[PATCH 0/3 v2] KVM: nSVM: Test MBZ bits in nested CR3 (nCR3)

[PATCH 0/3 v2] KVM: nSVM: Test MBZ bits in nested CR3 (nCR3)

[Krish Sadhukhan]

v1 -> v2:
        1. Instead of using a fixed MBZ mask, the mask is now generated 
           based on the VCPU's implemented physical bit width.

        2. Patch# 3 is new and it fixes the existing 'test_cr3' tests to
           use the VCPU's implemented physical bit width in generating
           the MBZ mask.

[PATCH 1/3 v2] nSVM: Check MBZ bits in nested CR3 (nCR3) on VMRUN of nested
[PATCH 2/3 v2] nSVM: Test MBZ bits in nested CR3 (nCR3)
[PATCH 3/3 v2] nSVM: Use VCPU's implemented physical bit width to

 arch/x86/kvm/svm/nested.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Krish Sadhukhan (1):
      nSVM: Check MBZ bits in nested CR3 (nCR3) on VMRUN of nested guests

 x86/svm.h       |  1 -
 x86/svm_tests.c | 49 +++++++++++++++++++++++++++++++++++++++++++++----
 2 files changed, 45 insertions(+), 5 deletions(-)

Krish Sadhukhan (2):
      nSVM: Test MBZ bits in nested CR3 (nCR3)
      nSVM: Use VCPU's implemented physical bit width to genereate MBZ mask for CR3

[PATCH 1/3 v2] nSVM: Check MBZ bits in nested CR3 (nCR3) on VMRUN of nested guests

[Krish Sadhukhan]

According to section "Nested Paging and VMRUN/#VMEXIT" in APM vol 2, the
following guest state is illegal:

	"Any MBZ bit of nCR3 is set"

According to section "System-Control Registers" in APM vol 2,

        "All CR3 bits are writable, except for unimplemented physical
        address bits, which must be cleared to 0."

Therefore, if any bit in nCR3 is set beyond VCPU's implemented physical bit
width, return VMEXIT_INVALID.

Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
---
 arch/x86/kvm/svm/nested.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c
index 510b833cbd39..3b1d2da8820d 100644
--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -247,7 +247,8 @@ static bool nested_vmcb_check_controls(struct kvm_vcpu *vcpu,
 	if (CC(control->asid == 0))
 		return false;
 
-	if (CC((control->nested_ctl & SVM_NESTED_CTL_NP_ENABLE) && !npt_enabled))
+	if (CC((control->nested_ctl & SVM_NESTED_CTL_NP_ENABLE) && (!npt_enabled
+	    || control->nested_cr3 & rsvd_bits(vcpu->arch.maxphyaddr, 63))))
 		return false;
 
 	if (CC(!nested_svm_check_bitmap_pa(vcpu, control->msrpm_base_pa,
-- 
2.27.0

[PATCH 2/3 v2] nSVM: Test MBZ bits in nested CR3 (nCR3)

[Krish Sadhukhan]

According to section "Nested Paging and VMRUN/#VMEXIT" in APM vol 2, the
following guest state is illegal:

            "Any MBZ bit of nCR3 is set"

According to section "System-Control Registers" in APM vol 2,

    "All CR3 bits are writable, except for unimplemented physical
    address bits, which must be cleared to 0."

Therefore, test that any bit in nCR3 that is set beyond VCPU's implemented
physical bit width, results in VMEXIT_ERR.

Signed-off-by: Krish Sadhukhan <krish.sadhkhan@oracle.com>
---
 x86/svm_tests.c | 42 +++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 41 insertions(+), 1 deletion(-)

diff --git a/x86/svm_tests.c b/x86/svm_tests.c
index 8ad6122..4897a21 100644
--- a/x86/svm_tests.c
+++ b/x86/svm_tests.c
@@ -2183,7 +2183,10 @@ static void basic_guest_main(struct svm_test *test)
 			vmcb->save.cr0 = tmp;				\
 			break;						\
 		case 3:							\
-			vmcb->save.cr3 = tmp;				\
+			if (strcmp(test_name, "nested ") == 0)		\
+				vmcb->control.nested_cr3 = tmp;		\
+			else						\
+				vmcb->save.cr3 = tmp;			\
 			break;						\
 		case 4:							\
 			vmcb->save.cr4 = tmp;				\
@@ -2547,6 +2550,42 @@ static void guest_rflags_test_db_handler(struct ex_regs *r)
 	r->rflags &= ~X86_EFLAGS_TF;
 }
 
+static void test_ncr3(void)
+{
+	u64 ncr3_saved = vmcb->control.nested_cr3;
+	u64 nested_ctl_saved = vmcb->control.nested_ctl;
+	u64 ncr3_mbz_mask = GENMASK_ULL(63, cpuid_maxphyaddr());
+	u32 ret;
+
+	if (!npt_supported()) {
+		report_skip("NPT not supported");
+		return;
+	}
+
+	vmcb->control.nested_ctl = 0;
+	SVM_TEST_CR_RESERVED_BITS(0, 63, 1, 3, ncr3_saved, ncr3_mbz_mask,
+	    SVM_EXIT_VMMCALL, "nested ");
+
+	vmcb->control.nested_cr3 = ncr3_saved & ~ncr3_mbz_mask;
+	ret = svm_vmrun();
+	report (ret == SVM_EXIT_VMMCALL, "Test CR3 nested 63:0: %lx, wanted "
+	    "exit 0x%x, got 0x%x", ncr3_saved & ~ncr3_mbz_mask,
+	    SVM_EXIT_VMMCALL, ret);
+
+	vmcb->control.nested_ctl = 1;
+	SVM_TEST_CR_RESERVED_BITS(0, 63, 1, 3, ncr3_saved, ncr3_mbz_mask,
+	    SVM_EXIT_ERR, "nested ");
+
+	vmcb->control.nested_cr3 = ncr3_saved & ~ncr3_mbz_mask;
+	ret = svm_vmrun();
+	report (ret == SVM_EXIT_VMMCALL, "Test CR3 nested 63:0: %lx, wanted "
+	    "exit 0x%x, got 0x%x", ncr3_saved & ~ncr3_mbz_mask,
+	    SVM_EXIT_VMMCALL, ret);
+
+	vmcb->control.nested_cr3 = ncr3_saved;
+	vmcb->control.nested_ctl = nested_ctl_saved;
+}
+
 static void svm_guest_state_test(void)
 {
 	test_set_guest(basic_guest_main);
@@ -2557,6 +2596,7 @@ static void svm_guest_state_test(void)
 	test_dr();
 	test_msrpm_iopm_bitmap_addrs();
 	test_canonicalization();
+	test_ncr3();
 }
 
 extern void guest_rflags_test_guest(struct svm_test *test);
-- 
2.27.0

[PATCH 3/3 v2] nSVM: Use VCPU's implemented physical bit width to genereate MBZ mask for CR3

[Krish Sadhukhan]

According to section "System-Control Registers" in APM vol 2,

    "All CR3 bits are writable, except for unimplemented physical
    address bits, which must be cleared to 0."

Therefore, generate the MBZ mask for CR3 base on the the VCPU's implemented
physical bit width, instead of using a fixed MBZ mask.

Signed-off-by: Krish Sadhukhan <krish.sadhkhan@oracle.com>
---
 x86/svm.h       | 1 -
 x86/svm_tests.c | 7 ++++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/x86/svm.h b/x86/svm.h
index f74b13a..cdab44a 100644
--- a/x86/svm.h
+++ b/x86/svm.h
@@ -349,7 +349,6 @@ struct __attribute__ ((__packed__)) vmcb {
 #define SVM_CR0_SELECTIVE_MASK (X86_CR0_TS | X86_CR0_MP)
 
 #define	SVM_CR0_RESERVED_MASK			0xffffffff00000000U
-#define	SVM_CR3_LONG_MBZ_MASK			0xfff0000000000000U
 #define	SVM_CR3_LONG_RESERVED_MASK		0x0000000000000fe7U
 #define SVM_CR3_PAE_LEGACY_RESERVED_MASK	0x0000000000000007U
 #define	SVM_CR4_LEGACY_RESERVED_MASK		0xff08e000U
diff --git a/x86/svm_tests.c b/x86/svm_tests.c
index 4897a21..8a3f2e9 100644
--- a/x86/svm_tests.c
+++ b/x86/svm_tests.c
@@ -2317,11 +2317,12 @@ static void test_cr3(void)
 	 *   [63:52] - long mode
 	 */
 	u64 cr3_saved = vmcb->save.cr3;
+	u64 cr3_mbz_mask = GENMASK_ULL(63, cpuid_maxphyaddr());
 
-	SVM_TEST_CR_RESERVED_BITS(0, 63, 1, 3, cr3_saved,
-	    SVM_CR3_LONG_MBZ_MASK, SVM_EXIT_ERR, "");
+	SVM_TEST_CR_RESERVED_BITS(0, 63, 1, 3, cr3_saved, cr3_mbz_mask,
+	    SVM_EXIT_ERR, "");
 
-	vmcb->save.cr3 = cr3_saved & ~SVM_CR3_LONG_MBZ_MASK;
+	vmcb->save.cr3 = cr3_saved & ~cr3_mbz_mask;
 	report(svm_vmrun() == SVM_EXIT_VMMCALL, "Test CR3 63:0: %lx",
 	    vmcb->save.cr3);
 
-- 
2.27.0