From: Tom Lendacky
Subject: [RFC PATCH v2 18/20] x86/kvm: Enable Secure Memory Encryption of nested page tables
CC: Radim Krčmář, Arnd Bergmann, Jonathan Corbet, Matt Fleming, Joerg Roedel, "Konrad Rzeszutek Wilk", Andrey Ryabinin, Ingo Molnar, Borislav Petkov, "Andy Lutomirski", "H. Peter Anvin", "Paolo Bonzini", Alexander Potapenko, Thomas Gleixner, Dmitry Vyukov
Date: Mon, 22 Aug 2016 17:38:49 -0500
Message-ID: <20160822223849.29880.35462.stgit@tlendack-t1.amdoffice.net>
In-Reply-To: <20160822223529.29880.50884.stgit@tlendack-t1.amdoffice.net>
References: <20160822223529.29880.50884.stgit@tlendack-t1.amdoffice.net>
X-Mailing-List: linux-kernel@vger.kernel.org

Update the KVM support to include the memory encryption mask when creating and using nested page tables.

Signed-off-by: Tom Lendacky

--- arch/x86/include/asm/kvm_host.h | 3 ++- arch/x86/kvm/mmu.c | 8 ++++++-- arch/x86/kvm/vmx.c | 3 ++- arch/x86/kvm/x86.c | 3 ++- 4 files changed, 12 insertions(+), 5 deletions(-) diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h index 33ae3a4..c51c1cb 100644 
--- a/arch/x86/include/asm/kvm_host.h +++ b/arch/x86/include/asm/kvm_host.h @@ -1039,7 +1039,8 @@ void kvm_mmu_setup(struct kvm_vcpu *vcpu); void kvm_mmu_init_vm(struct kvm *kvm); void kvm_mmu_uninit_vm(struct kvm *kvm); void kvm_mmu_set_mask_ptes(u64 user_mask, u64 accessed_mask, - u64 dirty_mask, u64 nx_mask, u64 x_mask, u64 p_mask); + u64 dirty_mask, u64 nx_mask, u64 x_mask, u64 p_mask, + u64 me_mask); void kvm_mmu_reset_context(struct kvm_vcpu *vcpu); void kvm_mmu_slot_remove_write_access(struct kvm *kvm, diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c index 3d4cc8cc..a7040f4 100644 --- a/arch/x86/kvm/mmu.c +++ b/arch/x86/kvm/mmu.c @@ -122,7 +122,7 @@ module_param(dbg, bool, 0644); * PT32_LEVEL_BITS))) - 1)) #define PT64_PERM_MASK (PT_PRESENT_MASK | PT_WRITABLE_MASK | shadow_user_mask \ - | shadow_x_mask | shadow_nx_mask) + | shadow_x_mask | shadow_nx_mask | shadow_me_mask) #define ACC_EXEC_MASK 1 #define ACC_WRITE_MASK PT_WRITABLE_MASK @@ -177,6 +177,7 @@ static u64 __read_mostly shadow_accessed_mask; static u64 __read_mostly shadow_dirty_mask; static u64 __read_mostly shadow_mmio_mask; static u64 __read_mostly shadow_present_mask; +static u64 __read_mostly shadow_me_mask; static void mmu_spte_set(u64 *sptep, u64 spte); static void mmu_free_roots(struct kvm_vcpu *vcpu); @@ -284,7 +285,8 @@ static bool check_mmio_spte(struct kvm_vcpu *vcpu, u64 spte) } void kvm_mmu_set_mask_ptes(u64 user_mask, u64 accessed_mask, - u64 dirty_mask, u64 nx_mask, u64 x_mask, u64 p_mask) + u64 dirty_mask, u64 nx_mask, u64 x_mask, u64 p_mask, + u64 me_mask) { shadow_user_mask = user_mask; shadow_accessed_mask = accessed_mask; @@ -292,6 +294,7 @@ void kvm_mmu_set_mask_ptes(u64 user_mask, u64 accessed_mask, shadow_nx_mask = nx_mask; shadow_x_mask = x_mask; shadow_present_mask = p_mask; + shadow_me_mask = me_mask; } EXPORT_SYMBOL_GPL(kvm_mmu_set_mask_ptes); 
@@ -2553,6 +2556,7 @@ static int set_spte(struct kvm_vcpu *vcpu, u64 *sptep, pte_access &= ~ACC_WRITE_MASK; spte |= (u64)pfn << PAGE_SHIFT; + spte |= shadow_me_mask; if (pte_access & ACC_WRITE_MASK) { diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c index 87eaa6b..9040645 100644 --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -6485,7 +6485,8 @@ static __init int hardware_setup(void) (enable_ept_ad_bits) ? VMX_EPT_DIRTY_BIT : 0ull, 0ull, VMX_EPT_EXECUTABLE_MASK, cpu_has_vmx_ept_execute_only() ? - 0ull : VMX_EPT_READABLE_MASK); + 0ull : VMX_EPT_READABLE_MASK, + 0ull); ept_set_mmio_spte_mask(); kvm_enable_tdp(); } else diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 19f9f9e..d432894 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -65,6 +65,7 @@ #include #include #include +#include #define CREATE_TRACE_POINTS #include "trace.h" @@ -5875,7 +5876,7 @@ int kvm_arch_init(void *opaque) kvm_mmu_set_mask_ptes(PT_USER_MASK, PT_ACCESSED_MASK, PT_DIRTY_MASK, PT64_NX_MASK, 0, - PT_PRESENT_MASK); + PT_PRESENT_MASK, sme_me_mask); kvm_timer_init(); perf_register_guest_info_callbacks(&kvm_guest_cbs);
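
Review bot: in the "@@ -122,7 +122,7 @@" hunk of arch/x86/kvm/mmu.c, PT64_PERM_MASK is named and composed as a set of permission bits, and shadow_me_mask is an encryption attribute rather than a permission, so folding it in without a comment hides why it has to travel with the permission bits. Please add a comment on the macro saying which users of PT64_PERM_MASK depend on the encryption bit being included, or OR shadow_me_mask in explicitly at those sites so the macro keeps its meaning.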
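
Review bot: in the set_spte() hunk of arch/x86/kvm/mmu.c, "spte |= shadow_me_mask;" runs for every pfn, directly after "spte |= (u64)pfn << PAGE_SHIFT;", with no check on what the pfn refers to. If this path can be reached for pfns that are not ordinary RAM (device or MMIO-backed pages), those mappings would be marked encrypted as well. Please either gate the OR on the pfn being RAM, or add a comment stating why every pfn that reaches this line is safe to map with the encryption bit set.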
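
Review bot: in the hardware_setup() hunk of arch/x86/kvm/vmx.c, the new seventh argument is a bare "0ull" a few positions after another unlabelled "0ull", so nothing at the call site says it is the encryption mask or why the EPT path passes none. kvm_mmu_set_mask_ptes() now takes seven positional u64 values, which makes a misplaced argument easy to miss in review. A short comment on that line (for example "/* no memory encryption mask for EPT */") and a comment describing me_mask on the prototype in kvm_host.h would cover it.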