Remove all flavors of A/D bits from FROZEN_SPTE so that KVM can keep A/D
bits set in SPTEs that are frozen, without getting false positives.
Signed-off-by: Sean Christopherson <seanjc@google.com>
---
arch/x86/kvm/mmu/spte.h | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/arch/x86/kvm/mmu/spte.h b/arch/x86/kvm/mmu/spte.h
index ba7ff1dfbeb2..d403ecdfcb8e 100644
--- a/arch/x86/kvm/mmu/spte.h
+++ b/arch/x86/kvm/mmu/spte.h
@@ -216,15 +216,17 @@ extern u64 __read_mostly shadow_nonpresent_or_rsvd_mask;
* should not modify the SPTE.
*
* Use a semi-arbitrary value that doesn't set RWX bits, i.e. is not-present on
- * both AMD and Intel CPUs, and doesn't set PFN bits, i.e. doesn't create a L1TF
- * vulnerability.
+ * both AMD and Intel CPUs, doesn't set any A/D bits, and doesn't set PFN bits,
+ * i.e. doesn't create a L1TF vulnerability.
*
* Only used by the TDP MMU.
*/
-#define FROZEN_SPTE (SHADOW_NONPRESENT_VALUE | 0x5a0ULL)
+#define FROZEN_SPTE (SHADOW_NONPRESENT_VALUE | 0x498ULL)
/* Removed SPTEs must not be misconstrued as shadow present PTEs. */
static_assert(!(FROZEN_SPTE & SPTE_MMU_PRESENT_MASK));
+static_assert(!(FROZEN_SPTE & (PT_ACCESSED_MASK | VMX_EPT_ACCESS_BIT)));
+static_assert(!(FROZEN_SPTE & (PT_DIRTY_MASK | VMX_EPT_DIRTY_BIT)));
static inline bool is_frozen_spte(u64 spte)
{
--
2.46.0.rc1.232.g9752f9e123-goog
On Thu, Aug 01, 2024 at 11:34:49AM -0700, Sean Christopherson wrote: > Remove all flavors of A/D bits from FROZEN_SPTE so that KVM can keep A/D > bits set in SPTEs that are frozen, without getting false positives. > > Signed-off-by: Sean Christopherson <seanjc@google.com> > --- > arch/x86/kvm/mmu/spte.h | 8 +++++--- > 1 file changed, 5 insertions(+), 3 deletions(-) > > diff --git a/arch/x86/kvm/mmu/spte.h b/arch/x86/kvm/mmu/spte.h > index ba7ff1dfbeb2..d403ecdfcb8e 100644 > --- a/arch/x86/kvm/mmu/spte.h > +++ b/arch/x86/kvm/mmu/spte.h > @@ -216,15 +216,17 @@ extern u64 __read_mostly shadow_nonpresent_or_rsvd_mask; > * should not modify the SPTE. > * > * Use a semi-arbitrary value that doesn't set RWX bits, i.e. is not-present on > - * both AMD and Intel CPUs, and doesn't set PFN bits, i.e. doesn't create a L1TF > - * vulnerability. > + * both AMD and Intel CPUs, doesn't set any A/D bits, and doesn't set PFN bits, > + * i.e. doesn't create a L1TF vulnerability. > * > * Only used by the TDP MMU. > */ > -#define FROZEN_SPTE (SHADOW_NONPRESENT_VALUE | 0x5a0ULL) > +#define FROZEN_SPTE (SHADOW_NONPRESENT_VALUE | 0x498ULL) Question: Why bit3 and bit4 also changed from 0 to 1 ? They're not part of AD bits fro EPT and CR3 page table/AMD NPT EPT: Abit:8 Dbit:9 CR3: Abit:5 Dbit:6 > > /* Removed SPTEs must not be misconstrued as shadow present PTEs. */ > static_assert(!(FROZEN_SPTE & SPTE_MMU_PRESENT_MASK)); > +static_assert(!(FROZEN_SPTE & (PT_ACCESSED_MASK | VMX_EPT_ACCESS_BIT))); > +static_assert(!(FROZEN_SPTE & (PT_DIRTY_MASK | VMX_EPT_DIRTY_BIT))); > > static inline bool is_frozen_spte(u64 spte) > { > -- > 2.46.0.rc1.232.g9752f9e123-goog > >
On Mon, Aug 05, 2024, Yuan Yao wrote: > On Thu, Aug 01, 2024 at 11:34:49AM -0700, Sean Christopherson wrote: > > Remove all flavors of A/D bits from FROZEN_SPTE so that KVM can keep A/D > > bits set in SPTEs that are frozen, without getting false positives. > > > > Signed-off-by: Sean Christopherson <seanjc@google.com> > > --- > > arch/x86/kvm/mmu/spte.h | 8 +++++--- > > 1 file changed, 5 insertions(+), 3 deletions(-) > > > > diff --git a/arch/x86/kvm/mmu/spte.h b/arch/x86/kvm/mmu/spte.h > > index ba7ff1dfbeb2..d403ecdfcb8e 100644 > > --- a/arch/x86/kvm/mmu/spte.h > > +++ b/arch/x86/kvm/mmu/spte.h > > @@ -216,15 +216,17 @@ extern u64 __read_mostly shadow_nonpresent_or_rsvd_mask; > > * should not modify the SPTE. > > * > > * Use a semi-arbitrary value that doesn't set RWX bits, i.e. is not-present on > > - * both AMD and Intel CPUs, and doesn't set PFN bits, i.e. doesn't create a L1TF > > - * vulnerability. > > + * both AMD and Intel CPUs, doesn't set any A/D bits, and doesn't set PFN bits, > > + * i.e. doesn't create a L1TF vulnerability. > > * > > * Only used by the TDP MMU. > > */ > > -#define FROZEN_SPTE (SHADOW_NONPRESENT_VALUE | 0x5a0ULL) > > +#define FROZEN_SPTE (SHADOW_NONPRESENT_VALUE | 0x498ULL) > > Question: > Why bit3 and bit4 also changed from 0 to 1 ? Purely so that more bits are set, i.e. so that KVM doesn't rely on one or two bits to identify frozen SPTEs. > They're not part of AD bits fro EPT and CR3 page table/AMD NPT This is very delibreate. The A/D bits need to be '0' in the FROZEN, i.e. bits 5,6, 8, and 9 must not be set in FROZEN_SPTE. > > EPT: Abit:8 Dbit:9 > CR3: Abit:5 Dbit:6
On Mon, Aug 05, 2024 at 03:17:20PM -0700, Sean Christopherson wrote: > On Mon, Aug 05, 2024, Yuan Yao wrote: > > On Thu, Aug 01, 2024 at 11:34:49AM -0700, Sean Christopherson wrote: > > > Remove all flavors of A/D bits from FROZEN_SPTE so that KVM can keep A/D > > > bits set in SPTEs that are frozen, without getting false positives. > > > > > > Signed-off-by: Sean Christopherson <seanjc@google.com> > > > --- > > > arch/x86/kvm/mmu/spte.h | 8 +++++--- > > > 1 file changed, 5 insertions(+), 3 deletions(-) > > > > > > diff --git a/arch/x86/kvm/mmu/spte.h b/arch/x86/kvm/mmu/spte.h > > > index ba7ff1dfbeb2..d403ecdfcb8e 100644 > > > --- a/arch/x86/kvm/mmu/spte.h > > > +++ b/arch/x86/kvm/mmu/spte.h > > > @@ -216,15 +216,17 @@ extern u64 __read_mostly shadow_nonpresent_or_rsvd_mask; > > > * should not modify the SPTE. > > > * > > > * Use a semi-arbitrary value that doesn't set RWX bits, i.e. is not-present on > > > - * both AMD and Intel CPUs, and doesn't set PFN bits, i.e. doesn't create a L1TF > > > - * vulnerability. > > > + * both AMD and Intel CPUs, doesn't set any A/D bits, and doesn't set PFN bits, > > > + * i.e. doesn't create a L1TF vulnerability. > > > * > > > * Only used by the TDP MMU. > > > */ > > > -#define FROZEN_SPTE (SHADOW_NONPRESENT_VALUE | 0x5a0ULL) > > > +#define FROZEN_SPTE (SHADOW_NONPRESENT_VALUE | 0x498ULL) > > > > Question: > > Why bit3 and bit4 also changed from 0 to 1 ? > > Purely so that more bits are set, i.e. so that KVM doesn't rely on one or two > bits to identify frozen SPTEs. Thanks for your explanation! Please consider add this into the commit log, it explains the reason of why some non A/D bits are selected. > > > They're not part of AD bits fro EPT and CR3 page table/AMD NPT > > This is very delibreate. The A/D bits need to be '0' in the FROZEN, i.e. bits > 5,6, 8, and 9 must not be set in FROZEN_SPTE. > > > > > EPT: Abit:8 Dbit:9 > > CR3: Abit:5 Dbit:6
© 2016 - 2024 Red Hat, Inc.