From: Sean Christopherson <seanjc@google.com>
To: Maxim Levitsky <mlevitsk@redhat.com>
Cc: kvm@vger.kernel.org, Thomas Gleixner <tglx@linutronix.de>,
Paolo Bonzini <pbonzini@redhat.com>,
Ingo Molnar <mingo@redhat.com>,
Vitaly Kuznetsov <vkuznets@redhat.com>,
linux-kernel@vger.kernel.org, "H. Peter Anvin" <hpa@zytor.com>,
x86@kernel.org, Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>
Subject: Re: [PATCH v4 3/4] KVM: x86: model canonical checks more precisely
Date: Wed, 30 Oct 2024 17:45:58 -0700 [thread overview]
Message-ID: <ZyLTRvbLq9ZTXBim@google.com> (raw)
In-Reply-To: <20240906221824.491834-4-mlevitsk@redhat.com>
On Fri, Sep 06, 2024, Maxim Levitsky wrote:
> As a result of a recent investigation, it was determined that x86 CPUs
> which support 5-level paging, don't always respect CR4.LA57 when doing
> canonical checks.
>
> In particular:
>
> 1. MSRs which contain a linear address, allow full 57-bitcanonical address
> regardless of CR4.LA57 state. For example: MSR_KERNEL_GS_BASE.
>
> 2. All hidden segment bases and GDT/IDT bases also behave like MSRs.
> This means that full 57-bit canonical address can be loaded to them
> regardless of CR4.LA57, both using MSRS (e.g GS_BASE) and instructions
> (e.g LGDT).
>
> 3. TLB invalidation instructions also allow the user to use full 57-bit
> address regardless of the CR4.LA57.
>
> Finally, it must be noted that the CPU doesn't prevent the user from
> disabling 5-level paging, even when the full 57-bit canonical address is
> present in one of the registers mentioned above (e.g GDT base).
>
> In fact, this can happen without any userspace help, when the CPU enters
> SMM mode - some MSRs, for example MSR_KERNEL_GS_BASE are left to contain
> a non-canonical address in regard to the new mode.
>
> Since most of the affected MSRs and all segment bases can be read and
> written freely by the guest without any KVM intervention, this patch makes
> the emulator closely follow hardware behavior, which means that the
> emulator doesn't take in the account the guest CPUID support for 5-level
> paging, and only takes in the account the host CPU support.
>
> Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
> ---
> arch/x86/kvm/emulate.c | 2 +-
> arch/x86/kvm/mmu/mmu.c | 2 +-
> arch/x86/kvm/vmx/nested.c | 22 ++++++++--------
> arch/x86/kvm/vmx/pmu_intel.c | 2 +-
> arch/x86/kvm/vmx/sgx.c | 2 +-
> arch/x86/kvm/vmx/vmx.c | 4 +--
> arch/x86/kvm/x86.c | 8 +++---
> arch/x86/kvm/x86.h | 49 ++++++++++++++++++++++++++++++++++--
> 8 files changed, 68 insertions(+), 23 deletions(-)
>
> diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
> index 8c8061884a019..60986f67c35a8 100644
> --- a/arch/x86/kvm/emulate.c
> +++ b/arch/x86/kvm/emulate.c
> @@ -654,7 +654,7 @@ static inline bool emul_is_noncanonical_address(u64 la,
> struct x86_emulate_ctxt *ctxt,
> unsigned int flags)
> {
> - return !ctxt->ops->is_canonical_addr(ctxt, la, 0);
> + return !ctxt->ops->is_canonical_addr(ctxt, la, flags);
And conversely, passing flags to ->is_canonical_addr() belongs in the patch that
adds the plumbing. Even though flags isn't truly consumed until this patch,
passing '0' in this helper is confusing and an unnecessary risk.
next prev parent reply other threads:[~2024-10-31 0:46 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-06 22:18 [PATCH v4 0/4] Relax canonical checks on some arch msrs Maxim Levitsky
2024-09-06 22:18 ` [PATCH v4 1/4] KVM: x86: drop x86.h include from cpuid.h Maxim Levitsky
2024-10-31 0:43 ` Sean Christopherson
2024-09-06 22:18 ` [PATCH v4 2/4] KVM: x86: implement emul_is_noncanonical_address using is_noncanonical_address Maxim Levitsky
2024-10-31 0:44 ` Sean Christopherson
2024-09-06 22:18 ` [PATCH v4 3/4] KVM: x86: model canonical checks more precisely Maxim Levitsky
2024-10-31 0:45 ` Sean Christopherson [this message]
2024-09-06 22:18 ` [PATCH v4 4/4] KVM: nVMX: fix canonical check of vmcs12 HOST_RIP Maxim Levitsky
2024-10-30 21:20 ` [PATCH v4 0/4] Relax canonical checks on some arch msrs Maxim Levitsky
2024-10-30 21:22 ` Sean Christopherson
2024-10-30 21:25 ` Maxim Levitsky
2024-10-31 19:51 ` Sean Christopherson
2024-11-01 19:25 ` Sean Christopherson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZyLTRvbLq9ZTXBim@google.com \
--to=seanjc@google.com \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=hpa@zytor.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=mlevitsk@redhat.com \
--cc=pbonzini@redhat.com \
--cc=tglx@linutronix.de \
--cc=vkuznets@redhat.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox