linux/arch/x86
Sean Christopherson 66155de93b KVM: x86: Disallow read-only memslots for SEV-ES and SEV-SNP (and TDX)
Disallow read-only memslots for SEV-{ES,SNP} VM types, as KVM can't
directly emulate instructions for ES/SNP, and instead the guest must
explicitly request emulation.  Unless the guest explicitly requests
emulation without accessing memory, ES/SNP relies on KVM creating an MMIO
SPTE, with the subsequent #NPF being reflected into the guest as a #VC.

But for read-only memslots, KVM deliberately doesn't create MMIO SPTEs,
because except for ES/SNP, doing so requires setting reserved bits in the
SPTE, i.e. the SPTE can't be readable while also generating a #VC on
writes.  Because KVM never creates MMIO SPTEs and jumps directly to
emulation, the guest never gets a #VC.  And since KVM simply resumes the
guest if ES/SNP guests trigger emulation, KVM effectively puts the vCPU
into an infinite #NPF loop if the vCPU attempts to write read-only memory.

Disallow read-only memory for all VMs with protected state, i.e. for
upcoming TDX VMs as well as ES/SNP VMs.  For TDX, it's actually possible
to support read-only memory, as TDX uses EPT Violation #VE to reflect the
fault into the guest, e.g. KVM could configure read-only SPTEs with RX
protections and SUPPRESS_VE=0.  But there is no strong use case for
supporting read-only memslots on TDX, e.g. the main historical usage is
to emulate option ROMs, but TDX disallows executing from shared memory.
And if someone comes along with a legitimate, strong use case, the
restriction can always be lifted for TDX.

Don't bother trying to retroactively apply the restriction to SEV-ES
VMs that are created as type KVM_X86_DEFAULT_VM.  Read-only memslots can't
possibly work for SEV-ES, i.e. disallowing such memslots is really just
means reporting an error to userspace instead of silently hanging vCPUs.
Trying to deal with the ordering between KVM_SEV_INIT and memslot creation
isn't worth the marginal benefit it would provide userspace.

Fixes: 26c44aa9e0 ("KVM: SEV: define VM types for SEV and SEV-ES")
Fixes: 1dfe571c12 ("KVM: SEV: Add initial SEV-SNP support")
Cc: Peter Gonda <pgonda@google.com>
Cc: Michael Roth <michael.roth@amd.com>
Cc: Vishal Annapurve <vannapurve@google.com>
Cc: Ackerly Tng <ackerleytng@google.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20240809190319.1710470-2-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2024-08-14 12:28:24 -04:00
..
boot Kbuild updates for v6.11 2024-07-23 14:32:21 -07:00
coco x86/sev: Fix __reserved field in sev_config 2024-07-30 10:07:26 +02:00
configs hardening: Enable KCFI and some other options 2024-05-01 12:38:14 -07:00
crypto crypto: x86/aes-gcm - rewrite the AES-NI optimized AES-GCM 2024-06-07 19:47:58 +08:00
entry uretprobe: change syscall number, again 2024-08-02 15:18:49 +02:00
events perf/x86: Fix smp_processor_id()-in-preemptible warnings 2024-07-31 12:57:39 +02:00
hyperv x86/mm: Make x86_platform.guest.enc_status_change_*() return an error 2024-06-17 17:45:53 +02:00
ia32
include KVM: x86: Disallow read-only memslots for SEV-ES and SEV-SNP (and TDX) 2024-08-14 12:28:24 -04:00
kernel x86/mtrr: Check if fixed MTRRs exist before saving them 2024-08-08 17:03:12 +02:00
kvm KVM: x86: Make x2APIC ID 100% readonly 2024-08-13 12:01:46 -04:00
lib x86/uaccess: Zero the 8-byte get_range case on failure on 32-bit 2024-08-01 21:19:10 +02:00
math-emu x86/math-emu: Fix function cast warnings 2024-04-08 16:06:22 +02:00
mm x86/mm: Fix PTI for i386 some more 2024-08-07 15:35:01 +02:00
net bpf: remove unused parameter in bpf_jit_binary_pack_finalize 2024-06-20 19:50:26 -07:00
pci - Flip the logic to add feature names to /proc/cpuinfo to having to 2024-07-15 20:25:16 -07:00
platform xen: branch for v6.11-rc1a 2024-07-27 09:58:24 -07:00
power - Kuan-Wei Chiu has developed the well-named series "lib min_heap: Min 2024-03-14 18:03:09 -07:00
purgatory Kbuild updates for v6.10 2024-05-18 12:39:20 -07:00
ras
realmode Makefile: remove redundant tool coverage variables 2024-05-14 23:35:48 +09:00
tools Changes: 2024-05-19 11:32:42 -07:00
um This pull request contains the following changes for UML: 2024-07-25 12:33:08 -07:00
video arch: Fix name collision with ACPI's video.o 2024-05-20 21:17:06 +00:00
virt - Add support for running the kernel in a SEV-SNP guest, over a Secure 2024-07-16 11:12:25 -07:00
xen xen: branch for v6.11-rc1a 2024-07-27 09:58:24 -07:00
.gitignore
Kbuild x86/build: Use obj-y to descend into arch/x86/virt/ 2024-03-30 10:41:49 +01:00
Kconfig Random number generator updates for Linux 6.11-rc1. 2024-07-24 10:29:50 -07:00
Kconfig.assembler x86/kconfig: Add as-instr64 macro to properly evaluate AS_WRUSS 2024-06-20 19:48:18 +02:00
Kconfig.cpu x86/Kconfig: Transmeta Crusoe is CPU family 5, not 6 2024-02-09 16:28:19 +01:00
Kconfig.debug x86/kconfig: Select ARCH_WANT_FRAME_POINTERS again when UNWINDER_FRAME_POINTER=y 2024-05-20 11:37:23 +02:00
Makefile - A series ("kbuild: enable more warnings by default") from Arnd 2024-05-22 18:59:29 -07:00
Makefile_32.cpu
Makefile.postlink kbuild: remove ARCH_POSTLINK from module builds 2023-10-28 21:10:08 +09:00
Makefile.um arch: um: rust: Use the generated target.json again 2024-07-03 12:22:11 +02:00