| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 9 Jan 2024 16:23:40 -0800 From: Sean Christopherson <seanjc@...gle.com> To: Sean Christopherson <seanjc@...gle.com>, Paolo Bonzini <pbonzini@...hat.com>, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>, Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org Cc: kvm@...r.kernel.org, linux-kernel@...r.kernel.org, Yi Lai <yi1.lai@...el.com>, Tao Su <tao1.su@...ux.intel.com>, Xudong Hao <xudong.hao@...el.com> Subject: [PATCH] x86/cpu: Add a VMX flag to enumerate 5-level EPT support to userspace Add a VMX flag in /proc/cpuinfo, ept_5level, so that userspace can query whether or not the CPU supports 5-level EPT paging. EPT capabilities are enumerated via MSR, i.e. aren't accessible to userspace without help from the kernel, and knowing whether or not 5-level EPT is supported is sadly necessary for userspace to correctly configure KVM VMs. When EPT is enabled, bits 51:49 of guest physical addresses are consumed if and only if 5-level EPT is enabled. For CPUs with MAXPHYADDR > 48, KVM *can't* map all legal guest memory if 5-level EPT is unsupported, e.g. creating a VM with RAM (or anything that gets stuffed into KVM's memslots) above bit 48 will be completely broken. Having KVM enumerate guest.MAXPHYADDR=48 in this scenario doesn't work either, as architecturally guest accesses to illegal addresses generate RSVD #PF, i.e. advertising guest.MAXPHYADDR < host.MAXPHYADDR when EPT is enabled would also result in broken guests. KVM does provide a knob, allow_smaller_maxphyaddr, to let userspace opt-in to such setups, but that support is firmly best-effort, i.e. not something KVM wants to force upon userspace. While it's decidedly odd for a CPU to support a 52-bit MAXPHYADDR but not 5-level EPT, the combination is architecturally legal and such CPUs do exist (and can easily be "created" with nested virtualization). Reported-by: Yi Lai <yi1.lai@...el.com> Cc: Tao Su <tao1.su@...ux.intel.com> Cc: Xudong Hao <xudong.hao@...el.com> Signed-off-by: Sean Christopherson <seanjc@...gle.com> --- tip-tree folks, this is obviously not technically KVM code, but I'd like to take this through the KVM tree so that we can use the information to fix KVM selftests (hopefully this cycle). arch/x86/include/asm/vmxfeatures.h | 1 + arch/x86/kernel/cpu/feat_ctl.c | 2 ++ 2 files changed, 3 insertions(+) diff --git a/arch/x86/include/asm/vmxfeatures.h b/arch/x86/include/asm/vmxfeatures.h index c6a7eed03914..266daf5b5b84 100644 --- a/arch/x86/include/asm/vmxfeatures.h +++ b/arch/x86/include/asm/vmxfeatures.h @@ -25,6 +25,7 @@ #define VMX_FEATURE_EPT_EXECUTE_ONLY ( 0*32+ 17) /* "ept_x_only" EPT entries can be execute only */ #define VMX_FEATURE_EPT_AD ( 0*32+ 18) /* EPT Accessed/Dirty bits */ #define VMX_FEATURE_EPT_1GB ( 0*32+ 19) /* 1GB EPT pages */ +#define VMX_FEATURE_EPT_5LEVEL ( 0*32+ 20) /* 5-level EPT paging */ /* Aggregated APIC features 24-27 */ #define VMX_FEATURE_FLEXPRIORITY ( 0*32+ 24) /* TPR shadow + virt APIC */ diff --git a/arch/x86/kernel/cpu/feat_ctl.c b/arch/x86/kernel/cpu/feat_ctl.c index 03851240c3e3..1640ae76548f 100644 --- a/arch/x86/kernel/cpu/feat_ctl.c +++ b/arch/x86/kernel/cpu/feat_ctl.c @@ -72,6 +72,8 @@ static void init_vmx_capabilities(struct cpuinfo_x86 *c) c->vmx_capability[MISC_FEATURES] |= VMX_F(EPT_AD); if (ept & VMX_EPT_1GB_PAGE_BIT) c->vmx_capability[MISC_FEATURES] |= VMX_F(EPT_1GB); + if (ept & VMX_EPT_PAGE_WALK_5_BIT) + c->vmx_capability[MISC_FEATURES] |= VMX_F(EPT_5LEVEL); /* Synthetic APIC features that are aggregates of multiple features. */ if ((c->vmx_capability[PRIMARY_CTLS] & VMX_F(VIRTUAL_TPR)) && base-commit: 1c6d984f523f67ecfad1083bb04c55d91977bb15 -- 2.43.0.472.g3155946c3a-goog
Powered by blists - more mailing lists