[RFC PATCH 25/27] KVM: x86: Add new KVM_CAP_X86_CPUID_PARANOID

[Binbin Wu <binbin.wu@linux.intel.com>]

Introduce a new VM-scoped capability, KVM_CAP_X86_CPUID_PARANOID, to
allow userspace to opt-in CPUID paranoid mode.

When  CPUID paranoid mode is enabled, KVM rejects KVM_SET_CPUID2 if any
CPUID bits unknown or unsupported by KVM are set.

Userspace should enable KVM_CAP_X86_CPUID_PARANOID before creating any
vCPUs.

Unconditionally enforce CPUID paranoid mode for TDs.

Signed-off-by: Binbin Wu <binbin.wu@linux.intel.com>
---
 Documentation/virt/kvm/api.rst | 18 ++++++++++++++++++
 arch/x86/kvm/vmx/tdx.c         |  8 ++++++++
 arch/x86/kvm/x86.c             | 13 +++++++++++++
 include/uapi/linux/kvm.h       |  1 +
 4 files changed, 40 insertions(+)

diff --git a/Documentation/virt/kvm/api.rst b/Documentation/virt/kvm/api.rst
index 52bbbb553ce1..81cb78ee9368 100644
--- a/Documentation/virt/kvm/api.rst
+++ b/Documentation/virt/kvm/api.rst
@@ -8904,6 +8904,24 @@ helpful if user space wants to emulate instructions which are not
 This capability can be enabled dynamically even if VCPUs were already
 created and are running.
 
+7.47 KVM_CAP_X86_CPUID_PARANOID
+-------------------------------
+
+:Architectures: x86
+:Type: vm
+:Parameters: arg[0], a bitmask of flags, which is reserved for future use.
+:Returns: 0 on success, -EINVAL if arg[0] is not zero or vCPUs have been created
+          before enabling this capability.
+
+When this capability is supported, userspace can query supported CPUIDs per VM
+via KVM_GET_SUPPORTED_CPUID and KVM_GET_EMULATED_CPUID.
+
+When this capability is enabled, KVM will only allow the CPUID bits that are
+known and supported to be exposed to the guest.  KVM will reject KVM_SET_CPUID2
+if any unknown or unsupported bits are set.
+
+For TDX guests, this capability is enabled by default.
+
 8. Other capabilities.
 ======================
 
diff --git a/arch/x86/kvm/vmx/tdx.c b/arch/x86/kvm/vmx/tdx.c
index a1df89d66a84..a996e7f761ed 100644
--- a/arch/x86/kvm/vmx/tdx.c
+++ b/arch/x86/kvm/vmx/tdx.c
@@ -638,6 +638,14 @@ int tdx_vm_init(struct kvm *kvm)
 	kvm->arch.has_private_mem = true;
 	kvm->arch.disabled_quirks |= KVM_X86_QUIRK_IGNORE_GUEST_PAT;
 
+	/*
+	 * KVM enforces CPUID paranoid mode for TDs to prevent userspace from
+	 * setting unknown or unsupported bits in CPUID, which could be host
+	 * state clobbering features requiring KVM to do additional host state
+	 * management.
+	 */
+	kvm->arch.is_cpuid_paranoid_mode = true;
+
 	/*
 	 * Because guest TD is protected, VMM can't parse the instruction in TD.
 	 * Instead, guest uses MMIO hypercall.  For unmodified device driver,
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 4f713afd909a..ed2df450fd0b 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -4870,6 +4870,7 @@ int kvm_vm_ioctl_check_extension(struct kvm *kvm, long ext)
 	case KVM_CAP_MEMORY_FAULT_INFO:
 	case KVM_CAP_X86_GUEST_MODE:
 	case KVM_CAP_ONE_REG:
+	case KVM_CAP_X86_CPUID_PARANOID:
 		r = 1;
 		break;
 	case KVM_CAP_PRE_FAULT_MEMORY:
@@ -7006,6 +7007,18 @@ int kvm_vm_ioctl_enable_cap(struct kvm *kvm,
 		mutex_unlock(&kvm->lock);
 		break;
 	}
+	case KVM_CAP_X86_CPUID_PARANOID:
+		r = -EINVAL;
+		if (cap->args[0])
+			break;
+
+		mutex_lock(&kvm->lock);
+		if (!kvm->created_vcpus) {
+			kvm->arch.is_cpuid_paranoid_mode = true;
+			r = 0;
+		}
+		mutex_unlock(&kvm->lock);
+		break;
 	default:
 		r = -EINVAL;
 		break;
diff --git a/include/uapi/linux/kvm.h b/include/uapi/linux/kvm.h
index 6c8afa2047bf..daf429cfc6eb 100644
--- a/include/uapi/linux/kvm.h
+++ b/include/uapi/linux/kvm.h
@@ -996,6 +996,7 @@ struct kvm_enable_cap {
 #define KVM_CAP_S390_USER_OPEREXEC 246
 #define KVM_CAP_S390_KEYOP 247
 #define KVM_CAP_S390_VSIE_ESAMODE 248
+#define KVM_CAP_X86_CPUID_PARANOID 249
 
 struct kvm_irq_routing_irqchip {
 	__u32 irqchip;
-- 
2.46.0