KVM: x86: Introduce MSR filtering

  Verify the integrity of the unpacked image. Only if this succeeds,

  KVM is allowed to start protected VCPUs.

4.126 KVM_X86_SET_MSR_FILTER

----------------------------

:Capability: KVM_X86_SET_MSR_FILTER

:Architectures: x86

:Type: vm ioctl

:Parameters: struct kvm_msr_filter

:Returns: 0 on success, < 0 on error

::

  struct kvm_msr_filter_range {

  #define KVM_MSR_FILTER_READ  (1 << 0)

  #define KVM_MSR_FILTER_WRITE (1 << 1)

	__u32 flags;

	__u32 nmsrs; /* number of msrs in bitmap */

	__u32 base;  /* MSR index the bitmap starts at */

	__u8 *bitmap; /* a 1 bit allows the operations in flags, 0 denies */

  };

  #define KVM_MSR_FILTER_MAX_RANGES 16

  struct kvm_msr_filter {

  #define KVM_MSR_FILTER_DEFAULT_ALLOW (0 << 0)

  #define KVM_MSR_FILTER_DEFAULT_DENY  (1 << 0)

	__u32 flags;

	struct kvm_msr_filter_range ranges[KVM_MSR_FILTER_MAX_RANGES];

  };

flags values for struct kvm_msr_filter_range:

KVM_MSR_FILTER_READ

  Filter read accesses to MSRs using the given bitmap. A 0 in the bitmap

  indicates that a read should immediately fail, while a 1 indicates that

  a read for a particular MSR should be handled regardless of the default

  filter action.

KVM_MSR_FILTER_WRITE

  Filter write accesses to MSRs using the given bitmap. A 0 in the bitmap

  indicates that a write should immediately fail, while a 1 indicates that

  a write for a particular MSR should be handled regardless of the default

  filter action.

KVM_MSR_FILTER_READ | KVM_MSR_FILTER_WRITE

  Filter both read and write accesses to MSRs using the given bitmap. A 0

  in the bitmap indicates that both reads and writes should immediately fail,

  while a 1 indicates that reads and writes for a particular MSR are not

  filtered by this range.

flags values for struct kvm_msr_filter:

KVM_MSR_FILTER_DEFAULT_ALLOW

  If no filter range matches an MSR index that is getting accessed, KVM will

  fall back to allowing access to the MSR.

KVM_MSR_FILTER_DEFAULT_DENY

  If no filter range matches an MSR index that is getting accessed, KVM will

  fall back to rejecting access to the MSR. In this mode, all MSRs that should

  be processed by KVM need to explicitly be marked as allowed in the bitmaps.

This ioctl allows user space to define up to 16 bitmaps of MSR ranges to

specify whether a certain MSR access should be explicitly filtered for or not.

If this ioctl has never been invoked, MSR accesses are not guarded and the

old KVM in-kernel emulation behavior is fully preserved.

As soon as the filtering is in place, every MSR access is processed through

the filtering. If a bit is within one of the defined ranges, read and write

accesses are guarded by the bitmap's value for the MSR index. If it is not

defined in any range, whether MSR access is rejected is determined by the flags

field in the kvm_msr_filter struct: KVM_MSR_FILTER_DEFAULT_ALLOW and

KVM_MSR_FILTER_DEFAULT_DENY.

Calling this ioctl with an empty set of ranges (all nmsrs == 0) disables MSR

filtering. In that mode, KVM_MSR_FILTER_DEFAULT_DENY no longer has any effect.

Each bitmap range specifies a range of MSRs to potentially allow access on.

The range goes from MSR index [base .. base+nmsrs]. The flags field

indicates whether reads, writes or both reads and writes are filtered

by setting a 1 bit in the bitmap for the corresponding MSR index.

If an MSR access is not permitted through the filtering, it generates a

#GP inside the guest. When combined with KVM_CAP_X86_USER_SPACE_MSR, that

allows user space to deflect and potentially handle various MSR accesses

into user space.

If a vCPU is in running state while this ioctl is invoked, the vCPU may

experience inconsistent filtering behavior on MSR accesses.

5. The kvm_run structure

========================

	KVM_MSR_EXIT_REASON_UNKNOWN - access to MSR that is unknown to KVM

	KVM_MSR_EXIT_REASON_INVAL - access to invalid MSRs or reserved bits

	KVM_MSR_EXIT_REASON_FILTER - access blocked by KVM_X86_SET_MSR_FILTER

For KVM_EXIT_X86_RDMSR, the "index" field tells user space which MSR the guest

wants to read. To respond to this request with a successful read, user space

accesses that would usually trigger a #GP by KVM into the guest will

instead get bounced to user space through the KVM_EXIT_X86_RDMSR and

KVM_EXIT_X86_WRMSR exit notifications.

8.25 KVM_X86_SET_MSR_FILTER

---------------------------

:Architectures: x86

This capability indicates that KVM supports that accesses to user defined MSRs

may be rejected. With this capability exposed, KVM exports new VM ioctl

KVM_X86_SET_MSR_FILTER which user space can call to specify bitmaps of MSR

ranges that KVM should reject access to.

In combination with KVM_CAP_X86_USER_SPACE_MSR, this allows user space to

trap and emulate MSRs that are outside of the scope of KVM as well as

limit the attack surface on KVM's MSR emulation code.

#define KVM_REQ_HV_TLB_FLUSH \

	KVM_ARCH_REQ_FLAGS(27, KVM_REQUEST_NO_WAKEUP)

#define KVM_REQ_APF_READY		KVM_ARCH_REQ(28)

#define KVM_REQ_MSR_FILTER_CHANGED	KVM_ARCH_REQ(29)

#define CR0_RESERVED_BITS                                               \

	(~(unsigned long)(X86_CR0_PE | X86_CR0_MP | X86_CR0_EM | X86_CR0_TS \

	struct kvm_hv_syndbg hv_syndbg;

};

struct msr_bitmap_range {

	u32 flags;

	u32 nmsrs;

	u32 base;

	unsigned long *bitmap;

};

enum kvm_irqchip_mode {

	KVM_IRQCHIP_NONE,

	KVM_IRQCHIP_KERNEL,       /* created with KVM_CREATE_IRQCHIP */

	/* Deflect RDMSR and WRMSR to user space when they trigger a #GP */

	u32 user_space_msr_mask;

	struct {

		u8 count;

		bool default_allow:1;

		struct msr_bitmap_range ranges[16];

	} msr_filter;

	struct kvm_pmu_event_filter *pmu_event_filter;

	struct task_struct *nx_lpage_recovery_thread;

};

	__u32 indices[0];

};

/* Maximum size of any access bitmap in bytes */

#define KVM_MSR_FILTER_MAX_BITMAP_SIZE 0x600

/* for KVM_X86_SET_MSR_FILTER */

struct kvm_msr_filter_range {

#define KVM_MSR_FILTER_READ  (1 << 0)

#define KVM_MSR_FILTER_WRITE (1 << 1)

	__u32 flags;

	__u32 nmsrs; /* number of msrs in bitmap */

	__u32 base;  /* MSR index the bitmap starts at */

	__u8 *bitmap; /* a 1 bit allows the operations in flags, 0 denies */

};

#define KVM_MSR_FILTER_MAX_RANGES 16

struct kvm_msr_filter {

#define KVM_MSR_FILTER_DEFAULT_ALLOW (0 << 0)

#define KVM_MSR_FILTER_DEFAULT_DENY  (1 << 0)

	__u32 flags;

	struct kvm_msr_filter_range ranges[KVM_MSR_FILTER_MAX_RANGES];

};

struct kvm_cpuid_entry {

	__u32 function;

bool kvm_msr_allowed(struct kvm_vcpu *vcpu, u32 index, u32 type)

{

	struct kvm *kvm = vcpu->kvm;

	struct msr_bitmap_range *ranges = kvm->arch.msr_filter.ranges;

	u32 count = kvm->arch.msr_filter.count;

	u32 i;

	bool r = kvm->arch.msr_filter.default_allow;

	int idx;

	/* MSR filtering not set up, allow everything */

	if (!count)

		return true;

	/* Prevent collision with set_msr_filter */

	idx = srcu_read_lock(&kvm->srcu);

	for (i = 0; i < count; i++) {

		u32 start = ranges[i].base;

		u32 end = start + ranges[i].nmsrs;

		u32 flags = ranges[i].flags;

		unsigned long *bitmap = ranges[i].bitmap;

		if ((index >= start) && (index < end) && (flags & type)) {

			r = !!test_bit(index - start, bitmap);

			break;

		}

	}

	srcu_read_unlock(&kvm->srcu, idx);

	return r;

}

EXPORT_SYMBOL_GPL(kvm_msr_allowed);

{

	struct msr_data msr;

	if (!host_initiated && !kvm_msr_allowed(vcpu, index, KVM_MSR_FILTER_WRITE))

		return -EPERM;

	switch (index) {

	case MSR_FS_BASE:

	case MSR_GS_BASE:

	struct msr_data msr;

	int ret;

	if (!host_initiated && !kvm_msr_allowed(vcpu, index, KVM_MSR_FILTER_READ))

		return -EPERM;

	msr.index = index;

	msr.host_initiated = host_initiated;

	switch (r) {

	case -ENOENT:

		return KVM_MSR_EXIT_REASON_UNKNOWN;

	case -EPERM:

		return KVM_MSR_EXIT_REASON_FILTER;

	default:

		return KVM_MSR_EXIT_REASON_INVAL;

	}

	case KVM_CAP_SET_GUEST_DEBUG:

	case KVM_CAP_LAST_CPU:

	case KVM_CAP_X86_USER_SPACE_MSR:

	case KVM_CAP_X86_MSR_FILTER:

		r = 1;

		break;

	case KVM_CAP_SYNC_REGS:

	return r;

}

static void kvm_clear_msr_filter(struct kvm *kvm)

{

	u32 i;

	u32 count = kvm->arch.msr_filter.count;

	struct msr_bitmap_range ranges[16];

	mutex_lock(&kvm->lock);

	kvm->arch.msr_filter.count = 0;

	memcpy(ranges, kvm->arch.msr_filter.ranges, count * sizeof(ranges[0]));

	mutex_unlock(&kvm->lock);

	synchronize_srcu(&kvm->srcu);

	for (i = 0; i < count; i++)

		kfree(ranges[i].bitmap);

}

static int kvm_add_msr_filter(struct kvm *kvm, struct kvm_msr_filter_range *user_range)

{

	struct msr_bitmap_range *ranges = kvm->arch.msr_filter.ranges;

	struct msr_bitmap_range range;

	unsigned long *bitmap = NULL;

	size_t bitmap_size;

	int r;

	if (!user_range->nmsrs)

		return 0;

	bitmap_size = BITS_TO_LONGS(user_range->nmsrs) * sizeof(long);

	if (!bitmap_size || bitmap_size > KVM_MSR_FILTER_MAX_BITMAP_SIZE)

		return -EINVAL;

	bitmap = memdup_user((__user u8*)user_range->bitmap, bitmap_size);

	if (IS_ERR(bitmap))

		return PTR_ERR(bitmap);

	range = (struct msr_bitmap_range) {

		.flags = user_range->flags,

		.base = user_range->base,

		.nmsrs = user_range->nmsrs,

		.bitmap = bitmap,

	};

	if (range.flags & ~(KVM_MSR_FILTER_READ | KVM_MSR_FILTER_WRITE)) {

		r = -EINVAL;

		goto err;

	}

	if (!range.flags) {

		r = -EINVAL;

		goto err;

	}

	/* Everything ok, add this range identifier to our global pool */

	ranges[kvm->arch.msr_filter.count] = range;

	/* Make sure we filled the array before we tell anyone to walk it */

	smp_wmb();

	kvm->arch.msr_filter.count++;

	return 0;

err:

	kfree(bitmap);

	return r;

}

static int kvm_vm_ioctl_set_msr_filter(struct kvm *kvm, void __user *argp)

{

	struct kvm_msr_filter __user *user_msr_filter = argp;

	struct kvm_msr_filter filter;

	bool default_allow;

	int r = 0;

	u32 i;

	if (copy_from_user(&filter, user_msr_filter, sizeof(filter)))

		return -EFAULT;

	kvm_clear_msr_filter(kvm);

	default_allow = !(filter.flags & KVM_MSR_FILTER_DEFAULT_DENY);

	kvm->arch.msr_filter.default_allow = default_allow;

	/*

	 * Protect from concurrent calls to this function that could trigger

	 * a TOCTOU violation on kvm->arch.msr_filter.count.

	 */

	mutex_lock(&kvm->lock);

	for (i = 0; i < ARRAY_SIZE(filter.ranges); i++) {

		r = kvm_add_msr_filter(kvm, &filter.ranges[i]);

		if (r)

			break;

	}

	kvm_make_all_cpus_request(kvm, KVM_REQ_MSR_FILTER_CHANGED);

	mutex_unlock(&kvm->lock);

	return r;

}

long kvm_arch_vm_ioctl(struct file *filp,

		       unsigned int ioctl, unsigned long arg)

{

	case KVM_SET_PMU_EVENT_FILTER:

		r = kvm_vm_ioctl_set_pmu_event_filter(kvm, argp);

		break;

	case KVM_X86_SET_MSR_FILTER:

		r = kvm_vm_ioctl_set_msr_filter(kvm, argp);

		break;

	default:

		r = -ENOTTY;

	}

			kvm_vcpu_update_apicv(vcpu);

		if (kvm_check_request(KVM_REQ_APF_READY, vcpu))

			kvm_check_async_pf_completion(vcpu);

		if (kvm_check_request(KVM_REQ_MSR_FILTER_CHANGED, vcpu))

			kvm_x86_ops.msr_filter_changed(vcpu);

	}

	if (kvm_check_request(KVM_REQ_EVENT, vcpu) || req_int_win) {

void kvm_arch_destroy_vm(struct kvm *kvm)

{

	u32 i;

	if (current->mm == kvm->mm) {

		/*

		 * Free memory regions allocated on behalf of userspace,

	}

	if (kvm_x86_ops.vm_destroy)

		kvm_x86_ops.vm_destroy(kvm);

	for (i = 0; i < kvm->arch.msr_filter.count; i++)

		kfree(kvm->arch.msr_filter.ranges[i].bitmap);

	kvm_pic_destroy(kvm);

	kvm_ioapic_destroy(kvm);

	kvm_free_vcpus(kvm);

			__u8 pad[7];

#define KVM_MSR_EXIT_REASON_INVAL	(1 << 0)

#define KVM_MSR_EXIT_REASON_UNKNOWN	(1 << 1)

#define KVM_MSR_EXIT_REASON_FILTER	(1 << 2)

			__u32 reason; /* kernel -> user */

			__u32 index; /* kernel -> user */

			__u64 data; /* kernel <-> user */

#define KVM_CAP_S390_DIAG318 186

#define KVM_CAP_STEAL_TIME 187

#define KVM_CAP_X86_USER_SPACE_MSR 188

#define KVM_CAP_X86_MSR_FILTER 189

#ifdef KVM_CAP_IRQ_ROUTING

/* Available with KVM_CAP_S390_PROTECTED */

#define KVM_S390_PV_COMMAND		_IOWR(KVMIO, 0xc5, struct kvm_pv_cmd)

/* Available with KVM_CAP_X86_MSR_FILTER */

#define KVM_X86_SET_MSR_FILTER	_IOW(KVMIO,  0xc6, struct kvm_msr_filter)

/* Secure Encrypted Virtualization command */

enum sev_cmd_id {

	/* Guest initialization commands */