[PATCH] KVM: x86/cpuid: Stop exposing unknown AMX Tile Palettes and accelerator units

[PATCH] KVM: x86/cpuid: Stop exposing unknown AMX Tile Palettes and accelerator units

[Like Xu]

From: Like Xu <likexu@tencent.com>

Guest enablement of Intel AMX requires a good co-work from both host and
KVM, which means that KVM should take a more safer approach to avoid
the accidental inclusion of new unknown AMX features, even though it's
designed to be an extensible architecture.

Per current spec, Intel CPUID Leaf 1EH sub-leaf 1 and above are reserved,
other bits in leaves 0x1d and 0x1e marked as "Reserved=0" shall be strictly
limited by definition for reporeted KVM_GET_SUPPORTED_CPUID.

Fixes: 690a757d610e ("kvm: x86: Add CPUID support for Intel AMX")
Signed-off-by: Like Xu <likexu@tencent.com>
---
 arch/x86/kvm/cpuid.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
index c55e57b30e81..3fde6610d314 100644
--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -661,7 +661,6 @@ static struct kvm_cpuid_entry2 *do_host_cpuid(struct kvm_cpuid_array *array,
 	case 0x17:
 	case 0x18:
 	case 0x1d:
-	case 0x1e:
 	case 0x1f:
 	case 0x8000001d:
 		entry->flags |= KVM_CPUID_FLAG_SIGNIFCANT_INDEX;
@@ -936,21 +935,26 @@ static inline int __do_cpuid_func(struct kvm_cpuid_array *array, u32 function)
 		break;
 	/* Intel AMX TILE */
 	case 0x1d:
+		entry->ebx = entry->ecx = entry->edx = 0;
 		if (!kvm_cpu_cap_has(X86_FEATURE_AMX_TILE)) {
-			entry->eax = entry->ebx = entry->ecx = entry->edx = 0;
+			entry->eax = 0;
 			break;
 		}
 
+		entry->eax = min(entry->eax, 1u);
 		for (i = 1, max_idx = entry->eax; i <= max_idx; ++i) {
 			if (!do_host_cpuid(array, function, i))
 				goto out;
 		}
 		break;
-	case 0x1e: /* TMUL information */
+	/* TMUL Information */
+	case 0x1e:
+		entry->eax = entry->ecx = entry->edx = 0;
 		if (!kvm_cpu_cap_has(X86_FEATURE_AMX_TILE)) {
-			entry->eax = entry->ebx = entry->ecx = entry->edx = 0;
+			entry->ebx = 0;
 			break;
 		}
+		entry->ebx &= 0xffffffu;
 		break;
 	case KVM_CPUID_SIGNATURE: {
 		const u32 *sigptr = (const u32 *)KVM_SIGNATURE;
-- 
2.33.1

Re: [PATCH] KVM: x86/cpuid: Stop exposing unknown AMX Tile Palettes and accelerator units

[Like Xu]

Hi,

KVM does not have much filtering in exposing the host cpuid (at least for Intel 
PT and AMX),
and innocent user spaces could be corrupted when unknown new bits are 
accidentally exposed.

Comments on code changes in this direction are welcome.

+ https://lore.kernel.org/kvm/20220112041100.26769-1-likexu@tencent.com/

On 17/1/2022 2:59 pm, Like Xu wrote:
> From: Like Xu <likexu@tencent.com>
> 
> Guest enablement of Intel AMX requires a good co-work from both host and
> KVM, which means that KVM should take a more safer approach to avoid
> the accidental inclusion of new unknown AMX features, even though it's
> designed to be an extensible architecture.
> 
> Per current spec, Intel CPUID Leaf 1EH sub-leaf 1 and above are reserved,
> other bits in leaves 0x1d and 0x1e marked as "Reserved=0" shall be strictly
> limited by definition for reporeted KVM_GET_SUPPORTED_CPUID.
> 
> Fixes: 690a757d610e ("kvm: x86: Add CPUID support for Intel AMX")
> Signed-off-by: Like Xu <likexu@tencent.com>
> ---
>   arch/x86/kvm/cpuid.c | 12 ++++++++----
>   1 file changed, 8 insertions(+), 4 deletions(-)
> 
> diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
> index c55e57b30e81..3fde6610d314 100644
> --- a/arch/x86/kvm/cpuid.c
> +++ b/arch/x86/kvm/cpuid.c
> @@ -661,7 +661,6 @@ static struct kvm_cpuid_entry2 *do_host_cpuid(struct kvm_cpuid_array *array,
>   	case 0x17:
>   	case 0x18:
>   	case 0x1d:
> -	case 0x1e:
>   	case 0x1f:
>   	case 0x8000001d:
>   		entry->flags |= KVM_CPUID_FLAG_SIGNIFCANT_INDEX;
> @@ -936,21 +935,26 @@ static inline int __do_cpuid_func(struct kvm_cpuid_array *array, u32 function)
>   		break;
>   	/* Intel AMX TILE */
>   	case 0x1d:
> +		entry->ebx = entry->ecx = entry->edx = 0;
>   		if (!kvm_cpu_cap_has(X86_FEATURE_AMX_TILE)) {
> -			entry->eax = entry->ebx = entry->ecx = entry->edx = 0;
> +			entry->eax = 0;
>   			break;
>   		}
>   
> +		entry->eax = min(entry->eax, 1u);
>   		for (i = 1, max_idx = entry->eax; i <= max_idx; ++i) {
>   			if (!do_host_cpuid(array, function, i))
>   				goto out;
>   		}
>   		break;
> -	case 0x1e: /* TMUL information */
> +	/* TMUL Information */
> +	case 0x1e:
> +		entry->eax = entry->ecx = entry->edx = 0;
>   		if (!kvm_cpu_cap_has(X86_FEATURE_AMX_TILE)) {
> -			entry->eax = entry->ebx = entry->ecx = entry->edx = 0;
> +			entry->ebx = 0;
>   			break;
>   		}
> +		entry->ebx &= 0xffffffu;
>   		break;
>   	case KVM_CPUID_SIGNATURE: {
>   		const u32 *sigptr = (const u32 *)KVM_SIGNATURE;

Re: [PATCH] KVM: x86/cpuid: Stop exposing unknown AMX Tile Palettes and accelerator units

[Like Xu]

Let me try pinging again until it times out or fails.

On 9/2/2022 5:29 pm, Like Xu wrote:
> Hi,
> 
> KVM does not have much filtering in exposing the host cpuid (at least for Intel 
> PT and AMX),
> and innocent user spaces could be corrupted when unknown new bits are 
> accidentally exposed.
> 
> Comments on code changes in this direction are welcome.
> 
> + https://lore.kernel.org/kvm/20220112041100.26769-1-likexu@tencent.com/
> 
> On 17/1/2022 2:59 pm, Like Xu wrote:
>> From: Like Xu <likexu@tencent.com>
>>
>> Guest enablement of Intel AMX requires a good co-work from both host and
>> KVM, which means that KVM should take a more safer approach to avoid
>> the accidental inclusion of new unknown AMX features, even though it's
>> designed to be an extensible architecture.
>>
>> Per current spec, Intel CPUID Leaf 1EH sub-leaf 1 and above are reserved,
>> other bits in leaves 0x1d and 0x1e marked as "Reserved=0" shall be strictly
>> limited by definition for reporeted KVM_GET_SUPPORTED_CPUID.
>>
>> Fixes: 690a757d610e ("kvm: x86: Add CPUID support for Intel AMX")
>> Signed-off-by: Like Xu <likexu@tencent.com>
>> ---
>>   arch/x86/kvm/cpuid.c | 12 ++++++++----
>>   1 file changed, 8 insertions(+), 4 deletions(-)
>>
>> diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
>> index c55e57b30e81..3fde6610d314 100644
>> --- a/arch/x86/kvm/cpuid.c
>> +++ b/arch/x86/kvm/cpuid.c
>> @@ -661,7 +661,6 @@ static struct kvm_cpuid_entry2 *do_host_cpuid(struct 
>> kvm_cpuid_array *array,
>>       case 0x17:
>>       case 0x18:
>>       case 0x1d:
>> -    case 0x1e:
>>       case 0x1f:
>>       case 0x8000001d:
>>           entry->flags |= KVM_CPUID_FLAG_SIGNIFCANT_INDEX;
>> @@ -936,21 +935,26 @@ static inline int __do_cpuid_func(struct kvm_cpuid_array 
>> *array, u32 function)
>>           break;
>>       /* Intel AMX TILE */
>>       case 0x1d:
>> +        entry->ebx = entry->ecx = entry->edx = 0;
>>           if (!kvm_cpu_cap_has(X86_FEATURE_AMX_TILE)) {
>> -            entry->eax = entry->ebx = entry->ecx = entry->edx = 0;
>> +            entry->eax = 0;
>>               break;
>>           }
>> +        entry->eax = min(entry->eax, 1u);
>>           for (i = 1, max_idx = entry->eax; i <= max_idx; ++i) {
>>               if (!do_host_cpuid(array, function, i))
>>                   goto out;
>>           }
>>           break;
>> -    case 0x1e: /* TMUL information */
>> +    /* TMUL Information */
>> +    case 0x1e:
>> +        entry->eax = entry->ecx = entry->edx = 0;
>>           if (!kvm_cpu_cap_has(X86_FEATURE_AMX_TILE)) {
>> -            entry->eax = entry->ebx = entry->ecx = entry->edx = 0;
>> +            entry->ebx = 0;
>>               break;
>>           }
>> +        entry->ebx &= 0xffffffu;
>>           break;
>>       case KVM_CPUID_SIGNATURE: {
>>           const u32 *sigptr = (const u32 *)KVM_SIGNATURE;