From: konrad.wilk@oracle.com
To: speck@linutronix.de
Subject: [MODERATED] [PATCH v2.1 4/6] [PATCH v2.1 4/6] Patch #4
Date: Wed, 20 Jun 2018 16:43:00 -0400
Message-ID: <20180620204351.997227234@localhost.localdomain>

If the L1TF CPU bug is present we allow the KVM module to be loaded
as the majority of users that use Linux and KVM have trusted guests
and do not want a broken setup.

Cloud vendors are the ones that are uncomfortable with CVE-2018-3615
and as such they are the ones that should set disallow_smt to one.

Setting disallow_smt to one means that the system administrator also needs
to disable SMT (Hyper-Threading) in the BIOS, or via the 'nosmt' command
line parameter, or via /sys/devices/system/cpu/smt/control
(see commit XYZ).

Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
---
 Documentation/admin-guide/kernel-parameters.txt |  4 ++++
 arch/x86/kvm/x86.c                              | 13 +++++++++++++
 kernel/cpu.c                                    |  1 +
 3 files changed, 18 insertions(+)

diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 3a5908cd7ef7..dcc1c0313635 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -1919,6 +1919,10 @@
 	kvm.enable_vmware_backdoor=[KVM] Support VMware backdoor PV interface.
 				   Default is false (don't support).
 
+	kvm.disallow_smt=[KVM] If the L1TF CPU bug is present and the system has
+			SMT (aka Hyper-Threading) enabled then don't load KVM module.
+			Default is 0 (allow module to be loaded).
+
 	kvm.mmu_audit=	[KVM] This is a R/W parameter which allows audit
 			KVM MMU at runtime.
 			Default is 0 (off)
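Review bot: the kvm.disallow_smt entry says the module will not load but not what the administrator can do about it; since the check in kvm_arch_init() only fires while SMT is actually enabled (cpu_smt_control == CPU_SMT_ENABLED), the text should state, as the commit message does, that disabling SMT in firmware, with the 'nosmt' command line parameter, or through /sys/devices/system/cpu/smt/control lets the module load again. The name is also slightly misleading: KVM does not disallow SMT, it refuses to initialise while SMT is on with an L1TF-affected CPU, and the description should say so in those terms.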
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 0046aa70205a..1065d4e7c5fd 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -150,6 +150,10 @@ EXPORT_SYMBOL_GPL(enable_vmware_backdoor);
 static bool __read_mostly force_emulation_prefix = false;
 module_param(force_emulation_prefix, bool, S_IRUGO);
 
+static bool __read_mostly disallow_smt = false;
+module_param(disallow_smt, bool, S_IRUGO);
+
+
 #define KVM_NR_SHARED_MSRS 16
 
 struct kvm_shared_msrs_global {
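Review bot: there are two consecutive blank lines after the new module_param() (checkpatch flags this); drop one. The new parameter is also the only one in this region without a MODULE_PARM_DESC(), so modinfo will not report what it does; a one-line description matching the kernel-parameters.txt entry (for example MODULE_PARM_DESC(disallow_smt, "Refuse to load when SMT is enabled on an L1TF-affected CPU")) belongs next to the definition. S_IRUGO is the right permission here, since the value is consulted only once in kvm_arch_init() and a runtime write would have no effect.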
@@ -6555,6 +6559,15 @@ int kvm_arch_init(void *opaque)
 		goto out;
 	}
 
+	if (boot_cpu_has(X86_BUG_L1TF) && (cpu_smt_control == CPU_SMT_ENABLED)) {
+		printk(KERN_ERR "kvm: SMT enabled with L1TF CPU bug present. Refer to CVE-2018-3615 for details.\n");
+		if (disallow_smt) {
+			r = -EOPNOTSUPP;
+			goto out;
+		}
+		printk(KERN_ERR "Without disabling SMT or setting disallow_smt=1 you risk untrusted guests\n"
+				"being able to snoop the host memory!");
+	}
 	r = -ENOMEM;
 	shared_msrs = alloc_percpu(struct kvm_shared_msrs);
 	if (!shared_msrs) {
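Review bot: the check is one-shot at kvm_arch_init() time, so a host that boots with SMT off passes it, and SMT can then be re-enabled through /sys/devices/system/cpu/smt/control (the same control the commit message points at) while KVM is loaded and guests are running; if disallow_smt is meant to be a hard policy, it has to be re-evaluated when SMT control changes or be enforced in the SMT control path rather than only at module load. Smaller points in the same hunk: the second printk string ("...snoop the host memory!") has no trailing "\n", so the next kernel message will be glued onto it; both messages should use pr_err()/pr_warn() with KVM's pr_fmt rather than raw printk(KERN_ERR "kvm: ..."); the first message is emitted at KERN_ERR even when the module then loads successfully, so its severity should depend on disallow_smt; and in the refusing branch nothing tells the administrator that the -EOPNOTSUPP returned to modprobe comes from this check. Please also confirm that CVE-2018-3615 is the identifier for the hypervisor/KVM variant of L1TF that the message describes.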
diff --git a/kernel/cpu.c b/kernel/cpu.c
index 7edf0a5cfeb9..70770308c968 100644
--- a/kernel/cpu.c
+++ b/kernel/cpu.c
@@ -935,6 +935,7 @@ EXPORT_SYMBOL(cpu_down);
 
 #ifdef CONFIG_HOTPLUG_SMT
 enum cpuhp_smt_control cpu_smt_control __read_mostly = CPU_SMT_ENABLED;
+EXPORT_SYMBOL_GPL(cpu_smt_control);
 
 static int __init smt_cmdline_disable(char *str)
 {
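Review bot: exporting the raw cpu_smt_control variable gives every GPL module write access to the SMT state machine; a read-only accessor (for example an exported helper that returns whether SMT is currently enabled) would expose only what arch/x86/kvm/x86.c needs. Note also that this definition sits inside #ifdef CONFIG_HOTPLUG_SMT while the new use in kvm_arch_init() is unconditional, so a CONFIG_HOTPLUG_SMT=n build of KVM needs a fallback definition of cpu_smt_control (or of the accessor) in the header, or it will fail to build.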
-- 
2.14.3

Thread overview: 7+ messages
2018-06-20 20:43 konrad.wilk [this message]
2018-06-21  8:43 ` [MODERATED] Re: [PATCH v2.1 4/6] [PATCH v2.1 4/6] Patch #4 Peter Zijlstra
2018-06-21 13:56   ` Konrad Rzeszutek Wilk
2018-06-21 17:19   ` Paolo Bonzini
2018-06-21 11:53 ` Paolo Bonzini
2018-06-21 23:05 ` Andi Kleen
2018-06-22  9:03   ` Paolo Bonzini
