From: John Allen <john.allen@amd.com>
To: Sean Christopherson <seanjc@google.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>,
kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
Tom Lendacky <thomas.lendacky@amd.com>,
Mathias Krause <minipli@grsecurity.net>,
Rick Edgecombe <rick.p.edgecombe@intel.com>,
Chao Gao <chao.gao@intel.com>,
Maxim Levitsky <mlevitsk@redhat.com>,
Xiaoyao Li <xiaoyao.li@intel.com>
Subject: Re: [PATCH v15 29/41] KVM: SEV: Synchronize MSR_IA32_XSS from the GHCB when it's valid
Date: Thu, 18 Sep 2025 16:23:27 -0500 [thread overview]
Message-ID: <aMx4TwOLS62ccHTQ@AUSJOHALLEN.amd.com> (raw)
In-Reply-To: <aMxvHbhsRn40x-4g@google.com>
On Thu, Sep 18, 2025 at 01:44:13PM -0700, Sean Christopherson wrote:
> On Thu, Sep 18, 2025, Sean Christopherson wrote:
> > On Thu, Sep 18, 2025, John Allen wrote:
> > > On Tue, Sep 16, 2025 at 05:55:33PM -0500, John Allen wrote:
> > > > Interesting, I see "Guest CPUID doesn't have XSAVES" times the number of
> > > > cpus followed by "XSS already set to val = 0, eliding updates" times the
> > > > number of cpus. This is with host tracing only. I can try with guest
> > > > tracing too in the morning.
> > >
> > > Ok, I think I see the problem. The cases above where we were seeing the
> > > added print statements from kvm_set_msr_common were not situations where
> > > we were going through the __kvm_emulate_msr_write via
> > > sev_es_sync_from_ghcb. When we call __kvm_emulate_msr_write from this
> > > context, we never end up getting to kvm_set_msr_common because we hit
> > > the following statement at the top of svm_set_msr:
> > >
> > > if (sev_es_prevent_msr_access(vcpu, msr))
> > > return vcpu->kvm->arch.has_protected_state ? -EINVAL : 0;
> >
> > Gah, I was looking for something like that but couldn't find it, obviously.
> >
> > > So I'm not sure if this would force using the original method of
> > > directly setting arch.ia32_xss or if there's some additional handling
> > > here that we need in this scenario to allow the msr access.
> >
> > Does this fix things? If so, I'll slot in a patch to extract setting XSS to
> > the helper, and then this patch can use that API. I like the symmetry between
> > __kvm_set_xcr() and __kvm_set_xss(), and I especially like not doing a generic
> > end-around on svm_set_msr() by calling kvm_set_msr_common() directly.
>
> Scratch that, KVM supports intra-host (and inter-host?) migration of SEV-ES
> guests and so needs to allow the host to save/restore XSS, otherwise a guest
> that *knows* its XSS hasn't change could get stale/bad CPUID emulation if the
> guest doesn't provide XSS in the GHCB on every exit.
>
> So while seemingly hacky, I'm pretty sure the right solution is actually:
>
> diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
> index cabe1950b160..d48bf20c865b 100644
> --- a/arch/x86/kvm/svm/svm.c
> +++ b/arch/x86/kvm/svm/svm.c
> @@ -2721,8 +2721,8 @@ static int svm_get_feature_msr(u32 msr, u64 *data)
> static bool sev_es_prevent_msr_access(struct kvm_vcpu *vcpu,
> struct msr_data *msr_info)
> {
> - return sev_es_guest(vcpu->kvm) &&
> - vcpu->arch.guest_state_protected &&
> + return sev_es_guest(vcpu->kvm) && vcpu->arch.guest_state_protected &&
> + msr_info->index != MSR_IA32_XSS &&
> !msr_write_intercepted(vcpu, msr_info->index);
> }
Yes, it looks like this fixes the regression. Thanks!
The 32bit selftest still doesn't work properly with sev-es, but that was
a problem with the previous version too. I suspect there's some
incompatibility between sev-es and the test, but I haven't been able to
get a good answer on why that might be.
Thanks,
John
>
> Side topic, checking msr_write_intercepted() is likely wrong. It's a bad
> heuristic for "managed in the VMSA". MSRs that _KVM_ loads into hardware and
> context switches should still be accessible. I haven't looked to see if this is
> a problem in practice.
>
> >
> > diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
> > index 945f7da60107..ace9f321d2c9 100644
> > --- a/arch/x86/include/asm/kvm_host.h
> > +++ b/arch/x86/include/asm/kvm_host.h
> > @@ -2213,6 +2213,7 @@ unsigned long kvm_get_cr8(struct kvm_vcpu *vcpu);
> > void kvm_lmsw(struct kvm_vcpu *vcpu, unsigned long msw);
> > int __kvm_set_xcr(struct kvm_vcpu *vcpu, u32 index, u64 xcr);
> > int kvm_emulate_xsetbv(struct kvm_vcpu *vcpu);
> > +int __kvm_set_xss(struct kvm_vcpu *vcpu, u64 xss);
> >
> > int kvm_get_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr);
> > int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr);
> > diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
> > index 94d9acc94c9a..462aebc54135 100644
> > --- a/arch/x86/kvm/svm/sev.c
> > +++ b/arch/x86/kvm/svm/sev.c
> > @@ -3355,7 +3355,7 @@ static void sev_es_sync_from_ghcb(struct vcpu_svm *svm)
> > __kvm_set_xcr(vcpu, 0, kvm_ghcb_get_xcr0(svm));
> >
> > if (kvm_ghcb_xss_is_valid(svm))
> > - __kvm_emulate_msr_write(vcpu, MSR_IA32_XSS, kvm_ghcb_get_xss(svm));
> > + __kvm_set_xss(vcpu, kvm_ghcb_get_xss(svm));
> >
> > /* Copy the GHCB exit information into the VMCB fields */
> > exit_code = kvm_ghcb_get_sw_exit_code(svm);
> > diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> > index 5bbc187ab428..9b81e92a8de5 100644
> > --- a/arch/x86/kvm/x86.c
> > +++ b/arch/x86/kvm/x86.c
> > @@ -1313,6 +1313,22 @@ int kvm_emulate_xsetbv(struct kvm_vcpu *vcpu)
> > }
> > EXPORT_SYMBOL_FOR_KVM_INTERNAL(kvm_emulate_xsetbv);
> >
> > +int __kvm_set_xss(struct kvm_vcpu *vcpu, u64 xss)
> > +{
> > + if (!guest_cpuid_has(vcpu, X86_FEATURE_XSAVES))
> > + return KVM_MSR_RET_UNSUPPORTED;
> > +
> > + if (xss & ~vcpu->arch.guest_supported_xss)
> > + return 1;
> > + if (vcpu->arch.ia32_xss == xss)
> > + return 0;
> > +
> > + vcpu->arch.ia32_xss = xss;
> > + vcpu->arch.cpuid_dynamic_bits_dirty = true;
> > + return 0;
> > +}
> > +EXPORT_SYMBOL_GPL(__kvm_set_xss);
> > +
> > static bool kvm_is_valid_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
> > {
> > return __kvm_is_valid_cr4(vcpu, cr4) &&
> > @@ -4119,16 +4135,7 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
> > }
> > break;
> > case MSR_IA32_XSS:
> > - if (!guest_cpuid_has(vcpu, X86_FEATURE_XSAVES))
> > - return KVM_MSR_RET_UNSUPPORTED;
> > -
> > - if (data & ~vcpu->arch.guest_supported_xss)
> > - return 1;
> > - if (vcpu->arch.ia32_xss == data)
> > - break;
> > - vcpu->arch.ia32_xss = data;
> > - vcpu->arch.cpuid_dynamic_bits_dirty = true;
> > - break;
> > + return __kvm_set_xss(vcpu, data);
> > case MSR_SMI_COUNT:
> > if (!msr_info->host_initiated)
> > return 1;
next prev parent reply other threads:[~2025-09-18 21:23 UTC|newest]
Thread overview: 130+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-12 23:22 [PATCH v15 00/41] KVM: x86: Mega-CET Sean Christopherson
2025-09-12 23:22 ` [PATCH v15 01/41] KVM: SEV: Rename kvm_ghcb_get_sw_exit_code() to kvm_get_cached_sw_exit_code() Sean Christopherson
2025-09-15 16:15 ` Tom Lendacky
2025-09-15 16:30 ` Sean Christopherson
2025-09-12 23:22 ` [PATCH v15 02/41] KVM: SEV: Read save fields from GHCB exactly once Sean Christopherson
2025-09-15 17:32 ` Tom Lendacky
2025-09-15 21:08 ` Sean Christopherson
2025-09-17 21:47 ` Sean Christopherson
2025-09-12 23:22 ` [PATCH v15 03/41] KVM: SEV: Validate XCR0 provided by guest in GHCB Sean Christopherson
2025-09-15 18:41 ` Tom Lendacky
2025-09-15 21:22 ` Sean Christopherson
2025-09-12 23:22 ` [PATCH v15 04/41] KVM: x86: Introduce KVM_{G,S}ET_ONE_REG uAPIs support Sean Christopherson
2025-09-15 6:29 ` Xiaoyao Li
2025-09-16 7:10 ` Binbin Wu
2025-09-17 13:14 ` Sean Christopherson
2025-09-12 23:22 ` [PATCH v15 05/41] KVM: x86: Report XSS as to-be-saved if there are supported features Sean Christopherson
2025-09-16 7:12 ` Binbin Wu
2025-09-12 23:22 ` [PATCH v15 06/41] KVM: x86: Check XSS validity against guest CPUIDs Sean Christopherson
2025-09-16 7:20 ` Binbin Wu
2025-09-12 23:22 ` [PATCH v15 07/41] KVM: x86: Refresh CPUID on write to guest MSR_IA32_XSS Sean Christopherson
2025-09-16 7:23 ` Binbin Wu
2025-09-12 23:22 ` [PATCH v15 08/41] KVM: x86: Initialize kvm_caps.supported_xss Sean Christopherson
2025-09-16 7:29 ` Binbin Wu
2025-09-12 23:22 ` [PATCH v15 09/41] KVM: x86: Load guest FPU state when access XSAVE-managed MSRs Sean Christopherson
2025-09-15 17:04 ` Xin Li
2025-09-16 6:51 ` Xiaoyao Li
2025-09-16 8:28 ` Binbin Wu
2025-09-17 2:51 ` Binbin Wu
2025-09-17 12:47 ` Sean Christopherson
2025-09-17 21:56 ` Sean Christopherson
2025-09-12 23:22 ` [PATCH v15 10/41] KVM: x86: Add fault checks for guest CR4.CET setting Sean Christopherson
2025-09-16 8:33 ` Binbin Wu
2025-09-12 23:22 ` [PATCH v15 11/41] KVM: x86: Report KVM supported CET MSRs as to-be-saved Sean Christopherson
2025-09-15 6:30 ` Xiaoyao Li
2025-09-16 8:46 ` Binbin Wu
2025-09-12 23:22 ` [PATCH v15 12/41] KVM: VMX: Introduce CET VMCS fields and control bits Sean Christopherson
2025-09-15 6:31 ` Xiaoyao Li
2025-09-16 9:00 ` Binbin Wu
2025-09-12 23:22 ` [PATCH v15 13/41] KVM: x86: Enable guest SSP read/write interface with new uAPIs Sean Christopherson
2025-09-15 6:55 ` Xiaoyao Li
2025-09-15 22:12 ` Sean Christopherson
2025-09-16 5:52 ` Xiaoyao Li
2025-09-19 17:47 ` Sean Christopherson
2025-09-19 17:58 ` Sean Christopherson
2025-09-12 23:22 ` [PATCH v15 14/41] KVM: VMX: Emulate read and write to CET MSRs Sean Christopherson
2025-09-16 7:07 ` Xiaoyao Li
2025-09-16 7:48 ` Chao Gao
2025-09-16 8:10 ` Xiaoyao Li
2025-09-19 22:11 ` Sean Christopherson
2025-09-17 7:52 ` Binbin Wu
2025-09-12 23:22 ` [PATCH v15 15/41] KVM: x86: Save and reload SSP to/from SMRAM Sean Christopherson
2025-09-16 7:37 ` Xiaoyao Li
2025-09-17 7:53 ` Binbin Wu
2025-09-12 23:22 ` [PATCH v15 16/41] KVM: VMX: Set up interception for CET MSRs Sean Christopherson
2025-09-15 17:21 ` Xin Li
2025-09-16 7:40 ` Xiaoyao Li
2025-09-17 8:32 ` Binbin Wu
2025-09-17 13:44 ` Sean Christopherson
2025-09-12 23:22 ` [PATCH v15 17/41] KVM: VMX: Set host constant supervisor states to VMCS fields Sean Christopherson
2025-09-16 7:44 ` Xiaoyao Li
2025-09-17 8:48 ` Xiaoyao Li
2025-09-17 21:25 ` Sean Christopherson
2025-09-12 23:22 ` [PATCH v15 18/41] KVM: x86: Don't emulate instructions affected by CET features Sean Christopherson
2025-09-17 8:16 ` Chao Gao
2025-09-17 21:15 ` Sean Christopherson
2025-09-18 14:54 ` Chao Gao
2025-09-18 18:02 ` Sean Christopherson
2025-09-17 8:19 ` Xiaoyao Li
2025-09-18 14:15 ` Chao Gao
2025-09-19 1:25 ` Sean Christopherson
2025-09-17 8:45 ` Binbin Wu
2025-09-12 23:22 ` [PATCH v15 19/41] KVM: x86: Enable CET virtualization for VMX and advertise to userspace Sean Christopherson
2025-09-18 1:57 ` Binbin Wu
2025-09-19 22:57 ` Sean Christopherson
2025-09-18 2:18 ` Binbin Wu
2025-09-18 18:05 ` Sean Christopherson
2025-09-19 7:10 ` Xiaoyao Li
2025-09-19 14:25 ` Sean Christopherson
2025-09-12 23:22 ` [PATCH v15 20/41] KVM: nVMX: Virtualize NO_HW_ERROR_CODE_CC for L1 event injection to L2 Sean Christopherson
2025-09-18 2:27 ` Binbin Wu
2025-09-12 23:22 ` [PATCH v15 21/41] KVM: nVMX: Prepare for enabling CET support for nested guest Sean Christopherson
2025-09-15 17:45 ` Xin Li
2025-09-18 4:48 ` Xin Li
2025-09-18 18:05 ` Sean Christopherson
2025-09-12 23:23 ` [PATCH v15 22/41] KVM: nVMX: Add consistency checks for CR0.WP and CR4.CET Sean Christopherson
2025-09-12 23:23 ` [PATCH v15 23/41] KVM: nVMX: Add consistency checks for CET states Sean Christopherson
2025-09-12 23:23 ` [PATCH v15 24/41] KVM: nVMX: Advertise new VM-Entry/Exit control bits for CET state Sean Christopherson
2025-09-12 23:23 ` [PATCH v15 25/41] KVM: x86: SVM: Emulate reads and writes to shadow stack MSRs Sean Christopherson
2025-09-15 17:56 ` Xin Li
2025-09-15 20:43 ` Sean Christopherson
2025-09-12 23:23 ` [PATCH v15 26/41] KVM: nSVM: Save/load CET Shadow Stack state to/from vmcb12/vmcb02 Sean Christopherson
2025-09-12 23:23 ` [PATCH v15 27/41] KVM: x86: SVM: Update dump_vmcb with shadow stack save area additions Sean Christopherson
2025-09-12 23:23 ` [PATCH v15 28/41] KVM: x86: SVM: Pass through shadow stack MSRs as appropriate Sean Christopherson
2025-09-12 23:23 ` [PATCH v15 29/41] KVM: SEV: Synchronize MSR_IA32_XSS from the GHCB when it's valid Sean Christopherson
2025-09-16 18:55 ` John Allen
2025-09-16 19:53 ` Sean Christopherson
2025-09-16 20:33 ` John Allen
2025-09-16 21:38 ` Sean Christopherson
2025-09-16 22:55 ` John Allen
2025-09-18 19:48 ` John Allen
2025-09-18 20:34 ` Sean Christopherson
2025-09-18 20:44 ` Sean Christopherson
2025-09-18 21:23 ` John Allen [this message]
2025-09-18 21:42 ` Edgecombe, Rick P
2025-09-18 22:18 ` John Allen
2025-09-19 13:40 ` Tom Lendacky
2025-09-19 16:13 ` John Allen
2025-09-19 17:29 ` Edgecombe, Rick P
2025-09-19 20:58 ` Edgecombe, Rick P
2025-09-22 9:19 ` Kiryl Shutsemau
2025-09-22 9:33 ` Upadhyay, Neeraj
2025-09-22 9:54 ` Kiryl Shutsemau
2025-09-12 23:23 ` [PATCH v15 30/41] KVM: SVM: Enable shadow stack virtualization for SVM Sean Christopherson
2025-09-12 23:23 ` [PATCH v15 31/41] KVM: x86: Add human friendly formatting for #XM, and #VE Sean Christopherson
2025-09-12 23:23 ` [PATCH v15 32/41] KVM: x86: Define Control Protection Exception (#CP) vector Sean Christopherson
2025-09-12 23:23 ` [PATCH v15 33/41] KVM: x86: Define AMD's #HV, #VC, and #SX exception vectors Sean Christopherson
2025-09-12 23:23 ` [PATCH v15 34/41] KVM: selftests: Add ex_str() to print human friendly name of " Sean Christopherson
2025-09-15 9:07 ` Chao Gao
2025-09-12 23:23 ` [PATCH v15 35/41] KVM: selftests: Add an MSR test to exercise guest/host and read/write Sean Christopherson
2025-09-15 8:22 ` Chao Gao
2025-09-15 17:00 ` Sean Christopherson
2025-09-12 23:23 ` [PATCH v15 36/41] KVM: selftests: Add support for MSR_IA32_{S,U}_CET to MSRs test Sean Christopherson
2025-09-12 23:23 ` [PATCH v15 37/41] KVM: selftests: Extend MSRs test to validate vCPUs without supported features Sean Christopherson
2025-09-12 23:23 ` [PATCH v15 38/41] KVM: selftests: Add KVM_{G,S}ET_ONE_REG coverage to MSRs test Sean Christopherson
2025-09-12 23:23 ` [PATCH v15 39/41] KVM: selftests: Add coverate for KVM-defined registers in " Sean Christopherson
2025-09-12 23:23 ` [PATCH v15 40/41] KVM: selftests: Verify MSRs are (not) in save/restore list when (un)supported Sean Christopherson
2025-09-12 23:23 ` [PATCH v15 41/41] KVM: VMX: Make CR4.CET a guest owned bit Sean Christopherson
2025-09-15 13:18 ` [PATCH v15 00/41] KVM: x86: Mega-CET Mathias Krause
2025-09-15 21:20 ` John Allen
2025-09-16 13:53 ` Chao Gao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aMx4TwOLS62ccHTQ@AUSJOHALLEN.amd.com \
--to=john.allen@amd.com \
--cc=chao.gao@intel.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=minipli@grsecurity.net \
--cc=mlevitsk@redhat.com \
--cc=pbonzini@redhat.com \
--cc=rick.p.edgecombe@intel.com \
--cc=seanjc@google.com \
--cc=thomas.lendacky@amd.com \
--cc=xiaoyao.li@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.