Xen project Mailing List

[PATCH v2 1/3] amd/msr: implement VIRT_SPEC_CTRL for HVM guests on top of SPEC_CTRL

From: Roger Pau Monne <roger.pau@xxxxxxxxxx>

Date: Tue, 15 Mar 2022 15:18:05 +0100

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=ydoKvzijOpuejbc717jjBMoXN5ikPR5XfqS80f3JJYA=; b=nu5CQuiLTxOxZ2fhSPEEgmZzpvpiq+0hfPbI3ehlWWG7vQtAYhoy41NCUZ+8jX7WrXsI9Lgy1fcpkBNCsoEMzLxau+Pu35L+k5WVR93+9vgvixPjn7l2o7HKN/n3JjsuRAbmB6rSiF0Clh/BSHIHdYrKg+zLJ0NJ4XaT+nJszzmgQB/F7E8iOrdK4z3NxeJvnCDSuaZ4XAex7UJ8uSJCSxXccU+ilys4trQiD5fSk4Ga9a5/P2scAX7yB3A+EiXTHlAKavoRlxO1pFoB02vZrz7f/OvRbHzpJlCVzWVZICXBdyNtvSVvxWAvYoXOq/MQPEbTFYIheWxMQVJUGpl3jA==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=GTg1HWzoNOCs30EYOPA6EBRQ3tk2N9qel7QFV1yiN5AWQ5TZ4HF2F4Q/IgFV5bdiQXM/if6/+7QUNajiLjEQSPNrWFoF/YORUrtW1DxUcAKFYlPlg2AVutAUrnk4t3e0fU9bpNWKXGifF+q6gEk6xyQMBTt5504JQSSGKa+M/8DWsv4/3nxWx73qvG4cD18PuCxW3bUI3ohgeu07xNQT82/lT5Vg9c+F8uocHjL2F7YAAoKrpESCQtvUJAvzomrolMu+F48hsAFkH1Bn9ljuiBFj2dgdscgWkF4ilKSySbhN8nSoM/aN5cNk5Cfaja3gYWka2VNsQ7fFwieFw/NErw==

Authentication-results: esa5.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com

Cc: Roger Pau Monne <roger.pau@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>

Delivery-date: Tue, 15 Mar 2022 14:18:31 +0000

Ironport-data: A9a23:u63cnqvbJttPEqhSkBTWcoaMEefnVEFeMUV32f8akzHdYApBsoF/q tZmKTqOM/+DYGqgftwnO9mzphwFuJDcmtQ1TFM6pCs2HiMX+JbJXdiXEBz9bniYRiHhoOOLz Cm8hv3odp1coqr0/0/1WlTZhSAgk/nOHNIQMcacUsxLbVYMpBwJ1FQyw4bVvqYy2YLjW1jU5 IupyyHiEATNNwBcYzp8B52r8HuDjNyq0N/PlgVjDRzjlAa2e0g9VPrzF4noR5fLatA88tqBb /TC1NmEElbxpH/BPD8HfoHTKSXmSpaKVeSHZ+E/t6KK2nCurQRquko32WZ1he66RFxlkvgoo Oihu6BcRi8IJ4PhldYAdiNkKAc9OZB0yY7ecEKW5Jn7I03uKxMAwt1rBUAye4YZ5vx2ESdF8 vlwxDIlN07ZwbjsmfTiF7cq1p9LwMrDZevzvll6yj7UF7A+SI3rSKTW/95Imjw3g6iiGN6AO pVEN2E1NHwsZTVNH0tJKNE+ptv4pV2hUWIJmXaXi/QOtj27IAtZj+G2bYu9lsaxbdpRtlaVo CTB5WuRKhMQOcGbyDGF2mmxneKJliT+MKoCGbv9+vN0jVm7wm0IFAZQRVa9ueO+iEO1R5RYM UN8x8Y1hfFsrgrxFIC7BkDm5i7f1vIBZzZOO8wjxiyA+Lfx2TqiICsAcwxwWcV3juZjEFTGy WS1t9/uADVutpicRnSc6qqYoFuOBMQFEYMRTXRaFFVYurEPtKl210uSFYg7TMZZm/WvQVnNL ya2QD/Sbln5peoCzO2F8F/OmFpATbCZH1dutm07so9Ihz6VhbJJhaT1sTA3Dt4ade51q2VtW lBfw6ByC8hUUfmweNSlGrllIV1Qz6/t3MfgqVBuBYI90D+m5mSue4tdiBknehs2aJdeIGW5O RWJ0e+02HO1FCDzBUOQS9jtY/nGMIC6TYi1PhwqRocmjmdNmP+vo3g1OB/4M5HFm0kwi6AvU ap3gu73ZUv2/Z9PlWLsL89EiOdD7nlnmQv7GMCqpzz6gOH2TCPEFt843K6mM7lRAFWs+16Or b6y9qKiln1ibQEJSnKOoNBJcgxScyRT6FKfg5U/S9Nv6zFOQQkJI/TQ3akga8pimaFUnf3P5 XazRglTz1+XuJENAV/ihqxLAF83YatCkA==

Ironport-hdrordr: A9a23:8E5XY6Ng8SCf5cBcTqKjsMiBIKoaSvp037BL7SBMoHluGfBw+P rCoB1273XJYVUqOU3I5+ruBEDoexq1yXcf2+Us1NmZMjXbhA==

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Use the logic to set shadow SPEC_CTRL values in order to implement support for VIRT_SPEC_CTRL (signaled by VIRT_SSBD CPUID flag) for HVM guests. This includes using the spec_ctrl vCPU MSR variable to store the guest set value of VIRT_SPEC_CTRL.SSBD, which will be OR'ed with any SPEC_CTRL values being set by the guest. On hardware having SPEC_CTRL VIRT_SPEC_CTRL will not be offered by default to guests. VIRT_SPEC_CTRL will only be part of the max CPUID policy so it can be enabled for compatibility purposes. Note that '!' is used in order to tag the VIRT_SSBD feature as specially handled. It's possible for the feature to be available to guests on hardware that doesn't support it natively, for example when implemented as done by this patch on top of SPEC_CTRL.SSBD (AMD_SSBD). Suggested-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx> --- Changes since v1: - Only expose VIRT_SSBD if AMD_SSBD is available on the host. - Revert change to msr-sc= command line option documentation. - Only set or clear the SSBD bit of spec_ctrl. --- xen/arch/x86/cpuid.c | 7 +++++++ xen/arch/x86/hvm/hvm.c | 1 + xen/arch/x86/include/asm/msr.h | 4 ++++ xen/arch/x86/msr.c | 21 +++++++++++++++++++++ xen/arch/x86/spec_ctrl.c | 3 ++- xen/include/public/arch-x86/cpufeatureset.h | 2 +- 6 files changed, 36 insertions(+), 2 deletions(-) diff --git a/xen/arch/x86/cpuid.c b/xen/arch/x86/cpuid.c index bb554b06a7..4ca77ea870 100644 --- a/xen/arch/x86/cpuid.c +++ b/xen/arch/x86/cpuid.c @@ -543,6 +543,13 @@ static void __init calculate_hvm_max_policy(void) __clear_bit(X86_FEATURE_IBRSB, hvm_featureset); __clear_bit(X86_FEATURE_IBRS, hvm_featureset); } + else if ( boot_cpu_has(X86_FEATURE_AMD_SSBD) ) + /* + * If SPEC_CTRL.SSBD is available VIRT_SPEC_CTRL.SSBD can be exposed + * and implemented using the former. Expose in the max policy only as + * the preference is for guests to use SPEC_CTRL.SSBD if available. + */ + __set_bit(X86_FEATURE_VIRT_SSBD, hvm_featureset); /* * With VT-x, some features are only supported by Xen if dedicated diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c index 709a4191ef..595858f2a7 100644 --- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c @@ -1334,6 +1334,7 @@ static const uint32_t msrs_to_send[] = { MSR_INTEL_MISC_FEATURES_ENABLES, MSR_IA32_BNDCFGS, MSR_IA32_XSS, + MSR_VIRT_SPEC_CTRL, MSR_AMD64_DR0_ADDRESS_MASK, MSR_AMD64_DR1_ADDRESS_MASK, MSR_AMD64_DR2_ADDRESS_MASK, diff --git a/xen/arch/x86/include/asm/msr.h b/xen/arch/x86/include/asm/msr.h index ce4fe51afe..ab6fbb5051 100644 --- a/xen/arch/x86/include/asm/msr.h +++ b/xen/arch/x86/include/asm/msr.h @@ -291,6 +291,7 @@ struct vcpu_msrs { /* * 0x00000048 - MSR_SPEC_CTRL + * 0xc001011f - MSR_VIRT_SPEC_CTRL (if X86_FEATURE_AMD_SSBD) * * For PV guests, this holds the guest kernel value. It is accessed on * every entry/exit path. @@ -306,6 +307,9 @@ struct vcpu_msrs * We must clear/restore Xen's value before/after VMRUN to avoid unduly * influencing the guest. In order to support "behind the guest's back" * protections, we load this value (commonly 0) before VMRUN. + * + * Once of such "behind the guest's back" usages is setting SPEC_CTRL.SSBD + * if the guest sets VIRT_SPEC_CTRL.SSBD. */ struct { uint32_t raw; diff --git a/xen/arch/x86/msr.c b/xen/arch/x86/msr.c index 01a15857b7..b212acf29d 100644 --- a/xen/arch/x86/msr.c +++ b/xen/arch/x86/msr.c @@ -381,6 +381,13 @@ int guest_rdmsr(struct vcpu *v, uint32_t msr, uint64_t *val) ? K8_HWCR_TSC_FREQ_SEL : 0; break; + case MSR_VIRT_SPEC_CTRL: + if ( !cp->extd.virt_ssbd ) + goto gp_fault; + + *val = msrs->spec_ctrl.raw & SPEC_CTRL_SSBD; + break; + case MSR_AMD64_DE_CFG: if ( !(cp->x86_vendor & (X86_VENDOR_AMD | X86_VENDOR_HYGON)) ) goto gp_fault; @@ -666,6 +673,20 @@ int guest_wrmsr(struct vcpu *v, uint32_t msr, uint64_t val) wrmsr_tsc_aux(val); break; + case MSR_VIRT_SPEC_CTRL: + if ( !cp->extd.virt_ssbd ) + goto gp_fault; + + /* + * Only supports SSBD bit, the rest are ignored. Only modify the SSBD + * bit in case other bits are set. + */ + if ( val & SPEC_CTRL_SSBD ) + msrs->spec_ctrl.raw |= SPEC_CTRL_SSBD; + else + msrs->spec_ctrl.raw &= ~SPEC_CTRL_SSBD; + break; + case MSR_AMD64_DE_CFG: /* * OpenBSD 6.7 will panic if writing to DE_CFG triggers a #GP: diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 1408e4c7ab..f338bfe292 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -402,12 +402,13 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps) * mitigation support for guests. */ #ifdef CONFIG_HVM - printk(" Support for HVM VMs:%s%s%s%s%s\n", + printk(" Support for HVM VMs:%s%s%s%s%s%s\n", (boot_cpu_has(X86_FEATURE_SC_MSR_HVM) || boot_cpu_has(X86_FEATURE_SC_RSB_HVM) || boot_cpu_has(X86_FEATURE_MD_CLEAR) || opt_eager_fpu) ? "" : " None", boot_cpu_has(X86_FEATURE_SC_MSR_HVM) ? " MSR_SPEC_CTRL" : "", + boot_cpu_has(X86_FEATURE_SC_MSR_HVM) ? " MSR_VIRT_SPEC_CTRL" : "", boot_cpu_has(X86_FEATURE_SC_RSB_HVM) ? " RSB" : "", opt_eager_fpu ? " EAGER_FPU" : "", boot_cpu_has(X86_FEATURE_MD_CLEAR) ? " MD_CLEAR" : ""); diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h index 9cee4b439e..b797c6bea1 100644 --- a/xen/include/public/arch-x86/cpufeatureset.h +++ b/xen/include/public/arch-x86/cpufeatureset.h @@ -265,7 +265,7 @@ XEN_CPUFEATURE(IBRS_SAME_MODE, 8*32+19) /*S IBRS provides same-mode protection XEN_CPUFEATURE(NO_LMSL, 8*32+20) /*S EFER.LMSLE no longer supported. */ XEN_CPUFEATURE(AMD_PPIN, 8*32+23) /* Protected Processor Inventory Number */ XEN_CPUFEATURE(AMD_SSBD, 8*32+24) /*S MSR_SPEC_CTRL.SSBD available */ -XEN_CPUFEATURE(VIRT_SSBD, 8*32+25) /* MSR_VIRT_SPEC_CTRL.SSBD */ +XEN_CPUFEATURE(VIRT_SSBD, 8*32+25) /*!s MSR_VIRT_SPEC_CTRL.SSBD */ XEN_CPUFEATURE(SSB_NO, 8*32+26) /*A Hardware not vulnerable to SSB */ XEN_CPUFEATURE(PSFD, 8*32+28) /*S MSR_SPEC_CTRL.PSFD */ -- 2.34.1

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.