Commit 9389b9d5 authored by Sean Christopherson, committed by Paolo Bonzini

KVM: VMX: Ignore userspace MSR filters for x2APIC

Rework the resetting of the MSR bitmap for x2APIC MSRs to ignore userspace
filtering.  Allowing userspace to intercept reads to x2APIC MSRs when
APICV is fully enabled for the guest simply can't work; the LAPIC and thus
virtual APIC is in-kernel and cannot be directly accessed by userspace.
To keep things simple we will in fact forbid intercepting x2APIC MSRs
altogether, independent of the default_allow setting.

Cc: Alexander Graf <graf@amazon.com>
Cc: Aaron Lewis <aaronlewis@google.com>
Cc: Peter Xu <peterx@redhat.com>
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Message-Id: <20201005195532.8674-3-sean.j.christopherson@intel.com>
[Modified to operate even if APICv is disabled, adjust documentation. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
parent 1b21c8db
...@@ -4735,37 +4735,37 @@ KVM_PV_VM_VERIFY ...@@ -4735,37 +4735,37 @@ KVM_PV_VM_VERIFY
struct kvm_msr_filter_range ranges[KVM_MSR_FILTER_MAX_RANGES]; struct kvm_msr_filter_range ranges[KVM_MSR_FILTER_MAX_RANGES];
}; };
flags values for struct kvm_msr_filter_range: flags values for ``struct kvm_msr_filter_range``:
KVM_MSR_FILTER_READ ``KVM_MSR_FILTER_READ``
Filter read accesses to MSRs using the given bitmap. A 0 in the bitmap Filter read accesses to MSRs using the given bitmap. A 0 in the bitmap
indicates that a read should immediately fail, while a 1 indicates that indicates that a read should immediately fail, while a 1 indicates that
a read for a particular MSR should be handled regardless of the default a read for a particular MSR should be handled regardless of the default
filter action. filter action.
KVM_MSR_FILTER_WRITE ``KVM_MSR_FILTER_WRITE``
Filter write accesses to MSRs using the given bitmap. A 0 in the bitmap Filter write accesses to MSRs using the given bitmap. A 0 in the bitmap
indicates that a write should immediately fail, while a 1 indicates that indicates that a write should immediately fail, while a 1 indicates that
a write for a particular MSR should be handled regardless of the default a write for a particular MSR should be handled regardless of the default
filter action. filter action.
KVM_MSR_FILTER_READ | KVM_MSR_FILTER_WRITE ``KVM_MSR_FILTER_READ | KVM_MSR_FILTER_WRITE``
Filter both read and write accesses to MSRs using the given bitmap. A 0 Filter both read and write accesses to MSRs using the given bitmap. A 0
in the bitmap indicates that both reads and writes should immediately fail, in the bitmap indicates that both reads and writes should immediately fail,
while a 1 indicates that reads and writes for a particular MSR are not while a 1 indicates that reads and writes for a particular MSR are not
filtered by this range. filtered by this range.
flags values for struct kvm_msr_filter: flags values for ``struct kvm_msr_filter``:
KVM_MSR_FILTER_DEFAULT_ALLOW ``KVM_MSR_FILTER_DEFAULT_ALLOW``
If no filter range matches an MSR index that is getting accessed, KVM will If no filter range matches an MSR index that is getting accessed, KVM will
fall back to allowing access to the MSR. fall back to allowing access to the MSR.
KVM_MSR_FILTER_DEFAULT_DENY ``KVM_MSR_FILTER_DEFAULT_DENY``
If no filter range matches an MSR index that is getting accessed, KVM will If no filter range matches an MSR index that is getting accessed, KVM will
fall back to rejecting access to the MSR. In this mode, all MSRs that should fall back to rejecting access to the MSR. In this mode, all MSRs that should
...@@ -4775,14 +4775,19 @@ This ioctl allows user space to define up to 16 bitmaps of MSR ranges to ...@@ -4775,14 +4775,19 @@ This ioctl allows user space to define up to 16 bitmaps of MSR ranges to
specify whether a certain MSR access should be explicitly filtered for or not. specify whether a certain MSR access should be explicitly filtered for or not.
If this ioctl has never been invoked, MSR accesses are not guarded and the If this ioctl has never been invoked, MSR accesses are not guarded and the
old KVM in-kernel emulation behavior is fully preserved. default KVM in-kernel emulation behavior is fully preserved.
As soon as the filtering is in place, every MSR access is processed through As soon as the filtering is in place, every MSR access is processed through
the filtering. If a bit is within one of the defined ranges, read and write the filtering except for accesses to the x2APIC MSRs (from 0x800 to 0x8ff);
x2APIC MSRs are always allowed, independent of the ``default_allow`` setting,
and their behavior depends on the ``X2APIC_ENABLE`` bit of the APIC base
register.
If a bit is within one of the defined ranges, read and write
accesses are guarded by the bitmap's value for the MSR index. If it is not accesses are guarded by the bitmap's value for the MSR index. If it is not
defined in any range, whether MSR access is rejected is determined by the flags defined in any range, whether MSR access is rejected is determined by the flags
field in the kvm_msr_filter struct: KVM_MSR_FILTER_DEFAULT_ALLOW and field in the kvm_msr_filter struct: ``KVM_MSR_FILTER_DEFAULT_ALLOW`` and
KVM_MSR_FILTER_DEFAULT_DENY. ``KVM_MSR_FILTER_DEFAULT_DENY``.
Calling this ioctl with an empty set of ranges (all nmsrs == 0) disables MSR Calling this ioctl with an empty set of ranges (all nmsrs == 0) disables MSR
filtering. In that mode, KVM_MSR_FILTER_DEFAULT_DENY no longer has any effect. filtering. In that mode, KVM_MSR_FILTER_DEFAULT_DENY no longer has any effect.
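Review bot: "x2APIC MSRs are always allowed, independent of the ``default_allow`` setting" overstates what the change does: the access bypasses the userspace filter, but it is still handled by KVM's in-kernel APIC emulation, whose outcome depends on whether x2APIC mode is enabled (the following clause says as much). Suggest "are never subject to userspace filtering" in place of "are always allowed". Two smaller points: a range that overlaps 0x800-0x8ff is now silently ignored rather than rejected by the ioctl, which is worth stating explicitly so users do not assume such a range is honoured; and ``KVM_MSR_FILTER_DEFAULT_DENY`` in the last line of this hunk is still unmarked while every other flag name in the section gained the ``...`` markup.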
...@@ -3782,28 +3782,41 @@ static u8 vmx_msr_bitmap_mode(struct kvm_vcpu *vcpu) ...@@ -3782,28 +3782,41 @@ static u8 vmx_msr_bitmap_mode(struct kvm_vcpu *vcpu)
return mode; return mode;
} }
static void vmx_update_msr_bitmap_x2apic(struct kvm_vcpu *vcpu, u8 mode) static void vmx_reset_x2apic_msrs(struct kvm_vcpu *vcpu, u8 mode)
{ {
unsigned long *msr_bitmap = to_vmx(vcpu)->vmcs01.msr_bitmap;
unsigned long read_intercept;
int msr; int msr;
for (msr = 0x800; msr <= 0x8ff; msr++) { read_intercept = (mode & MSR_BITMAP_MODE_X2APIC_APICV) ? 0 : ~0;
bool apicv = !!(mode & MSR_BITMAP_MODE_X2APIC_APICV);
for (msr = 0x800; msr <= 0x8ff; msr += BITS_PER_LONG) {
unsigned int read_idx = msr / BITS_PER_LONG;
unsigned int write_idx = read_idx + (0x800 / sizeof(long));
vmx_set_intercept_for_msr(vcpu, msr, MSR_TYPE_R, !apicv); msr_bitmap[read_idx] = read_intercept;
vmx_set_intercept_for_msr(vcpu, msr, MSR_TYPE_W, true); msr_bitmap[write_idx] = ~0ul;
} }
}
if (mode & MSR_BITMAP_MODE_X2APIC) { static void vmx_update_msr_bitmap_x2apic(struct kvm_vcpu *vcpu, u8 mode)
/* {
* TPR reads and writes can be virtualized even if virtual interrupt if (!cpu_has_vmx_msr_bitmap())
* delivery is not in use. return;
*/
vmx_disable_intercept_for_msr(vcpu, X2APIC_MSR(APIC_TASKPRI), MSR_TYPE_RW); vmx_reset_x2apic_msrs(vcpu, mode);
if (mode & MSR_BITMAP_MODE_X2APIC_APICV) {
vmx_enable_intercept_for_msr(vcpu, X2APIC_MSR(APIC_TMCCT), MSR_TYPE_RW); /*
vmx_disable_intercept_for_msr(vcpu, X2APIC_MSR(APIC_EOI), MSR_TYPE_W); * TPR reads and writes can be virtualized even if virtual interrupt
vmx_disable_intercept_for_msr(vcpu, X2APIC_MSR(APIC_SELF_IPI), MSR_TYPE_W); * delivery is not in use.
} */
vmx_set_intercept_for_msr(vcpu, X2APIC_MSR(APIC_TASKPRI), MSR_TYPE_RW,
!(mode & MSR_BITMAP_MODE_X2APIC));
if (mode & MSR_BITMAP_MODE_X2APIC_APICV) {
vmx_enable_intercept_for_msr(vcpu, X2APIC_MSR(APIC_TMCCT), MSR_TYPE_RW);
vmx_disable_intercept_for_msr(vcpu, X2APIC_MSR(APIC_EOI), MSR_TYPE_W);
vmx_disable_intercept_for_msr(vcpu, X2APIC_MSR(APIC_SELF_IPI), MSR_TYPE_W);
} }
} }
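Review bot: vmx_reset_x2apic_msrs() writes vmcs01.msr_bitmap directly, bypassing vmx_set_intercept_for_msr(), but the TPR/TMCCT/EOI/SELF_IPI calls that follow in vmx_update_msr_bitmap_x2apic() still go through the helpers and therefore depend on the kvm_msr_allowed() exemption for 0x800-0x8ff in the x86.c hunk for the filter not to re-intercept them; a one-line comment above those calls would make that dependency explicit. Minor style: `read_intercept` is assigned `~0` while the write bitmap uses `~0ul`; use `~0ul` for both so the read fill does not rely on sign extension from int. The index arithmetic checks out: 0x800 is a multiple of BITS_PER_LONG, the x2APIC range lies in the low-MSR read bitmap, and the low-MSR write bitmap starts 0x800 bytes later, which is what `read_idx + (0x800 / sizeof(long))` encodes.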
...@@ -1497,8 +1497,8 @@ bool kvm_msr_allowed(struct kvm_vcpu *vcpu, u32 index, u32 type) ...@@ -1497,8 +1497,8 @@ bool kvm_msr_allowed(struct kvm_vcpu *vcpu, u32 index, u32 type)
bool r = kvm->arch.msr_filter.default_allow; bool r = kvm->arch.msr_filter.default_allow;
int idx; int idx;
/* MSR filtering not set up, allow everything */ /* MSR filtering not set up or x2APIC enabled, allow everything */
if (!count) if (!count || (index >= 0x800 && index <= 0x8ff))
return true; return true;
/* Prevent collision with set_msr_filter */ /* Prevent collision with set_msr_filter */
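Review bot: The updated comment "MSR filtering not set up or x2APIC enabled" does not describe the condition: `index >= 0x800 && index <= 0x8ff` tests whether the index is an x2APIC MSR, not whether x2APIC is enabled, so "or index is an x2APIC MSR" would be accurate. The same 0x800/0x8ff literals now appear both here and in vmx_reset_x2apic_msrs(); a shared helper (for example an is_x2apic_msr(index) wrapper around the range check) would keep the two definitions of the exempted range from drifting apart.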