From: Sean Christopherson <seanjc@google.com>
To: Kai Huang <kai.huang@intel.com>
Cc: "pbonzini@redhat.com" <pbonzini@redhat.com>,
"kvm@vger.kernel.org" <kvm@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 1/3] KVM: VMX: Don't rely _only_ on CPUID to enforce XCR0 restrictions for ECREATE
Date: Wed, 5 Apr 2023 18:44:16 -0700 [thread overview]
Message-ID: <ZC4j37H2+2945xxb@google.com> (raw)
In-Reply-To: <626179c54707297736158da89ee634705cd6d62f.camel@intel.com>
On Wed, Apr 05, 2023, Huang, Kai wrote:
> On Tue, 2023-04-04 at 17:59 -0700, Sean Christopherson wrote:
> > Explicitly check the vCPU's supported XCR0 when determining whether or not
> > the XFRM for ECREATE is valid. Checking CPUID works because KVM updates
> > guest CPUID.0x12.1 to restrict the leaf to a subset of the guest's allowed
> > XCR0, but that is rather subtle and KVM should not modify guest CPUID
> > except for modeling true runtime behavior (allowed XFRM is most definitely
> > not "runtime" behavior).
> >
> > Signed-off-by: Sean Christopherson <seanjc@google.com>
> > ---
> > arch/x86/kvm/vmx/sgx.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/arch/x86/kvm/vmx/sgx.c b/arch/x86/kvm/vmx/sgx.c
> > index aa53c98034bf..362a31b19b0e 100644
> > --- a/arch/x86/kvm/vmx/sgx.c
> > +++ b/arch/x86/kvm/vmx/sgx.c
> > @@ -175,7 +175,8 @@ static int __handle_encls_ecreate(struct kvm_vcpu *vcpu,
> > (u32)attributes & ~sgx_12_1->eax ||
> > (u32)(attributes >> 32) & ~sgx_12_1->ebx ||
> > (u32)xfrm & ~sgx_12_1->ecx ||
> > - (u32)(xfrm >> 32) & ~sgx_12_1->edx) {
> > + (u32)(xfrm >> 32) & ~sgx_12_1->edx ||
> > + xfrm & ~vcpu->arch.guest_supported_xcr0) {
>
> Perhaps this change is needed even without patch 2?
>
> This is because when CPUID 0xD doesn't exist, guest_supported_xcr0 is 0. But
> when CPUID 0xD doesn't exist, IIUC currently KVM doesn't clear SGX in CPUID, and
> sgx_12_1->ecx is always set to 0x3.
Hrm, that's a bug in this patch. Drat. More below.
> __handle_encls_ereate() doesn't check CPUID 0xD either, so w/o above explicit
> check xfrm against guest_supported_xcr0, it seems guest can successfully run
> ECREATE when it doesn't have CPUID 0xD?
ECREATE doesn't have a strict dependency on CPUID 0xD or XSAVE. This exact scenario
is called out in the SDM:
Legal values for SECS.ATTRIBUTES.XFRM conform to these requirements:
* XFRM[1:0] must be set to 0x3.
* If the processor does support XSAVE, XFRM must contain a value that would
be legal if loaded into XCR0.
* If the processor does not support XSAVE, or if the system software has not
enabled XSAVE, then XFRM[63:2] must be zero.
So the above needs to be either
xfrm & ~(vcpu->arch.guest_supported_xcr0 | XFEATURE_MASK_FPSSE)
or
(xfrm & ~XFEATURE_MASK_FPSSE & ~vcpu->arch.guest_supported_xcr0)
I think I prefer the first one as I find it slightly more obvious that FP+SSE are
allowed in addition to the XCR0 bits.
next prev parent reply other threads:[~2023-04-06 1:44 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-05 0:59 [PATCH 0/3] KVM: x86: SGX vs. XCR0 cleanups Sean Christopherson
2023-04-05 0:59 ` [PATCH 1/3] KVM: VMX: Don't rely _only_ on CPUID to enforce XCR0 restrictions for ECREATE Sean Christopherson
2023-04-05 10:52 ` Huang, Kai
2023-04-06 1:44 ` Sean Christopherson [this message]
2023-04-06 3:02 ` Huang, Kai
2023-04-06 19:12 ` Sean Christopherson
2023-04-12 10:12 ` Huang, Kai
2023-04-20 10:55 ` Huang, Kai
2023-04-05 0:59 ` [PATCH 2/3] KVM: x86: Don't adjust guest's CPUID.0x12.1 (allowed SGX enclave XFRM) Sean Christopherson
2023-04-05 0:59 ` [PATCH 3/3] KVM: x86: Open code supported XCR0 calculation in kvm_vcpu_after_set_cpuid() Sean Christopherson
2023-04-05 3:05 ` [PATCH 0/3] KVM: x86: SGX vs. XCR0 cleanups Huang, Kai
2023-04-05 9:44 ` Huang, Kai
2023-04-06 2:10 ` Sean Christopherson
2023-04-06 10:01 ` Zhi Wang
2023-04-12 12:07 ` Huang, Kai
2023-04-12 15:22 ` Sean Christopherson
2023-04-13 0:20 ` Huang, Kai
2023-04-13 22:48 ` Sean Christopherson
2023-04-14 13:42 ` Huang, Kai
2023-04-16 6:36 ` Zhi Wang
2023-04-13 6:07 ` Zhi Wang
2023-04-12 12:15 ` Huang, Kai
2023-04-12 14:57 ` Sean Christopherson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZC4j37H2+2945xxb@google.com \
--to=seanjc@google.com \
--cc=kai.huang@intel.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.