diff mbox series

[v3,2/3] KVM: SEV-ES: Disallow SEV-ES guests when X86_FEATURE_LBRV is absent

Message ID 20240523121828.808-3-ravi.bangoria@amd.com (mailing list archive)
State New, archived
Headers show
Series KVM: SEV-ES: Fix KVM_{GET|SET}_MSRS and LBRV handling | expand

Commit Message

Ravi Bangoria May 23, 2024, 12:18 p.m. UTC
As documented in APM[1], LBR Virtualization must be enabled for SEV-ES
guests. So, prevent SEV-ES guests when LBRV support is missing.

[1]: AMD64 Architecture Programmer's Manual Pub. 40332, Rev. 4.07 - June
     2023, Vol 2, 15.35.2 Enabling SEV-ES.
     https://bugzilla.kernel.org/attachment.cgi?id=304653

Fixes: 376c6d285017 ("KVM: SVM: Provide support for SEV-ES vCPU creation/loading")
Signed-off-by: Ravi Bangoria <ravi.bangoria@amd.com>
---
 arch/x86/kvm/svm/sev.c |  8 +++++++-
 arch/x86/kvm/svm/svm.c | 16 +++++++---------
 arch/x86/kvm/svm/svm.h |  4 ++--
 3 files changed, 16 insertions(+), 12 deletions(-)

Comments

Paolo Bonzini May 28, 2024, 4:33 p.m. UTC | #1
On 5/23/24 14:18, Ravi Bangoria wrote:
> diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
> index 489b0183f37d..dcb5eb00a4f5 100644
> --- a/arch/x86/kvm/svm/svm.c
> +++ b/arch/x86/kvm/svm/svm.c
> @@ -5308,11 +5308,17 @@ static __init int svm_hardware_setup(void)
>   
>   	nrips = nrips && boot_cpu_has(X86_FEATURE_NRIPS);
>   
> +	if (lbrv) {
> +		if (!boot_cpu_has(X86_FEATURE_LBRV))
> +			lbrv = false;
> +		else
> +			pr_info("LBR virtualization supported\n");
> +	}
>   	/*
>   	 * Note, SEV setup consumes npt_enabled and enable_mmio_caching (which
>   	 * may be modified by svm_adjust_mmio_mask()), as well as nrips.
>   	 */

Since it consumes nrips, just make lbrv non-static:

/* enable/disable Next RIP Save */
int nrips = true;
module_param(nrips, int, 0444);

Paolo
Ravi Bangoria May 29, 2024, 10:43 a.m. UTC | #2
On 5/28/2024 10:03 PM, Paolo Bonzini wrote:
> On 5/23/24 14:18, Ravi Bangoria wrote:
>> diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
>> index 489b0183f37d..dcb5eb00a4f5 100644
>> --- a/arch/x86/kvm/svm/svm.c
>> +++ b/arch/x86/kvm/svm/svm.c
>> @@ -5308,11 +5308,17 @@ static __init int svm_hardware_setup(void)
>>         nrips = nrips && boot_cpu_has(X86_FEATURE_NRIPS);
>>   +    if (lbrv) {
>> +        if (!boot_cpu_has(X86_FEATURE_LBRV))
>> +            lbrv = false;
>> +        else
>> +            pr_info("LBR virtualization supported\n");
>> +    }
>>       /*
>>        * Note, SEV setup consumes npt_enabled and enable_mmio_caching (which
>>        * may be modified by svm_adjust_mmio_mask()), as well as nrips.
>>        */
> 
> Since it consumes nrips, just make lbrv non-static:

Sure.

Thanks,
Ravi
diff mbox series

Patch

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index 176ba117413a..1a2bde579727 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -2856,7 +2856,7 @@  void __init sev_set_cpu_caps(void)
 	}
 }
 
-void __init sev_hardware_setup(void)
+void __init sev_hardware_setup(int lbrv)
 {
 	unsigned int eax, ebx, ecx, edx, sev_asid_count, sev_es_asid_count;
 	bool sev_snp_supported = false;
@@ -2933,6 +2933,12 @@  void __init sev_hardware_setup(void)
 	if (!boot_cpu_has(X86_FEATURE_SEV_ES))
 		goto out;
 
+	if (!lbrv) {
+		WARN_ONCE(!boot_cpu_has(X86_FEATURE_LBRV),
+			  "LBRV must be present for SEV-ES support");
+		goto out;
+	}
+
 	/* Has the system been allocated ASIDs for SEV-ES? */
 	if (min_sev_asid == 1)
 		goto out;
diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
index 489b0183f37d..dcb5eb00a4f5 100644
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -5308,11 +5308,17 @@  static __init int svm_hardware_setup(void)
 
 	nrips = nrips && boot_cpu_has(X86_FEATURE_NRIPS);
 
+	if (lbrv) {
+		if (!boot_cpu_has(X86_FEATURE_LBRV))
+			lbrv = false;
+		else
+			pr_info("LBR virtualization supported\n");
+	}
 	/*
 	 * Note, SEV setup consumes npt_enabled and enable_mmio_caching (which
 	 * may be modified by svm_adjust_mmio_mask()), as well as nrips.
 	 */
-	sev_hardware_setup();
+	sev_hardware_setup(lbrv);
 
 	svm_hv_hardware_setup();
 
@@ -5361,14 +5367,6 @@  static __init int svm_hardware_setup(void)
 		svm_x86_ops.set_vnmi_pending = NULL;
 	}
 
-
-	if (lbrv) {
-		if (!boot_cpu_has(X86_FEATURE_LBRV))
-			lbrv = false;
-		else
-			pr_info("LBR virtualization supported\n");
-	}
-
 	if (!enable_pmu)
 		pr_info("PMU virtualization is disabled\n");
 
diff --git a/arch/x86/kvm/svm/svm.h b/arch/x86/kvm/svm/svm.h
index 555c55f50298..2d7fd09c08c9 100644
--- a/arch/x86/kvm/svm/svm.h
+++ b/arch/x86/kvm/svm/svm.h
@@ -728,7 +728,7 @@  struct page *snp_safe_alloc_page(struct kvm_vcpu *vcpu);
 void sev_free_vcpu(struct kvm_vcpu *vcpu);
 void sev_vm_destroy(struct kvm *kvm);
 void __init sev_set_cpu_caps(void);
-void __init sev_hardware_setup(void);
+void __init sev_hardware_setup(int lbrv);
 void sev_hardware_unsetup(void);
 int sev_cpu_init(struct svm_cpu_data *sd);
 int sev_dev_get_attr(u32 group, u64 attr, u64 *val);
@@ -747,7 +747,7 @@  static inline struct page *snp_safe_alloc_page(struct kvm_vcpu *vcpu) {
 static inline void sev_free_vcpu(struct kvm_vcpu *vcpu) {}
 static inline void sev_vm_destroy(struct kvm *kvm) {}
 static inline void __init sev_set_cpu_caps(void) {}
-static inline void __init sev_hardware_setup(void) {}
+static inline void __init sev_hardware_setup(int lbrv) {}
 static inline void sev_hardware_unsetup(void) {}
 static inline int sev_cpu_init(struct svm_cpu_data *sd) { return 0; }
 static inline int sev_dev_get_attr(u32 group, u64 attr, u64 *val) { return -ENXIO; }