Re: [PATCH v2 12/25] KVM: x86/mmu: cleanup computation of MMU roles for two-dimensional paging

From: Sean Christopherson
Date: Tue Mar 08 2022 - 13:38:45 EST

Next message: Carlos Bilbao: "[PATCH] x86/mce: Unify vendors grading logic and provide AMD machine error checks"
Previous message: Christian Borntraeger: "Re: [PATCH RESEND v2 0/5] memop selftest for storage key checking"
In reply to: Sean Christopherson: "Re: [PATCH v2 12/25] KVM: x86/mmu: cleanup computation of MMU roles for two-dimensional paging"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Mar 08, 2022, Sean Christopherson wrote:
> On Mon, Feb 21, 2022, Paolo Bonzini wrote:
> > Inline kvm_calc_mmu_role_common into its sole caller, and simplify it
> > by removing the computation of unnecessary bits.
> >
> > Extended bits are unnecessary because page walking uses the CPU mode,
> > and EFER.NX/CR0.WP can be set to one unconditionally---matching the
> > format of shadow pages rather than the format of guest pages.
>
> But they don't match the format of shadow pages. EPT has an equivalent to NX in
> that KVM can always clear X, but KVM explicitly supports running with EPT and
> EFER.NX=0 in the host (32-bit non-PAE kernels).

Oof, digging into this made me realize we probably have yet another bug in the
handling of the NX hugepages workaround. Unless I'm overlooking something, NX is
treated as reserved for NPT shadow pages and would cause WARN spam if someone
enabled the mitigation on AMD CPUs.

Untested... If this is needed, it also means I didn't properly test commit
b26a71a1a5b9 ("KVM: SVM: Refuse to load kvm_amd if NX support is not available").

:-(

From: Sean Christopherson <seanjc@xxxxxxxxxx>
Date: Tue, 8 Mar 2022 10:31:27 -0800
Subject: [PATCH] KVM: x86/mmu: Don't treat NX as reserved for NPT MMUs

Mark the NX bit as allowed for NPT shadow pages. KVM doesn't use NX in
"normal" operation as KVM doesn't honor userspace execute-protection
settings, but KVM allows userspace to enable the NX hugepages mitigation
on AMD CPUs, despite no known AMD CPUs being affected by the iTLB
multi-hit erratum.

Fixes: b8e8c8303ff2 ("kvm: mmu: ITLB_MULTIHIT mitigation")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Sean Christopherson <seanjc@xxxxxxxxxx>
---
arch/x86/kvm/mmu/mmu.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
index 47a2c5f3044d..9c79a0927a48 100644
--- a/arch/x86/kvm/mmu/mmu.c
+++ b/arch/x86/kvm/mmu/mmu.c
@@ -4461,13 +4461,17 @@ static inline bool boot_cpu_is_amd(void)
return shadow_x_mask == 0;
}

-/*
- * the direct page table on host, use as much mmu features as
- * possible, however, kvm currently does not do execution-protection.
- */
static void
reset_tdp_shadow_zero_bits_mask(struct kvm_mmu *context)
{
+ /*
+ * KVM doesn't honor execute-protection from the host page tables, but
+ * NX is required and potentially used at any time by KVM for NPT, as
+ * the NX hugepages iTLB multi-hit mitigation is supported for any CPU
+ * despite no known AMD (and derivative) CPUs being affected by erratum.
+ */
+ bool efer_nx = true;
+
struct rsvd_bits_validate *shadow_zero_check;
int i;

@@ -4475,7 +4479,7 @@ reset_tdp_shadow_zero_bits_mask(struct kvm_mmu *context)

if (boot_cpu_is_amd())
__reset_rsvds_bits_mask(shadow_zero_check, reserved_hpa_bits(),
- context->shadow_root_level, false,
+ context->shadow_root_level, efer_nx,
boot_cpu_has(X86_FEATURE_GBPAGES),
false, true);
else

base-commit: 2a809a65d88e7e071dc6ef4a6be8416d25885efe
--

Next message: Carlos Bilbao: "[PATCH] x86/mce: Unify vendors grading logic and provide AMD machine error checks"
Previous message: Christian Borntraeger: "Re: [PATCH RESEND v2 0/5] memop selftest for storage key checking"
In reply to: Sean Christopherson: "Re: [PATCH v2 12/25] KVM: x86/mmu: cleanup computation of MMU roles for two-dimensional paging"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]