Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit cafd6659 authored by Shane Wang's avatar Shane Wang Committed by Avi Kivity
Browse files

KVM: VMX: enable VMXON check with SMX enabled (Intel TXT) 



Per document, for feature control MSR:

  Bit 1 enables VMXON in SMX operation. If the bit is clear, execution
        of VMXON in SMX operation causes a general-protection exception.
  Bit 2 enables VMXON outside SMX operation. If the bit is clear, execution
        of VMXON outside SMX operation causes a general-protection exception.

This patch is to enable this kind of check with SMX for VMXON in KVM.

Signed-off-by: default avatarShane Wang <shane.wang@intel.com>
Signed-off-by: default avatarAvi Kivity <avi@redhat.com>
parent f1d86e46

arch/x86/include/asm/msr-index.h

+3 −2
Original line number Diff line number Diff line
@@ -203,7 +203,8 @@ 
#define MSR_IA32_FEATURE_CONTROL        0x0000003a



#define FEATURE_CONTROL_LOCKED				(1<<0)

#define FEATURE_CONTROL_VMXON_ENABLED	(1<<2)

#define FEATURE_CONTROL_VMXON_ENABLED_INSIDE_SMX	(1<<1)

#define FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX	(1<<2)



#define MSR_IA32_APICBASE		0x0000001b

#define MSR_IA32_APICBASE_BSP		(1<<8)

arch/x86/kernel/tboot.c

+1 −0
Original line number Diff line number Diff line
@@ -46,6 +46,7 @@ 


/* Global pointer to shared data; NULL means no measured launch. */

struct tboot *tboot __read_mostly;

EXPORT_SYMBOL(tboot);



/* timeout for APs (in secs) to enter wait-for-SIPI state during shutdown */

#define AP_WAIT_TIMEOUT		1

arch/x86/kvm/vmx.c

+21 −11
Original line number Diff line number Diff line
@@ -27,6 +27,7 @@ 
#include <linux/moduleparam.h>

#include <linux/ftrace_event.h>

#include <linux/slab.h>

#include <linux/tboot.h>

#include "kvm_cache_regs.h"

#include "x86.h"
@@ -1272,9 +1273,16 @@ static __init int vmx_disabled_by_bios(void) 
	u64 msr;



	rdmsrl(MSR_IA32_FEATURE_CONTROL, msr);

	return (msr & (FEATURE_CONTROL_LOCKED |

		       FEATURE_CONTROL_VMXON_ENABLED))

	    == FEATURE_CONTROL_LOCKED;

	if (msr & FEATURE_CONTROL_LOCKED) {

		if (!(msr & FEATURE_CONTROL_VMXON_ENABLED_INSIDE_SMX)

			&& tboot_enabled())

			return 1;

		if (!(msr & FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX)

			&& !tboot_enabled())

			return 1;

	}



	return 0;

	/* locked but not enabled */

}
@@ -1282,21 +1290,23 @@ static int hardware_enable(void *garbage) 
{

	int cpu = raw_smp_processor_id();

	u64 phys_addr = __pa(per_cpu(vmxarea, cpu));

	u64 old;

	u64 old, test_bits;



	if (read_cr4() & X86_CR4_VMXE)

		return -EBUSY;



	INIT_LIST_HEAD(&per_cpu(vcpus_on_cpu, cpu));

	rdmsrl(MSR_IA32_FEATURE_CONTROL, old);

	if ((old & (FEATURE_CONTROL_LOCKED |

		    FEATURE_CONTROL_VMXON_ENABLED))

	    != (FEATURE_CONTROL_LOCKED |

		FEATURE_CONTROL_VMXON_ENABLED))



	test_bits = FEATURE_CONTROL_LOCKED;

	test_bits |= FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX;

	if (tboot_enabled())

		test_bits |= FEATURE_CONTROL_VMXON_ENABLED_INSIDE_SMX;



	if ((old & test_bits) != test_bits) {

		/* enable and lock */

		wrmsrl(MSR_IA32_FEATURE_CONTROL, old |

		       FEATURE_CONTROL_LOCKED |

		       FEATURE_CONTROL_VMXON_ENABLED);

		wrmsrl(MSR_IA32_FEATURE_CONTROL, old | test_bits);

	}

	write_cr4(read_cr4() | X86_CR4_VMXE); /* FIXME: not cpu hotplug safe */

	asm volatile (ASM_VMX_VMXON_RAX

		      : : "a"(&phys_addr), "m"(phys_addr)

include/linux/tboot.h

+1 −0
Original line number Diff line number Diff line
@@ -150,6 +150,7 @@ extern int tboot_force_iommu(void); 


#else



#define tboot_enabled()			0

#define tboot_probe()			do { } while (0)

#define tboot_shutdown(shutdown_type)	do { } while (0)

#define tboot_sleep(sleep_state, pm1a_control, pm1b_control)	\