aboutsummaryrefslogtreecommitdiffstats
path: root/arch/x86/kvm
diff options
context:
space:
mode:
authorFeng Wu <feng.wu@intel.com>2014-04-01 05:46:34 -0400
committerMarcelo Tosatti <mtosatti@redhat.com>2014-04-14 16:50:34 -0400
commit97ec8c067d322d32effdc1701760d3babbc5595f (patch)
tree16892fd16ce9e3d60c68b01f7bf11a8821eb3295 /arch/x86/kvm
parent56d6efc2de5fcf76d3c7b33a7671bc04c53cb0e5 (diff)
KVM: Add SMAP support when setting CR4
This patch adds SMAP handling logic when setting CR4 for guests Thanks a lot to Paolo Bonzini for his suggestion to use the branchless way to detect SMAP violation. Signed-off-by: Feng Wu <feng.wu@intel.com> Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Diffstat (limited to 'arch/x86/kvm')
-rw-r--r--arch/x86/kvm/cpuid.h8
-rw-r--r--arch/x86/kvm/mmu.c34
-rw-r--r--arch/x86/kvm/mmu.h44
-rw-r--r--arch/x86/kvm/paging_tmpl.h2
-rw-r--r--arch/x86/kvm/x86.c9
5 files changed, 84 insertions, 13 deletions
diff --git a/arch/x86/kvm/cpuid.h b/arch/x86/kvm/cpuid.h
index a2a1bb7ed8c1..eeecbed26ac7 100644
--- a/arch/x86/kvm/cpuid.h
+++ b/arch/x86/kvm/cpuid.h
@@ -48,6 +48,14 @@ static inline bool guest_cpuid_has_smep(struct kvm_vcpu *vcpu)
48 return best && (best->ebx & bit(X86_FEATURE_SMEP)); 48 return best && (best->ebx & bit(X86_FEATURE_SMEP));
49} 49}
50 50
51static inline bool guest_cpuid_has_smap(struct kvm_vcpu *vcpu)
52{
53 struct kvm_cpuid_entry2 *best;
54
55 best = kvm_find_cpuid_entry(vcpu, 7, 0);
56 return best && (best->ebx & bit(X86_FEATURE_SMAP));
57}
58
51static inline bool guest_cpuid_has_fsgsbase(struct kvm_vcpu *vcpu) 59static inline bool guest_cpuid_has_fsgsbase(struct kvm_vcpu *vcpu)
52{ 60{
53 struct kvm_cpuid_entry2 *best; 61 struct kvm_cpuid_entry2 *best;
diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
index f5704d9e5ddc..084caf3efaf5 100644
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -3601,20 +3601,27 @@ static void reset_rsvds_bits_mask_ept(struct kvm_vcpu *vcpu,
3601 } 3601 }
3602} 3602}
3603 3603
3604static void update_permission_bitmask(struct kvm_vcpu *vcpu, 3604void update_permission_bitmask(struct kvm_vcpu *vcpu,
3605 struct kvm_mmu *mmu, bool ept) 3605 struct kvm_mmu *mmu, bool ept)
3606{ 3606{
3607 unsigned bit, byte, pfec; 3607 unsigned bit, byte, pfec;
3608 u8 map; 3608 u8 map;
3609 bool fault, x, w, u, wf, uf, ff, smep; 3609 bool fault, x, w, u, wf, uf, ff, smapf, cr4_smap, smep, smap = 0;
3610 3610
3611 smep = kvm_read_cr4_bits(vcpu, X86_CR4_SMEP); 3611 smep = kvm_read_cr4_bits(vcpu, X86_CR4_SMEP);
3612 cr4_smap = kvm_read_cr4_bits(vcpu, X86_CR4_SMAP);
3612 for (byte = 0; byte < ARRAY_SIZE(mmu->permissions); ++byte) { 3613 for (byte = 0; byte < ARRAY_SIZE(mmu->permissions); ++byte) {
3613 pfec = byte << 1; 3614 pfec = byte << 1;
3614 map = 0; 3615 map = 0;
3615 wf = pfec & PFERR_WRITE_MASK; 3616 wf = pfec & PFERR_WRITE_MASK;
3616 uf = pfec & PFERR_USER_MASK; 3617 uf = pfec & PFERR_USER_MASK;
3617 ff = pfec & PFERR_FETCH_MASK; 3618 ff = pfec & PFERR_FETCH_MASK;
3619 /*
3620 * PFERR_RSVD_MASK bit is set in PFEC if the access is not
3621 * subject to SMAP restrictions, and cleared otherwise. The
3622 * bit is only meaningful if the SMAP bit is set in CR4.
3623 */
3624 smapf = !(pfec & PFERR_RSVD_MASK);
3618 for (bit = 0; bit < 8; ++bit) { 3625 for (bit = 0; bit < 8; ++bit) {
3619 x = bit & ACC_EXEC_MASK; 3626 x = bit & ACC_EXEC_MASK;
3620 w = bit & ACC_WRITE_MASK; 3627 w = bit & ACC_WRITE_MASK;
@@ -3627,11 +3634,32 @@ static void update_permission_bitmask(struct kvm_vcpu *vcpu,
3627 w |= !is_write_protection(vcpu) && !uf; 3634 w |= !is_write_protection(vcpu) && !uf;
3628 /* Disallow supervisor fetches of user code if cr4.smep */ 3635 /* Disallow supervisor fetches of user code if cr4.smep */
3629 x &= !(smep && u && !uf); 3636 x &= !(smep && u && !uf);
3637
3638 /*
3639 * SMAP:kernel-mode data accesses from user-mode
3640 * mappings should fault. A fault is considered
3641 * as a SMAP violation if all of the following
3642 * conditions are ture:
3643 * - X86_CR4_SMAP is set in CR4
3644 * - An user page is accessed
3645 * - Page fault in kernel mode
3646 * - if CPL = 3 or X86_EFLAGS_AC is clear
3647 *
3648 * Here, we cover the first three conditions.
3649 * The fourth is computed dynamically in
3650 * permission_fault() and is in smapf.
3651 *
3652 * Also, SMAP does not affect instruction
3653 * fetches, add the !ff check here to make it
3654 * clearer.
3655 */
3656 smap = cr4_smap && u && !uf && !ff;
3630 } else 3657 } else
3631 /* Not really needed: no U/S accesses on ept */ 3658 /* Not really needed: no U/S accesses on ept */
3632 u = 1; 3659 u = 1;
3633 3660
3634 fault = (ff && !x) || (uf && !u) || (wf && !w); 3661 fault = (ff && !x) || (uf && !u) || (wf && !w) ||
3662 (smapf && smap);
3635 map |= fault << bit; 3663 map |= fault << bit;
3636 } 3664 }
3637 mmu->permissions[byte] = map; 3665 mmu->permissions[byte] = map;
diff --git a/arch/x86/kvm/mmu.h b/arch/x86/kvm/mmu.h
index 292615274358..3842e70bdb7c 100644
--- a/arch/x86/kvm/mmu.h
+++ b/arch/x86/kvm/mmu.h
@@ -44,11 +44,17 @@
44#define PT_DIRECTORY_LEVEL 2 44#define PT_DIRECTORY_LEVEL 2
45#define PT_PAGE_TABLE_LEVEL 1 45#define PT_PAGE_TABLE_LEVEL 1
46 46
47#define PFERR_PRESENT_MASK (1U << 0) 47#define PFERR_PRESENT_BIT 0
48#define PFERR_WRITE_MASK (1U << 1) 48#define PFERR_WRITE_BIT 1
49#define PFERR_USER_MASK (1U << 2) 49#define PFERR_USER_BIT 2
50#define PFERR_RSVD_MASK (1U << 3) 50#define PFERR_RSVD_BIT 3
51#define PFERR_FETCH_MASK (1U << 4) 51#define PFERR_FETCH_BIT 4
52
53#define PFERR_PRESENT_MASK (1U << PFERR_PRESENT_BIT)
54#define PFERR_WRITE_MASK (1U << PFERR_WRITE_BIT)
55#define PFERR_USER_MASK (1U << PFERR_USER_BIT)
56#define PFERR_RSVD_MASK (1U << PFERR_RSVD_BIT)
57#define PFERR_FETCH_MASK (1U << PFERR_FETCH_BIT)
52 58
53int kvm_mmu_get_spte_hierarchy(struct kvm_vcpu *vcpu, u64 addr, u64 sptes[4]); 59int kvm_mmu_get_spte_hierarchy(struct kvm_vcpu *vcpu, u64 addr, u64 sptes[4]);
54void kvm_mmu_set_mmio_spte_mask(u64 mmio_mask); 60void kvm_mmu_set_mmio_spte_mask(u64 mmio_mask);
@@ -73,6 +79,8 @@ int handle_mmio_page_fault_common(struct kvm_vcpu *vcpu, u64 addr, bool direct);
73void kvm_init_shadow_mmu(struct kvm_vcpu *vcpu, struct kvm_mmu *context); 79void kvm_init_shadow_mmu(struct kvm_vcpu *vcpu, struct kvm_mmu *context);
74void kvm_init_shadow_ept_mmu(struct kvm_vcpu *vcpu, struct kvm_mmu *context, 80void kvm_init_shadow_ept_mmu(struct kvm_vcpu *vcpu, struct kvm_mmu *context,
75 bool execonly); 81 bool execonly);
82void update_permission_bitmask(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu,
83 bool ept);
76 84
77static inline unsigned int kvm_mmu_available_pages(struct kvm *kvm) 85static inline unsigned int kvm_mmu_available_pages(struct kvm *kvm)
78{ 86{
@@ -110,10 +118,30 @@ static inline bool is_write_protection(struct kvm_vcpu *vcpu)
110 * Will a fault with a given page-fault error code (pfec) cause a permission 118 * Will a fault with a given page-fault error code (pfec) cause a permission
111 * fault with the given access (in ACC_* format)? 119 * fault with the given access (in ACC_* format)?
112 */ 120 */
113static inline bool permission_fault(struct kvm_mmu *mmu, unsigned pte_access, 121static inline bool permission_fault(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu,
114 unsigned pfec) 122 unsigned pte_access, unsigned pfec)
115{ 123{
116 return (mmu->permissions[pfec >> 1] >> pte_access) & 1; 124 int cpl = kvm_x86_ops->get_cpl(vcpu);
125 unsigned long rflags = kvm_x86_ops->get_rflags(vcpu);
126
127 /*
128 * If CPL < 3, SMAP prevention are disabled if EFLAGS.AC = 1.
129 *
130 * If CPL = 3, SMAP applies to all supervisor-mode data accesses
131 * (these are implicit supervisor accesses) regardless of the value
132 * of EFLAGS.AC.
133 *
134 * This computes (cpl < 3) && (rflags & X86_EFLAGS_AC), leaving
135 * the result in X86_EFLAGS_AC. We then insert it in place of
136 * the PFERR_RSVD_MASK bit; this bit will always be zero in pfec,
137 * but it will be one in index if SMAP checks are being overridden.
138 * It is important to keep this branchless.
139 */
140 unsigned long smap = (cpl - 3) & (rflags & X86_EFLAGS_AC);
141 int index = (pfec >> 1) +
142 (smap >> (X86_EFLAGS_AC_BIT - PFERR_RSVD_BIT + 1));
143
144 return (mmu->permissions[index] >> pte_access) & 1;
117} 145}
118 146
119void kvm_mmu_invalidate_zap_all_pages(struct kvm *kvm); 147void kvm_mmu_invalidate_zap_all_pages(struct kvm *kvm);
diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
index b1e6c1bf68d3..123efd3ec29f 100644
--- a/arch/x86/kvm/paging_tmpl.h
+++ b/arch/x86/kvm/paging_tmpl.h
@@ -353,7 +353,7 @@ retry_walk:
353 walker->ptes[walker->level - 1] = pte; 353 walker->ptes[walker->level - 1] = pte;
354 } while (!is_last_gpte(mmu, walker->level, pte)); 354 } while (!is_last_gpte(mmu, walker->level, pte));
355 355
356 if (unlikely(permission_fault(mmu, pte_access, access))) { 356 if (unlikely(permission_fault(vcpu, mmu, pte_access, access))) {
357 errcode |= PFERR_PRESENT_MASK; 357 errcode |= PFERR_PRESENT_MASK;
358 goto error; 358 goto error;
359 } 359 }
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index d1c55f8722c6..41693787cd66 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -652,6 +652,9 @@ int kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
652 if (!guest_cpuid_has_smep(vcpu) && (cr4 & X86_CR4_SMEP)) 652 if (!guest_cpuid_has_smep(vcpu) && (cr4 & X86_CR4_SMEP))
653 return 1; 653 return 1;
654 654
655 if (!guest_cpuid_has_smap(vcpu) && (cr4 & X86_CR4_SMAP))
656 return 1;
657
655 if (!guest_cpuid_has_fsgsbase(vcpu) && (cr4 & X86_CR4_FSGSBASE)) 658 if (!guest_cpuid_has_fsgsbase(vcpu) && (cr4 & X86_CR4_FSGSBASE))
656 return 1; 659 return 1;
657 660
@@ -680,6 +683,9 @@ int kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
680 (!(cr4 & X86_CR4_PCIDE) && (old_cr4 & X86_CR4_PCIDE))) 683 (!(cr4 & X86_CR4_PCIDE) && (old_cr4 & X86_CR4_PCIDE)))
681 kvm_mmu_reset_context(vcpu); 684 kvm_mmu_reset_context(vcpu);
682 685
686 if ((cr4 ^ old_cr4) & X86_CR4_SMAP)
687 update_permission_bitmask(vcpu, vcpu->arch.walk_mmu, false);
688
683 if ((cr4 ^ old_cr4) & X86_CR4_OSXSAVE) 689 if ((cr4 ^ old_cr4) & X86_CR4_OSXSAVE)
684 kvm_update_cpuid(vcpu); 690 kvm_update_cpuid(vcpu);
685 691
@@ -4164,7 +4170,8 @@ static int vcpu_mmio_gva_to_gpa(struct kvm_vcpu *vcpu, unsigned long gva,
4164 | (write ? PFERR_WRITE_MASK : 0); 4170 | (write ? PFERR_WRITE_MASK : 0);
4165 4171
4166 if (vcpu_match_mmio_gva(vcpu, gva) 4172 if (vcpu_match_mmio_gva(vcpu, gva)
4167 && !permission_fault(vcpu->arch.walk_mmu, vcpu->arch.access, access)) { 4173 && !permission_fault(vcpu, vcpu->arch.walk_mmu,
4174 vcpu->arch.access, access)) {
4168 *gpa = vcpu->arch.mmio_gfn << PAGE_SHIFT | 4175 *gpa = vcpu->arch.mmio_gfn << PAGE_SHIFT |
4169 (gva & (PAGE_SIZE - 1)); 4176 (gva & (PAGE_SIZE - 1));
4170 trace_vcpu_match_mmio(gva, *gpa, write, false); 4177 trace_vcpu_match_mmio(gva, *gpa, write, false);