273
__fput+0x286/0x9f0 fs/file_table.c:311
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
exit_task_work include/linux/task_work.h:32 [inline]
do_exit+0xb29/0x2a30 kernel/exit.c:806
do_group_exit+0xd2/0x2f0 kernel/exit.c:935
get_signal+0x4b0/0x28c0 kernel/signal.c:2862
arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:868
handle_signal_work kernel/entry/common.c:148 [inline]
exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:207
__syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
</TASK>
Cc: stable@vger.kernel.org
Reported-by: syzbot+8112db3ab20e70d50c31@syzkaller.appspotmail.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20220125220358.2091737-1-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2022-01-25 22:03:58 +00:00
|
|
|
void svm_leave_nested(struct kvm_vcpu *vcpu);
|
2020-10-01 14:29:54 +03:00
|
|
|
void svm_free_nested(struct vcpu_svm *svm);
|
|
|
|
|
int svm_allocate_nested(struct vcpu_svm *svm);
|
2021-03-02 14:40:39 -05:00
|
|
|
int nested_svm_vmrun(struct kvm_vcpu *vcpu);
|
2021-07-19 11:03:22 +02:00
|
|
|
void svm_copy_vmrun_state(struct vmcb_save_area *to_save,
|
|
|
|
|
struct vmcb_save_area *from_save);
|
|
|
|
|
void svm_copy_vmloadsave_state(struct vmcb *to_vmcb, struct vmcb *from_vmcb);
|
2020-03-24 10:41:52 +01:00
|
|
|
int nested_svm_vmexit(struct vcpu_svm *svm);
|
2021-03-02 09:45:15 -08:00
|
|
|
|
|
|
|
|
static inline int nested_svm_simple_vmexit(struct vcpu_svm *svm, u32 exit_code)
|
|
|
|
|
{
|
|
|
|
|
svm->vmcb->control.exit_code = exit_code;
|
|
|
|
|
svm->vmcb->control.exit_info_1 = 0;
|
|
|
|
|
svm->vmcb->control.exit_info_2 = 0;
|
|
|
|
|
return nested_svm_vmexit(svm);
|
|
|
|
|
}
|
|
|
|
|
|
2020-03-24 10:41:52 +01:00
|
|
|
int nested_svm_exit_handled(struct vcpu_svm *svm);
|
2021-03-02 14:40:39 -05:00
|
|
|
int nested_svm_check_permissions(struct kvm_vcpu *vcpu);
|
2020-03-24 10:41:52 +01:00
|
|
|
int nested_svm_check_exception(struct vcpu_svm *svm, unsigned nr,
|
|
|
|
|
bool has_error_code, u32 error_code);
|
|
|
|
|
int nested_svm_exit_special(struct vcpu_svm *svm);
|
2021-09-14 18:48:24 +03:00
|
|
|
void nested_svm_update_tsc_ratio_msr(struct kvm_vcpu *vcpu);
|
2023-07-28 18:15:52 -07:00
|
|
|
void svm_write_tsc_multiplier(struct kvm_vcpu *vcpu);
|
2021-11-03 10:05:23 -04:00
|
|
|
void nested_copy_vmcb_control_to_cache(struct vcpu_svm *svm,
|
|
|
|
|
struct vmcb_control_area *control);
|
2021-11-03 10:05:22 -04:00
|
|
|
void nested_copy_vmcb_save_to_cache(struct vcpu_svm *svm,
|
|
|
|
|
struct vmcb_save_area *save);
|
2020-11-17 05:15:41 -05:00
|
|
|
void nested_sync_control_from_vmcb02(struct vcpu_svm *svm);
|
2021-01-13 07:07:52 -05:00
|
|
|
void nested_vmcb02_compute_g_pat(struct vcpu_svm *svm);
|
|
|
|
|
void svm_switch_vmcb(struct vcpu_svm *svm, struct kvm_vmcb_info *target_vmcb);
|
2020-03-24 10:41:52 +01:00
|
|
|
|
2020-04-17 10:24:18 -04:00
|
|
|
extern struct kvm_x86_nested_ops svm_nested_ops;
|
|
|
|
|
|
2020-03-31 12:17:38 -04:00
|
|
|
/* avic.c */
|
2023-01-06 01:13:04 +00:00
|
|
|
#define AVIC_REQUIRED_APICV_INHIBITS \
|
|
|
|
|
( \
|
2024-05-06 22:53:21 +00:00
|
|
|
BIT(APICV_INHIBIT_REASON_DISABLED) | \
|
2023-01-06 01:13:04 +00:00
|
|
|
BIT(APICV_INHIBIT_REASON_ABSENT) | \
|
|
|
|
|
BIT(APICV_INHIBIT_REASON_HYPERV) | \
|
|
|
|
|
BIT(APICV_INHIBIT_REASON_NESTED) | \
|
|
|
|
|
BIT(APICV_INHIBIT_REASON_IRQWIN) | \
|
|
|
|
|
BIT(APICV_INHIBIT_REASON_PIT_REINJ) | \
|
|
|
|
|
BIT(APICV_INHIBIT_REASON_BLOCKIRQ) | \
|
|
|
|
|
BIT(APICV_INHIBIT_REASON_SEV) | \
|
|
|
|
|
BIT(APICV_INHIBIT_REASON_PHYSICAL_ID_ALIASED) | \
|
|
|
|
|
BIT(APICV_INHIBIT_REASON_APIC_ID_MODIFIED) | \
|
|
|
|
|
BIT(APICV_INHIBIT_REASON_APIC_BASE_MODIFIED) | \
|
2025-06-11 15:45:15 -07:00
|
|
|
BIT(APICV_INHIBIT_REASON_LOGICAL_ID_ALIASED) | \
|
|
|
|
|
BIT(APICV_INHIBIT_REASON_PHYSICAL_ID_TOO_BIG) \
|
2023-01-06 01:13:04 +00:00
|
|
|
)
|
2020-03-31 12:17:38 -04:00
|
|
|
|
2022-11-09 19:59:52 +08:00
|
|
|
bool avic_hardware_setup(void);
|
2020-03-31 12:17:38 -04:00
|
|
|
int avic_ga_log_notifier(u32 ga_tag);
|
|
|
|
|
void avic_vm_destroy(struct kvm *kvm);
|
|
|
|
|
int avic_vm_init(struct kvm *kvm);
|
2022-03-22 18:24:43 +01:00
|
|
|
void avic_init_vmcb(struct vcpu_svm *svm, struct vmcb *vmcb);
|
2021-03-02 14:40:39 -05:00
|
|
|
int avic_incomplete_ipi_interception(struct kvm_vcpu *vcpu);
|
|
|
|
|
int avic_unaccelerated_access_interception(struct kvm_vcpu *vcpu);
|
2020-03-31 12:17:38 -04:00
|
|
|
int avic_init_vcpu(struct vcpu_svm *svm);
|
2022-06-06 21:08:29 +03:00
|
|
|
void avic_vcpu_load(struct kvm_vcpu *vcpu, int cpu);
|
|
|
|
|
void avic_vcpu_put(struct kvm_vcpu *vcpu);
|
2022-01-28 00:52:04 +00:00
|
|
|
void avic_apicv_post_state_restore(struct kvm_vcpu *vcpu);
|
|
|
|
|
void avic_refresh_apicv_exec_ctrl(struct kvm_vcpu *vcpu);
|
2025-06-11 15:45:06 -07:00
|
|
|
int avic_pi_update_irte(struct kvm_kernel_irqfd *irqfd, struct kvm *kvm,
|
|
|
|
|
unsigned int host_irq, uint32_t guest_irq,
|
2025-06-11 15:45:31 -07:00
|
|
|
struct kvm_vcpu *vcpu, u32 vector);
|
2021-12-08 01:52:33 +00:00
|
|
|
void avic_vcpu_blocking(struct kvm_vcpu *vcpu);
|
|
|
|
|
void avic_vcpu_unblocking(struct kvm_vcpu *vcpu);
|
2022-02-08 06:48:42 -05:00
|
|
|
void avic_ring_doorbell(struct kvm_vcpu *vcpu);
|
2022-03-22 19:40:50 +02:00
|
|
|
unsigned long avic_vcpu_get_apicv_inhibit_reasons(struct kvm_vcpu *vcpu);
|
2023-01-06 01:12:40 +00:00
|
|
|
void avic_refresh_virtual_apic_mode(struct kvm_vcpu *vcpu);
|
2022-05-19 05:27:01 -05:00
|
|
|
|
2020-03-31 12:17:38 -04:00
|
|
|
|
2020-03-24 10:41:54 +01:00
|
|
|
/* sev.c */
|
|
|
|
|
|
2025-02-26 17:25:34 -08:00
|
|
|
int pre_sev_run(struct vcpu_svm *svm, int cpu);
|
2024-04-04 08:13:12 -04:00
|
|
|
void sev_init_vmcb(struct vcpu_svm *svm);
|
|
|
|
|
void sev_vcpu_after_set_cpuid(struct vcpu_svm *svm);
|
|
|
|
|
int sev_es_string_io(struct vcpu_svm *svm, int size, unsigned int port, int in);
|
|
|
|
|
void sev_es_vcpu_reset(struct vcpu_svm *svm);
|
2025-06-10 15:57:24 -07:00
|
|
|
void sev_es_recalc_msr_intercepts(struct kvm_vcpu *vcpu);
|
2024-04-04 08:13:12 -04:00
|
|
|
void sev_vcpu_deliver_sipi_vector(struct kvm_vcpu *vcpu, u8 vector);
|
2024-04-04 08:13:16 -04:00
|
|
|
void sev_es_prepare_switch_to_guest(struct vcpu_svm *svm, struct sev_es_save_area *hostsa);
|
2024-04-04 08:13:12 -04:00
|
|
|
void sev_es_unmap_ghcb(struct vcpu_svm *svm);
|
2020-03-24 10:41:54 +01:00
|
|
|
|
2024-04-04 08:13:12 -04:00
|
|
|
#ifdef CONFIG_KVM_AMD_SEV
|
2022-01-28 00:52:06 +00:00
|
|
|
int sev_mem_enc_ioctl(struct kvm *kvm, void __user *argp);
|
|
|
|
|
int sev_mem_enc_register_region(struct kvm *kvm,
|
|
|
|
|
struct kvm_enc_region *range);
|
|
|
|
|
int sev_mem_enc_unregister_region(struct kvm *kvm,
|
|
|
|
|
struct kvm_enc_region *range);
|
|
|
|
|
int sev_vm_copy_enc_context_from(struct kvm *kvm, unsigned int source_fd);
|
|
|
|
|
int sev_vm_move_enc_context_from(struct kvm *kvm, unsigned int source_fd);
|
2022-04-21 03:14:07 +00:00
|
|
|
void sev_guest_memory_reclaimed(struct kvm *kvm);
|
2024-04-04 08:13:12 -04:00
|
|
|
int sev_handle_vmgexit(struct kvm_vcpu *vcpu);
|
2022-04-21 03:14:07 +00:00
|
|
|
|
2024-04-04 08:13:12 -04:00
|
|
|
/* These symbols are used in common code and are stubbed below. */
|
2024-05-20 20:08:57 +08:00
|
|
|
|
2024-05-20 20:08:58 +08:00
|
|
|
struct page *snp_safe_alloc_page_node(int node, gfp_t gfp);
|
2024-05-20 20:08:57 +08:00
|
|
|
static inline struct page *snp_safe_alloc_page(void)
|
|
|
|
|
{
|
2024-05-20 20:08:58 +08:00
|
|
|
return snp_safe_alloc_page_node(numa_node_id(), GFP_KERNEL_ACCOUNT);
|
2024-05-20 20:08:57 +08:00
|
|
|
}
|
|
|
|
|
|
2024-04-04 08:13:12 -04:00
|
|
|
void sev_free_vcpu(struct kvm_vcpu *vcpu);
|
|
|
|
|
void sev_vm_destroy(struct kvm *kvm);
|
2021-04-21 19:11:15 -07:00
|
|
|
void __init sev_set_cpu_caps(void);
|
2020-12-10 11:09:38 -06:00
|
|
|
void __init sev_hardware_setup(void);
|
2022-01-28 00:52:07 +00:00
|
|
|
void sev_hardware_unsetup(void);
|
2021-04-21 19:11:22 -07:00
|
|
|
int sev_cpu_init(struct svm_cpu_data *sd);
|
2024-04-04 08:13:15 -04:00
|
|
|
int sev_dev_get_attr(u32 group, u64 attr, u64 *val);
|
2024-04-04 08:13:12 -04:00
|
|
|
extern unsigned int max_sev_asid;
|
2024-05-01 03:52:01 -05:00
|
|
|
void sev_handle_rmp_fault(struct kvm_vcpu *vcpu, gpa_t gpa, u64 error_code);
|
2024-05-01 03:52:02 -05:00
|
|
|
void sev_snp_init_protected_guest_state(struct kvm_vcpu *vcpu);
|
2024-05-01 03:52:03 -05:00
|
|
|
int sev_gmem_prepare(struct kvm *kvm, kvm_pfn_t pfn, gfn_t gfn, int max_order);
|
2024-05-01 03:52:04 -05:00
|
|
|
void sev_gmem_invalidate(kvm_pfn_t start, kvm_pfn_t end);
|
2024-05-01 03:52:05 -05:00
|
|
|
int sev_private_max_mapping_level(struct kvm *kvm, kvm_pfn_t pfn);
|
2025-03-20 08:26:49 -05:00
|
|
|
struct vmcb_save_area *sev_decrypt_vmsa(struct kvm_vcpu *vcpu);
|
|
|
|
|
void sev_free_decrypted_vmsa(struct kvm_vcpu *vcpu, struct vmcb_save_area *vmsa);
|
2024-04-04 08:13:12 -04:00
|
|
|
#else
|
2024-05-20 20:08:58 +08:00
|
|
|
static inline struct page *snp_safe_alloc_page_node(int node, gfp_t gfp)
|
2024-05-20 20:08:57 +08:00
|
|
|
{
|
2024-05-20 20:08:58 +08:00
|
|
|
return alloc_pages_node(node, gfp | __GFP_ZERO, 0);
|
2024-05-20 20:08:57 +08:00
|
|
|
}
|
|
|
|
|
|
2024-05-20 20:08:56 +08:00
|
|
|
static inline struct page *snp_safe_alloc_page(void)
|
|
|
|
|
{
|
2024-05-20 20:08:58 +08:00
|
|
|
return snp_safe_alloc_page_node(numa_node_id(), GFP_KERNEL_ACCOUNT);
|
2024-04-04 08:13:12 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline void sev_free_vcpu(struct kvm_vcpu *vcpu) {}
|
|
|
|
|
static inline void sev_vm_destroy(struct kvm *kvm) {}
|
|
|
|
|
static inline void __init sev_set_cpu_caps(void) {}
|
|
|
|
|
static inline void __init sev_hardware_setup(void) {}
|
|
|
|
|
static inline void sev_hardware_unsetup(void) {}
|
|
|
|
|
static inline int sev_cpu_init(struct svm_cpu_data *sd) { return 0; }
|
2024-04-04 08:13:15 -04:00
|
|
|
static inline int sev_dev_get_attr(u32 group, u64 attr, u64 *val) { return -ENXIO; }
|
2024-04-04 08:13:12 -04:00
|
|
|
#define max_sev_asid 0
|
2024-05-01 03:52:01 -05:00
|
|
|
static inline void sev_handle_rmp_fault(struct kvm_vcpu *vcpu, gpa_t gpa, u64 error_code) {}
|
2024-05-01 03:52:02 -05:00
|
|
|
static inline void sev_snp_init_protected_guest_state(struct kvm_vcpu *vcpu) {}
|
2024-05-01 03:52:03 -05:00
|
|
|
static inline int sev_gmem_prepare(struct kvm *kvm, kvm_pfn_t pfn, gfn_t gfn, int max_order)
|
|
|
|
|
{
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2024-05-01 03:52:04 -05:00
|
|
|
static inline void sev_gmem_invalidate(kvm_pfn_t start, kvm_pfn_t end) {}
|
2024-05-01 03:52:05 -05:00
|
|
|
static inline int sev_private_max_mapping_level(struct kvm *kvm, kvm_pfn_t pfn)
|
|
|
|
|
{
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2024-05-01 03:52:01 -05:00
|
|
|
|
2025-03-20 08:26:49 -05:00
|
|
|
static inline struct vmcb_save_area *sev_decrypt_vmsa(struct kvm_vcpu *vcpu)
|
|
|
|
|
{
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
static inline void sev_free_decrypted_vmsa(struct kvm_vcpu *vcpu, struct vmcb_save_area *vmsa) {}
|
2024-04-04 08:13:12 -04:00
|
|
|
#endif
|
2020-03-24 10:41:54 +01:00
|
|
|
|
2020-12-10 11:10:08 -06:00
|
|
|
/* vmenter.S */
|
|
|
|
|
|
2024-02-23 12:42:30 -08:00
|
|
|
void __svm_sev_es_vcpu_run(struct vcpu_svm *svm, bool spec_ctrl_intercepted,
|
|
|
|
|
struct sev_es_save_area *hostsa);
|
KVM: SVM: move MSR_IA32_SPEC_CTRL save/restore to assembly
Restoration of the host IA32_SPEC_CTRL value is probably too late
with respect to the return thunk training sequence.
With respect to the user/kernel boundary, AMD says, "If software chooses
to toggle STIBP (e.g., set STIBP on kernel entry, and clear it on kernel
exit), software should set STIBP to 1 before executing the return thunk
training sequence." I assume the same requirements apply to the guest/host
boundary. The return thunk training sequence is in vmenter.S, quite close
to the VM-exit. On hosts without V_SPEC_CTRL, however, the host's
IA32_SPEC_CTRL value is not restored until much later.
To avoid this, move the restoration of host SPEC_CTRL to assembly and,
for consistency, move the restoration of the guest SPEC_CTRL as well.
This is not particularly difficult, apart from some care to cover both
32- and 64-bit, and to share code between SEV-ES and normal vmentry.
Cc: stable@vger.kernel.org
Fixes: a149180fbcf3 ("x86: Add magic AMD return-thunk")
Suggested-by: Jim Mattson <jmattson@google.com>
Reviewed-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2022-09-30 14:24:40 -04:00
|
|
|
void __svm_vcpu_run(struct vcpu_svm *svm, bool spec_ctrl_intercepted);
|
2020-12-10 11:10:08 -06:00
|
|
|
|
2023-08-04 12:42:45 -04:00
|
|
|
#define DEFINE_KVM_GHCB_ACCESSORS(field) \
|
|
|
|
|
static __always_inline bool kvm_ghcb_##field##_is_valid(const struct vcpu_svm *svm) \
|
|
|
|
|
{ \
|
|
|
|
|
return test_bit(GHCB_BITMAP_IDX(field), \
|
|
|
|
|
(unsigned long *)&svm->sev_es.valid_bitmap); \
|
|
|
|
|
} \
|
|
|
|
|
\
|
|
|
|
|
static __always_inline u64 kvm_ghcb_get_##field##_if_valid(struct vcpu_svm *svm, struct ghcb *ghcb) \
|
|
|
|
|
{ \
|
|
|
|
|
return kvm_ghcb_##field##_is_valid(svm) ? ghcb->save.field : 0; \
|
|
|
|
|
} \
|
|
|
|
|
|
|
|
|
|
DEFINE_KVM_GHCB_ACCESSORS(cpl)
|
|
|
|
|
DEFINE_KVM_GHCB_ACCESSORS(rax)
|
|
|
|
|
DEFINE_KVM_GHCB_ACCESSORS(rcx)
|
|
|
|
|
DEFINE_KVM_GHCB_ACCESSORS(rdx)
|
|
|
|
|
DEFINE_KVM_GHCB_ACCESSORS(rbx)
|
|
|
|
|
DEFINE_KVM_GHCB_ACCESSORS(rsi)
|
|
|
|
|
DEFINE_KVM_GHCB_ACCESSORS(sw_exit_code)
|
|
|
|
|
DEFINE_KVM_GHCB_ACCESSORS(sw_exit_info_1)
|
|
|
|
|
DEFINE_KVM_GHCB_ACCESSORS(sw_exit_info_2)
|
|
|
|
|
DEFINE_KVM_GHCB_ACCESSORS(sw_scratch)
|
|
|
|
|
DEFINE_KVM_GHCB_ACCESSORS(xcr0)
|
|
|
|
|
|
2020-03-24 10:41:52 +01:00
|
|
|
#endif
|