[xen stable-4.18] x86/vmx: Disallow the use of inactivity states

[patchbot@xxxxxxx]

commit 00550e808c10c67710ebb8867200eda1fbee332c
Author:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Thu Feb 1 18:00:32 2024 +0100
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Thu Feb 1 18:00:32 2024 +0100

    x86/vmx: Disallow the use of inactivity states
    
    Right now, vvmx will blindly copy L12's ACTIVITY_STATE into the L02 VMCS and
    enter the vCPU.  Luckily for us, nested-virt is explicitly unsupported for
    security bugs.
    
    The inactivity states are HLT, SHUTDOWN and WAIT-FOR-SIPI, and as noted by 
the
    SDM in Vol3 27.7 "Special Features of VM Entry":
    
      If VM entry ends with the logical processor in an inactive activity state,
      the VM entry generates any special bus cycle that is normally generated 
when
      that activity state is entered from the active state.
    
    Also,
    
      Some activity states unconditionally block certain events.
    
    I.e. A VMEntry with ACTIVITY=SHUTDOWN will initiate a platform reset, while 
a
    VMEntry with ACTIVITY=WAIT-FOR-SIPI will really block everything other than
    SIPIs.
    
    Both of these activity states are for the TXT ACM to use, not for regular
    hypervisors, and Xen doesn't support dropping the HLT intercept either.
    
    There are two paths in Xen which operate on ACTIVITY_STATE.
    
    1) The vmx_{get,set}_nonreg_state() helpers for VM-Fork.
    
       As regular VMs can't use any inactivity states, this is just duplicating
       the 0 from construct_vmcs().  Retain the ability to query activity_state,
       but crash the domain on any attempt to set an inactivity state.
    
    2) Nested virt, because of ACTIVITY_STATE in vmcs_gstate_field[].
    
       Explicitly hide the inactivity states in the guest's view of 
MSR_VMX_MISC,
       and remove ACTIVITY_STATE from vmcs_gstate_field[].
    
       In virtual_vmentry(), we should trigger a VMEntry failure for the use of
       any inactivity states, but there's no support for that in the code at all
       so leave a TODO for when we finally start working on nested-virt in
       earnest.
    
    Reported-by: Reima Ishii <ishiir@xxxxxxxxxxxxxxxxxxx>
    Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
    Reviewed-by: Tamas K Lengyel <tamas@xxxxxxxxxxxxx>
    master commit: 3643bb53a05b7c8fbac072c63bef1538f2a6d0d2
    master date: 2024-01-18 20:59:06 +0000
---
 xen/arch/x86/hvm/vmx/vmx.c              | 5 ++++-
 xen/arch/x86/hvm/vmx/vvmx.c             | 9 +++++++--
 xen/arch/x86/include/asm/hvm/vmx/vmcs.h | 1 +
 3 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
index 964891934b..28dece7c6b 100644
--- a/xen/arch/x86/hvm/vmx/vmx.c
+++ b/xen/arch/x86/hvm/vmx/vmx.c
@@ -1558,7 +1558,10 @@ static void cf_check vmx_set_nonreg_state(struct vcpu *v,
 {
     vmx_vmcs_enter(v);
 
-    __vmwrite(GUEST_ACTIVITY_STATE, nrs->vmx.activity_state);
+    if ( nrs->vmx.activity_state )
+        domain_crash(v->domain, "Attempt to set %pv activity_state %#lx\n",
+                     v, nrs->vmx.activity_state);
+
     __vmwrite(GUEST_INTERRUPTIBILITY_INFO, nrs->vmx.interruptibility_info);
     __vmwrite(GUEST_PENDING_DBG_EXCEPTIONS, nrs->vmx.pending_dbg);
 
diff --git a/xen/arch/x86/hvm/vmx/vvmx.c b/xen/arch/x86/hvm/vmx/vvmx.c
index 16b0ef82b6..fd0ae39166 100644
--- a/xen/arch/x86/hvm/vmx/vvmx.c
+++ b/xen/arch/x86/hvm/vmx/vvmx.c
@@ -899,7 +899,10 @@ static const u16 vmcs_gstate_field[] = {
     GUEST_LDTR_AR_BYTES,
     GUEST_TR_AR_BYTES,
     GUEST_INTERRUPTIBILITY_INFO,
+    /*
+     * ACTIVITY_STATE is handled specially.
     GUEST_ACTIVITY_STATE,
+     */
     GUEST_SYSENTER_CS,
     GUEST_PREEMPTION_TIMER,
     /* natural */
@@ -1200,6 +1203,8 @@ static void virtual_vmentry(struct cpu_user_regs *regs)
     nvcpu->nv_vmentry_pending = 0;
     nvcpu->nv_vmswitch_in_progress = 1;
 
+    /* TODO: Fail VMentry for GUEST_ACTIVITY_STATE != 0 */
+
     /*
      * EFER handling:
      * hvm_set_efer won't work if CR0.PG = 1, so we change the value
@@ -2316,8 +2321,8 @@ int nvmx_msr_read_intercept(unsigned int msr, u64 
*msr_content)
         data = hvm_cr4_guest_valid_bits(d);
         break;
     case MSR_IA32_VMX_MISC:
-        /* Do not support CR3-target feature now */
-        data = host_data & ~VMX_MISC_CR3_TARGET;
+        /* Do not support CR3-targets or activity states. */
+        data = host_data & ~(VMX_MISC_CR3_TARGET | VMX_MISC_ACTIVITY_MASK);
         break;
     case MSR_IA32_VMX_EPT_VPID_CAP:
         data = nept_get_ept_vpid_cap();
diff --git a/xen/arch/x86/include/asm/hvm/vmx/vmcs.h 
b/xen/arch/x86/include/asm/hvm/vmx/vmcs.h
index d07fcb2bc9..8de9977eb3 100644
--- a/xen/arch/x86/include/asm/hvm/vmx/vmcs.h
+++ b/xen/arch/x86/include/asm/hvm/vmx/vmcs.h
@@ -277,6 +277,7 @@ extern u32 vmx_secondary_exec_control;
 #define VMX_VPID_INVVPID_SINGLE_CONTEXT_RETAINING_GLOBAL 0x80000000000ULL
 extern u64 vmx_ept_vpid_cap;
 
+#define VMX_MISC_ACTIVITY_MASK                  0x000001c0
 #define VMX_MISC_PROC_TRACE                     0x00004000
 #define VMX_MISC_CR3_TARGET                     0x01ff0000
 #define VMX_MISC_VMWRITE_ALL                    0x20000000
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.18