Message-ID: <20250927060910.2933942-7-seanjc@google.com>
Date: Fri, 26 Sep 2025 23:09:06 -0700
From: Sean Christopherson <seanjc@...gle.com>
To: Paolo Bonzini <pbonzini@...hat.com>
Cc: kvm@...r.kernel.org, linux-kernel@...r.kernel.org, 
	Sean Christopherson <seanjc@...gle.com>
Subject: [GIT PULL] KVM: x86: SVM changes for 6.18

The headliner here is to enable AVIC by default for Zen4+ if x2AVIC is
supported.  The other highlight is support for Secure TSC (support for
CiphertextHiding is coming in a separate pull request).

The "lowlight" is a bug fix for an issue where KVM could clobber TSC_AUX if an
SEV-ES+ vCPU runs on the same pCPU as a non-SEV-ES CPU.

Regarding enabling AVIC by default, despite there still being at least one
known wart (the IRQ window inhibit mess), I think AVIC is stable enough to
enable by default.  More importantly, I think that getting it enabled in 6.18
in particular, i.e. in the next LTS, will be a net positive in the sense that
we'll hopefully get more "free" testing, and thus help fix any lurking bugs
for the folks that are explicitly enabling AVIC.

The following changes since commit c17b750b3ad9f45f2b6f7e6f7f4679844244f0b9:

  Linux 6.17-rc2 (2025-08-17 15:22:10 -0700)

are available in the Git repository at:

  https://github.com/kvm-x86/linux.git tags/kvm-x86-svm-6.18

for you to fetch changes up to ca2967de5a5b098b43c5ad665672945ce7e7d4f7:

  KVM: SVM: Enable AVIC by default for Zen4+ if x2AVIC is support (2025-09-23 08:56:49 -0700)

----------------------------------------------------------------
KVM SVM changes for 6.18

 - Require a minimum GHCB version of 2 when starting SEV-SNP guests via
   KVM_SEV_INIT2 so that invalid GHCB versions result in immediate errors
   instead of latent guest failures.

 - Add support for Secure TSC for SEV-SNP guests, which prevents the untrusted
   host from tampering with the guest's TSC frequency, while still allowing the
   VMM to configure the guest's TSC frequency prior to launch.

 - Mitigate the potential for TOCTOU bugs when accessing GHCB fields by
   wrapping all accesses via READ_ONCE().

 - Validate the XCR0 provided by the guest (via the GHCB) to avoid tracking a
   bogus XCR0 value in KVM's software model.

 - Save an SEV guest's policy if and only if LAUNCH_START fully succeeds to
   avoid leaving behind stale state (thankfully not consumed in KVM).

 - Explicitly reject non-positive effective lengths during SNP's LAUNCH_UPDATE
   instead of subtly relying on guest_memfd to do the "heavy" lifting.

 - Reload the pre-VMRUN TSC_AUX on #VMEXIT for SEV-ES guests, not the host's
   desired TSC_AUX, to fix a bug where KVM could clobber a different vCPU's
   TSC_AUX due to hardware not matching the value cached in the user-return MSR
   infrastructure.

 - Enable AVIC by default for Zen4+ if x2AVIC (and other prereqs) is supported,
   and clean up the AVIC initialization code along the way.

----------------------------------------------------------------
Hou Wenlong (2):
      KVM: x86: Add helper to retrieve current value of user return MSR
      KVM: SVM: Re-load current, not host, TSC_AUX on #VMEXIT from SEV-ES guest

Naveen N Rao (1):
      KVM: SVM: Enable AVIC by default for Zen4+ if x2AVIC is support

Nikunj A Dadhania (4):
      KVM: SEV: Drop GHCB_VERSION_DEFAULT and open code it
      KVM: SEV: Enforce minimum GHCB version requirement for SEV-SNP guests
      x86/cpufeatures: Add SNP Secure TSC
      KVM: SVM: Enable Secure TSC for SNP guests

Sean Christopherson (15):
      KVM: SVM: Move SEV-ES VMSA allocation to a dedicated sev_vcpu_create() helper
      KVM: SEV: Move init of SNP guest state into sev_init_vmcb()
      KVM: SEV: Set RESET GHCB MSR value during sev_es_init_vmcb()
      KVM: SEV: Fold sev_es_vcpu_reset() into sev_vcpu_create()
      KVM: SEV: Save the SEV policy if and only if LAUNCH_START succeeds
      KVM: SEV: Rename kvm_ghcb_get_sw_exit_code() to kvm_get_cached_sw_exit_code()
      KVM: SEV: Read save fields from GHCB exactly once
      KVM: SEV: Validate XCR0 provided by guest in GHCB
      KVM: SEV: Reject non-positive effective lengths during LAUNCH_UPDATE
      KVM: SVM: Make svm_x86_ops globally visible, clean up on-HyperV usage
      KVM: SVM: Move x2AVIC MSR interception helper to avic.c
      KVM: SVM: Update "APICv in x2APIC without x2AVIC" in avic.c, not svm.c
      KVM: SVM: Always print "AVIC enabled" separately, even when force enabled
      KVM: SVM: Don't advise the user to do force_avic=y (when x2AVIC is detected)
      KVM: SVM: Move global "avic" variable to avic.c

Thorsten Blum (1):
      KVM: nSVM: Replace kzalloc() + copy_from_user() with memdup_user()

 arch/x86/include/asm/cpufeatures.h |   1 +
 arch/x86/include/asm/kvm_host.h    |   2 +
 arch/x86/include/asm/svm.h         |   1 +
 arch/x86/kvm/svm/avic.c            | 151 ++++++++++++++++++++++++++++------
 arch/x86/kvm/svm/nested.c          |  18 ++---
 arch/x86/kvm/svm/sev.c             | 160 +++++++++++++++++++++++++------------
 arch/x86/kvm/svm/svm.c             | 126 +++++------------------------
 arch/x86/kvm/svm/svm.h             |  40 ++++++----
 arch/x86/kvm/svm/svm_onhyperv.c    |  28 ++++++-
 arch/x86/kvm/svm/svm_onhyperv.h    |  31 +------
 arch/x86/kvm/x86.c                 |   9 ++-
 virt/kvm/guest_memfd.c             |   3 +-
 12 files changed, 323 insertions(+), 247 deletions(-)
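
Added illustration, not part of the original message and not KVM's code: the two GHCB hardening items in the tag message (read a guest-writable field exactly once, and validate the guest-provided XCR0 before tracking it), sketched in userspace C. The `shared_page` struct, the `READ_ONCE_U64` macro, the function names and the supported-feature mask are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace stand-in for the kernel's READ_ONCE(): exactly one load. */
#define READ_ONCE_U64(x) (*(const volatile uint64_t *)&(x))

#define XFEATURE_FP  (1ULL << 0)   /* x87 state */
#define XFEATURE_SSE (1ULL << 1)
#define XFEATURE_YMM (1ULL << 2)   /* AVX state */

/* Hypothetical one-field page that the guest can rewrite at any time. */
struct shared_page { uint64_t xcr0; };

/* Architectural XCR0 rules plus a host-supported mask (assumed input). */
static bool xcr0_is_valid(uint64_t xcr0, uint64_t supported)
{
    if (!(xcr0 & XFEATURE_FP))
        return false;                 /* x87 bit must always be set */
    if ((xcr0 & XFEATURE_YMM) && !(xcr0 & XFEATURE_SSE))
        return false;                 /* AVX state requires SSE state */
    return !(xcr0 & ~supported);      /* nothing the host does not support */
}

/*
 * Fetch the field once, validate the local copy, and hand out only that
 * copy. Returns 0 on success, -1 on rejection (*out is left untouched).
 */
static int fetch_guest_xcr0(const struct shared_page *pg, uint64_t supported,
                            uint64_t *out)
{
    uint64_t xcr0 = READ_ONCE_U64(pg->xcr0);   /* the only read of the page */

    if (!xcr0_is_valid(xcr0, supported))
        return -1;
    *out = xcr0;   /* validated snapshot, never a re-read of pg->xcr0 */
    return 0;
}

int main(void)
{
    /* Constructed sample values: AVX requested without SSE is rejected. */
    uint64_t supported = XFEATURE_FP | XFEATURE_SSE | XFEATURE_YMM;
    struct shared_page pg = { .xcr0 = XFEATURE_FP | XFEATURE_YMM };
    uint64_t tracked = XFEATURE_FP;
    int rc = fetch_guest_xcr0(&pg, supported, &tracked);

    printf("rc=%d tracked=%#llx\n", rc, (unsigned long long)tracked);
    return 0;
}
```

Because the check and the stored value both come from the same local copy, a later write to the shared page cannot change what was validated.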
