Date: Fri, 5 Aug 2022 19:41:33 +0000
Message-Id: <20220805194133.86299-1-seanjc@google.com>
Subject: [PATCH v2] KVM: x86/mmu: Add sanity check that MMIO SPTE mask doesn't overlap gen
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Kai Huang
X-Mailing-List: linux-kernel@vger.kernel.org

Add compile-time and init-time sanity checks to ensure that the MMIO SPTE
mask doesn't overlap the MMIO SPTE generation or the MMU-present bit.

The generation currently avoids using bit 63, but that's as much
coincidence as it is strictly necessary. That will change in the future,
as TDX support will require setting bit 63 (SUPPRESS_VE) in the mask.

Explicitly carve out the bits that are allowed in the mask so that any
future shuffling of SPTE bits doesn't silently break MMIO caching (KVM has
broken MMIO caching more than once due to overlapping the generation with
other things).

Suggested-by: Kai Huang
Signed-off-by: Sean Christopherson Reviewed-by: Kai Huang --- Kai, I didn't included your review since I pretty much rewrote the entire comment. v2: Prevent overlap with SPTE_MMU_PRESENT_MASK v1: https://lore.kernel.org/all/20220803213354.951376-1-seanjc@google.com arch/x86/kvm/mmu/spte.c | 8 ++++++++ arch/x86/kvm/mmu/spte.h | 14 ++++++++++++++ 2 files changed, 22 insertions(+) diff --git a/arch/x86/kvm/mmu/spte.c b/arch/x86/kvm/mmu/spte.c index 7314d27d57a4..08e8c46f3037 100644 --- a/arch/x86/kvm/mmu/spte.c +++ b/arch/x86/kvm/mmu/spte.c @@ -343,6 +343,14 @@ void kvm_mmu_set_mmio_spte_mask(u64 mmio_value, u64 mm= io_mask, u64 access_mask) if (!enable_mmio_caching) mmio_value =3D 0; =20 + /* + * The mask must contain only bits that are carved out specifically for + * the MMIO SPTE mask, e.g. to ensure there's no overlap with the MMIO + * generation. + */ + if (WARN_ON(mmio_mask & ~SPTE_MMIO_ALLOWED_MASK)) + mmio_value =3D 0; + /* * Disable MMIO caching if the MMIO value collides with the bits that * are used to hold the relocated GFN when the L1TF mitigation is diff --git a/arch/x86/kvm/mmu/spte.h b/arch/x86/kvm/mmu/spte.h index cabe3fbb4f39..10f16421e876 100644 --- a/arch/x86/kvm/mmu/spte.h +++ b/arch/x86/kvm/mmu/spte.h 
@@ -125,6 +125,20 @@ static_assert(!(EPT_SPTE_MMU_WRITABLE & SHADOW_ACC_TRA= CK_SAVED_MASK)); static_assert(!(SPTE_MMU_PRESENT_MASK & (MMIO_SPTE_GEN_LOW_MASK | MMIO_SPTE_GEN_HIGH_MASK))); =20 +/* + * The SPTE MMIO mask must NOT overlap the MMIO generation bits or the + * MMU-present bit. The generation obviously co-exists with the magic MMIO + * mask/value, and MMIO SPTEs are considered !MMU-present. + * + * The SPTE MMIO mask is allowed to use hardware "present" bits (i.e. all = EPT + * RWX bits), all physical address bits (legal PA bits are used for "fast"= MMIO + * and so they're off-limits for generation; additional checks ensure the = mask + * doesn't overlap legal PA bits), and bit 63 (carved out for future usage= ). + */ +#define SPTE_MMIO_ALLOWED_MASK (BIT_ULL(63) | GENMASK_ULL(51, 12) | GENMAS= K_ULL(2, 0)) +static_assert(!(SPTE_MMIO_ALLOWED_MASK & + (SPTE_MMU_PRESENT_MASK | MMIO_SPTE_GEN_LOW_MASK | MMIO_SPTE_GEN_HIGH_MAS= K))); + #define MMIO_SPTE_GEN_LOW_BITS (MMIO_SPTE_GEN_LOW_END - MMIO_SPTE_GEN_LOW= _START + 1) #define MMIO_SPTE_GEN_HIGH_BITS (MMIO_SPTE_GEN_HIGH_END - MMIO_SPTE_GEN_H= IGH_START + 1) =20 base-commit: 93472b79715378a2386598d6632c654a2223267b --=20 2.37.1.559.g78731f0fdb-goog
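Review bot: In the arch/x86/kvm/mmu/spte.c hunk, the new WARN_ON in kvm_mmu_set_mmio_spte_mask() tests only mmio_mask against SPTE_MMIO_ALLOWED_MASK, so mmio_value is constrained only if it is already guaranteed to be a subset of mmio_mask. If that guarantee is enforced outside the visible context, the comment should say so; otherwise consider testing `(mmio_mask | mmio_value) & ~SPTE_MMIO_ALLOWED_MASK`. The comment could also state that zeroing mmio_value is the same "MMIO caching disabled" fallback used by the `!enable_mmio_caching` branch just above, so the consequence of tripping the warning is clear to whoever hits it.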
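Review bot: In the arch/x86/kvm/mmu/spte.h hunk, SPTE_MMIO_ALLOWED_MASK is assembled from bare literals (`BIT_ULL(63) | GENMASK_ULL(51, 12) | GENMASK_ULL(2, 0)`) and the reader has to map each term back to the comment's "bit 63", "physical address bits" and "EPT RWX bits" by hand. Annotating each term, or splitting the define across lines with one trailing comment per term, would make a later reshuffle of SPTE bits easier to audit. The comment also describes bit 63 only as "carved out for future usage", while the commit message names the actual reason (TDX setting SUPPRESS_VE in the mask); putting that in the comment keeps the rationale next to the code. The static_assert covers only SPTE_MMU_PRESENT_MASK and the two generation masks, which matches the stated goal, but it is worth noting in the comment that overlap with legal PA bits is left to the runtime checks it mentions.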