From patchwork Sun Jul 3 19:16:34 2022
X-Patchwork-Submitter: Aaron Lewis
X-Patchwork-Id: 12904450
Date: Sun, 3 Jul 2022 19:16:34 +0000
In-Reply-To: <20220703191636.2159067-1-aaronlewis@google.com>
Message-Id: <20220703191636.2159067-2-aaronlewis@google.com>
References: <20220703191636.2159067-1-aaronlewis@google.com>
Subject: [PATCH 1/3] KVM: x86: fix documentation for KVM_X86_SET_MSR_FILTER
From: Aaron Lewis
To: kvm@vger.kernel.org
Cc: pbonzini@redhat.com, jmattson@google.com, seanjc@google.com, Aaron Lewis
X-Mailing-List: kvm@vger.kernel.org

Two copies of KVM_X86_SET_MSR_FILTER somehow managed to make their way into
the documentation. Remove one copy and merge the difference from the removed
copy into the copy that's being kept.

Fixes: fd49e8ee70b3 ("Merge branch 'kvm-sev-cgroup' into HEAD")
Signed-off-by: Aaron Lewis
---
 Documentation/virt/kvm/api.rst | 115 +++------------------------------
 1 file changed, 8 insertions(+), 107 deletions(-)
diff --git a/Documentation/virt/kvm/api.rst b/Documentation/virt/kvm/api.rst index bafaeedd455c..5c651a4e4e2c 100644 --- a/Documentation/virt/kvm/api.rst +++ b/Documentation/virt/kvm/api.rst @@ -4074,7 +4074,7 @@ Queues an SMI on the thread's vcpu. 4.97 KVM_X86_SET_MSR_FILTER ---------------------------- -:Capability: KVM_X86_SET_MSR_FILTER +:Capability: KVM_CAP_X86_MSR_FILTER :Architectures: x86 :Type: vm ioctl :Parameters: struct kvm_msr_filter @@ -4173,8 +4173,12 @@ If an MSR access is not permitted through the filtering, it generates a allows user space to deflect and potentially handle various MSR accesses into user space. -If a vCPU is in running state while this ioctl is invoked, the vCPU may -experience inconsistent filtering behavior on MSR accesses. +Note, invoking this ioctl while a vCPU is running is inherently racy. However, +KVM does guarantee that vCPUs will see either the previous filter or the new +filter, e.g. MSRs with identical settings in both the old and new filter will +have deterministic behavior. + + 4.98 KVM_CREATE_SPAPR_TCE_64 ---------------------------- 
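Review bot: the second hunk (@@ -4173,8 +4173,12 @@) adds two blank lines after "+have deterministic behavior." on top of the blank line that already precedes "4.98 KVM_CREATE_SPAPR_TCE_64" (the +4173,12 count only works out with both), so the section now ends in three blank lines where the removed paragraph was followed by one; drop the two "+" blank lines. The rest of the hunk is fine: the merged note corrects the removed copy's "with a vCPU is running" to "while a vCPU is running" and says more than the "may experience inconsistent filtering behavior" sentence it replaces, and the first hunk's :Capability: fix matches the KVM_CAP_X86_MSR_FILTER name used by the copy removed in the third hunk.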
@@ -5287,110 +5291,7 @@ KVM_PV_DUMP authentication tag all of which are needed to decrypt the dump at a later time. - -4.126 KVM_X86_SET_MSR_FILTER ----------------------------- - -:Capability: KVM_CAP_X86_MSR_FILTER -:Architectures: x86 -:Type: vm ioctl -:Parameters: struct kvm_msr_filter -:Returns: 0 on success, < 0 on error - -:: - - struct kvm_msr_filter_range { - #define KVM_MSR_FILTER_READ (1 << 0) - #define KVM_MSR_FILTER_WRITE (1 << 1) - __u32 flags; - __u32 nmsrs; /* number of msrs in bitmap */ - __u32 base; /* MSR index the bitmap starts at */ - __u8 *bitmap; /* a 1 bit allows the operations in flags, 0 denies */ - }; - - #define KVM_MSR_FILTER_MAX_RANGES 16 - struct kvm_msr_filter { - #define KVM_MSR_FILTER_DEFAULT_ALLOW (0 << 0) - #define KVM_MSR_FILTER_DEFAULT_DENY (1 << 0) - __u32 flags; - struct kvm_msr_filter_range ranges[KVM_MSR_FILTER_MAX_RANGES]; - }; - -flags values for ``struct kvm_msr_filter_range``: - -``KVM_MSR_FILTER_READ`` - - Filter read accesses to MSRs using the given bitmap. A 0 in the bitmap - indicates that a read should immediately fail, while a 1 indicates that - a read for a particular MSR should be handled regardless of the default - filter action. - -``KVM_MSR_FILTER_WRITE`` - - Filter write accesses to MSRs using the given bitmap. A 0 in the bitmap - indicates that a write should immediately fail, while a 1 indicates that - a write for a particular MSR should be handled regardless of the default - filter action. - -``KVM_MSR_FILTER_READ | KVM_MSR_FILTER_WRITE`` - - Filter both read and write accesses to MSRs using the given bitmap. A 0 - in the bitmap indicates that both reads and writes should immediately fail, - while a 1 indicates that reads and writes for a particular MSR are not - filtered by this range. - -flags values for ``struct kvm_msr_filter``: - -``KVM_MSR_FILTER_DEFAULT_ALLOW`` - - If no filter range matches an MSR index that is getting accessed, KVM will - fall back to allowing access to the MSR. 
- -``KVM_MSR_FILTER_DEFAULT_DENY`` - - If no filter range matches an MSR index that is getting accessed, KVM will - fall back to rejecting access to the MSR. In this mode, all MSRs that should - be processed by KVM need to explicitly be marked as allowed in the bitmaps. - -This ioctl allows user space to define up to 16 bitmaps of MSR ranges to -specify whether a certain MSR access should be explicitly filtered for or not. - -If this ioctl has never been invoked, MSR accesses are not guarded and the -default KVM in-kernel emulation behavior is fully preserved. - -Calling this ioctl with an empty set of ranges (all nmsrs == 0) disables MSR -filtering. In that mode, ``KVM_MSR_FILTER_DEFAULT_DENY`` is invalid and causes -an error. - -As soon as the filtering is in place, every MSR access is processed through -the filtering except for accesses to the x2APIC MSRs (from 0x800 to 0x8ff); -x2APIC MSRs are always allowed, independent of the ``default_allow`` setting, -and their behavior depends on the ``X2APIC_ENABLE`` bit of the APIC base -register. - -If a bit is within one of the defined ranges, read and write accesses are -guarded by the bitmap's value for the MSR index if the kind of access -is included in the ``struct kvm_msr_filter_range`` flags. If no range -cover this particular access, the behavior is determined by the flags -field in the kvm_msr_filter struct: ``KVM_MSR_FILTER_DEFAULT_ALLOW`` -and ``KVM_MSR_FILTER_DEFAULT_DENY``. - -Each bitmap range specifies a range of MSRs to potentially allow access on. -The range goes from MSR index [base .. base+nmsrs]. The flags field -indicates whether reads, writes or both reads and writes are filtered -by setting a 1 bit in the bitmap for the corresponding MSR index. - -If an MSR access is not permitted through the filtering, it generates a -#GP inside the guest. When combined with KVM_CAP_X86_USER_SPACE_MSR, that -allows user space to deflect and potentially handle various MSR accesses -into user space. 
- -Note, invoking this ioctl with a vCPU is running is inherently racy. However, -KVM does guarantee that vCPUs will see either the previous filter or the new -filter, e.g. MSRs with identical settings in both the old and new filter will -have deterministic behavior. - -4.127 KVM_XEN_HVM_SET_ATTR +4.126 KVM_XEN_HVM_SET_ATTR -------------------------- :Capability: KVM_CAP_XEN_HVM / KVM_XEN_HVM_CONFIG_SHARED_INFO

From patchwork Sun Jul 3 19:16:35 2022
X-Patchwork-Submitter: Aaron Lewis
X-Patchwork-Id: 12904451
Date: Sun, 3 Jul 2022 19:16:35 +0000
In-Reply-To: <20220703191636.2159067-1-aaronlewis@google.com>
Message-Id: <20220703191636.2159067-3-aaronlewis@google.com>
References: <20220703191636.2159067-1-aaronlewis@google.com>
Subject: [PATCH 2/3] KVM: x86: update documentation for MSR filtering
From: Aaron Lewis
To: kvm@vger.kernel.org
Cc: pbonzini@redhat.com, jmattson@google.com, seanjc@google.com, Aaron Lewis
X-Mailing-List: kvm@vger.kernel.org

Update the documentation to ensure best practices are used by VMM developers
when using KVM_X86_SET_MSR_FILTER and KVM_CAP_X86_USER_SPACE_MSR.

Signed-off-by: Aaron Lewis
---
 Documentation/virt/kvm/api.rst | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/Documentation/virt/kvm/api.rst b/Documentation/virt/kvm/api.rst index 5c651a4e4e2c..bd7d081e960f 100644 --- a/Documentation/virt/kvm/api.rst +++ b/Documentation/virt/kvm/api.rst @@ -4178,7 +4178,14 @@ KVM does guarantee that vCPUs will see either the previous filter or the new filter, e.g. MSRs with identical settings in both the old and new filter will have deterministic behavior. +When using filtering for the purpose of deflecting MSR accesses to userspace, +exiting[1] **must** be enabled for the lifetime of filtering. That is to say, +exiting needs to be enabled before filtering is enabled, and exiting needs to +remain enabled until after filtering has been disabled. Doing so avoids the +case where when an MSR access is filtered, instead of deflecting it to +userspace as intended a #GP is injected in the guest. +[1] KVM_CAP_X86_USER_SPACE_MSR set with exit reason KVM_MSR_EXIT_REASON_FILTER. 4.98 KVM_CREATE_SPAPR_TCE_64 ----------------------------
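Review bot: the footnote "+[1] KVM_CAP_X86_USER_SPACE_MSR set with exit reason KVM_MSR_EXIT_REASON_FILTER." follows "+userspace as intended a #GP is injected in the guest." with no blank line between them (the +4178,14 count leaves no room for one), so reStructuredText will run it on as the last sentence of the paragraph; separate it with a blank line as the second hunk does for its [1]/[2] lines. Beyond that, the same paragraph is now stated almost verbatim in both the KVM_X86_SET_MSR_FILTER section and the KVM_CAP_X86_USER_SPACE_MSR section (second hunk), right after patch 1 removed a duplicated section whose two copies had already drifted apart; keep the full text in one place and point to it from the other. The sentence "Doing so avoids the case where when an MSR access is filtered, instead of deflecting it to userspace as intended a #GP is injected in the guest." also reads awkwardly; something like "Otherwise a filtered MSR access that should have been deflected to userspace is instead injected into the guest as a #GP." is clearer.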
@@ -7191,6 +7198,16 @@ KVM_EXIT_X86_RDMSR and KVM_EXIT_X86_WRMSR exit notifications which user space can then handle to implement model specific MSR handling and/or user notifications to inform a user that an MSR was not handled. +When using filtering[1] for the purpose of deflecting MSR accesses to +userspace, exiting[2] **must** be enabled for the lifetime of filtering. That +is to say, exiting needs to be enabled before filtering is enabled, and exiting +needs to remain enabled until after filtering has been disabled. Doing so +avoids the case where when an MSR access is filtered, instead of deflecting it +to userspace as intended a #GP is injected in the guest. + +[1] Using KVM_X86_SET_MSR_FILTER +[2] KVM_CAP_X86_USER_SPACE_MSR set with exit reason KVM_MSR_EXIT_REASON_FILTER. + 7.22 KVM_CAP_X86_BUS_LOCK_EXIT -------------------------------

From patchwork Sun Jul 3 19:16:36 2022
X-Patchwork-Submitter: Aaron Lewis
X-Patchwork-Id: 12904452
Date: Sun, 3 Jul 2022 19:16:36 +0000
In-Reply-To: <20220703191636.2159067-1-aaronlewis@google.com>
Message-Id: <20220703191636.2159067-4-aaronlewis@google.com>
References: <20220703191636.2159067-1-aaronlewis@google.com>
Subject: [PATCH 3/3] KVM: x86: Don't deflect MSRs to userspace that can't be filtered
From: Aaron Lewis
To: kvm@vger.kernel.org
Cc: pbonzini@redhat.com, jmattson@google.com, seanjc@google.com, Aaron Lewis
X-Mailing-List: kvm@vger.kernel.org

If an MSR is not permitted to be filtered and deflected to userspace, don't
then allow it to be deflected to userspace by other means. If an MSR that
cannot be filtered #GP's, and KVM is configured to send all MSRs that #GP to
userspace, that MSR will be sent to userspace as well. Prevent that from
happening by filtering out disallowed MSRs from being deflected to userspace.

Signed-off-by: Aaron Lewis
Reported-by: kernel test robot
Reported-by: kernel test robot
Reported-by: kernel test robot
---
 arch/x86/kvm/x86.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 031678eff28e..a84741f7d254 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -1712,6 +1712,15 @@ void kvm_enable_efer_bits(u64 mask) } EXPORT_SYMBOL_GPL(kvm_enable_efer_bits); +bool kvm_msr_filtering_disallowed(u32 index) +{ + /* x2APIC MSRs do not support filtering. */ + if (index >= 0x800 && index <= 0x8ff) + return true; + + return false; +} + bool kvm_msr_allowed(struct kvm_vcpu *vcpu, u32 index, u32 type) { struct kvm_x86_msr_filter *msr_filter; @@ -1721,8 +1730,8 @@ bool kvm_msr_allowed(struct kvm_vcpu *vcpu, u32 index, u32 type) int idx; u32 i; - /* x2APIC MSRs do not support filtering. */ - if (index >= 0x800 && index <= 0x8ff) + /* Prevent certain MSRs from using MSR Filtering. */ + if (kvm_msr_filtering_disallowed(index)) return true; idx = srcu_read_lock(&kvm->srcu);
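Review bot: kvm_msr_filtering_disallowed() in the first hunk is introduced as a non-static function with no declaration added anywhere in this patch and no EXPORT_SYMBOL_GPL beside it, yet both callers (kvm_msr_allowed() in the second hunk and kvm_msr_user_space() in the third) live in x86.c; make it static so the build does not warn about a missing prototype, and the body can simply be "return index >= 0x800 && index <= 0x8ff;". In the second hunk, the replacement comment "/* Prevent certain MSRs from using MSR Filtering. */" drops the reason the removed comment gave ("x2APIC MSRs do not support filtering"); keep that reason at the call site or point at the helper so readers of kvm_msr_allowed() can find it.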
@@ -1962,6 +1971,9 @@ static int kvm_msr_user_space(struct kvm_vcpu *vcpu, u32 index, if (!(vcpu->kvm->arch.user_space_msr_mask & msr_reason)) return 0; + if (kvm_msr_filtering_disallowed(index)) + return 0; + vcpu->run->exit_reason = exit_reason; vcpu->run->msr.error = 0; memset(vcpu->run->msr.pad, 0, sizeof(vcpu->run->msr.pad));
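Review bot: the new "if (kvm_msr_filtering_disallowed(index)) return 0;" sits after the user_space_msr_mask check and before the exit is filled in, so it suppresses the userspace MSR exit for x2APIC MSRs (0x800-0x8ff) for every exit reason the VMM opted into, not just the filter reason; that matches the commit message ("KVM is configured to send all MSRs that #GP to userspace ... Prevent that"), but it is a user-visible behaviour change for VMMs using KVM_CAP_X86_USER_SPACE_MSR, and the diffstat shows no update to Documentation/virt/kvm/api.rst, which patch 2 of this series just touched for the same capability; document that these MSRs are never deflected, and add a one-line comment above the check saying why, since the helper's name speaks of filtering while this path is about deflection.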