* [PATCH] KVM: SVM: Treat SVM as unsupported when running as an SEV guest
@ 2021-02-02 21:20 Sean Christopherson
2021-02-03 8:02 ` Paolo Bonzini
0 siblings, 1 reply; 2+ messages in thread
From: Sean Christopherson @ 2021-02-02 21:20 UTC (permalink / raw)
To: Paolo Bonzini, Dave Hansen, Andy Lutomirski, Peter Zijlstra
Cc: Sean Christopherson, Vitaly Kuznetsov, Wanpeng Li, Jim Mattson,
Joerg Roedel, kvm, linux-kernel
Don't let KVM load when running as an SEV guest, regardless of what
CPUID says. Memory is encrypted with a key that is not accessible to
the host (L0), thus it's impossible for L0 to emulate SVM, e.g. it'll
see garbage when reading the VMCB.
Technically, KVM could decrypt all memory that needs to be accessible to
the L0 and use shadow paging so that L0 does not need to shadow NPT, but
exposing such information to L0 largely defeats the purpose of running as
an SEV guest. This can always be revisited if someone comes up with a
use case for running VMs inside SEV guests.
Note, VMLOAD, VMRUN, etc... will also #GP on GPAs with C-bit set, i.e. KVM
is doomed even if the SEV guest is debuggable and the hypervisor is willing
to decrypt the VMCB. This may or may not be fixed on CPUs that have the
SVME_ADDR_CHK fix.
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
---
FWIW, I did get nested SVM working on SEV by decrypting all structures
that are shadowed by L0, albeit with many restrictions. So even though
there's unlikely to be a legitimate use case, I don't think KVM (as L0)
needs to be changed to disallow nSVM for SEV guests, userspace is
ultimately the one that should hide SVM from L1.
arch/x86/kvm/svm/svm.c | 5 +++++
arch/x86/mm/mem_encrypt.c | 1 +
2 files changed, 6 insertions(+)
diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
index 687876211ebe..9fb367cb4f15 100644
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -448,6 +448,11 @@ static int has_svm(void)
return 0;
}
+ if (sev_active()) {
+ pr_info("KVM is unsupported when running as an SEV guest\n");
+ return 0;
+ }
+
return 1;
}
diff --git a/arch/x86/mm/mem_encrypt.c b/arch/x86/mm/mem_encrypt.c
index c79e5736ab2b..c3d5f0236f35 100644
--- a/arch/x86/mm/mem_encrypt.c
+++ b/arch/x86/mm/mem_encrypt.c
@@ -382,6 +382,7 @@ bool sev_active(void)
{
return sev_status & MSR_AMD64_SEV_ENABLED;
}
+EXPORT_SYMBOL_GPL(sev_active);
/* Needs to be called from non-instrumentable code */
bool noinstr sev_es_active(void)
--
2.30.0.365.g02bc693789-goog
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] KVM: SVM: Treat SVM as unsupported when running as an SEV guest
2021-02-02 21:20 [PATCH] KVM: SVM: Treat SVM as unsupported when running as an SEV guest Sean Christopherson
@ 2021-02-03 8:02 ` Paolo Bonzini
0 siblings, 0 replies; 2+ messages in thread
From: Paolo Bonzini @ 2021-02-03 8:02 UTC (permalink / raw)
To: Sean Christopherson, Dave Hansen, Andy Lutomirski, Peter Zijlstra
Cc: Vitaly Kuznetsov, Wanpeng Li, Jim Mattson, Joerg Roedel, kvm,
linux-kernel
On 02/02/21 22:20, Sean Christopherson wrote:
> Don't let KVM load when running as an SEV guest, regardless of what
> CPUID says. Memory is encrypted with a key that is not accessible to
> the host (L0), thus it's impossible for L0 to emulate SVM, e.g. it'll
> see garbage when reading the VMCB.
>
> Technically, KVM could decrypt all memory that needs to be accessible to
> the L0 and use shadow paging so that L0 does not need to shadow NPT, but
> exposing such information to L0 largely defeats the purpose of running as
> an SEV guest. This can always be revisited if someone comes up with a
> use case for running VMs inside SEV guests.
>
> Note, VMLOAD, VMRUN, etc... will also #GP on GPAs with C-bit set, i.e. KVM
> is doomed even if the SEV guest is debuggable and the hypervisor is willing
> to decrypt the VMCB. This may or may not be fixed on CPUs that have the
> SVME_ADDR_CHK fix.
>
> Cc: stable@vger.kernel.org
> Signed-off-by: Sean Christopherson <seanjc@google.com>
> ---
>
> FWIW, I did get nested SVM working on SEV by decrypting all structures
> that are shadowed by L0, albeit with many restrictions. So even though
> there's unlikely to be a legitimate use case, I don't think KVM (as L0)
> needs to be changed to disallow nSVM for SEV guests, userspace is
> ultimately the one that should hide SVM from L1.
>
> arch/x86/kvm/svm/svm.c | 5 +++++
> arch/x86/mm/mem_encrypt.c | 1 +
> 2 files changed, 6 insertions(+)
>
> diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
> index 687876211ebe..9fb367cb4f15 100644
> --- a/arch/x86/kvm/svm/svm.c
> +++ b/arch/x86/kvm/svm/svm.c
> @@ -448,6 +448,11 @@ static int has_svm(void)
> return 0;
> }
>
> + if (sev_active()) {
> + pr_info("KVM is unsupported when running as an SEV guest\n");
> + return 0;
> + }
> +
> return 1;
> }
>
> diff --git a/arch/x86/mm/mem_encrypt.c b/arch/x86/mm/mem_encrypt.c
> index c79e5736ab2b..c3d5f0236f35 100644
> --- a/arch/x86/mm/mem_encrypt.c
> +++ b/arch/x86/mm/mem_encrypt.c
> @@ -382,6 +382,7 @@ bool sev_active(void)
> {
> return sev_status & MSR_AMD64_SEV_ENABLED;
> }
> +EXPORT_SYMBOL_GPL(sev_active);
>
> /* Needs to be called from non-instrumentable code */
> bool noinstr sev_es_active(void)
>
Queued, thanks.
Paolo
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-02-03 8:04 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-02-02 21:20 [PATCH] KVM: SVM: Treat SVM as unsupported when running as an SEV guest Sean Christopherson
2021-02-03 8:02 ` Paolo Bonzini
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).