From: Michael Roth
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Eduardo Habkost, Konrad Rzeszutek Wilk
Date: Mon, 23 Jul 2018 15:16:52 -0500
Subject: [Qemu-devel] [PATCH 43/99] i386: Define the Virt SSBD MSR and handling of it (CVE-2018-3639)
Message-Id: <20180723201748.25573-44-mdroth@linux.vnet.ibm.com>
In-Reply-To: <20180723201748.25573-1-mdroth@linux.vnet.ibm.com>
References: <20180723201748.25573-1-mdroth@linux.vnet.ibm.com>

From: Konrad Rzeszutek Wilk

"Some AMD processors only support a non-architectural means of enabling
speculative store bypass disable (SSBD). To allow a simplified view of
this to a guest, an architectural definition has been created through a
new CPUID bit, 0x80000008_EBX[25], and a new MSR, 0xc001011f. With this,
a hypervisor can virtualize the existence of this definition and provide
an architectural method for using SSBD to a guest. Add the new CPUID
feature, the new MSR and update the existing SSBD support to use this MSR
when present." (from x86/speculation: Add virtualized speculative store
bypass disable support in Linux).

Signed-off-by: Konrad Rzeszutek Wilk
Reviewed-by: Daniel P. Berrangé
Signed-off-by: Daniel P. Berrangé
Message-Id: <20180521215424.13520-4-berrange@redhat.com>
Signed-off-by: Eduardo Habkost
(cherry picked from commit cfeea0c021db6234c154dbc723730e81553924ff)
Signed-off-by: Michael Roth --- target/i386/cpu.h | 2 ++ target/i386/kvm.c | 16 ++++++++++++++-- target/i386/machine.c | 20 ++++++++++++++++++++ 3 files changed, 36 insertions(+), 2 deletions(-) diff --git a/target/i386/cpu.h b/target/i386/cpu.h index 970ab96e54..75e821cefe 100644 --- a/target/i386/cpu.h +++ b/target/i386/cpu.h @@ -351,6 +351,7 @@ typedef enum X86Seg { #define MSR_IA32_FEATURE_CONTROL 0x0000003a #define MSR_TSC_ADJUST 0x0000003b #define MSR_IA32_SPEC_CTRL 0x48 +#define MSR_VIRT_SSBD 0xc001011f #define MSR_IA32_TSCDEADLINE 0x6e0 =20 #define FEATURE_CONTROL_LOCKED (1<<0) @@ -1150,6 +1151,7 @@ typedef struct CPUX86State { uint32_t pkru; =20 uint64_t spec_ctrl; + uint64_t virt_ssbd; =20 /* End of state preserved by INIT (dummy marker). */ struct {} end_init_save; diff --git a/target/i386/kvm.c b/target/i386/kvm.c index 6c49954e68..19e6aa320d 100644 --- a/target/i386/kvm.c +++ b/target/i386/kvm.c @@ -92,6 +92,7 @@ static bool has_msr_hv_stimer; static bool has_msr_hv_frequencies; static bool has_msr_xss; static bool has_msr_spec_ctrl; +static bool has_msr_virt_ssbd; static bool has_msr_smi_count; =20 static uint32_t has_architectural_pmu_version; @@ -1218,6 +1219,9 @@ static int kvm_get_supported_msrs(KVMState *s) case MSR_IA32_SPEC_CTRL: has_msr_spec_ctrl =3D true; break; + case MSR_VIRT_SSBD: + has_msr_virt_ssbd =3D true; + break; } } } @@ -1706,6 +1710,10 @@ static int kvm_put_msrs(X86CPU *cpu, int level) if (has_msr_spec_ctrl) { kvm_msr_entry_add(cpu, MSR_IA32_SPEC_CTRL, env->spec_ctrl); } + if (has_msr_virt_ssbd) { + kvm_msr_entry_add(cpu, MSR_VIRT_SSBD, env->virt_ssbd); + } + #ifdef TARGET_X86_64 if (lm_capable_kernel) { kvm_msr_entry_add(cpu, MSR_CSTAR, env->cstar); 
@@ -2077,8 +2085,9 @@ static int kvm_get_msrs(X86CPU *cpu) if (has_msr_spec_ctrl) { kvm_msr_entry_add(cpu, MSR_IA32_SPEC_CTRL, 0); } - - + if (has_msr_virt_ssbd) { + kvm_msr_entry_add(cpu, MSR_VIRT_SSBD, 0); + } if (!env->tsc_valid) { kvm_msr_entry_add(cpu, MSR_IA32_TSC, 0); env->tsc_valid =3D !runstate_is_running(); @@ -2444,6 +2453,9 @@ static int kvm_get_msrs(X86CPU *cpu) case MSR_IA32_SPEC_CTRL: env->spec_ctrl =3D msrs[i].data; break; + case MSR_VIRT_SSBD: + env->virt_ssbd =3D msrs[i].data; + break; case MSR_IA32_RTIT_CTL: env->msr_rtit_ctrl =3D msrs[i].data; break; diff --git a/target/i386/machine.c b/target/i386/machine.c index bd2d82e91b..f0a835c292 100644 --- a/target/i386/machine.c +++ b/target/i386/machine.c @@ -893,6 +893,25 @@ static const VMStateDescription vmstate_msr_intel_pt = =3D { } }; =20 +static bool virt_ssbd_needed(void *opaque) +{ + X86CPU *cpu =3D opaque; + CPUX86State *env =3D &cpu->env; + + return env->virt_ssbd !=3D 0; +} + +static const VMStateDescription vmstate_msr_virt_ssbd =3D { + .name =3D "cpu/virt_ssbd", + .version_id =3D 1, + .minimum_version_id =3D 1, + .needed =3D virt_ssbd_needed, + .fields =3D (VMStateField[]){ + VMSTATE_UINT64(env.virt_ssbd, X86CPU), + VMSTATE_END_OF_LIST() + } +}; + VMStateDescription vmstate_x86_cpu =3D { .name =3D "cpu", .version_id =3D 12, @@ -1015,6 +1034,7 @@ VMStateDescription vmstate_x86_cpu =3D { &vmstate_spec_ctrl, &vmstate_mcg_ext_ctl, &vmstate_msr_intel_pt, + &vmstate_msr_virt_ssbd, NULL } }; --=20 2.17.1
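
Review bot: In target/i386/cpu.h (hunk at -351), MSR_VIRT_SSBD 0xc001011f is inserted between MSR_IA32_SPEC_CTRL 0x48 and MSR_IA32_TSCDEADLINE 0x6e0, which breaks the ascending order of the neighbouring definitions and hides that this is an AMD-defined MSR sitting in the middle of IA32 ones. Move the define out of that run and give it a one-line comment tying it to CPUID 0x80000008_EBX[25], as the commit message does. The same applies to the new uint64_t virt_ssbd field in CPUX86State: it is added just above the "End of state preserved by INIT" marker with no comment saying what it holds or that it is meant to survive INIT alongside spec_ctrl.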
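
Review bot: In target/i386/kvm.c, has_msr_virt_ssbd is set in kvm_get_supported_msrs() purely from the host's MSR list, and kvm_put_msrs() / kvm_get_msrs() then save and restore MSR_VIRT_SSBD whenever the host offers it, with no check that the guest CPU model actually exposes the feature. The commit message quotes "Add the new CPUID feature", yet nothing in this diff touches CPUID, so a reader cannot tell from this patch how the guest learns the MSR exists. Say in the commit message which patch adds the CPUID bit, and consider whether the MSR sync should depend on that guest feature rather than on host support alone. Minor: the kvm_get_msrs() hunk at -2077 drops both blank lines, so the new block runs straight into if (!env->tsc_valid), while the kvm_put_msrs() hunk leaves a blank line after its block.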
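
Review bot: In target/i386/machine.c, the cpu/virt_ssbd subsection is sent whenever env->virt_ssbd != 0, but nothing on the load side checks that the destination can apply it. kvm_put_msrs() only writes the value under if (has_msr_virt_ssbd), so on a destination whose KVM does not list MSR_VIRT_SSBD the field is loaded into env and then silently never written, and a guest that had enabled SSBD for CVE-2018-3639 would keep running without it. If a CPUID feature check elsewhere is relied on to refuse such a migration, state that in a comment above virt_ssbd_needed(); otherwise add a check (for example a post_load hook) that fails or warns when a non-zero value arrives and the MSR is unavailable.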