Date: Fri, 28 Oct 2022 19:07:16 -0400
From: Paolo Bonzini <pbonzini@...hat.com>
To: linux-kernel@...r.kernel.org, kvm@...r.kernel.org
Cc: jmattson@...gle.com, seanjc@...gle.com, jpoimboe@...nel.org
Subject: [RFC PATCH 0/7] KVM: SVM: move MSR_IA32_SPEC_CTRL save/restore to assembly

On the Intel side, restoration of the guest's IA32_SPEC_CTRL is done as late as
possible before vmentry, with the comment:

	 * IMPORTANT: To avoid RSB underflow attacks and any other nastiness,
	 * there must not be any returns or indirect branches between this code
	 * and vmentry.

On AMD, there is no need to avoid returns or indirect branches between wrmsr
and vmrun because Linux doesn't use IBRS; however, restoration of the host
IA32_SPEC_CTRL value is definitely way too late.

With respect to the user/kernel boundary, AMD says, "If software chooses to
toggle STIBP (e.g., set STIBP on kernel entry, and clear it on kernel exit),
software should set STIBP to 1 before executing the return thunk training
sequence."  Assuming the same requirements apply to the guest/host boundary,
KVM does not respect this recommendation: the return thunk training sequence
is in vmenter.S, quite close to the VM-exit, while the host's IA32_SPEC_CTRL
value is only restored much later for hosts without V_SPEC_CTRL.

In the absence of clarifications for AMD, move all the SPEC_CTRL handling to
assembly code and, in passing, also make the Intel and AMD code a bit more
similar to each other.

Patches 1-2 are the Intel side, which is just a cleanup.  Patch 3 prepares for
adding asm-offsets.c entries in arch/x86/kvm/svm/svm.h, and patches 4-5 are a
similar cleanup to the earlier VMX ones.  Patch 6 is the bulk of the change,
and finally patch 7 removes now dead code in asm/spec-ctrl.h and
arch/x86/kernel/.

This is RFC because I haven't tested SEV-ES or 32-bit yet.
Paolo

Paolo Bonzini (7):
  KVM: VMX: remove regs argument of __vmx_vcpu_run
  KVM: VMX: more cleanups to __vmx_vcpu_run
  KVM: SVM: extract VMCB accessors to a new file
  KVM: SVM: replace argument of __svm_vcpu_run with vcpu_svm
  KVM: SVM: adjust register allocation for __svm_vcpu_run
  KVM: SVM: move MSR_IA32_SPEC_CTRL save/restore to assembly
  x86, KVM: remove unnecessary argument to x86_virt_spec_ctrl and callers

 arch/x86/include/asm/spec-ctrl.h |  10 +-
 arch/x86/kernel/asm-offsets.c    |   8 ++
 arch/x86/kernel/cpu/bugs.c       |  15 +--
 arch/x86/kvm/svm/avic.c          |   1 +
 arch/x86/kvm/svm/nested.c        |   1 +
 arch/x86/kvm/svm/sev.c           |   1 +
 arch/x86/kvm/svm/svm.c           |  39 +++---
 arch/x86/kvm/svm/svm.h           | 204 +-----------------------------
 arch/x86/kvm/svm/svm_onhyperv.c  |   1 +
 arch/x86/kvm/svm/vmcb.h          | 211 +++++++++++++++++++++++++++++++
 arch/x86/kvm/svm/vmenter.S       | 164 ++++++++++++++++++------
 arch/x86/kvm/vmx/nested.c        |   3 +-
 arch/x86/kvm/vmx/vmenter.S       |  92 ++++++--------
 arch/x86/kvm/vmx/vmx.c           |   3 +-
 arch/x86/kvm/vmx/vmx.h           |   3 +-
 15 files changed, 419 insertions(+), 337 deletions(-)
 create mode 100644 arch/x86/kvm/svm/vmcb.h

-- 
2.31.1
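The cover letter above reasons about the value of IA32_SPEC_CTRL that is in effect on the host around VMRUN, but never spells out the MSR's layout or how to see what a given host is actually running with. The following is an added example, not code from the patch series or from the kernel: a small user-space tool that reads MSR 0x48 on every CPU through the msr driver (/dev/cpu/N/msr, where the file offset is the MSR index) and decodes the architectural bits, so a host administrator can tell whether STIBP or IBRS is in the host's SPEC_CTRL at all and therefore whether the restore ordering discussed here matters on that machine. Bit positions (IBRS=0, STIBP=1, SSBD=2, PSFD=7) are the documented ones; the function names and output format are this example's own.

```c
/*
 * Added example (not part of the RFC series or the kernel): read IA32_SPEC_CTRL
 * on each CPU via the msr driver and decode it.
 * Build: cc -O2 -o spec_ctrl spec_ctrl.c ; run as root after `modprobe msr`.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MSR_IA32_SPEC_CTRL 0x48U
#define SPEC_CTRL_IBRS   (1ULL << 0)   /* Indirect Branch Restricted Speculation */
#define SPEC_CTRL_STIBP  (1ULL << 1)   /* Single Thread Indirect Branch Predictors */
#define SPEC_CTRL_SSBD   (1ULL << 2)   /* Speculative Store Bypass Disable */
#define SPEC_CTRL_PSFD   (1ULL << 7)   /* Predictive Store Forwarding Disable */
#define SPEC_CTRL_KNOWN  (SPEC_CTRL_IBRS | SPEC_CTRL_STIBP | SPEC_CTRL_SSBD | SPEC_CTRL_PSFD)

/*
 * Render the set bits of a SPEC_CTRL value into buf as "IBRS|STIBP" (or "0").
 * Returns the reserved bits that were set; a hypervisor must never write such
 * a value back, since reserved bits #GP on WRMSR.
 */
static uint64_t spec_ctrl_decode(uint64_t v, char *buf, size_t len)
{
    static const struct { uint64_t bit; const char *name; } bits[] = {
        { SPEC_CTRL_IBRS,  "IBRS"  }, { SPEC_CTRL_STIBP, "STIBP" },
        { SPEC_CTRL_SSBD,  "SSBD"  }, { SPEC_CTRL_PSFD,  "PSFD"  },
    };
    size_t n = 0;

    buf[0] = '\0';
    for (size_t i = 0; i < sizeof bits / sizeof bits[0]; i++) {
        if (!(v & bits[i].bit))
            continue;
        int w = snprintf(buf + n, len - n, "%s%s", n ? "|" : "", bits[i].name);
        if (w < 0 || (size_t)w >= len - n)
            break;
        n += (size_t)w;
    }
    if (n == 0)
        snprintf(buf, len, "0");
    return v & ~SPEC_CTRL_KNOWN;
}

/*
 * Read one MSR through /dev/cpu/<cpu>/msr.  The driver uses the file offset
 * as the MSR number and requires 8-byte reads.  Returns 0 or -errno:
 * -ENOENT when the node does not exist (no such CPU, or msr not loaded),
 * -EACCES without root, -EIO when RDMSR faulted (MSR not supported).
 */
static int read_msr(int cpu, uint32_t msr, uint64_t *val)
{
    char path[64];
    int fd, err;
    ssize_t r;

    snprintf(path, sizeof path, "/dev/cpu/%d/msr", cpu);
    fd = open(path, O_RDONLY);
    if (fd < 0)
        return -errno;
    r = pread(fd, val, sizeof *val, (off_t)msr);
    err = (r == (ssize_t)sizeof *val) ? 0 : -(errno ? errno : EIO);
    close(fd);
    return err;
}

int main(void)
{
    char desc[64];

    for (int cpu = 0; cpu < 4096; cpu++) {
        uint64_t v;
        int err = read_msr(cpu, MSR_IA32_SPEC_CTRL, &v);

        if (err == -ENOENT) {
            if (cpu == 0)
                fprintf(stderr, "no /dev/cpu/0/msr: try `modprobe msr`\n");
            break;              /* past the last CPU */
        }
        if (err == -EIO) {
            printf("cpu%d: IA32_SPEC_CTRL not supported\n", cpu);
            continue;
        }
        if (err) {
            fprintf(stderr, "cpu%d: %s\n", cpu, strerror(-err));
            return 1;
        }
        uint64_t rsvd = spec_ctrl_decode(v, desc, sizeof desc);
        printf("cpu%d: IA32_SPEC_CTRL=0x%llx (%s)%s\n", cpu,
               (unsigned long long)v, desc,
               rsvd ? " [reserved bits set]" : "");
    }
    return 0;
}
```

What the tool shows is the host's value at the instant of the read; on an AMD host configured with STIBP always-on you will see STIBP set, and that is exactly the bit AMD's guidance says must already be set when the return thunk training sequence runs after VM-exit. On hosts with V_SPEC_CTRL the hardware switches the MSR at VMRUN/#VMEXIT itself, which is why the cover letter only worries about the late restore on hosts without it.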