From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail-pj1-f74.google.com (mail-pj1-f74.google.com [209.85.216.74])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5970C23875D
	for <virtualization@lists.linux.dev>; Thu, 27 Feb 2025 02:19:59 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.74
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1740622801; cv=none; b=aJ4vAu0ossFKc4K84GGrM3eGao+T2Kv6ONlEPBw1poKRiqEb1tcplUxf0z87U6kHoj/KaRoadYMP2ywAQ/tM+wU2ougLjI2+dsARZcR9HAkU+LH0vUHX7sLu18YqeuqiZlEDb5b4yvBs/t8w7W7MQsI0vTAXuASatfROgsuKybk=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1740622801; c=relaxed/simple;
	bh=XdZRYBlPZyw/8jtawHaf0Gd25EjncrTXZSrOsMRCotM=;
	h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From:
	 To:Cc:Content-Type; b=hX/I/6nDHGW/UpejXcAJI8Osn7ctXILGSClHBMNPr+AwZDUTDtqBft3i/cyFuI7OLQkUTPxf8YW+s5PNi+i2jfXaZEf8IeoGPTpz6WluW6pyJJ+bC3W5mh//EHyUbIronh9g+Em7VfXhiL4J4FcW0OQ/LDKA4lXWs5PNINV+x9Q=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=Un/moftS; arc=none smtp.client-ip=209.85.216.74
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="Un/moftS"
Received: by mail-pj1-f74.google.com with SMTP id 98e67ed59e1d1-2fea1685337so792241a91.0
        for <virtualization@lists.linux.dev>; Wed, 26 Feb 2025 18:19:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20230601; t=1740622799; x=1741227599; darn=lists.linux.dev;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:reply-to:from:to:cc:subject:date:message-id:reply-to;
        bh=LZJJLySVHQgVgABAB7C0XZjDtBlLYwz9ES+Z1vP/8LE=;
        b=Un/moftSpicczL664M2OHKr1I3IcJJWzOqca4Z7R4T93fjwAFRumXEmF6UyNAeDuF1
         fCTeBvGA9M1XnKvs5Xu+6XfIlPJomCaJSvh6UuFlR1rU7Lva6ZevE8F/i90uGSVczRr6
         M8VNox31Y9/o0wgvMHRI5RxvjQWzF85evIGuBbYh6MH0+CkjJUCrIES7E05OhHiecrJg
         fqQNNmBC/CEYnttCp/c4uyIKwfp7M+EQqDPIYLuwPypYfqUhCVOZUvVoHQnbtQr06y7j
         bTc7oSd24eO015dbeQdJg6mUdEZbUbDW0hz0hs+uGgImcGTShmfZa6zLZ6OAOiC8HD3P
         6kkw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1740622799; x=1741227599;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:reply-to:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=LZJJLySVHQgVgABAB7C0XZjDtBlLYwz9ES+Z1vP/8LE=;
        b=Lhv6zBPjvkYUD9jgGfqZDRSkWNnW/F0n/mFQumll73aTuJL3W3mov+cDseDJJM1a/l
         D7/sulK0LbP3fozc+F2C7S3HsSJ6+0e/Fb2OkZJ6Ea3kCqHIW5urzUOz0/Gh0ZPIKbAy
         ULvddLsegQ5HkhBDxeOImGIpP4F4PjA6sqJR1JlwSiM1zqOk83NxRnSlu0BwPErraEbv
         kkrrXW7Y3fjtCOoo/jTShUwVZSOS1Sfer1Dvz57S1pAGWP0dEMDKoU7wHVvY3RyLU9Ze
         ncqTWkyLNyBKg8SVl04jPMZEkL/3trpjXHkifIf4UphmGx8GBg8+nLyb1WRaCqNQmaex
         525A==
X-Forwarded-Encrypted: i=1; AJvYcCXzz8URHsvuY93Ib+eZDLyjAmOJX14Qp5o4edvwIyNb7suY3mkMS7uvdiOOJO7LdrNrYPGLMNCh1bnTz7gOTA==@lists.linux.dev
X-Gm-Message-State: AOJu0YxFq/fQzVmpVmge3o9kgZU2KhsTzSXKonW6WteRSlTa/lVHrxf8
	tbRXS4+kSrYCuKutQ5o/A7vy+Xu5fNaBHiKJhe0BuGKx5uWC4IukCpoYNWs6IbAl0EI4+YneQ0P
	iFA==
X-Google-Smtp-Source: AGHT+IGhmfOgzOy0w88MLax4aQJq7WSM6/RTmeD/HK48z8QB3SAzs8w4kTiAhr4wwBRMQkXZhflq/qsZ2GU=
X-Received: from pjtq6.prod.google.com ([2002:a17:90a:c106:b0:2fc:11a0:c53f])
 (user=seanjc job=prod-delivery.src-stubby-dispatcher) by 2002:a17:90b:570c:b0:2fa:2c61:3e5a
 with SMTP id 98e67ed59e1d1-2fea12c36b0mr2515446a91.10.1740622798574; Wed, 26
 Feb 2025 18:19:58 -0800 (PST)
Reply-To: Sean Christopherson <seanjc@google.com>
Date: Wed, 26 Feb 2025 18:18:48 -0800
In-Reply-To: <20250227021855.3257188-1-seanjc@google.com>
Precedence: bulk
X-Mailing-List: virtualization@lists.linux.dev
List-Id: <virtualization.lists.linux.dev>
List-Subscribe: <mailto:virtualization+subscribe@lists.linux.dev>
List-Unsubscribe: <mailto:virtualization+unsubscribe@lists.linux.dev>
Mime-Version: 1.0
References: <20250227021855.3257188-1-seanjc@google.com>
X-Mailer: git-send-email 2.48.1.711.g2feabab25a-goog
Message-ID: <20250227021855.3257188-33-seanjc@google.com>
Subject: [PATCH v2 32/38] x86/tsc: Rejects attempts to override TSC
 calibration with lesser routine
From: Sean Christopherson <seanjc@google.com>
To: Thomas Gleixner <tglx@linutronix.de>, Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>, 
	Dave Hansen <dave.hansen@linux.intel.com>, x86@kernel.org, 
	"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>, Paolo Bonzini <pbonzini@redhat.com>, 
	Sean Christopherson <seanjc@google.com>, Juergen Gross <jgross@suse.com>, 
	"K. Y. Srinivasan" <kys@microsoft.com>, Haiyang Zhang <haiyangz@microsoft.com>, Wei Liu <wei.liu@kernel.org>, 
	Dexuan Cui <decui@microsoft.com>, Ajay Kaher <ajay.kaher@broadcom.com>, 
	Jan Kiszka <jan.kiszka@siemens.com>, Andy Lutomirski <luto@kernel.org>, 
	Peter Zijlstra <peterz@infradead.org>, Daniel Lezcano <daniel.lezcano@linaro.org>, 
	John Stultz <jstultz@google.com>
Cc: linux-kernel@vger.kernel.org, linux-coco@lists.linux.dev, 
	kvm@vger.kernel.org, virtualization@lists.linux.dev, 
	linux-hyperv@vger.kernel.org, xen-devel@lists.xenproject.org, 
	Tom Lendacky <thomas.lendacky@amd.com>, Nikunj A Dadhania <nikunj@amd.com>
Content-Type: text/plain; charset="UTF-8"

When registering a TSC frequency calibration routine, sanity check that
the incoming routine is as robust as the outgoing routine, and reject the
incoming routine if the sanity check fails.

Because native calibration routines only mark the TSC frequency as known
and reliable when they actually run, the effective progression of
capabilities is: None (native) => Known and maybe Reliable (PV) =>
Known and Reliable (CoCo).  Violating that progression for a PV override
is relatively benign, but messing up the progression when CoCo is
involved is more problematic, as it likely means a trusted source of
information (hardware/firmware) is being discarded in favor of a less
trusted source (hypervisor).

Signed-off-by: Sean Christopherson <seanjc@google.com>
---
 arch/x86/kernel/tsc.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/x86/kernel/tsc.c b/arch/x86/kernel/tsc.c
index be58df4fef66..ebcfaf7dcd38 100644
--- a/arch/x86/kernel/tsc.c
+++ b/arch/x86/kernel/tsc.c
@@ -1309,8 +1309,13 @@ void tsc_register_calibration_routines(unsigned long (*calibrate_tsc)(void),
 
 	if (properties & TSC_FREQUENCY_KNOWN)
 		setup_force_cpu_cap(X86_FEATURE_TSC_KNOWN_FREQ);
+	else if (WARN_ON(boot_cpu_has(X86_FEATURE_TSC_KNOWN_FREQ)))
+		return;
+
 	if (properties & TSC_RELIABLE)
 		setup_force_cpu_cap(X86_FEATURE_TSC_RELIABLE);
+	else if (WARN_ON(boot_cpu_has(X86_FEATURE_TSC_RELIABLE)))
+		return;
 
 	x86_platform.calibrate_tsc = calibrate_tsc;
 	if (calibrate_cpu)
-- 
2.48.1.711.g2feabab25a-goog