From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.linutronix.de (146.0.238.70:993) by crypto-ml.lab.linutronix.de with IMAP4-SSL for ; 20 Jun 2018 20:50:33 -0000 Received: from aserp2130.oracle.com ([141.146.126.79]) by Galois.linutronix.de with esmtps (TLS1.2:RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from ) id 1fVk0F-0004Sz-BA for speck@linutronix.de; Wed, 20 Jun 2018 22:46:56 +0200 Received: from pps.filterd (aserp2130.oracle.com [127.0.0.1]) by aserp2130.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w5KKhvKX108748 for ; Wed, 20 Jun 2018 20:46:48 GMT Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by aserp2130.oracle.com with ESMTP id 2jmr2mpbff-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Wed, 20 Jun 2018 20:46:48 +0000 Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id w5KKklnO023998 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Wed, 20 Jun 2018 20:46:47 GMT Received: from abhmp0006.oracle.com (abhmp0006.oracle.com [141.146.116.12]) by aserv0121.oracle.com (8.14.4/8.13.8) with ESMTP id w5KKklYU009742 for ; Wed, 20 Jun 2018 20:46:47 GMT Message-Id: <20180620204351.997227234@localhost.localdomain> Date: Wed, 20 Jun 2018 16:43:00 -0400 From: konrad.wilk@oracle.com Subject: [MODERATED] [PATCH v2.1 4/6] [PATCH v2.1 4/6] Patch #4 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit To: speck@linutronix.de List-ID: If the L1TF CPU bug is present we allow the KVM module to be loaded as the major of users that use Linux and KVM have trusted guests and do not want a broken setup. Cloud vendors are the ones that are uncomfortable with CVE 2018-3615 and as such they are the ones that should set disallow_smt to one. Setting disallow_smt to means that the system administrator also needs to disable SMT (Hyper-threading) in the BIOS, or via the 'nosmt' command line parameter, or via the /sys/devices/system/cpu/smt/control (see commit XYZ). Signed-off-by: Konrad Rzeszutek Wilk --- Documentation/admin-guide/kernel-parameters.txt | 4 ++++ arch/x86/kvm/x86.c | 13 +++++++++++++ kernel/cpu.c | 1 + 3 files changed, 18 insertions(+) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 3a5908cd7ef7..dcc1c0313635 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -1919,6 +1919,10 @@ kvm.enable_vmware_backdoor=[KVM] Support VMware backdoor PV interface. Default is false (don't support). + kvm.disallow_smt=[KVM] If the L1TF CPU bug is present and the system has + SMT (aka Hyper-Threading) enabled then don't load KVM module. + Default is 0 (allow module to be loaded). + kvm.mmu_audit= [KVM] This is a R/W parameter which allows audit KVM MMU at runtime. Default is 0 (off) diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 0046aa70205a..1065d4e7c5fd 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -150,6 +150,10 @@ EXPORT_SYMBOL_GPL(enable_vmware_backdoor); static bool __read_mostly force_emulation_prefix = false; module_param(force_emulation_prefix, bool, S_IRUGO); +static bool __read_mostly disallow_smt = false; +module_param(disallow_smt, bool, S_IRUGO); + + #define KVM_NR_SHARED_MSRS 16 struct kvm_shared_msrs_global { @@ -6555,6 +6559,15 @@ int kvm_arch_init(void *opaque) goto out; } + if (boot_cpu_has(X86_BUG_L1TF) && (cpu_smt_control == CPU_SMT_ENABLED)) { + printk(KERN_ERR "kvm: SMT enabled with L1TF CPU bug present. Refer to CVE-2018-3615 for details.\n"); + if (disallow_smt) { + r = -EOPNOTSUPP; + goto out; + } + printk(KERN_ERR "Without disabling SMT or setting disallow_smt=1 you risk untrusted guests\n" + "being able to snoop the host memory!"); + } r = -ENOMEM; shared_msrs = alloc_percpu(struct kvm_shared_msrs); if (!shared_msrs) { diff --git a/kernel/cpu.c b/kernel/cpu.c index 7edf0a5cfeb9..70770308c968 100644 --- a/kernel/cpu.c +++ b/kernel/cpu.c @@ -935,6 +935,7 @@ EXPORT_SYMBOL(cpu_down); #ifdef CONFIG_HOTPLUG_SMT enum cpuhp_smt_control cpu_smt_control __read_mostly = CPU_SMT_ENABLED; +EXPORT_SYMBOL_GPL(cpu_smt_control); static int __init smt_cmdline_disable(char *str) { -- 2.14.3