From: Krish Sadhukhan <krish.sadhukhan@oracle.com>
To: Jim Mattson <jmattson@google.com>
Cc: "kvm list" <kvm@vger.kernel.org>,
"Radim Krčmář" <rkrcmar@redhat.com>,
"Paolo Bonzini" <pbonzini@redhat.com>
Subject: Re: [PATCH 1/4] KVM: nVMX: Check GUEST_DEBUGCTL on vmentry of nested guests
Date: Fri, 30 Aug 2019 16:26:50 -0700 [thread overview]
Message-ID: <e35e7c1f-e5c8-5f98-771e-302cf8dfba7f@oracle.com> (raw)
In-Reply-To: <CALMp9eQxdF5tJLWaWu+0t0NjhSiJfowo1U6MDkjB_zYNRKiyKw@mail.gmail.com>
On 08/29/2019 03:12 PM, Jim Mattson wrote:
> On Thu, Aug 29, 2019 at 2:25 PM Krish Sadhukhan
> <krish.sadhukhan@oracle.com> wrote:
>> According to section "Checks on Guest Control Registers, Debug Registers, and
>> and MSRs" in Intel SDM vol 3C, the following checks are performed on vmentry
>> of nested guests:
>>
>> If the "load debug controls" VM-entry control is 1, bits reserved in the
>> IA32_DEBUGCTL MSR must be 0 in the field for that register. The first
>> processors to support the virtual-machine extensions supported only the
>> 1-setting of this control and thus performed this check unconditionally.
>>
>> Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
>> Reviewed-by: Karl Heubaum <karl.heubaum@oracle.com>
>> ---
>> arch/x86/kvm/vmx/nested.c | 4 ++++
>> arch/x86/kvm/x86.h | 6 ++++++
>> 2 files changed, 10 insertions(+)
>>
>> diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
>> index 46af3a5e9209..0b234e95e0ed 100644
>> --- a/arch/x86/kvm/vmx/nested.c
>> +++ b/arch/x86/kvm/vmx/nested.c
>> @@ -2677,6 +2677,10 @@ static int nested_vmx_check_guest_state(struct kvm_vcpu *vcpu,
>> !nested_guest_cr4_valid(vcpu, vmcs12->guest_cr4))
>> return -EINVAL;
>>
>> + if ((vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS) &&
>> + !kvm_debugctl_valid(vmcs12->guest_ia32_debugctl))
>> + return -EINVAL;
>> +
>> if ((vmcs12->vm_entry_controls & VM_ENTRY_LOAD_IA32_PAT) &&
>> !kvm_pat_valid(vmcs12->guest_ia32_pat))
>> return -EINVAL;
>> diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h
>> index a470ff0868c5..28ba6d0c359f 100644
>> --- a/arch/x86/kvm/x86.h
>> +++ b/arch/x86/kvm/x86.h
>> @@ -354,6 +354,12 @@ static inline bool kvm_pat_valid(u64 data)
>> return (data | ((data & 0x0202020202020202ull) << 1)) == data;
>> }
>>
>> +static inline bool kvm_debugctl_valid(u64 data)
>> +{
>> + /* Bits 2, 3, 4, 5, 13 and [31:16] are reserved */
>> + return ((data & 0xFFFFFFFFFFFF203Cull) ? false : true);
>> +}
> This should actually be consistent with the constraints in kvm_set_msr_common:
>
> case MSR_IA32_DEBUGCTLMSR:
> if (!data) {
> /* We support the non-activated case already */
> break;
> } else if (data & ~(DEBUGCTLMSR_LBR | DEBUGCTLMSR_BTF)) {
> /* Values other than LBR and BTF are vendor-specific,
> thus reserved and should throw a #GP */
> return 1;
> }
>
> Also, as I said earlier...
>
> I'd rather see this built on an interface like:
>
> bool kvm_valid_msr_value(u32 msr_index, u64 value);
Yes, I forgot to do it. Will send a patch for this...
>
> Strange that we allow IA32_DEBUGCTL.BTF, since kvm_vcpu_do_singlestep
> ignores it. And vLBR still isn't a thing, is it?
Yes, DEBUGCTLMSR_LBR isn't used.
Good catch !
>
> It's a bit scary to me that we allow any architecturally legal
> IA32_DEBUGCTL bits to be set today. There's probably a CVE in there
> somewhere.
Is it appropriate to disable those two bits as well, then ?
next prev parent reply other threads:[~2019-08-30 23:27 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-29 20:56 [PATCH 0/4] KVM: nVMX: Check GUEST_DEBUGCTL and GUEST_DR7 on vmentry of nested guests Krish Sadhukhan
2019-08-29 20:56 ` [PATCH 1/4] KVM: nVMX: Check GUEST_DEBUGCTL " Krish Sadhukhan
2019-08-29 22:12 ` Jim Mattson
2019-08-30 23:26 ` Krish Sadhukhan [this message]
2019-09-01 23:55 ` Jim Mattson
2019-08-29 20:56 ` [PATCH 2/4] KVM: nVMX: Check GUEST_DR7 " Krish Sadhukhan
2019-08-29 22:26 ` Jim Mattson
2019-08-30 23:07 ` Krish Sadhukhan
2019-08-30 23:15 ` Jim Mattson
2019-09-02 0:33 ` Jim Mattson
[not found] ` <e229bea2-acb2-e268-6281-d8e467c3282e@oracle.com>
2019-09-04 16:44 ` Jim Mattson
2019-09-04 16:58 ` Sean Christopherson
2019-09-04 18:05 ` Krish Sadhukhan
2019-09-04 18:20 ` Jim Mattson
2019-09-09 4:11 ` Krish Sadhukhan
2019-09-09 15:56 ` Jim Mattson
2019-09-04 17:14 ` Sean Christopherson
2019-12-20 23:45 ` Jim Mattson
2019-12-21 0:27 ` Jim Mattson
2019-08-29 20:56 ` [PATCH 3/4] kvm-unit-test: nVMX: __enter_guest() should not set "launched" state when VM-entry fails Krish Sadhukhan
2019-09-04 15:42 ` Sean Christopherson
2019-09-13 20:37 ` Krish Sadhukhan
2019-09-13 21:06 ` Sean Christopherson
2019-09-16 19:12 ` Krish Sadhukhan
2019-08-29 20:56 ` [PATCH 4/4] kvm-unit-test: nVMX: Check GUEST_DEBUGCTL and GUEST_DR7 on vmentry of nested guests Krish Sadhukhan
2019-08-29 23:17 ` Jim Mattson
2019-08-30 1:12 ` Nadav Amit
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e35e7c1f-e5c8-5f98-771e-302cf8dfba7f@oracle.com \
--to=krish.sadhukhan@oracle.com \
--cc=jmattson@google.com \
--cc=kvm@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=rkrcmar@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.