提交 20ba1423 编写于 作者: S Singh, Brijesh 提交者: Caspar Zhang

KVM: SVM: Workaround errata#1096 (insn_len maybe zero on SMAP violation)

commit 05d5a48635259e621ea26d01e8316c6feeb34190 upstream.

Errata#1096:

On a nested data page fault when CR.SMAP=1 and the guest data read
generates a SMAP violation, GuestInstrBytes field of the VMCB on a
VMEXIT will incorrectly return 0h instead the correct guest
instruction bytes .

Recommend Workaround:

To determine what instruction the guest was executing the hypervisor
will have to decode the instruction at the instruction pointer.

The recommended workaround can not be implemented for the SEV
guest because guest memory is encrypted with the guest specific key,
and instruction decoder will not be able to decode the instruction
bytes. If we hit this errata in the SEV guest then log the message
and request a guest shutdown.
Reported-by: NVenkatesh Srinivas <venkateshs@google.com>
Cc: Jim Mattson <jmattson@google.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Joerg Roedel <joro@8bytes.org>
Cc: "Radim Krčmář" <rkrcmar@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NBrijesh Singh <brijesh.singh@amd.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NWANG Siyuan <Siyuan.Wang@amd.com>
Acked-by: NCaspar Zhang <caspar@linux.alibaba.com>
上级 1abad802
...@@ -1147,6 +1147,8 @@ struct kvm_x86_ops { ...@@ -1147,6 +1147,8 @@ struct kvm_x86_ops {
int (*mem_enc_unreg_region)(struct kvm *kvm, struct kvm_enc_region *argp); int (*mem_enc_unreg_region)(struct kvm *kvm, struct kvm_enc_region *argp);
int (*get_msr_feature)(struct kvm_msr_entry *entry); int (*get_msr_feature)(struct kvm_msr_entry *entry);
bool (*need_emulation_on_page_fault)(struct kvm_vcpu *vcpu);
}; };
struct kvm_arch_async_pf { struct kvm_arch_async_pf {
......
...@@ -5370,10 +5370,12 @@ int kvm_mmu_page_fault(struct kvm_vcpu *vcpu, gva_t cr2, u64 error_code, ...@@ -5370,10 +5370,12 @@ int kvm_mmu_page_fault(struct kvm_vcpu *vcpu, gva_t cr2, u64 error_code,
* This can happen if a guest gets a page-fault on data access but the HW * This can happen if a guest gets a page-fault on data access but the HW
* table walker is not able to read the instruction page (e.g instruction * table walker is not able to read the instruction page (e.g instruction
* page is not present in memory). In those cases we simply restart the * page is not present in memory). In those cases we simply restart the
* guest. * guest, with the exception of AMD Erratum 1096 which is unrecoverable.
*/ */
if (unlikely(insn && !insn_len)) if (unlikely(insn && !insn_len)) {
return 1; if (!kvm_x86_ops->need_emulation_on_page_fault(vcpu))
return 1;
}
er = x86_emulate_instruction(vcpu, cr2, emulation_type, insn, insn_len); er = x86_emulate_instruction(vcpu, cr2, emulation_type, insn, insn_len);
......
...@@ -7109,6 +7109,36 @@ static int svm_unregister_enc_region(struct kvm *kvm, ...@@ -7109,6 +7109,36 @@ static int svm_unregister_enc_region(struct kvm *kvm,
return ret; return ret;
} }
static bool svm_need_emulation_on_page_fault(struct kvm_vcpu *vcpu)
{
bool is_user, smap;
is_user = svm_get_cpl(vcpu) == 3;
smap = !kvm_read_cr4_bits(vcpu, X86_CR4_SMAP);
/*
* Detect and workaround Errata 1096 Fam_17h_00_0Fh
*
* In non SEV guest, hypervisor will be able to read the guest
* memory to decode the instruction pointer when insn_len is zero
* so we return true to indicate that decoding is possible.
*
* But in the SEV guest, the guest memory is encrypted with the
* guest specific key and hypervisor will not be able to decode the
* instruction pointer so we will not able to workaround it. Lets
* print the error and request to kill the guest.
*/
if (is_user && smap) {
if (!sev_guest(vcpu->kvm))
return true;
pr_err_ratelimited("KVM: Guest triggered AMD Erratum 1096\n");
kvm_make_request(KVM_REQ_TRIPLE_FAULT, vcpu);
}
return false;
}
static struct kvm_x86_ops svm_x86_ops __ro_after_init = { static struct kvm_x86_ops svm_x86_ops __ro_after_init = {
.cpu_has_kvm_support = has_svm, .cpu_has_kvm_support = has_svm,
.disabled_by_bios = is_disabled, .disabled_by_bios = is_disabled,
...@@ -7239,6 +7269,8 @@ static struct kvm_x86_ops svm_x86_ops __ro_after_init = { ...@@ -7239,6 +7269,8 @@ static struct kvm_x86_ops svm_x86_ops __ro_after_init = {
.mem_enc_op = svm_mem_enc_op, .mem_enc_op = svm_mem_enc_op,
.mem_enc_reg_region = svm_register_enc_region, .mem_enc_reg_region = svm_register_enc_region,
.mem_enc_unreg_region = svm_unregister_enc_region, .mem_enc_unreg_region = svm_unregister_enc_region,
.need_emulation_on_page_fault = svm_need_emulation_on_page_fault,
}; };
static int __init svm_init(void) static int __init svm_init(void)
......
...@@ -7857,6 +7857,11 @@ static void vmx_enable_tdp(void) ...@@ -7857,6 +7857,11 @@ static void vmx_enable_tdp(void)
kvm_enable_tdp(); kvm_enable_tdp();
} }
static bool vmx_need_emulation_on_page_fault(struct kvm_vcpu *vcpu)
{
return 0;
}
static __init int hardware_setup(void) static __init int hardware_setup(void)
{ {
unsigned long host_bndcfgs; unsigned long host_bndcfgs;
...@@ -14457,6 +14462,7 @@ static struct kvm_x86_ops vmx_x86_ops __ro_after_init = { ...@@ -14457,6 +14462,7 @@ static struct kvm_x86_ops vmx_x86_ops __ro_after_init = {
.pre_enter_smm = vmx_pre_enter_smm, .pre_enter_smm = vmx_pre_enter_smm,
.pre_leave_smm = vmx_pre_leave_smm, .pre_leave_smm = vmx_pre_leave_smm,
.enable_smi_window = enable_smi_window, .enable_smi_window = enable_smi_window,
.need_emulation_on_page_fault = vmx_need_emulation_on_page_fault,
}; };
static void vmx_cleanup_l1d_flush(void) static void vmx_cleanup_l1d_flush(void)
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册