Xen project Mailing List

[PATCH v3 1/3] amd/msr: implement VIRT_SPEC_CTRL for HVM guests on top of SPEC_CTRL

From: Roger Pau Monne <roger.pau@xxxxxxxxxx>

Date: Thu, 31 Mar 2022 11:27:15 +0200

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=rAw124Di0ueDnIBDAjnts+YHpoOqLIJr7FiTknmZajY=; b=B4RSzIuLkR071UPcdoMK3C2OvIncCTrcbqfkV6wDwnDtxV9Dc7iKs/ndMMSv3suWu/BLmCCNJSmcXx+cMUXd01zEksteGnZG/n4M9XKXVZDDlYb8arL5mowFMHFmQGWZ4gt/9E2NWz+S+p80FSPze6p3UpBQ8ia7d9X1gRavOdzHPnOMW3YpYPIqt3OgxchZSaI0ntz3Nfac6jK4fo7T/xYrhXL1J2CQ/CcYogzaa1CD/FAKGxEgEpTB+J+WBSAGhmpfQEDSXdjglYc5ohV6MqUttOClcBBbhTQ6/Q59bKM97jNFfTIW1CsctsD4ZdnJNSUAzFnFUpIlPnMEi/jvVQ==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=klmzBhd9T1gU8RgFDkdRZrsVbVb2Bge91BowZBamhOkftkFm10HS1vgEXpK+jtWy6euxu3XFpdYKcDnemGMRxxzbte2YRzqR0NBptX92XW/3hObmmK/4CjEitQc93y5jPbuPZYtXRdrqt6U9G5zYxNZ8f6CwpRAqKyPBrAzpoag8Vxw0nte2B1yWqp0+vvi0+5aeUL0uQvqpon2CqAkLGTNnnrs/34jlhxhLVIY4O6cBBKHdrcBJnfWJWFdJsFz2gHYNq0TuzZNxTN67ikZrr/rZ3FHY5NHID9csoJN80Z6JYF3JayoQbDc/Zx6k6zrF84rc3RazZuolChh8LBaIvQ==

Authentication-results: esa3.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com

Cc: Roger Pau Monne <roger.pau@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>

Delivery-date: Thu, 31 Mar 2022 09:29:03 +0000

Ironport-data: A9a23:qt7wsaLzIXEvAJ7eFE+RxpUlxSXFcZb7ZxGr2PjKsXjdYENShTMCm 2FOWm7QP/jcNzbyKNEgPt/n9RgDvZDVzd9nSAVlqX01Q3x08seUXt7xwmUcns+xwm8vaGo9s q3yv/GZdJhcokf0/0vrav67xZVF/fngqoDUUYYoAQgsA148IMsdoUg7wbRh2dUx2YHR7z6l4 rseneWOYDdJ5BYsWo4kw/rrRMRH5amaVJsw5zTSVNgT1LPsvyB94KE3fMldG0DQUIhMdtNWc s6YpF2PEsE1yD92Yj+tuu6TnkTn2dc+NyDW4pZdc/DKbhSvOkXee0v0XRYRQR4/ttmHozx+4 NNp6My1cSUWBfeWoPkGSDIHHCdOP6ITrdcrIVDn2SCS50jPcn+qyPRyFkAme4Yf/46bA0kXq 6ZecmpUKEne2aTmm9pXScE17ignBNPsM44F/Glp0BnSDOo8QICFSKLPjTNd9Glv2JsVTa2OD yYfQRtxaUzMYjZIA3VUE74ahdiohFrnfwQN/Tp5ooJoujOOnWSdyoPFL979atGMA8JPkS6wp GjL4mD4CREyL8GExHyO9XfErv/Cm2b3VZwfEJW89+V2mxuDy2oLEhoUWFCn5/6jhSaDt8l3c hJOvHB09O5rqRLtHoKVswCETGCsuDpBC99oMdIBslu117HPyFmWAFgGQWsUADA5j/MeSTsv3 16PutrmAz1zrbGYIU6gGqeoQSCaYnZMczJbDcMQZU5cuoS4/tlv5v7aZow7eJNZmOEZDt0ZL 9qiiCElz4segscQv0lQ1QCW2mn8znQlo+Nc2+k2Yo5Hxl4hDGJGT9bxgbQ+0RqmBNzDJrVml CJY8/VyFMhUUfmweNWlGY3h5o2B6fefKyH7ilVyBZQn/DnF0yf9IdAOvmwheh00bZtsldrVj Kn741k5CHh7ZibCUEOKS9jpV5RCIVbIS7wJqcw4nvIRO8MsJWdrDQllZFKK3nCFraTfufpXB HtvSu71VSxyIf0+lFKeHr5BuZd2lnFW7T6CHvjTkkX4uYdykVbIEN/pxnPVNbtnhE5FyS2Im +ti2zyikEsHCrSkMniKqeb+7zkidBAGOHw/kOQOHsarKQt6AmAxTfjXxLIqYYt+mKpJ0OzP+ xmAtoVwkTITWVWvxd22V01e

Ironport-hdrordr: A9a23:pMFkz6yRVEyAPOSPp0M2KrPwKL1zdoMgy1knxilNoHtuA6ulfq GV7ZAmPHrP4wr5N0tNpTntAsa9qBDnlaKdg7N+AV7KZmCP0gaVxepZjLfK8nnNHDD/6/4Y9Y oISdkaNDQoNykYsS8t2njbL+od

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Use the logic to set shadow SPEC_CTRL values in order to implement support for VIRT_SPEC_CTRL (signaled by VIRT_SSBD CPUID flag) for HVM guests. This includes using the spec_ctrl vCPU MSR variable to store the guest set value of VIRT_SPEC_CTRL.SSBD, which will be OR'ed with any SPEC_CTRL values being set by the guest. On hardware having SPEC_CTRL VIRT_SPEC_CTRL will not be offered by default to guests. VIRT_SPEC_CTRL will only be part of the max CPUID policy so it can be enabled for compatibility purposes. Some reasoning regarding why '!s' is used to annotate the feature: * '!': the feature might be exposed to guests even when not present on the host hardware. * 's': the feature won't be exposed by default. Suggested-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx> --- Changes since v2: - Reword reasoning for using '!s'. - Trim comment about only setting SSBD bit in spec_ctrl.raw. Changes since v1: - Only expose VIRT_SSBD if AMD_SSBD is available on the host. - Revert change to msr-sc= command line option documentation. - Only set or clear the SSBD bit of spec_ctrl. --- xen/arch/x86/cpuid.c | 7 +++++++ xen/arch/x86/hvm/hvm.c | 1 + xen/arch/x86/include/asm/msr.h | 4 ++++ xen/arch/x86/msr.c | 18 ++++++++++++++++++ xen/arch/x86/spec_ctrl.c | 3 ++- xen/include/public/arch-x86/cpufeatureset.h | 2 +- 6 files changed, 33 insertions(+), 2 deletions(-) diff --git a/xen/arch/x86/cpuid.c b/xen/arch/x86/cpuid.c index bb554b06a7..4ca77ea870 100644 --- a/xen/arch/x86/cpuid.c +++ b/xen/arch/x86/cpuid.c @@ -543,6 +543,13 @@ static void __init calculate_hvm_max_policy(void) __clear_bit(X86_FEATURE_IBRSB, hvm_featureset); __clear_bit(X86_FEATURE_IBRS, hvm_featureset); } + else if ( boot_cpu_has(X86_FEATURE_AMD_SSBD) ) + /* + * If SPEC_CTRL.SSBD is available VIRT_SPEC_CTRL.SSBD can be exposed + * and implemented using the former. Expose in the max policy only as + * the preference is for guests to use SPEC_CTRL.SSBD if available. + */ + __set_bit(X86_FEATURE_VIRT_SSBD, hvm_featureset); /* * With VT-x, some features are only supported by Xen if dedicated diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c index 709a4191ef..595858f2a7 100644 --- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c @@ -1334,6 +1334,7 @@ static const uint32_t msrs_to_send[] = { MSR_INTEL_MISC_FEATURES_ENABLES, MSR_IA32_BNDCFGS, MSR_IA32_XSS, + MSR_VIRT_SPEC_CTRL, MSR_AMD64_DR0_ADDRESS_MASK, MSR_AMD64_DR1_ADDRESS_MASK, MSR_AMD64_DR2_ADDRESS_MASK, diff --git a/xen/arch/x86/include/asm/msr.h b/xen/arch/x86/include/asm/msr.h index ce4fe51afe..ab6fbb5051 100644 --- a/xen/arch/x86/include/asm/msr.h +++ b/xen/arch/x86/include/asm/msr.h @@ -291,6 +291,7 @@ struct vcpu_msrs { /* * 0x00000048 - MSR_SPEC_CTRL + * 0xc001011f - MSR_VIRT_SPEC_CTRL (if X86_FEATURE_AMD_SSBD) * * For PV guests, this holds the guest kernel value. It is accessed on * every entry/exit path. @@ -306,6 +307,9 @@ struct vcpu_msrs * We must clear/restore Xen's value before/after VMRUN to avoid unduly * influencing the guest. In order to support "behind the guest's back" * protections, we load this value (commonly 0) before VMRUN. + * + * Once of such "behind the guest's back" usages is setting SPEC_CTRL.SSBD + * if the guest sets VIRT_SPEC_CTRL.SSBD. */ struct { uint32_t raw; diff --git a/xen/arch/x86/msr.c b/xen/arch/x86/msr.c index 01a15857b7..72c175fd8b 100644 --- a/xen/arch/x86/msr.c +++ b/xen/arch/x86/msr.c @@ -381,6 +381,13 @@ int guest_rdmsr(struct vcpu *v, uint32_t msr, uint64_t *val) ? K8_HWCR_TSC_FREQ_SEL : 0; break; + case MSR_VIRT_SPEC_CTRL: + if ( !cp->extd.virt_ssbd ) + goto gp_fault; + + *val = msrs->spec_ctrl.raw & SPEC_CTRL_SSBD; + break; + case MSR_AMD64_DE_CFG: if ( !(cp->x86_vendor & (X86_VENDOR_AMD | X86_VENDOR_HYGON)) ) goto gp_fault; @@ -666,6 +673,17 @@ int guest_wrmsr(struct vcpu *v, uint32_t msr, uint64_t val) wrmsr_tsc_aux(val); break; + case MSR_VIRT_SPEC_CTRL: + if ( !cp->extd.virt_ssbd ) + goto gp_fault; + + /* Only supports SSBD bit, the rest are ignored. */ + if ( val & SPEC_CTRL_SSBD ) + msrs->spec_ctrl.raw |= SPEC_CTRL_SSBD; + else + msrs->spec_ctrl.raw &= ~SPEC_CTRL_SSBD; + break; + case MSR_AMD64_DE_CFG: /* * OpenBSD 6.7 will panic if writing to DE_CFG triggers a #GP: diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 1408e4c7ab..f338bfe292 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -402,12 +402,13 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps) * mitigation support for guests. */ #ifdef CONFIG_HVM - printk(" Support for HVM VMs:%s%s%s%s%s\n", + printk(" Support for HVM VMs:%s%s%s%s%s%s\n", (boot_cpu_has(X86_FEATURE_SC_MSR_HVM) || boot_cpu_has(X86_FEATURE_SC_RSB_HVM) || boot_cpu_has(X86_FEATURE_MD_CLEAR) || opt_eager_fpu) ? "" : " None", boot_cpu_has(X86_FEATURE_SC_MSR_HVM) ? " MSR_SPEC_CTRL" : "", + boot_cpu_has(X86_FEATURE_SC_MSR_HVM) ? " MSR_VIRT_SPEC_CTRL" : "", boot_cpu_has(X86_FEATURE_SC_RSB_HVM) ? " RSB" : "", opt_eager_fpu ? " EAGER_FPU" : "", boot_cpu_has(X86_FEATURE_MD_CLEAR) ? " MD_CLEAR" : ""); diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h index 9cee4b439e..b797c6bea1 100644 --- a/xen/include/public/arch-x86/cpufeatureset.h +++ b/xen/include/public/arch-x86/cpufeatureset.h @@ -265,7 +265,7 @@ XEN_CPUFEATURE(IBRS_SAME_MODE, 8*32+19) /*S IBRS provides same-mode protection XEN_CPUFEATURE(NO_LMSL, 8*32+20) /*S EFER.LMSLE no longer supported. */ XEN_CPUFEATURE(AMD_PPIN, 8*32+23) /* Protected Processor Inventory Number */ XEN_CPUFEATURE(AMD_SSBD, 8*32+24) /*S MSR_SPEC_CTRL.SSBD available */ -XEN_CPUFEATURE(VIRT_SSBD, 8*32+25) /* MSR_VIRT_SPEC_CTRL.SSBD */ +XEN_CPUFEATURE(VIRT_SSBD, 8*32+25) /*!s MSR_VIRT_SPEC_CTRL.SSBD */ XEN_CPUFEATURE(SSB_NO, 8*32+26) /*A Hardware not vulnerable to SSB */ XEN_CPUFEATURE(PSFD, 8*32+28) /*S MSR_SPEC_CTRL.PSFD */ -- 2.35.1

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.