From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail.linutronix.de (193.142.43.55:993) by crypto-ml.lab.linutronix.de with IMAP4-SSL for ; 01 Nov 2019 21:45:04 -0000
Received: from mga02.intel.com ([134.134.136.20]) by Galois.linutronix.de with esmtps (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from ) id 1iQej8-0005fR-N2 for speck@linutronix.de; Fri, 01 Nov 2019 22:45:03 +0100
Date: Fri, 1 Nov 2019 14:38:31 -0700
From: Pawan Gupta
Subject: [MODERATED] Re: [PATCH v2] NX mitigations=off fix
Message-ID: <20191101213831.GB26083@guptapadev.amr>
References: <20191101163150.z7qlfwp6vai3ttp5@treble> <20191101203859.GA10998@sec>
MIME-Version: 1.0
In-Reply-To: <20191101203859.GA10998@sec>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
To: speck@linutronix.de
List-ID:

From: Pawan Gupta
Date: Wed, 30 Oct 2019 21:28:24 -0700
Subject: [PATCH] kvm: x86: mmu: Apply global mitigations knob to ITLB_MULTIHIT

Problem: The global mitigation knob mitigations=off does not turn off X86_BUG_ITLB_MULTIHIT mitigation.

Fix: Turn off the mitigation when ITLB_MULTIHIT mitigation mode is "auto" and mitigations are turned off globally via cmdline mitigations=off.

Signed-off-by: Pawan Gupta
---
Rebased on taa-master bundle. I do not have access to Thomas's repo. This needs to go on top of Tyler's fix.

 Documentation/admin-guide/kernel-parameters.txt | 6 ++++++
 arch/x86/kvm/mmu.c | 10 ++++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index e8e0a140a632..555236b92289 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -2654,6 +2654,12 @@ l1tf=off [X86] mds=off [X86] tsx_async_abort=off [X86] + kvm.nx_huge_pages=off [X86] + + Exceptions: + This does not have any effect on + kvm.nx_huge_pages when + kvm.nx_huge_pages=force. auto (default) Mitigate all CPU vulnerabilities, but leave SMT diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c index e6a5748a12d5..529589a42afb 100644 --- a/arch/x86/kvm/mmu.c +++ b/arch/x86/kvm/mmu.c @@ -6250,6 +6250,12 @@ static void kvm_set_mmio_spte_mask(void) kvm_mmu_set_mmio_spte_mask(mask, mask, ACC_WRITE_MASK | ACC_USER_MASK); } +static bool get_nx_auto_mode(void) +{ + /* Return true when CPU has the bug, and mitigations are ON */ + return boot_cpu_has_bug(X86_BUG_ITLB_MULTIHIT) && !cpu_mitigations_off(); +} + static void __set_nx_huge_pages(bool val) { nx_huge_pages = itlb_multihit_kvm_mitigation = val; @@ -6266,7 +6272,7 @@ static int set_nx_huge_pages(const char *val, const struct kernel_param *kp) else if (sysfs_streq(val, "force")) new_val = 1; else if (sysfs_streq(val, "auto")) - new_val = boot_cpu_has_bug(X86_BUG_ITLB_MULTIHIT); + new_val = get_nx_auto_mode(); else if (strtobool(val, &new_val) < 0) return -EINVAL; @@ -6296,7 +6302,7 @@ int kvm_mmu_module_init(void) int ret = -ENOMEM; if (nx_huge_pages == -1) - __set_nx_huge_pages(boot_cpu_has_bug(X86_BUG_ITLB_MULTIHIT)); + __set_nx_huge_pages(get_nx_auto_mode()); /* * MMU roles use union aliasing which is, generally speaking, an -- 2.20.1
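Review bot: In the kernel-parameters.txt hunk, the "Exceptions" text names kvm.nx_huge_pages twice and only mentions force, which leaves the reader to guess what happens for other explicit values. The mmu.c hunks consult cpu_mitigations_off() only where "auto" (or the unset -1 default) is resolved, so the text would be clearer if it said that mitigations=off changes kvm.nx_huge_pages only when it is auto or unset, and that an explicit kvm.nx_huge_pages=force keeps the mitigation on.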
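Review bot: In the first mmu.c hunk, get_nx_auto_mode() returns the resolved on/off value for "auto" rather than a mode, so the name reads oddly at both call sites (new_val = get_nx_auto_mode() and __set_nx_huge_pages(get_nx_auto_mode())). Consider a name that says what the bool means, and have the comment state that this is what "auto" resolves to, not only when it returns true.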
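Review bot: In the set_nx_huge_pages() hunk, setting the parameter to "auto" now resolves to off on a host booted with mitigations=off even when the CPU has X86_BUG_ITLB_MULTIHIT, but the documentation change in this patch only touches the mitigations= entry. The description of kvm.nx_huge_pages itself should say that auto follows the global knob and that force is the value that enables the mitigation regardless, so an admin who writes auto on an affected CPU does not assume the mitigation is back on.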