From: Tom Lendacky <thomas.lendacky@amd.com>
To: Sean Christopherson <seanjc@google.com>,
Paolo Bonzini <pbonzini@redhat.com>
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
Mathias Krause <minipli@grsecurity.net>,
John Allen <john.allen@amd.com>,
Rick Edgecombe <rick.p.edgecombe@intel.com>,
Chao Gao <chao.gao@intel.com>,
Binbin Wu <binbin.wu@linux.intel.com>,
Xiaoyao Li <xiaoyao.li@intel.com>,
Maxim Levitsky <mlevitsk@redhat.com>,
Zhang Yi Z <yi.z.zhang@linux.intel.com>, Xin Li <xin@zytor.com>
Subject: Re: [PATCH v16 02/51] KVM: SEV: Read save fields from GHCB exactly once
Date: Mon, 22 Sep 2025 16:39:04 -0500 [thread overview]
Message-ID: <1637f279-9c89-e367-19e6-d2aae2bcd4fb@amd.com> (raw)
In-Reply-To: <20250919223258.1604852-3-seanjc@google.com>
On 9/19/25 17:32, Sean Christopherson wrote:
> Wrap all reads of GHCB save fields with READ_ONCE() via a KVM-specific
> GHCB get() utility to help guard against TOCTOU bugs. Using READ_ONCE()
> doesn't completely prevent such bugs, e.g. doesn't prevent KVM from
> redoing get() after checking the initial value, but at least addresses
> all potential TOCTOU issues in the current KVM code base.
>
> To prevent unintentional use of the generic helpers, take only @svm for
> the kvm_ghcb_get_xxx() helpers and retrieve the ghcb instead of explicitly
> passing it in.
>
> Opportunistically reduce the indentation of the macro-defined helpers and
> clean up the alignment.
>
> Fixes: 4e15a0ddc3ff ("KVM: SEV: snapshot the GHCB before accessing it")
> Cc: Tom Lendacky <thomas.lendacky@amd.com>
> Signed-off-by: Sean Christopherson <seanjc@google.com>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
> ---
> arch/x86/kvm/svm/sev.c | 22 +++++++++++-----------
> arch/x86/kvm/svm/svm.h | 25 +++++++++++++++----------
> 2 files changed, 26 insertions(+), 21 deletions(-)
>
> diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
> index f046a587ecaf..8d057dbd8a71 100644
> --- a/arch/x86/kvm/svm/sev.c
> +++ b/arch/x86/kvm/svm/sev.c
> @@ -3343,26 +3343,26 @@ static void sev_es_sync_from_ghcb(struct vcpu_svm *svm)
> BUILD_BUG_ON(sizeof(svm->sev_es.valid_bitmap) != sizeof(ghcb->save.valid_bitmap));
> memcpy(&svm->sev_es.valid_bitmap, &ghcb->save.valid_bitmap, sizeof(ghcb->save.valid_bitmap));
>
> - vcpu->arch.regs[VCPU_REGS_RAX] = kvm_ghcb_get_rax_if_valid(svm, ghcb);
> - vcpu->arch.regs[VCPU_REGS_RBX] = kvm_ghcb_get_rbx_if_valid(svm, ghcb);
> - vcpu->arch.regs[VCPU_REGS_RCX] = kvm_ghcb_get_rcx_if_valid(svm, ghcb);
> - vcpu->arch.regs[VCPU_REGS_RDX] = kvm_ghcb_get_rdx_if_valid(svm, ghcb);
> - vcpu->arch.regs[VCPU_REGS_RSI] = kvm_ghcb_get_rsi_if_valid(svm, ghcb);
> + vcpu->arch.regs[VCPU_REGS_RAX] = kvm_ghcb_get_rax_if_valid(svm);
> + vcpu->arch.regs[VCPU_REGS_RBX] = kvm_ghcb_get_rbx_if_valid(svm);
> + vcpu->arch.regs[VCPU_REGS_RCX] = kvm_ghcb_get_rcx_if_valid(svm);
> + vcpu->arch.regs[VCPU_REGS_RDX] = kvm_ghcb_get_rdx_if_valid(svm);
> + vcpu->arch.regs[VCPU_REGS_RSI] = kvm_ghcb_get_rsi_if_valid(svm);
>
> - svm->vmcb->save.cpl = kvm_ghcb_get_cpl_if_valid(svm, ghcb);
> + svm->vmcb->save.cpl = kvm_ghcb_get_cpl_if_valid(svm);
>
> if (kvm_ghcb_xcr0_is_valid(svm)) {
> - vcpu->arch.xcr0 = ghcb_get_xcr0(ghcb);
> + vcpu->arch.xcr0 = kvm_ghcb_get_xcr0(svm);
> vcpu->arch.cpuid_dynamic_bits_dirty = true;
> }
>
> /* Copy the GHCB exit information into the VMCB fields */
> - exit_code = ghcb_get_sw_exit_code(ghcb);
> + exit_code = kvm_ghcb_get_sw_exit_code(svm);
> control->exit_code = lower_32_bits(exit_code);
> control->exit_code_hi = upper_32_bits(exit_code);
> - control->exit_info_1 = ghcb_get_sw_exit_info_1(ghcb);
> - control->exit_info_2 = ghcb_get_sw_exit_info_2(ghcb);
> - svm->sev_es.sw_scratch = kvm_ghcb_get_sw_scratch_if_valid(svm, ghcb);
> + control->exit_info_1 = kvm_ghcb_get_sw_exit_info_1(svm);
> + control->exit_info_2 = kvm_ghcb_get_sw_exit_info_2(svm);
> + svm->sev_es.sw_scratch = kvm_ghcb_get_sw_scratch_if_valid(svm);
>
> /* Clear the valid entries fields */
> memset(ghcb->save.valid_bitmap, 0, sizeof(ghcb->save.valid_bitmap));
> diff --git a/arch/x86/kvm/svm/svm.h b/arch/x86/kvm/svm/svm.h
> index 5d39c0b17988..5365984e82e5 100644
> --- a/arch/x86/kvm/svm/svm.h
> +++ b/arch/x86/kvm/svm/svm.h
> @@ -913,16 +913,21 @@ void __svm_sev_es_vcpu_run(struct vcpu_svm *svm, bool spec_ctrl_intercepted,
> void __svm_vcpu_run(struct vcpu_svm *svm, bool spec_ctrl_intercepted);
>
> #define DEFINE_KVM_GHCB_ACCESSORS(field) \
> - static __always_inline bool kvm_ghcb_##field##_is_valid(const struct vcpu_svm *svm) \
> - { \
> - return test_bit(GHCB_BITMAP_IDX(field), \
> - (unsigned long *)&svm->sev_es.valid_bitmap); \
> - } \
> - \
> - static __always_inline u64 kvm_ghcb_get_##field##_if_valid(struct vcpu_svm *svm, struct ghcb *ghcb) \
> - { \
> - return kvm_ghcb_##field##_is_valid(svm) ? ghcb->save.field : 0; \
> - } \
> +static __always_inline u64 kvm_ghcb_get_##field(struct vcpu_svm *svm) \
> +{ \
> + return READ_ONCE(svm->sev_es.ghcb->save.field); \
> +} \
> + \
> +static __always_inline bool kvm_ghcb_##field##_is_valid(const struct vcpu_svm *svm) \
> +{ \
> + return test_bit(GHCB_BITMAP_IDX(field), \
> + (unsigned long *)&svm->sev_es.valid_bitmap); \
> +} \
> + \
> +static __always_inline u64 kvm_ghcb_get_##field##_if_valid(struct vcpu_svm *svm) \
> +{ \
> + return kvm_ghcb_##field##_is_valid(svm) ? kvm_ghcb_get_##field(svm) : 0; \
> +}
>
> DEFINE_KVM_GHCB_ACCESSORS(cpl)
> DEFINE_KVM_GHCB_ACCESSORS(rax)
next prev parent reply other threads:[~2025-09-22 21:39 UTC|newest]
Thread overview: 114+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-19 22:32 [PATCH v16 00/51] KVM: x86: Super Mega CET Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 01/51] KVM: SEV: Rename kvm_ghcb_get_sw_exit_code() to kvm_get_cached_sw_exit_code() Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 02/51] KVM: SEV: Read save fields from GHCB exactly once Sean Christopherson
2025-09-22 21:39 ` Tom Lendacky [this message]
2025-09-19 22:32 ` [PATCH v16 03/51] KVM: SEV: Validate XCR0 provided by guest in GHCB Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 04/51] KVM: x86: Introduce KVM_{G,S}ET_ONE_REG uAPIs support Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 05/51] KVM: x86: Report XSS as to-be-saved if there are supported features Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 06/51] KVM: x86: Check XSS validity against guest CPUIDs Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 07/51] KVM: x86: Refresh CPUID on write to guest MSR_IA32_XSS Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 08/51] KVM: x86: Initialize kvm_caps.supported_xss Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 09/51] KVM: x86: Load guest FPU state when access XSAVE-managed MSRs Sean Christopherson
2025-09-22 2:10 ` Binbin Wu
2025-09-22 16:41 ` Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 10/51] KVM: x86: Add fault checks for guest CR4.CET setting Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 11/51] KVM: x86: Report KVM supported CET MSRs as to-be-saved Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 12/51] KVM: VMX: Introduce CET VMCS fields and control bits Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 13/51] KVM: x86: Enable guest SSP read/write interface with new uAPIs Sean Christopherson
2025-09-22 2:58 ` Binbin Wu
2025-09-23 9:06 ` Xiaoyao Li
2025-09-19 22:32 ` [PATCH v16 14/51] KVM: VMX: Emulate read and write to CET MSRs Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 15/51] KVM: x86: Save and reload SSP to/from SMRAM Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 16/51] KVM: VMX: Set up interception for CET MSRs Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 17/51] KVM: VMX: Set host constant supervisor states to VMCS fields Sean Christopherson
2025-09-22 3:03 ` Binbin Wu
2025-09-19 22:32 ` [PATCH v16 18/51] KVM: x86: Don't emulate instructions affected by CET features Sean Christopherson
2025-09-22 5:39 ` Binbin Wu
2025-09-22 16:47 ` Sean Christopherson
2025-09-22 10:27 ` Chao Gao
2025-09-22 20:04 ` Sean Christopherson
2025-09-23 14:12 ` Xiaoyao Li
2025-09-23 16:15 ` Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 19/51] KVM: x86: Don't emulate task switches when IBT or SHSTK is enabled Sean Christopherson
2025-09-22 6:41 ` Binbin Wu
2025-09-22 17:23 ` Sean Christopherson
2025-09-23 14:16 ` Xiaoyao Li
2025-09-22 11:27 ` Chao Gao
2025-09-19 22:32 ` [PATCH v16 20/51] KVM: x86: Emulate SSP[63:32]!=0 #GP(0) for FAR JMP to 32-bit mode Sean Christopherson
2025-09-22 7:15 ` Binbin Wu
2025-09-23 14:29 ` Xiaoyao Li
2025-09-19 22:32 ` [PATCH v16 21/51] KVM: x86/mmu: WARN on attempt to check permissions for Shadow Stack #PF Sean Christopherson
2025-09-22 7:17 ` Binbin Wu
2025-09-22 7:46 ` Binbin Wu
2025-09-23 14:33 ` Xiaoyao Li
2025-09-19 22:32 ` [PATCH v16 22/51] KVM: x86/mmu: Pretty print PK, SS, and SGX flags in MMU tracepoints Sean Christopherson
2025-09-22 7:18 ` Binbin Wu
2025-09-22 16:18 ` Sean Christopherson
2025-09-23 14:46 ` Xiaoyao Li
2025-09-19 22:32 ` [PATCH v16 23/51] KVM: x86: Allow setting CR4.CET if IBT or SHSTK is supported Sean Christopherson
2025-09-22 7:25 ` Binbin Wu
2025-09-23 14:46 ` Xiaoyao Li
2025-09-19 22:32 ` [PATCH v16 24/51] KVM: nVMX: Always forward XSAVES/XRSTORS exits from L2 to L1 Sean Christopherson
2025-09-23 8:15 ` Chao Gao
2025-09-23 14:49 ` Xiaoyao Li
2025-09-19 22:32 ` [PATCH v16 25/51] KVM: x86: Add XSS support for CET_KERNEL and CET_USER Sean Christopherson
2025-09-22 7:31 ` Binbin Wu
2025-09-23 14:55 ` Xiaoyao Li
2025-09-19 22:32 ` [PATCH v16 26/51] KVM: x86: Disable support for Shadow Stacks if TDP is disabled Sean Christopherson
2025-09-22 7:45 ` Binbin Wu
2025-09-23 14:56 ` Xiaoyao Li
2025-09-19 22:32 ` [PATCH v16 27/51] KVM: x86: Disable support for IBT and SHSTK if allow_smaller_maxphyaddr is true Sean Christopherson
2025-09-22 8:00 ` Binbin Wu
2025-09-22 18:40 ` Sean Christopherson
2025-09-23 14:44 ` Xiaoyao Li
2025-09-23 15:04 ` Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 28/51] KVM: x86: Enable CET virtualization for VMX and advertise to userspace Sean Christopherson
2025-09-22 8:06 ` Binbin Wu
2025-09-23 14:57 ` Xiaoyao Li
2025-09-19 22:32 ` [PATCH v16 29/51] KVM: VMX: Configure nested capabilities after CPU capabilities Sean Christopherson
2025-09-23 2:37 ` Chao Gao
2025-09-23 16:24 ` Sean Christopherson
2025-09-23 16:49 ` Xin Li
2025-09-19 22:32 ` [PATCH v16 30/51] KVM: nVMX: Virtualize NO_HW_ERROR_CODE_CC for L1 event injection to L2 Sean Christopherson
2025-09-22 8:37 ` Binbin Wu
2025-09-19 22:32 ` [PATCH v16 31/51] KVM: nVMX: Prepare for enabling CET support for nested guest Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 32/51] KVM: nVMX: Add consistency checks for CR0.WP and CR4.CET Sean Christopherson
2025-09-22 8:47 ` Binbin Wu
2025-09-19 22:32 ` [PATCH v16 33/51] KVM: nVMX: Add consistency checks for CET states Sean Christopherson
2025-09-22 9:23 ` Binbin Wu
2025-09-22 16:35 ` Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 34/51] KVM: nVMX: Advertise new VM-Entry/Exit control bits for CET state Sean Christopherson
2025-09-23 2:43 ` Chao Gao
2025-09-23 16:28 ` Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 35/51] KVM: SVM: Emulate reads and writes to shadow stack MSRs Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 36/51] KVM: nSVM: Save/load CET Shadow Stack state to/from vmcb12/vmcb02 Sean Christopherson
2025-10-28 22:23 ` Yosry Ahmed
2025-12-09 0:48 ` Yosry Ahmed
2025-09-19 22:32 ` [PATCH v16 37/51] KVM: SVM: Update dump_vmcb with shadow stack save area additions Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 38/51] KVM: SVM: Pass through shadow stack MSRs as appropriate Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 39/51] KVM: SEV: Synchronize MSR_IA32_XSS from the GHCB when it's valid Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 40/51] KVM: SVM: Enable shadow stack virtualization for SVM Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 41/51] KVM: x86: Add human friendly formatting for #XM, and #VE Sean Christopherson
2025-09-22 8:29 ` Binbin Wu
2025-09-19 22:32 ` [PATCH v16 42/51] KVM: x86: Define Control Protection Exception (#CP) vector Sean Christopherson
2025-09-22 8:29 ` Binbin Wu
2025-09-19 22:32 ` [PATCH v16 43/51] KVM: x86: Define AMD's #HV, #VC, and #SX exception vectors Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 44/51] KVM: selftests: Add ex_str() to print human friendly name of " Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 45/51] KVM: selftests: Add an MSR test to exercise guest/host and read/write Sean Christopherson
2025-09-23 8:03 ` Chao Gao
2025-09-23 16:51 ` Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 46/51] KVM: selftests: Add support for MSR_IA32_{S,U}_CET to MSRs test Sean Christopherson
2025-09-23 7:12 ` Chao Gao
2025-09-19 22:32 ` [PATCH v16 47/51] KVM: selftests: Extend MSRs test to validate vCPUs without supported features Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 48/51] KVM: selftests: Add KVM_{G,S}ET_ONE_REG coverage to MSRs test Sean Christopherson
2025-09-23 6:52 ` Chao Gao
2025-09-19 22:32 ` [PATCH v16 49/51] KVM: selftests: Add coverate for KVM-defined registers in " Sean Christopherson
2025-09-23 6:31 ` Chao Gao
2025-09-23 16:59 ` Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 50/51] KVM: selftests: Verify MSRs are (not) in save/restore list when (un)supported Sean Christopherson
2025-09-23 6:46 ` Chao Gao
2025-09-23 17:02 ` Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 51/51] KVM: VMX: Make CR4.CET a guest owned bit Sean Christopherson
2025-09-22 8:34 ` Binbin Wu
2025-09-24 14:32 ` [PATCH v16 00/51] KVM: x86: Super Mega CET Chao Gao
2025-09-24 18:07 ` Sean Christopherson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1637f279-9c89-e367-19e6-d2aae2bcd4fb@amd.com \
--to=thomas.lendacky@amd.com \
--cc=binbin.wu@linux.intel.com \
--cc=chao.gao@intel.com \
--cc=john.allen@amd.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=minipli@grsecurity.net \
--cc=mlevitsk@redhat.com \
--cc=pbonzini@redhat.com \
--cc=rick.p.edgecombe@intel.com \
--cc=seanjc@google.com \
--cc=xiaoyao.li@intel.com \
--cc=xin@zytor.com \
--cc=yi.z.zhang@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox