KVM: vmx: Inject #UD for SGX ENCLS instruction in guest

Virtualization of Intel SGX depends on Enclave Page Cache (EPC) management that is not yet available in the kernel, i.e. KVM support for exposing SGX to a guest cannot be added until basic support for SGX is upstreamed, which is a WIP[1]. Until SGX is properly supported in KVM, ensure a guest sees expected behavior for ENCLS, i.e. all ENCLS #UD. Because SGX does not have a true software enable bit, e.g. there is no CR4.SGXE bit, the ENCLS instruction can be executed[1] by the guest if SGX is supported by the system. Intercept all ENCLS leafs (via the ENCLS- exiting control and field) and unconditionally inject #UD. [1] https://www.spinics.net/lists/kvm/msg171333.html or https://lkml.org/lkml/2018/7/3/879 [2] A guest can execute ENCLS in the sense that ENCLS will not take an immediate #UD, but no ENCLS will ever succeed in a guest without explicit support from KVM (map EPC memory into the guest), unless KVM has a *very* egregious bug, e.g. accidentally mapped EPC memory into the guest SPTEs. In other words this patch is needed only to prevent the guest from seeing inconsistent behavior, e.g. #GP (SGX not enabled in Feature Control MSR) or #PF (leaf operand(s) does not point at EPC memory) instead of #UD on ENCLS. Intercepting ENCLS is not required to prevent the guest from truly utilizing SGX. Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com> Message-Id: <20180814163334.25724-3-sean.j.christopherson@intel.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
author: Sean Christopherson <sean.j.christopherson@intel.com> 2018-08-14 12:33:34 -0400
committer: Paolo Bonzini <pbonzini@redhat.com> 2018-08-22 10:48:35 -0400
commit: 0b665d30402819830caa21aa23942f70f36a7e72 (patch)
tree: 14324efc3c1487e98c2104f78d433363f7c9b9fa
parent: 802ec461670773b433b678b27145050262df5994 (diff)
1 files changed, 29 insertions, 1 deletions
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 31e90e83fdd6..c76ca8c4befa 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -1684,6 +1684,12 @@ static inline bool cpu_has_vmx_virtual_intr_delivery(void)
                SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY;
 }
+static inline bool cpu_has_vmx_encls_vmexit(void)
+{
+        return vmcs_config.cpu_based_2nd_exec_ctrl &
+                SECONDARY_EXEC_ENCLS_EXITING;
+}
 /*
 * Comment's format: document - errata name - stepping - processor name.
 * Refer from
@@ -4551,7 +4557,8 @@ static __init int setup_vmcs_config(struct vmcs_config *vmcs_conf)
                        SECONDARY_EXEC_RDRAND_EXITING |
                        SECONDARY_EXEC_ENABLE_PML |
                        SECONDARY_EXEC_TSC_SCALING |
-                        SECONDARY_EXEC_ENABLE_VMFUNC;
+                        SECONDARY_EXEC_ENABLE_VMFUNC |
+                        SECONDARY_EXEC_ENCLS_EXITING;
                if (adjust_vmx_controls(min2, opt2,
                                        MSR_IA32_VMX_PROCBASED_CTLS2,
                                        &_cpu_based_2nd_exec_control) < 0)
@@ -6648,6 +6655,9 @@ static void vmx_vcpu_setup(struct vcpu_vmx *vmx)
                vmcs_write64(PML_ADDRESS, page_to_phys(vmx->pml_pg));
                vmcs_write16(GUEST_PML_INDEX, PML_ENTITY_NUM - 1);
        }
+        if (cpu_has_vmx_encls_vmexit())
+                vmcs_write64(ENCLS_EXITING_BITMAP, -1ull);
 }
 static void vmx_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event)
@@ -9314,6 +9324,17 @@ fail:
        return 1;
 }
+static int handle_encls(struct kvm_vcpu *vcpu)
+{
+        /*
+         * SGX virtualization is not yet supported.  There is no software
+         * enable bit for SGX, so we have to trap ENCLS and inject a #UD
+         * to prevent the guest from executing ENCLS.
+         */
+        kvm_queue_exception(vcpu, UD_VECTOR);
+        return 1;
+}
 /*
 * The exit handlers return 1 if the exit was handled fully and guest execution
 * may resume.  Otherwise they set the kvm_run parameter to indicate what needs
@@ -9371,6 +9392,7 @@ static int (*const kvm_vmx_exit_handlers[])(struct kvm_vcpu *vcpu) = {
        [EXIT_REASON_INVPCID]                 = handle_invpcid,
        [EXIT_REASON_VMFUNC]                  = handle_vmfunc,
        [EXIT_REASON_PREEMPTION_TIMER]        = handle_preemption_timer,
+        [EXIT_REASON_ENCLS]                   = handle_encls,
 };
 static const int kvm_vmx_max_exit_handlers =
@@ -9741,6 +9763,9 @@ static bool nested_vmx_exit_reflected(struct kvm_vcpu *vcpu, u32 exit_reason)
        case EXIT_REASON_VMFUNC:
                /* VM functions are emulated through L2->L0 vmexits. */
                return false;
+        case EXIT_REASON_ENCLS:
+                /* SGX is never exposed to L1 */
+                return false;
        default:
                return true;
        }
@@ -12101,6 +12126,9 @@ static int prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12,
                if (exec_control & SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES)
                        vmcs_write64(APIC_ACCESS_ADDR, -1ull);
+                if (exec_control & SECONDARY_EXEC_ENCLS_EXITING)
+                        vmcs_write64(ENCLS_EXITING_BITMAP, -1ull);
                vmcs_write32(SECONDARY_VM_EXEC_CONTROL, exec_control);
        }
author	Sean Christopherson <sean.j.christopherson@intel.com>	2018-08-14 12:33:34 -0400
committer	Paolo Bonzini <pbonzini@redhat.com>	2018-08-22 10:48:35 -0400
commit	0b665d30402819830caa21aa23942f70f36a7e72 (patch)
tree	14324efc3c1487e98c2104f78d433363f7c9b9fa
parent	802ec461670773b433b678b27145050262df5994 (diff)