Diffstat (limited to '0008-x86-vmx-Disallow-the-use-of-inactivity-states.patch')
-rw-r--r-- | 0008-x86-vmx-Disallow-the-use-of-inactivity-states.patch | 126 |
1 files changed, 0 insertions, 126 deletions
diff --git a/0008-x86-vmx-Disallow-the-use-of-inactivity-states.patch b/0008-x86-vmx-Disallow-the-use-of-inactivity-states.patch
deleted file mode 100644
index 3af45e8..0000000
--- a/0008-x86-vmx-Disallow-the-use-of-inactivity-states.patch
+++ /dev/null
@@ -1,126 +0,0 @@ -From 7bd612727df792671e44152a8205f0cf821ad984 Mon Sep 17 00:00:00 2001 -From: Andrew Cooper <andrew.cooper3@citrix.com> -Date: Fri, 2 Feb 2024 08:03:26 +0100 -Subject: [PATCH 08/67] x86/vmx: Disallow the use of inactivity states - -Right now, vvmx will blindly copy L12's ACTIVITY_STATE into the L02 VMCS and -enter the vCPU. Luckily for us, nested-virt is explicitly unsupported for -security bugs. - -The inactivity states are HLT, SHUTDOWN and WAIT-FOR-SIPI, and as noted by the -SDM in Vol3 27.7 "Special Features of VM Entry": - - If VM entry ends with the logical processor in an inactive activity state, - the VM entry generates any special bus cycle that is normally generated when - that activity state is entered from the active state. - -Also, - - Some activity states unconditionally block certain events. - -I.e. A VMEntry with ACTIVITY=SHUTDOWN will initiate a platform reset, while a -VMEntry with ACTIVITY=WAIT-FOR-SIPI will really block everything other than -SIPIs. - -Both of these activity states are for the TXT ACM to use, not for regular -hypervisors, and Xen doesn't support dropping the HLT intercept either. - -There are two paths in Xen which operate on ACTIVITY_STATE. - -1) The vmx_{get,set}_nonreg_state() helpers for VM-Fork. - - As regular VMs can't use any inactivity states, this is just duplicating - the 0 from construct_vmcs(). Retain the ability to query activity_state, - but crash the domain on any attempt to set an inactivity state. - -2) Nested virt, because of ACTIVITY_STATE in vmcs_gstate_field[]. - - Explicitly hide the inactivity states in the guest's view of MSR_VMX_MISC, - and remove ACTIVITY_STATE from vmcs_gstate_field[]. - - In virtual_vmentry(), we should trigger a VMEntry failure for the use of - any inactivity states, but there's no support for that in the code at all - so leave a TODO for when we finally start working on nested-virt in - earnest. 
- -Reported-by: Reima Ishii <ishiir@g.ecc.u-tokyo.ac.jp> -Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> -Reviewed-by: Jan Beulich <jbeulich@suse.com> -Reviewed-by: Tamas K Lengyel <tamas@tklengyel.com> -master commit: 3643bb53a05b7c8fbac072c63bef1538f2a6d0d2 -master date: 2024-01-18 20:59:06 +0000 ---- - xen/arch/x86/hvm/vmx/vmx.c | 8 +++++++- - xen/arch/x86/hvm/vmx/vvmx.c | 9 +++++++-- - xen/arch/x86/include/asm/hvm/vmx/vmcs.h | 1 + - 3 files changed, 15 insertions(+), 3 deletions(-) - -diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c -index 31f4a861c6..35d391d8e5 100644 ---- a/xen/arch/x86/hvm/vmx/vmx.c -+++ b/xen/arch/x86/hvm/vmx/vmx.c -@@ -1499,7 +1499,13 @@ static void cf_check vmx_set_nonreg_state(struct vcpu *v, - { - vmx_vmcs_enter(v); - -- __vmwrite(GUEST_ACTIVITY_STATE, nrs->vmx.activity_state); -+ if ( nrs->vmx.activity_state ) -+ { -+ printk("Attempt to set %pv activity_state %#lx\n", -+ v, nrs->vmx.activity_state); -+ domain_crash(v->domain); -+ } -+ - __vmwrite(GUEST_INTERRUPTIBILITY_INFO, nrs->vmx.interruptibility_info); - __vmwrite(GUEST_PENDING_DBG_EXCEPTIONS, nrs->vmx.pending_dbg); - -diff --git a/xen/arch/x86/hvm/vmx/vvmx.c b/xen/arch/x86/hvm/vmx/vvmx.c -index f8fe8d0c14..515cb5ae77 100644 ---- a/xen/arch/x86/hvm/vmx/vvmx.c -+++ b/xen/arch/x86/hvm/vmx/vvmx.c -@@ -910,7 +910,10 @@ static const u16 vmcs_gstate_field[] = { - GUEST_LDTR_AR_BYTES, - GUEST_TR_AR_BYTES, - GUEST_INTERRUPTIBILITY_INFO, -+ /* -+ * ACTIVITY_STATE is handled specially. 
- GUEST_ACTIVITY_STATE, -+ */ - GUEST_SYSENTER_CS, - GUEST_PREEMPTION_TIMER, - /* natural */ -@@ -1211,6 +1214,8 @@ static void virtual_vmentry(struct cpu_user_regs *regs) - nvcpu->nv_vmentry_pending = 0; - nvcpu->nv_vmswitch_in_progress = 1; - -+ /* TODO: Fail VMentry for GUEST_ACTIVITY_STATE != 0 */ -+ - /* - * EFER handling: - * hvm_set_efer won't work if CR0.PG = 1, so we change the value -@@ -2327,8 +2332,8 @@ int nvmx_msr_read_intercept(unsigned int msr, u64 *msr_content) - data = hvm_cr4_guest_valid_bits(d); - break; - case MSR_IA32_VMX_MISC: -- /* Do not support CR3-target feature now */ -- data = host_data & ~VMX_MISC_CR3_TARGET; -+ /* Do not support CR3-targets or activity states. */ -+ data = host_data & ~(VMX_MISC_CR3_TARGET | VMX_MISC_ACTIVITY_MASK); - break; - case MSR_IA32_VMX_EPT_VPID_CAP: - data = nept_get_ept_vpid_cap(); -diff --git a/xen/arch/x86/include/asm/hvm/vmx/vmcs.h b/xen/arch/x86/include/asm/hvm/vmx/vmcs.h -index 78404e42b3..0af021d5f5 100644 ---- a/xen/arch/x86/include/asm/hvm/vmx/vmcs.h -+++ b/xen/arch/x86/include/asm/hvm/vmx/vmcs.h -@@ -288,6 +288,7 @@ extern u32 vmx_secondary_exec_control; - #define VMX_VPID_INVVPID_SINGLE_CONTEXT_RETAINING_GLOBAL 0x80000000000ULL - extern u64 vmx_ept_vpid_cap; - -+#define VMX_MISC_ACTIVITY_MASK 0x000001c0 - #define VMX_MISC_PROC_TRACE 0x00004000 - #define VMX_MISC_CR3_TARGET 0x01ff0000 - #define VMX_MISC_VMWRITE_ALL 0x20000000 --- -2.44.0 - |