kvm: vmx: Raise #UD on unsupported RDSEED

A guest may not be configured to support RDSEED, even when the host does. If the guest does not support RDSEED, intercept the instruction and synthesize #UD. Also clear the "allowed-1" bit for RDSEED exiting in the IA32_VMX_PROCBASED_CTLS2 MSR. Signed-off-by: Jim Mattson <jmattson@google.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
author: Jim Mattson <jmattson@google.com> 2017-08-23 19:32:03 -0400
committer: Paolo Bonzini <pbonzini@redhat.com> 2017-08-24 09:35:46 -0400
commit: 75f4fc8da9bd3b56f08ff8ba4113e5c57a85c24c (patch)
tree: 042a8e67487e6ca825cd758bbefcaa8d79d48e3f
parent: 45ec368c9addbbf3fb25fc33d3f22f838ec91714 (diff)
1 files changed, 23 insertions, 1 deletions
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 1f2c69de7872..954e26079cd6 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -2818,7 +2818,6 @@ static void nested_vmx_setup_ctls_msrs(struct vcpu_vmx *vmx)
                vmx->nested.nested_vmx_secondary_ctls_high);
        vmx->nested.nested_vmx_secondary_ctls_low = 0;
        vmx->nested.nested_vmx_secondary_ctls_high &=
-                SECONDARY_EXEC_RDSEED |
                SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES |
                SECONDARY_EXEC_DESC |
                SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE |
@@ -3671,6 +3670,7 @@ static __init int setup_vmcs_config(struct vmcs_config *vmcs_conf)
                        SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY |
                        SECONDARY_EXEC_SHADOW_VMCS |
                        SECONDARY_EXEC_XSAVES |
+                        SECONDARY_EXEC_RDSEED |
                        SECONDARY_EXEC_RDRAND |
                        SECONDARY_EXEC_ENABLE_PML |
                        SECONDARY_EXEC_TSC_SCALING |
@@ -5280,6 +5280,12 @@ static bool vmx_rdrand_supported(void)
                SECONDARY_EXEC_RDRAND;
 }
+static bool vmx_rdseed_supported(void)
+{
+        return vmcs_config.cpu_based_2nd_exec_ctrl &
+                SECONDARY_EXEC_RDSEED;
+}
 static void vmx_compute_secondary_exec_control(struct vcpu_vmx *vmx)
 {
        struct kvm_vcpu *vcpu = &vmx->vcpu;
@@ -5364,6 +5370,21 @@ static void vmx_compute_secondary_exec_control(struct vcpu_vmx *vmx)
                }
        }
+        if (vmx_rdseed_supported()) {
+                bool rdseed_enabled = guest_cpuid_has(vcpu, X86_FEATURE_RDSEED);
+                if (rdseed_enabled)
+                        exec_control &= ~SECONDARY_EXEC_RDSEED;
+                if (nested) {
+                        if (rdseed_enabled)
+                                vmx->nested.nested_vmx_secondary_ctls_high |=
+                                        SECONDARY_EXEC_RDSEED;
+                        else
+                                vmx->nested.nested_vmx_secondary_ctls_high &=
+                                        ~SECONDARY_EXEC_RDSEED;
+                }
+        }
        vmx->secondary_exec_control = exec_control;
 }
@@ -8119,6 +8140,7 @@ static int (*const kvm_vmx_exit_handlers[])(struct kvm_vcpu *vcpu) = {
        [EXIT_REASON_INVEPT]                  = handle_invept,
        [EXIT_REASON_INVVPID]                 = handle_invvpid,
        [EXIT_REASON_RDRAND]                  = handle_invalid_op,
+        [EXIT_REASON_RDSEED]                  = handle_invalid_op,
        [EXIT_REASON_XSAVES]                  = handle_xsaves,
        [EXIT_REASON_XRSTORS]                 = handle_xrstors,
        [EXIT_REASON_PML_FULL]                = handle_pml_full,
author	Jim Mattson <jmattson@google.com>	2017-08-23 19:32:03 -0400
committer	Paolo Bonzini <pbonzini@redhat.com>	2017-08-24 09:35:46 -0400
commit	75f4fc8da9bd3b56f08ff8ba4113e5c57a85c24c (patch)
tree	042a8e67487e6ca825cd758bbefcaa8d79d48e3f
parent	45ec368c9addbbf3fb25fc33d3f22f838ec91714 (diff)