lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 5 Dec 2022 21:01:11 +0530
From:   Santosh Shukla <santosh.shukla@....com>
To:     Maxim Levitsky <mlevitsk@...hat.com>, kvm@...r.kernel.org
Cc:     Sandipan Das <sandipan.das@....com>,
        Paolo Bonzini <pbonzini@...hat.com>,
        Jim Mattson <jmattson@...gle.com>,
        Peter Zijlstra <peterz@...radead.org>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        Borislav Petkov <bp@...en8.de>,
        Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>,
        Josh Poimboeuf <jpoimboe@...nel.org>,
        Daniel Sneddon <daniel.sneddon@...ux.intel.com>,
        Jiaxi Chen <jiaxi.chen@...ux.intel.com>,
        Babu Moger <babu.moger@....com>, linux-kernel@...r.kernel.org,
        Jing Liu <jing2.liu@...el.com>,
        Wyes Karny <wyes.karny@....com>, x86@...nel.org,
        "H. Peter Anvin" <hpa@...or.com>,
        Sean Christopherson <seanjc@...gle.com>, santosh.shukla@....com
Subject: Re: [PATCH v2 04/11] KVM: SVM: drop the SVM specific H_FLAGS

On 11/30/2022 1:07 AM, Maxim Levitsky wrote:
> GIF and 'waiting for IRET' are used only for the SVM and thus should
> not be in H_FLAGS.
> 
> NMI mask is not x86 specific but it is only used for SVM without vNMI.
> 
> The VMX have similar concept of NMI mask (soft_vnmi_blocked),
> and it is used when its 'vNMI' feature is not enabled,
> but because the VMX can't intercept IRET, it is more of a hack,
> and thus should not use common host flags either.
> 
> No functional change is intended.
> 
> Suggested-by: Sean Christopherson <seanjc@...gle.com>
> Signed-off-by: Maxim Levitsky <mlevitsk@...hat.com>
> ---
>  arch/x86/include/asm/kvm_host.h |  3 ---
>  arch/x86/kvm/svm/svm.c          | 22 +++++++++++++---------
>  arch/x86/kvm/svm/svm.h          | 25 ++++++++++++++++++++++---
>  3 files changed, 35 insertions(+), 15 deletions(-)
> 
> diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
> index 70af7240a1d5af..9208ad7a6bd004 100644
> --- a/arch/x86/include/asm/kvm_host.h
> +++ b/arch/x86/include/asm/kvm_host.h
> @@ -2052,9 +2052,6 @@ enum {
>  	TASK_SWITCH_GATE = 3,
>  };
>  
> -#define HF_GIF_MASK		(1 << 0)
> -#define HF_NMI_MASK		(1 << 3)
> -#define HF_IRET_MASK		(1 << 4)
>  #define HF_GUEST_MASK		(1 << 5) /* VCPU is in guest-mode */
>  
>  #ifdef CONFIG_KVM_SMM
> diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
> index 91352d69284524..512b2aa21137e2 100644
> --- a/arch/x86/kvm/svm/svm.c
> +++ b/arch/x86/kvm/svm/svm.c
> @@ -1326,6 +1326,9 @@ static void __svm_vcpu_reset(struct kvm_vcpu *vcpu)
>  	vcpu->arch.microcode_version = 0x01000065;
>  	svm->tsc_ratio_msr = kvm_caps.default_tsc_scaling_ratio;
>  
> +	svm->nmi_masked = false;
> +	svm->awaiting_iret_completion = false;
> +
>  	if (sev_es_guest(vcpu->kvm))
>  		sev_es_vcpu_reset(svm);
>  }
> @@ -2470,7 +2473,7 @@ static int iret_interception(struct kvm_vcpu *vcpu)
>  	struct vcpu_svm *svm = to_svm(vcpu);
>  
>  	++vcpu->stat.nmi_window_exits;
> -	vcpu->arch.hflags |= HF_IRET_MASK;
> +	svm->awaiting_iret_completion = true;
>  	if (!sev_es_guest(vcpu->kvm)) {
>  		svm_clr_intercept(svm, INTERCEPT_IRET);
>  		svm->nmi_iret_rip = kvm_rip_read(vcpu);
> @@ -3466,7 +3469,7 @@ static void svm_inject_nmi(struct kvm_vcpu *vcpu)
>  	if (svm->nmi_l1_to_l2)
>  		return;
>  
> -	vcpu->arch.hflags |= HF_NMI_MASK;
> +	svm->nmi_masked = true;
>  	if (!sev_es_guest(vcpu->kvm))
>  		svm_set_intercept(svm, INTERCEPT_IRET);
>  	++vcpu->stat.nmi_injections;
> @@ -3580,7 +3583,7 @@ bool svm_nmi_blocked(struct kvm_vcpu *vcpu)
>  		return false;
>  
>  	ret = (vmcb->control.int_state & SVM_INTERRUPT_SHADOW_MASK) ||
> -	      (vcpu->arch.hflags & HF_NMI_MASK);
> +	      (svm->nmi_masked);
>  
>  	return ret;
>  }
> @@ -3602,7 +3605,7 @@ static int svm_nmi_allowed(struct kvm_vcpu *vcpu, bool for_injection)
>  
>  static bool svm_get_nmi_mask(struct kvm_vcpu *vcpu)
>  {
> -	return !!(vcpu->arch.hflags & HF_NMI_MASK);
> +	return to_svm(vcpu)->nmi_masked;
>  }
>  
>  static void svm_set_nmi_mask(struct kvm_vcpu *vcpu, bool masked)
> @@ -3610,11 +3613,11 @@ static void svm_set_nmi_mask(struct kvm_vcpu *vcpu, bool masked)
>  	struct vcpu_svm *svm = to_svm(vcpu);
>  
>  	if (masked) {
> -		vcpu->arch.hflags |= HF_NMI_MASK;
> +		svm->nmi_masked = true;
>  		if (!sev_es_guest(vcpu->kvm))
>  			svm_set_intercept(svm, INTERCEPT_IRET);
>  	} else {
> -		vcpu->arch.hflags &= ~HF_NMI_MASK;
> +		svm->nmi_masked = false;
>  		if (!sev_es_guest(vcpu->kvm))
>  			svm_clr_intercept(svm, INTERCEPT_IRET);
>  	}
> @@ -3700,7 +3703,7 @@ static void svm_enable_nmi_window(struct kvm_vcpu *vcpu)
>  {
>  	struct vcpu_svm *svm = to_svm(vcpu);
>  
> -	if ((vcpu->arch.hflags & (HF_NMI_MASK | HF_IRET_MASK)) == HF_NMI_MASK)
> +	if (svm->nmi_masked && !svm->awaiting_iret_completion)
>  		return; /* IRET will cause a vm exit */
>  
>  	if (!gif_set(svm)) {
> @@ -3824,10 +3827,11 @@ static void svm_complete_interrupts(struct kvm_vcpu *vcpu)
>  	 * If we've made progress since setting HF_IRET_MASK, we've
>  	 * executed an IRET and can allow NMI injection.
>  	 */
> -	if ((vcpu->arch.hflags & HF_IRET_MASK) &&
> +	if (svm->awaiting_iret_completion &&
>  	    (sev_es_guest(vcpu->kvm) ||
>  	     kvm_rip_read(vcpu) != svm->nmi_iret_rip)) {
> -		vcpu->arch.hflags &= ~(HF_NMI_MASK | HF_IRET_MASK);
> +		svm->awaiting_iret_completion = false;
> +		svm->nmi_masked = false;
>  		kvm_make_request(KVM_REQ_EVENT, vcpu);
>  	}
>  
> diff --git a/arch/x86/kvm/svm/svm.h b/arch/x86/kvm/svm/svm.h
> index 4826e6cc611bf1..587ddc150f9f34 100644
> --- a/arch/x86/kvm/svm/svm.h
> +++ b/arch/x86/kvm/svm/svm.h
> @@ -237,8 +237,24 @@ struct vcpu_svm {
>  
>  	struct svm_nested_state nested;
>  
> +	/* NMI mask value, used when vNMI is not enabled */
> +	bool nmi_masked;
> +
> +	/*
> +	 * True when the NMI still masked but guest IRET was just intercepted
> +	 * and KVM is waiting for RIP change which will signal that this IRET was
> +	 * retired and thus NMI can be unmasked.
> +	 */
> +	bool awaiting_iret_completion;
> +
> +	/*
> +	 * Set when KVM waits for IRET completion and needs to
> +	 * inject NMIs as soon as it completes (e.g NMI is pending injection).
> +	 * The KVM takes over EFLAGS.TF for this.
> +	 */
>  	bool nmi_singlestep;
>  	u64 nmi_singlestep_guest_rflags;
> +
^^^ blank line.

Thanks,
Santosh
>  	bool nmi_l1_to_l2;
>  
>  	unsigned long soft_int_csbase;
> @@ -280,6 +296,9 @@ struct vcpu_svm {
>  	bool guest_state_loaded;
>  
>  	bool x2avic_msrs_intercepted;
> +
> +	/* Guest GIF value which is used when vGIF is not enabled */
> +	bool gif_value;
>  };
>  
>  struct svm_cpu_data {
> @@ -497,7 +516,7 @@ static inline void enable_gif(struct vcpu_svm *svm)
>  	if (vmcb)
>  		vmcb->control.int_ctl |= V_GIF_MASK;
>  	else
> -		svm->vcpu.arch.hflags |= HF_GIF_MASK;
> +		svm->gif_value = true;
>  }
>  
>  static inline void disable_gif(struct vcpu_svm *svm)
> @@ -507,7 +526,7 @@ static inline void disable_gif(struct vcpu_svm *svm)
>  	if (vmcb)
>  		vmcb->control.int_ctl &= ~V_GIF_MASK;
>  	else
> -		svm->vcpu.arch.hflags &= ~HF_GIF_MASK;
> +		svm->gif_value = false;
>  }
>  
>  static inline bool gif_set(struct vcpu_svm *svm)
> @@ -517,7 +536,7 @@ static inline bool gif_set(struct vcpu_svm *svm)
>  	if (vmcb)
>  		return !!(vmcb->control.int_ctl & V_GIF_MASK);
>  	else
> -		return !!(svm->vcpu.arch.hflags & HF_GIF_MASK);
> +		return svm->gif_value;
>  }
>  
>  static inline bool nested_npt_enabled(struct vcpu_svm *svm)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ