[RFC PATCH 0/9] Intel SPEC CTRL virtualization support

From: Zhang Chen
Date: Sat Dec 10 2022 - 11:19:12 EST


This series introduces "virtual IA32_SPEC_CTRL" support. Below is an
introduction to this new feature and its use cases.

### Virtual IA32_SPEC_CTRL

Virtual IA32_SPEC_CTRL [1] is a new VMX feature on Intel CPUs.
This feature allows the VMM to fix some bits of the IA32_SPEC_CTRL MSR even
when the MSR is passed through to a guest.


### Use cases of virtual IA32_SPEC_CTRL

Software mitigations like Retpoline and the software BHB-clearing sequence
depend on the CPU microarchitecture, and a guest cannot know exactly
which microarchitecture it is running on. When a guest is migrated between
processors of different microarchitectures, software mitigations which
work perfectly on the previous microarchitecture may not be effective on the
new one. To fix the problem, some hardware mitigations should be used in
conjunction with software mitigations. Using virtual IA32_SPEC_CTRL, the
VMM can enforce hardware mitigations transparently to guests and avoid
those hardware mitigations being accidentally disabled when the guest
changes the IA32_SPEC_CTRL MSR.


### Intention of this series

This series adds to KVM the capability of enforcing hardware mitigations for
guests transparently and efficiently (i.e., without intercepting
IA32_SPEC_CTRL MSR accesses). The capability can be used to solve
the VM migration issue in a pool consisting of processors of different
microarchitectures.

Specifically, below are two target scenarios of this series:

Scenario 1: If retpoline is used by a VM to mitigate IMBTI in CPL0, the VMM
can set RRSBA_DIS_S on parts that enumerate RRSBA. Note that
the VM is presented with a microarchitecture that doesn't enumerate
RRSBA.

Scenario 2: If a VM uses a software BHB-clearing sequence on transitions
into CPL0 to mitigate BHI, the VMM can use "virtual
IA32_SPEC_CTRL" to set BHI_DIS_S on newer
hardware which doesn't enumerate BHI_NO.

Intel defines some virtual MSRs for guests to notify the VMM of the software
mitigations in use. Such information allows the VMM to enable hardware
mitigations only when necessary (i.e., when a VM cares about the vulnerability
and is using a software mitigation), minimizing the performance impact
on other VMs. Support for these virtual MSRs is also added in this series.
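The following is an added illustration, not code from this series or from KVM,
of the two ideas above: the VMM decides which IA32_SPEC_CTRL bits to pin
based on what the host enumerates and what the guest reports via the virtual
mitigation MSRs (Scenarios 1 and 2), and a pinned bit survives any guest
write while the guest still reads back its own value. The bit positions are
the architectural ones; the struct fields, the function names and the exact
mask/shadow semantics (pinned bits always take the VMM's value in hardware,
RDMSR returns the guest's last write) are modelling assumptions made here.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* IA32_SPEC_CTRL bit positions as defined by Intel (see msr-index.h). */
#define SPEC_CTRL_IBRS        (1ULL << 0)
#define SPEC_CTRL_STIBP       (1ULL << 1)
#define SPEC_CTRL_RRSBA_DIS_S (1ULL << 6)
#define SPEC_CTRL_BHI_DIS_S   (1ULL << 10)

/*
 * Hypothetical summary of one host/guest pair. In the real series this
 * comes from CPUID/ARCH_CAPABILITIES and from the guest's writes to the
 * virtual mitigation MSRs; the field names here are invented.
 */
struct mitigation_state {
    bool host_enumerates_rrsba;   /* host CPU has RRSBA behaviour */
    bool host_enumerates_bhi_no;  /* host CPU reports BHI_NO */
    bool guest_uses_retpoline;    /* guest reports retpoline in CPL0 */
    bool guest_uses_bhb_clear;    /* guest reports a BHB-clearing sequence */
};

/* Which IA32_SPEC_CTRL bits the VMM pins to 1, per the two scenarios. */
static uint64_t vmm_enforced_bits(const struct mitigation_state *s)
{
    uint64_t bits = 0;

    /* Scenario 1: retpoline needs RRSBA_DIS_S on parts with RRSBA. */
    if (s->guest_uses_retpoline && s->host_enumerates_rrsba)
        bits |= SPEC_CTRL_RRSBA_DIS_S;

    /* Scenario 2: BHB clearing needs BHI_DIS_S where BHI_NO is absent. */
    if (s->guest_uses_bhb_clear && !s->host_enumerates_bhi_no)
        bits |= SPEC_CTRL_BHI_DIS_S;

    return bits;
}

/*
 * Model of a pass-through IA32_SPEC_CTRL with VMM-fixed bits. Assumed
 * semantics (a modelling assumption): bits in 'mask' always take the
 * value in 'fixed' in hardware; the guest reads back its last write.
 */
struct vspec_ctrl {
    uint64_t mask;    /* bits the VMM fixes */
    uint64_t fixed;   /* their value in hardware */
    uint64_t shadow;  /* guest-visible value */
    uint64_t hw;      /* value actually loaded in the MSR */
};

static void vspec_ctrl_init(struct vspec_ctrl *v, uint64_t enforced)
{
    v->mask = enforced;
    v->fixed = enforced;
    v->shadow = 0;
    v->hw = enforced;
}

/* Guest WRMSR: remember the guest's value, keep fixed bits in hardware. */
static void guest_wrmsr_spec_ctrl(struct vspec_ctrl *v, uint64_t val)
{
    v->shadow = val;
    v->hw = (val & ~v->mask) | (v->fixed & v->mask);
}

/* Guest RDMSR: the guest sees what it wrote, not the enforced bits. */
static uint64_t guest_rdmsr_spec_ctrl(const struct vspec_ctrl *v)
{
    return v->shadow;
}

/* Hardware value after the VMM pins 'enforced' and the guest writes 'val'. */
static uint64_t hw_after_guest_write(uint64_t enforced, uint64_t val)
{
    struct vspec_ctrl v;

    vspec_ctrl_init(&v, enforced);
    guest_wrmsr_spec_ctrl(&v, val);
    return v.hw;
}

int main(void)
{
    struct mitigation_state s = {
        .host_enumerates_rrsba = true, .host_enumerates_bhi_no = false,
        .guest_uses_retpoline = true, .guest_uses_bhb_clear = true,
    };
    uint64_t enforced = vmm_enforced_bits(&s);
    struct vspec_ctrl v;

    vspec_ctrl_init(&v, enforced);
    guest_wrmsr_spec_ctrl(&v, 0);   /* guest disables everything it knows */
    printf("enforced 0x%llx, guest sees 0x%llx, hardware has 0x%llx\n",
           (unsigned long long)enforced,
           (unsigned long long)guest_rdmsr_spec_ctrl(&v),
           (unsigned long long)v.hw);
    return 0;
}
```

Running it shows the point of the feature: after the guest writes 0 the
guest-visible value is 0, yet RRSBA_DIS_S and BHI_DIS_S remain set in the
hardware register, without any MSR intercept being modelled.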

### Organization of this series

This series is developed based on v6.1-rc7 (commit ef4d3ea40565a781c25847e9cb96c1bd9f462bc6).

1. Patch 1 introduces the Intel SPEC_CTRL BHI related definitions.
2. Patches 2/3 advertise {RRSBA/BHI}_CTRL for the retpoline/BHB-clearing
sequence mitigations in KVM.
3. Patch 4 introduces Intel virtual IA32_SPEC_CTRL.
4. Patches 5-7 virtualize a set of virtual MSRs for guests to communicate
the software mitigations in use.
5. Patches 8-9 enable the "virtual IA32_SPEC_CTRL" VMX feature with virtual
MSR support in KVM.

### Documentation

Refer to the link below for more information:
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/branch-history-injection.html



Pawan Gupta (1):
x86/bugs: Use Virtual MSRs to request hardware mitigations

Zhang Chen (8):
x86/speculation: Introduce Intel SPEC_CTRL BHI related definition
KVM: x86: Add a kvm-only leaf for RRSBA_CTRL
KVM: x86: Add a kvm-only leaf for BHI_CTRL
x86/kvm/vmx: Virtualize Intel IA32_SPEC_CTRL
kvm/x86: Add ARCH_CAP_VIRTUAL_ENUM for guest MSR_IA32_ARCH_CAPABILITIES
kvm/x86: Add MSR_VIRTUAL_MITIGATION_ENUM/CTRL emulation
x86/kvm/vmx: Initialize SPEC_CTRL MASK for RRSBA
x86/kvm/vmx: Initialize SPEC_CTRL MASK for BHI

arch/x86/include/asm/msr-index.h | 29 +++++++
arch/x86/include/asm/vmx.h | 5 ++
arch/x86/include/asm/vmxfeatures.h | 2 +
arch/x86/kernel/cpu/bugs.c | 24 ++++++
arch/x86/kvm/cpuid.c | 4 +
arch/x86/kvm/reverse_cpuid.h | 9 ++
arch/x86/kvm/vmx/capabilities.h | 5 ++
arch/x86/kvm/vmx/vmx.c | 109 ++++++++++++++++++++++++-
arch/x86/kvm/vmx/vmx.h | 27 +++++-
arch/x86/kvm/x86.c | 23 +++++-
tools/arch/x86/include/asm/msr-index.h | 6 ++
11 files changed, 238 insertions(+), 5 deletions(-)

--
2.25.1