• Sean Christopherson's avatar
    KVM: x86: Emulate triple fault shutdown if RSM emulation fails · 25b17226
    Sean Christopherson authored
    Use the recently introduced KVM_REQ_TRIPLE_FAULT to properly emulate
    shutdown if RSM from SMM fails.
    
    Note, entering shutdown after clearing the SMM flag and restoring NMI
    blocking is architecturally correct with respect to AMD's APM, which KVM
    also uses for SMRAM layout and RSM NMI blocking behavior.  The APM says:
    
      An RSM causes a processor shutdown if an invalid-state condition is
      found in the SMRAM state-save area. Only an external reset, external
      processor-initialization, or non-maskable external interrupt (NMI) can
      cause the processor to leave the shutdown state.
    
    Of note is processor-initialization (INIT) as a valid shutdown wake
    event, as INIT is blocked by SMM, implying that entering shutdown also
    forces the CPU out of SMM.
    
    For recent Intel CPUs, restoring NMI blocking is technically wrong, but
    so is restoring NMI blocking in the first place, and Intel's RSM
    "architecture" is such a mess that just about anything is allowed and can
    be justified as micro-architectural behavior.
    
    Per the SDM:
    
      On Pentium 4 and later processors, shutdown will inhibit INTR and A20M
      but will not change any of the other inhibits. On these processors,
      NMIs will be inhibited if no action is taken in the SMI handler to
      uninhibit them (see Section 34.8).
    
    where Section 34.8 says:
    
      When the processor enters SMM while executing an NMI handler, the
      processor saves the SMRAM state save map but does not save the
      attribute to keep NMI interrupts disabled. Potentially, an NMI could be
      latched (while in SMM or upon exit) and serviced upon exit of SMM even
      though the previous NMI handler has still not completed.
    
    I.e. RSM unconditionally unblocks NMI, but shutdown on RSM does not,
    which is in direct contradiction of KVM's behavior.  But, as mentioned
    above, KVM follows AMD architecture and restores NMI blocking on RSM, so
    that micro-architectural detail is already lost.
    
    And for Pentium era CPUs, SMI# can break shutdown, meaning that at least
    some Intel CPUs fully leave SMM when entering shutdown:
    
      In the shutdown state, Intel processors stop executing instructions
      until a RESET#, INIT# or NMI# is asserted.  While Pentium family
      processors recognize the SMI# signal in shutdown state, P6 family and
      Intel486 processors do not.
    
    In other words, the fact that Intel CPUs have implemented the two
    extremes gives KVM carte blanche when it comes to honoring Intel's
    architecture for handling shutdown during RSM.
    Signed-off-by: default avatarSean Christopherson <seanjc@google.com>
    Message-Id: <20210609185619.992058-3-seanjc@google.com>
    [Return X86EMUL_CONTINUE after triple fault. - Paolo]
    Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
    25b17226
emulate.c 147 KB