lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <aee0d84b-52b6-bf1e-557f-5990dfe4000d@amd.com>
Date:   Tue, 26 Jan 2021 09:39:17 -0600
From:   Wei Huang <wehuang@...hat.com>
To:     Maxim Levitsky <mlevitsk@...hat.com>, kvm@...r.kernel.org
Cc:     linux-kernel@...r.kernel.org, pbonzini@...hat.com,
        vkuznets@...hat.com, seanjc@...gle.com, joro@...tes.org,
        bp@...en8.de, tglx@...utronix.de, mingo@...hat.com, x86@...nel.org,
        jmattson@...gle.com, wanpengli@...cent.com, bsd@...hat.com,
        dgilbert@...hat.com, luto@...capital.net
Subject: Re: [PATCH v3 3/4] KVM: SVM: Add support for SVM instruction address
 check change



On 1/26/21 5:52 AM, Maxim Levitsky wrote:
> On Tue, 2021-01-26 at 03:18 -0500, Wei Huang wrote:
>> New AMD CPUs have a change that checks #VMEXIT intercept on special SVM
>> instructions before checking their EAX against reserved memory region.
>> This change is indicated by CPUID_0x8000000A_EDX[28]. If it is 1, #VMEXIT
>> is triggered before #GP. KVM doesn't need to intercept and emulate #GP
>> faults as #GP is supposed to be triggered.
>>
>> Co-developed-by: Bandan Das <bsd@...hat.com>
>> Signed-off-by: Bandan Das <bsd@...hat.com>
>> Signed-off-by: Wei Huang <wei.huang2@....com>
>> Reviewed-by: Maxim Levitsky <mlevitsk@...hat.com>
>> ---
>>   arch/x86/include/asm/cpufeatures.h | 1 +
>>   arch/x86/kvm/svm/svm.c             | 3 +++
>>   2 files changed, 4 insertions(+)
>>
>> diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
>> index 84b887825f12..ea89d6fdd79a 100644
>> --- a/arch/x86/include/asm/cpufeatures.h
>> +++ b/arch/x86/include/asm/cpufeatures.h
>> @@ -337,6 +337,7 @@
>>   #define X86_FEATURE_AVIC		(15*32+13) /* Virtual Interrupt Controller */
>>   #define X86_FEATURE_V_VMSAVE_VMLOAD	(15*32+15) /* Virtual VMSAVE VMLOAD */
>>   #define X86_FEATURE_VGIF		(15*32+16) /* Virtual GIF */
>> +#define X86_FEATURE_SVME_ADDR_CHK	(15*32+28) /* "" SVME addr check */
>>   
>>   /* Intel-defined CPU features, CPUID level 0x00000007:0 (ECX), word 16 */
>>   #define X86_FEATURE_AVX512VBMI		(16*32+ 1) /* AVX512 Vector Bit Manipulation instructions*/
>> diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
>> index e5ca01e25e89..f9233c79265b 100644
>> --- a/arch/x86/kvm/svm/svm.c
>> +++ b/arch/x86/kvm/svm/svm.c
>> @@ -1036,6 +1036,9 @@ static __init int svm_hardware_setup(void)
>>   		}
>>   	}
>>   
>> +	if (boot_cpu_has(X86_FEATURE_SVME_ADDR_CHK))
>> +		svm_gp_erratum_intercept = false;
>> +
> Again, I would make svm_gp_erratum_intercept a tri-state module param,
> and here if it is in 'auto' state do this.
> 

I will try to craft a param patch and see if it flies...

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ