Commit 043248b3 authored by Paolo Bonzini's avatar Paolo Bonzini
Browse files

KVM: VMX: Forbid userspace MSR filters for x2APIC 



Allowing userspace to intercept reads to x2APIC MSRs when APICV is
fully enabled for the guest simply can't work.   But more in general,
the LAPIC could be set to in-kernel after the MSR filter is setup
and allowing accesses by userspace would be very confusing.

We could in principle allow userspace to intercept reads and writes to TPR,
and writes to EOI and SELF_IPI, but while that could be made it work, it
would still be silly.

Cc: Alexander Graf <graf@amazon.com>
Cc: Aaron Lewis <aaronlewis@google.com>
Cc: Peter Xu <peterx@redhat.com>
Cc: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
parent 9389b9d5

Documentation/virt/kvm/api.rst

+10 −8
Original line number Diff line number Diff line
@@ -4777,20 +4777,22 @@ specify whether a certain MSR access should be explicitly filtered for or not. 
If this ioctl has never been invoked, MSR accesses are not guarded and the

default KVM in-kernel emulation behavior is fully preserved.



Calling this ioctl with an empty set of ranges (all nmsrs == 0) disables MSR

filtering. In that mode, ``KVM_MSR_FILTER_DEFAULT_DENY`` is invalid and causes

an error.



As soon as the filtering is in place, every MSR access is processed through

the filtering except for accesses to the x2APIC MSRs (from 0x800 to 0x8ff);

x2APIC MSRs are always allowed, independent of the ``default_allow`` setting,

and their behavior depends on the ``X2APIC_ENABLE`` bit of the APIC base

register.



If a bit is within one of the defined ranges, read and write

accesses are guarded by the bitmap's value for the MSR index. If it is not

defined in any range, whether MSR access is rejected is determined by the flags

field in the kvm_msr_filter struct: ``KVM_MSR_FILTER_DEFAULT_ALLOW`` and

``KVM_MSR_FILTER_DEFAULT_DENY``.



Calling this ioctl with an empty set of ranges (all nmsrs == 0) disables MSR

filtering. In that mode, KVM_MSR_FILTER_DEFAULT_DENY no longer has any effect.

If a bit is within one of the defined ranges, read and write accesses are

guarded by the bitmap's value for the MSR index if the kind of access

is included in the ``struct kvm_msr_filter_range`` flags.  If no range

cover this particular access, the behavior is determined by the flags

field in the kvm_msr_filter struct: ``KVM_MSR_FILTER_DEFAULT_ALLOW``

and ``KVM_MSR_FILTER_DEFAULT_DENY``.



Each bitmap range specifies a range of MSRs to potentially allow access on.

The range goes from MSR index [base .. base+nmsrs]. The flags field

arch/x86/kvm/x86.c

+8 −1
Original line number Diff line number Diff line
@@ -5252,14 +5252,21 @@ static int kvm_vm_ioctl_set_msr_filter(struct kvm *kvm, void __user *argp) 
	struct kvm_msr_filter filter;

	bool default_allow;

	int r = 0;

	bool empty = true;

	u32 i;



	if (copy_from_user(&filter, user_msr_filter, sizeof(filter)))

		return -EFAULT;



	kvm_clear_msr_filter(kvm);

	for (i = 0; i < ARRAY_SIZE(filter.ranges); i++)

		empty &= !filter.ranges[i].nmsrs;



	default_allow = !(filter.flags & KVM_MSR_FILTER_DEFAULT_DENY);

	if (empty && !default_allow)

		return -EINVAL;



	kvm_clear_msr_filter(kvm);



	kvm->arch.msr_filter.default_allow = default_allow;



	/*

CRA Git | Maintained and supported by SUSTech CRA and CCSE