
[Xen-changelog] [xen stable-4.7] x86/msr: Virtualise MSR_FLUSH_CMD for guests



commit f05a33e327b87b30a14b6926e232c712ee7c4a1d
Author:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Fri Apr 13 15:34:01 2018 +0000
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Tue Aug 14 17:33:42 2018 +0100

    x86/msr: Virtualise MSR_FLUSH_CMD for guests
    
    Guests (outside of the nested virt case, which isn't supported yet) don't need
    L1D_FLUSH for their L1TF mitigations, but offering/emulating MSR_FLUSH_CMD is
    easy and doesn't pose an issue for Xen.
    
    The MSR is offered to HVM guests only.  PV guests attempting to use it would
    trap for emulation, and the L1D cache would fill long before the return to
    guest context.  As such, PV guests can't make any use of the L1D_FLUSH
    functionality.
    
    This is part of XSA-273 / CVE-2018-3646.
    
    Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
    (cherry picked from commit fd9823faf9df057a69a9a53c2e100691d3f4267c)
---
 xen/arch/x86/hvm/hvm.c                      | 12 ++++++++++++
 xen/arch/x86/hvm/vmx/vmx.c                  |  6 ++++++
 xen/arch/x86/traps.c                        |  5 +++++
 xen/include/public/arch-x86/cpufeatureset.h |  2 +-
 4 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
index 5ba00b22c5..522430b84c 100644
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -3795,6 +3795,7 @@ int hvm_msr_read_intercept(unsigned int msr, uint64_t 
*msr_content)
     case MSR_AMD_PATCHLOADER:
     case MSR_IA32_UCODE_WRITE:
     case MSR_PRED_CMD:
+    case MSR_FLUSH_CMD:
         /* Write-only */
         goto gp_fault;
 
@@ -4012,6 +4013,17 @@ int hvm_msr_write_intercept(unsigned int msr, uint64_t 
msr_content,
         wrmsrl(MSR_PRED_CMD, msr_content);
         break;
 
+    case MSR_FLUSH_CMD:
+        hvm_cpuid(7, NULL, NULL, NULL, &edx);
+        if ( !(edx & cpufeat_mask(X86_FEATURE_L1D_FLUSH)) )
+            goto gp_fault; /* MSR available? */
+
+        if ( msr_content & ~FLUSH_CMD_L1D )
+            goto gp_fault; /* Rsvd bit set? */
+
+        wrmsrl(MSR_FLUSH_CMD, msr_content);
+        break;
+
     case MSR_ARCH_CAPABILITIES:
         /* Read-only */
         goto gp_fault;
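Review bot: The new `wrmsrl(MSR_FLUSH_CMD, msr_content)` in the `MSR_FLUSH_CMD` case is gated only on the guest-visible CPUID bit; nothing in this hunk shows that the host itself implements the MSR. If the guest policy is guaranteed elsewhere to be a subset of host features, a short comment stating that invariant would help, e.g. `/* Guest policy never has L1D_FLUSH unless the host does. */`. Otherwise a faulting write would be taken in hypervisor context, and `if ( wrmsr_safe(MSR_FLUSH_CMD, msr_content) ) goto gp_fault;` would turn it into a guest #GP instead. The existing MSR_PRED_CMD case above follows the same pattern, and the function body extends outside the hunk.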
diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
index 85502c0bea..a9e87b5a9a 100644
--- a/xen/arch/x86/hvm/vmx/vmx.c
+++ b/xen/arch/x86/hvm/vmx/vmx.c
@@ -574,6 +574,12 @@ static void vmx_cpuid_policy_changed(struct vcpu *v)
         vmx_disable_intercept_for_msr(v, MSR_PRED_CMD, MSR_TYPE_R | 
MSR_TYPE_W);
     else
         vmx_enable_intercept_for_msr(v, MSR_PRED_CMD, MSR_TYPE_R | MSR_TYPE_W);
+
+    /* MSR_FLUSH_CMD is safe to pass through if the guest knows about it. */
+    if ( _7d0 & cpufeat_mask(X86_FEATURE_L1D_FLUSH) )
+        vmx_disable_intercept_for_msr(v, MSR_FLUSH_CMD, MSR_TYPE_R | 
MSR_TYPE_W);
+    else
+        vmx_enable_intercept_for_msr(v, MSR_FLUSH_CMD, MSR_TYPE_R | 
MSR_TYPE_W);
 }
 
 static int vmx_guest_x86_mode(struct vcpu *v)
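Review bot: The added comment in vmx_cpuid_policy_changed() asserts that pass-through is safe but does not say why, and with the intercept disabled the reserved-bit check added in hvm_msr_write_intercept() no longer runs for these guests. Presumably the reasoning is that this is a write-only command MSR with no persistent state to context-switch or migrate, and that hardware itself faults reads and reserved-bit writes; that should be confirmed and recorded. I would expand the comment to something like `/* MSR_FLUSH_CMD is a stateless, write-only command MSR; hardware enforces reserved bits, so pass it through if the guest knows about it. */`. The function starts outside the hunk.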
diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c
index d528be9c28..139737bd83 100644
--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -2924,6 +2924,10 @@ static int emulate_privileged_op(struct cpu_user_regs 
*regs)
             wrmsrl(MSR_PRED_CMD, msr_content);
             break;
 
+        case MSR_FLUSH_CMD:
+            /* Not available to PV guests. */
+            break;
+
         case MSR_P6_PERFCTR(0)...MSR_P6_PERFCTR(7):
         case MSR_P6_EVNTSEL(0)...MSR_P6_EVNTSEL(3):
         case MSR_CORE_PERF_FIXED_CTR0...MSR_CORE_PERF_FIXED_CTR2:
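Review bot: In the WRMSR path the new `case MSR_FLUSH_CMD:` exits with `break`, the same exit the MSR_PRED_CMD case just above takes after a successful write, so a PV guest's write appears to be silently discarded rather than faulted. That is asymmetric with the read path in the next hunk, where MSR_FLUSH_CMD shares `goto fail` with MSR_PRED_CMD. If dropping the write is intentional, the comment should say so, e.g. `/* Not available to PV guests; write is silently dropped. */`. If the guest should see a fault for an MSR it was never offered, use `goto fail;`. The end of the switch is outside the hunk, so the exact effect of `break` should be confirmed there.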
@@ -3055,6 +3059,7 @@ static int emulate_privileged_op(struct cpu_user_regs 
*regs)
             break;
 
         case MSR_PRED_CMD:
+        case MSR_FLUSH_CMD:
             /* Write-only */
             goto fail;
 
diff --git a/xen/include/public/arch-x86/cpufeatureset.h 
b/xen/include/public/arch-x86/cpufeatureset.h
index cc0c4f33a4..f5fb483556 100644
--- a/xen/include/public/arch-x86/cpufeatureset.h
+++ b/xen/include/public/arch-x86/cpufeatureset.h
@@ -229,7 +229,7 @@ XEN_CPUFEATURE(IBPB,          8*32+12) /*A  IBPB support 
only (no IBRS, used by
 /* Intel-defined CPU features, CPUID level 0x00000007:0.edx, word 9 */
 XEN_CPUFEATURE(IBRSB,         9*32+26) /*A  IBRS and IBPB support (used by 
Intel) */
 XEN_CPUFEATURE(STIBP,         9*32+27) /*A! STIBP */
-XEN_CPUFEATURE(L1D_FLUSH,     9*32+28) /*   MSR_FLUSH_CMD and L1D flush. */
+XEN_CPUFEATURE(L1D_FLUSH,     9*32+28) /*S  MSR_FLUSH_CMD and L1D flush. */
 XEN_CPUFEATURE(ARCH_CAPS,     9*32+29) /*   IA32_ARCH_CAPABILITIES MSR */
 XEN_CPUFEATURE(SSBD,          9*32+31) /*A  MSR_SPEC_CTRL.SSBD available */
 
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.7
