| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250228085115.105648-18-Neeraj.Upadhyay@amd.com>
Date: Fri, 28 Feb 2025 14:21:13 +0530
From: Neeraj Upadhyay <Neeraj.Upadhyay@....com>
To: <seanjc@...gle.com>, <pbonzini@...hat.com>, <kvm@...r.kernel.org>
CC: <linux-kernel@...r.kernel.org>, <bp@...en8.de>, <tglx@...utronix.de>,
<mingo@...hat.com>, <dave.hansen@...ux.intel.com>, <Thomas.Lendacky@....com>,
<nikunj@....com>, <Santosh.Shukla@....com>, <Vasant.Hegde@....com>,
<Suravee.Suthikulpanit@....com>, <David.Kaplan@....com>, <x86@...nel.org>,
<hpa@...or.com>, <peterz@...radead.org>, <huibo.wang@....com>,
<naveen.rao@....com>, <binbin.wu@...ux.intel.com>, <isaku.yamahata@...el.com>
Subject: [RFC PATCH 17/19] KVM: x86/ioapic: Disable RTC_GSI EOI tracking for protected APIC
Disable RTC_GSI pending EOI tracking for guests with protected APIC
state such as Secure AVIC. RTC_GSI is a edge-triggered vector and
Secure AVIC accelerates EOI write for edge-triggered interrupts.
In addition, APIC_ISR state is not visible within KVM and is part
of guest-owned backing page. So, lazy pending EOI checks also cannot
be done. So, disable tracking of pending EOI. This means coalesced
RTC interrupts cannot be detected by userspace for Secure AVIC guests.
Signed-off-by: Neeraj Upadhyay <Neeraj.Upadhyay@....com>
---
arch/x86/kvm/ioapic.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kvm/ioapic.c b/arch/x86/kvm/ioapic.c
index 995eb5054360..7d68e8ef6245 100644
--- a/arch/x86/kvm/ioapic.c
+++ b/arch/x86/kvm/ioapic.c
@@ -113,6 +113,9 @@ static void __rtc_irq_eoi_tracking_restore_one(struct kvm_vcpu *vcpu)
struct dest_map *dest_map = &ioapic->rtc_status.dest_map;
union kvm_ioapic_redirect_entry *e;
+ if (vcpu->arch.apic->guest_apic_protected)
+ return;
+
e = &ioapic->redirtbl[RTC_GSI];
if (!kvm_apic_match_dest(vcpu, NULL, APIC_DEST_NOSHORT,
e->fields.dest_id,
@@ -443,6 +446,7 @@ static int ioapic_service(struct kvm_ioapic *ioapic, int irq, bool line_status)
{
union kvm_ioapic_redirect_entry *entry = &ioapic->redirtbl[irq];
struct kvm_lapic_irq irqe;
+ struct kvm_vcpu *vcpu;
int ret;
if (entry->fields.mask ||
@@ -472,7 +476,9 @@ static int ioapic_service(struct kvm_ioapic *ioapic, int irq, bool line_status)
BUG_ON(ioapic->rtc_status.pending_eoi != 0);
ret = kvm_irq_delivery_to_apic(ioapic->kvm, NULL, &irqe,
&ioapic->rtc_status.dest_map);
- ioapic->rtc_status.pending_eoi = (ret < 0 ? 0 : ret);
+ vcpu = kvm_get_vcpu(ioapic->kvm, 0);
+ if (!vcpu->arch.apic->guest_apic_protected)
+ ioapic->rtc_status.pending_eoi = (ret < 0 ? 0 : ret);
} else
ret = kvm_irq_delivery_to_apic(ioapic->kvm, NULL, &irqe, NULL);
--
2.34.1
Powered by blists - more mailing lists