Fix couple of interrelated issues:
o KVM currently allows userspace to access MSRs even after the VMSA is
encrypted. This can result into issues if MSR update has side effects on
VM configuration. Patch 1 fixes that by preventing KVM_{GET|SET}_MSRS
for SEV-ES guests once VMSA is encrypted.
o As documented in APM, LBR Virtualization must be enabled for SEV-ES
guests. However, KVM currently enables LBRV unconditionally without
checking feature bit, which is wrong. Patch 2 prevents SEV-ES guests
when LBRV support is missing.
o Although LBRV is enabled for SEV-ES guests, MSR_IA32_DEBUGCTLMSR was
still intercepted. This can crash SEV-ES guest if used inadvertently.
Patch 3 fixes it.
Patches prepared on kvm/next (6f627b425378)
v3: https://lore.kernel.org/r/20240523121828.808-1-ravi.bangoria@amd.com
v3->v4:
- Return -EINVAL instead of 0 while preventing MSR accesses post VMSA
encryption.
- Make 'lbrv' a global variable instead of passing it as function
argument, this follows the pattern used by other variables.
Nikunj A Dadhania (1):
KVM: SEV-ES: Prevent MSR access post VMSA encryption
Ravi Bangoria (2):
KVM: SEV-ES: Disallow SEV-ES guests when X86_FEATURE_LBRV is absent
KVM: SEV-ES: Fix LBRV code
arch/x86/kvm/svm/sev.c | 19 ++++++++++++++-----
arch/x86/kvm/svm/svm.c | 42 ++++++++++++++++++++++++++++++++----------
arch/x86/kvm/svm/svm.h | 4 +++-
3 files changed, 49 insertions(+), 16 deletions(-)
--
2.45.1