[PATCH 0/2] KVM: nVMX: Check Host Address Space Size on vmentry of nested guests

[PATCH 0/2] KVM: nVMX: Check Host Address Space Size on vmentry of nested guests

[Krish Sadhukhan]

Patch# 1 adds the necessary KVM checks while patch# 2 adds the kvm-unit-tests.
Note that patch# 2 only tests those scenarios in which the "Host Address-Space
Size" VM-Exit control field can only be 1 as nested guests are 64-bit only.


[PATCH 1/2] KVM: nVMX: Check Host Address Space Size on vmentry of nested
[PATCH 2/2] kvm-unit-test: nVMX: Check Host Address Space Size on vmentry of nested

 arch/x86/kvm/vmx/nested.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

Krish Sadhukhan (1):
      nVMX: Check Host Address Space Size on vmentry of nested guests

 x86/vmx_tests.c | 63 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 63 insertions(+)

Krish Sadhukhan (1):
      nVMX: Check Host Address Space Size on vmentry of nested guests

[PATCH 1/2] KVM: nVMX: Check Host Address Space Size on vmentry of nested guests

[Krish Sadhukhan]

According to section "Checks Related to Address-Space Size" in Intel SDM
vol 3C, the following checks are performed on vmentry of nested guests:

    If the logical processor is outside IA-32e mode (if IA32_EFER.LMA = 0)
    at the time of VM entry, the following must hold:
	- The "IA-32e mode guest" VM-entry control is 0.
	- The "host address-space size" VM-exit control is 0.

    If the logical processor is in IA-32e mode (if IA32_EFER.LMA = 1) at the
    time of VM entry, the "host address-space size" VM-exit control must be 1.

    If the "host address-space size" VM-exit control is 0, the following must
    hold:
	- The "IA-32e mode guest" VM-entry control is 0.
	- Bit 17 of the CR4 field (corresponding to CR4.PCIDE) is 0.
	- Bits 63:32 in the RIP field are 0.

    If the "host address-space size" VM-exit control is 1, the following must
    hold:
	- Bit 5 of the CR4 field (corresponding to CR4.PAE) is 1.
	- The RIP field contains a canonical address.

    On processors that do not support Intel 64 architecture, checks are
    performed to ensure that the "IA-32e mode guest" VM-entry control and the
    "host address-space size" VM-exit control are both 0.

Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Reviewed-by: Karl Heubaum <karl.heubaum@oracle.com>
---
 arch/x86/kvm/vmx/nested.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
index bb509c254939..4de61b069d8c 100644
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -2649,6 +2649,34 @@ static int nested_vmx_check_host_state(struct kvm_vcpu *vcpu,
 	    is_noncanonical_address(vmcs12->host_idtr_base, vcpu) ||
 	    is_noncanonical_address(vmcs12->host_tr_base, vcpu))
 		return -EINVAL;
+
+	if (!(vmcs12->host_ia32_efer & EFER_LMA) &&
+	    ((vmcs12->vm_entry_controls & VM_ENTRY_IA32E_MODE) ||
+	    (vmcs12->vm_exit_controls & VM_EXIT_HOST_ADDR_SPACE_SIZE))) {
+		return -EINVAL;
+	}
+
+	if ((vmcs12->host_ia32_efer & EFER_LMA) &&
+	    !(vmcs12->vm_exit_controls & VM_EXIT_HOST_ADDR_SPACE_SIZE)) {
+		return -EINVAL;
+	}
+
+	if (!(vmcs12->vm_exit_controls & VM_EXIT_HOST_ADDR_SPACE_SIZE) &&
+	    ((vmcs12->vm_entry_controls & VM_ENTRY_IA32E_MODE) ||
+	    (vmcs12->host_cr4 & X86_CR4_PCIDE) ||
+	    (((vmcs12->host_rip) >> 32) & 0xffffffff))) {
+		return -EINVAL;
+	}
+
+	if ((vmcs12->vm_exit_controls & VM_EXIT_HOST_ADDR_SPACE_SIZE) &&
+	    ((!(vmcs12->host_cr4 & X86_CR4_PAE)) ||
+	    (is_noncanonical_address(vmcs12->host_rip, vcpu)))) {
+		return -EINVAL;
+	}
+#else
+	if (vmcs12->vm_entry_controls & VM_ENTRY_IA32E_MODE ||
+	    vmcs12->vm_exit_controls & VM_EXIT_HOST_ADDR_SPACE_SIZE)
+		return -EINVAL;
 #endif
 
 	/*
-- 
2.20.1

[PATCH 2/2] kvm-unit-test: nVMX: Check Host Address Space Size on vmentry of nested guests

[Krish Sadhukhan]

According to section "Checks Related to Address-Space Size" in Intel SDM vol
3C, the following checks are performed on vmentry of nested guests:

    If the "host address-space size" VM-exit control is 0, the following must
    hold:
	- The "IA-32e mode guest" VM-entry control is 0.
	- Bit 17 of the CR4 field (corresponding to CR4.PCIDE) is 0.
	- Bits 63:32 in the RIP field are 0.

    If the "host address-space size" VM-exit control is 1, the following must
    hold:
	- Bit 5 of the CR4 field (corresponding to CR4.PAE) is 1.
	- The RIP field contains a canonical address.

Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Reviewed-by: Karl Heubaum <karl.heubaum@oracle.com>
---
 x86/vmx_tests.c | 63 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 63 insertions(+)

diff --git a/x86/vmx_tests.c b/x86/vmx_tests.c
index 8ad2674..fae00d3 100644
--- a/x86/vmx_tests.c
+++ b/x86/vmx_tests.c
@@ -7108,6 +7108,68 @@ static void test_host_desc_tables(void)
 #endif
 }
 
+/*
+ * If the "host address-space size" VM-exit control is 0, the following must
+ * hold:
+ *    - The "IA-32e mode guest" VM-entry control is 0.
+ *    - Bit 17 of the CR4 field (corresponding to CR4.PCIDE) is 0.
+ *    - Bits 63:32 in the RIP field are 0.
+ *
+ * If the "host address-space size" VM-exit control is 1, the following must
+ * hold:
+ *    - Bit 5 of the CR4 field (corresponding to CR4.PAE) is 1.
+ *    - The RIP field contains a canonical address.
+ *
+ */
+static void test_host_addr_size(void)
+{
+	u64 cr4_saved = vmcs_read(HOST_CR4);
+	u64 rip_saved = vmcs_read(HOST_RIP);
+	u64 entry_ctrl_saved = vmcs_read(ENT_CONTROLS);
+	int i;
+	u64 tmp;
+
+	if (vmcs_read(EXI_CONTROLS) & EXI_HOST_64) {
+		vmcs_write(ENT_CONTROLS, entry_ctrl_saved | ENT_GUEST_64);
+		report_prefix_pushf("\"IA-32e mode guest\" enabled");
+		test_vmx_vmlaunch(0, false);
+		report_prefix_pop();
+
+		vmcs_write(HOST_CR4, cr4_saved | X86_CR4_PCIDE);
+		report_prefix_pushf("\"CR4.PCIDE\" set");
+		test_vmx_vmlaunch(0, false);
+		report_prefix_pop();
+
+		for (i = 32; i <= 63; i = i + 4) {
+			tmp = rip_saved | 1ull << i;
+			vmcs_write(HOST_RIP, tmp);
+			report_prefix_pushf("HOST_RIP %lx", tmp);
+			test_vmx_vmlaunch(0, false);
+			report_prefix_pop();
+		}
+
+		if (cr4_saved & X86_CR4_PAE) {
+			vmcs_write(HOST_CR4, cr4_saved  & ~X86_CR4_PAE);
+			report_prefix_pushf("\"CR4.PAE\" unset");
+			test_vmx_vmlaunch(
+				VMXERR_ENTRY_INVALID_HOST_STATE_FIELD, false);
+		} else {
+			report_prefix_pushf("\"CR4.PAE\" set");
+			test_vmx_vmlaunch(0, false);
+		}
+		report_prefix_pop();
+
+		vmcs_write(HOST_RIP, NONCANONICAL);
+		report_prefix_pushf("HOST_RIP %llx", NONCANONICAL);
+		test_vmx_vmlaunch(VMXERR_ENTRY_INVALID_HOST_STATE_FIELD, false);
+		report_prefix_pop();
+
+		vmcs_write(ENT_CONTROLS, entry_ctrl_saved | ENT_GUEST_64);
+		vmcs_write(HOST_RIP, rip_saved);
+		vmcs_write(HOST_CR4, cr4_saved);
+	}
+}
+
 /*
  * Check that the virtual CPU checks the VMX Host State Area as
  * documented in the Intel SDM.
@@ -7130,6 +7192,7 @@ static void vmx_host_state_area_test(void)
 	test_load_host_pat();
 	test_host_segment_regs();
 	test_host_desc_tables();
+	test_host_addr_size();
 }
 
 /*
-- 
2.20.1

Re: [PATCH 0/2] KVM: nVMX: Check Host Address Space Size on vmentry of nested guests

[Paolo Bonzini]

On 09/08/19 21:26, Krish Sadhukhan wrote:
> Patch# 1 adds the necessary KVM checks while patch# 2 adds the kvm-unit-tests.
> Note that patch# 2 only tests those scenarios in which the "Host Address-Space
> Size" VM-Exit control field can only be 1 as nested guests are 64-bit only.
> 
> 
> [PATCH 1/2] KVM: nVMX: Check Host Address Space Size on vmentry of nested
> [PATCH 2/2] kvm-unit-test: nVMX: Check Host Address Space Size on vmentry of nested
> 
>  arch/x86/kvm/vmx/nested.c | 28 ++++++++++++++++++++++++++++
>  1 file changed, 28 insertions(+)
> 
> Krish Sadhukhan (1):
>       nVMX: Check Host Address Space Size on vmentry of nested guests
> 
>  x86/vmx_tests.c | 63 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 63 insertions(+)
> 
> Krish Sadhukhan (1):
>       nVMX: Check Host Address Space Size on vmentry of nested guests
> 

Queued, thanks.

Paolo