Commit 2985afbc authored by Tom Lendacky's avatar Tom Lendacky Committed by Paolo Bonzini
Browse files

KVM: SVM: Add support for EFER write traps for an SEV-ES guest 



For SEV-ES guests, the interception of EFER write access is not
recommended. EFER interception occurs prior to EFER being modified and
the hypervisor is unable to modify EFER itself because the register is
located in the encrypted register state.

SEV-ES support introduces a new EFER write trap. This trap provides
intercept support of an EFER write after it has been modified. The new
EFER value is provided in the VMCB EXITINFO1 field, allowing the
hypervisor to track the setting of the guest EFER.

Add support to track the value of the guest EFER value using the EFER
write trap so that the hypervisor understands the guest operating mode.

Signed-off-by: default avatarTom Lendacky <thomas.lendacky@amd.com>
Message-Id: <8993149352a3a87cd0625b3b61bfd31ab28977e1.1607620209.git.thomas.lendacky@amd.com>
Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
parent 7ed9abfe

arch/x86/include/uapi/asm/svm.h

+2 −0
Original line number Diff line number Diff line
@@ -77,6 +77,7 @@ 
#define SVM_EXIT_MWAIT_COND    0x08c

#define SVM_EXIT_XSETBV        0x08d

#define SVM_EXIT_RDPRU         0x08e

#define SVM_EXIT_EFER_WRITE_TRAP		0x08f

#define SVM_EXIT_INVPCID       0x0a2

#define SVM_EXIT_NPF           0x400

#define SVM_EXIT_AVIC_INCOMPLETE_IPI		0x401
@@ -184,6 +185,7 @@ 
	{ SVM_EXIT_MONITOR,     "monitor" }, \

	{ SVM_EXIT_MWAIT,       "mwait" }, \

	{ SVM_EXIT_XSETBV,      "xsetbv" }, \

	{ SVM_EXIT_EFER_WRITE_TRAP,	"write_efer_trap" }, \

	{ SVM_EXIT_INVPCID,     "invpcid" }, \

	{ SVM_EXIT_NPF,         "npf" }, \

	{ SVM_EXIT_AVIC_INCOMPLETE_IPI,		"avic_incomplete_ipi" }, \

arch/x86/kvm/svm/svm.c

+20 −0
Original line number Diff line number Diff line
@@ -2503,6 +2503,25 @@ static int cr8_write_interception(struct vcpu_svm *svm) 
	return 0;

}



static int efer_trap(struct vcpu_svm *svm)

{

	struct msr_data msr_info;

	int ret;



	/*

	 * Clear the EFER_SVME bit from EFER. The SVM code always sets this

	 * bit in svm_set_efer(), but __kvm_valid_efer() checks it against

	 * whether the guest has X86_FEATURE_SVM - this avoids a failure if

	 * the guest doesn't have X86_FEATURE_SVM.

	 */

	msr_info.host_initiated = false;

	msr_info.index = MSR_EFER;

	msr_info.data = svm->vmcb->control.exit_info_1 & ~EFER_SVME;

	ret = kvm_set_msr_common(&svm->vcpu, &msr_info);



	return kvm_complete_insn_gp(&svm->vcpu, ret);

}



static int svm_get_msr_feature(struct kvm_msr_entry *msr)

{

	msr->data = 0;
@@ -2977,6 +2996,7 @@ static int (*const svm_exit_handlers[])(struct vcpu_svm *svm) = { 
	[SVM_EXIT_MWAIT]			= mwait_interception,

	[SVM_EXIT_XSETBV]			= xsetbv_interception,

	[SVM_EXIT_RDPRU]			= rdpru_interception,

	[SVM_EXIT_EFER_WRITE_TRAP]		= efer_trap,

	[SVM_EXIT_INVPCID]                      = invpcid_interception,

	[SVM_EXIT_NPF]				= npf_interception,

	[SVM_EXIT_RSM]                          = rsm_interception,

CRA Git | Maintained and supported by SUSTech CRA and CCSE