KVM: SVM: Don't allow L1 intercepts for instructions not advertised

If a feature is not advertised in the guest's CPUID, prevent L1 from
intercepting the unsupported instructions by clearing the corresponding
intercept in KVM's cached vmcb12.

When an L2 guest executes an instruction that is not advertised to L1,
we expect a #UD exception to be injected by L0. However, the nested svm
exit handler first checks if the instruction intercept is set in vmcb12,
and if so, synthesizes an exit from L2 to L1 instead of a #UD exception.
If a feature is not advertised, the L1 intercept should be ignored.

While creating KVM's cached vmcb12, sanitize the intercepts for
instructions that are not advertised in the guest CPUID. This
effectively ignores the L1 intercept on nested vm exit handling. It also
ignores the L1 intercept when computing the intercepts in vmcb02, so if
L0 (for some reason) does not intercept the instruction, KVM won't
intercept it at all.

Signed-off-by: Kevin Cheng <chengkev@google.com>
Co-developed-by: Sean Christopherson <seanjc@google.com>
Reviewed-by: Yosry Ahmed <yosry.ahmed@linux.dev>
Link: https://patch.msgid.link/20251215192510.2300816-1-chengkev@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>

diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c
index 9be67040e94d968fea3cee352c7a7b0fc3f11c46..aa1bea134aced589551ac53cc87fc0dd0c666858 100644 (file)
--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -403,6 +403,19 @@ static bool nested_vmcb_check_controls(struct kvm_vcpu *vcpu)
        return __nested_vmcb_check_controls(vcpu, ctl);
 }
 
+/*
+ * If a feature is not advertised to L1, clear the corresponding vmcb12
+ * intercept.
+ */
+#define __nested_svm_sanitize_intercept(__vcpu, __control, fname, iname)       \
+do {                                                                           \
+       if (!guest_cpu_cap_has(__vcpu, X86_FEATURE_##fname))                    \
+               vmcb12_clr_intercept(__control, INTERCEPT_##iname);             \
+} while (0)
+
+#define nested_svm_sanitize_intercept(__vcpu, __control, name)                 \
+       __nested_svm_sanitize_intercept(__vcpu, __control, name, name)
+
 static
 void __nested_copy_vmcb_control_to_cache(struct kvm_vcpu *vcpu,
                                         struct vmcb_ctrl_area_cached *to,
@@ -413,6 +426,12 @@ void __nested_copy_vmcb_control_to_cache(struct kvm_vcpu *vcpu,
        for (i = 0; i < MAX_INTERCEPT; i++)
                to->intercepts[i] = from->intercepts[i];
 
+       __nested_svm_sanitize_intercept(vcpu, to, XSAVE, XSETBV);
+       nested_svm_sanitize_intercept(vcpu, to, INVPCID);
+       nested_svm_sanitize_intercept(vcpu, to, RDTSCP);
+       nested_svm_sanitize_intercept(vcpu, to, SKINIT);
+       nested_svm_sanitize_intercept(vcpu, to, RDPRU);
+
        to->iopm_base_pa        = from->iopm_base_pa;
        to->msrpm_base_pa       = from->msrpm_base_pa;
        to->tsc_offset          = from->tsc_offset;

diff --git a/arch/x86/kvm/svm/svm.h b/arch/x86/kvm/svm/svm.h
index 01be93a53d0775cc951c780edcf65caf0c4635b7..806e68ba821b4f3eb7904f2437a9d750c3df7ec5 100644 (file)
--- a/arch/x86/kvm/svm/svm.h
+++ b/arch/x86/kvm/svm/svm.h
@@ -434,28 +434,47 @@ static __always_inline struct vcpu_svm *to_svm(struct kvm_vcpu *vcpu)
  */
 #define SVM_REGS_LAZY_LOAD_SET (1 << VCPU_EXREG_PDPTR)
 
-static inline void vmcb_set_intercept(struct vmcb_control_area *control, u32 bit)
+static inline void __vmcb_set_intercept(unsigned long *intercepts, u32 bit)
 {
        WARN_ON_ONCE(bit >= 32 * MAX_INTERCEPT);
-       __set_bit(bit, (unsigned long *)&control->intercepts);
+       __set_bit(bit, intercepts);
 }
 
-static inline void vmcb_clr_intercept(struct vmcb_control_area *control, u32 bit)
+static inline void __vmcb_clr_intercept(unsigned long *intercepts, u32 bit)
 {
        WARN_ON_ONCE(bit >= 32 * MAX_INTERCEPT);
-       __clear_bit(bit, (unsigned long *)&control->intercepts);
+       __clear_bit(bit, intercepts);
 }
 
-static inline bool vmcb_is_intercept(struct vmcb_control_area *control, u32 bit)
+static inline bool __vmcb_is_intercept(unsigned long *intercepts, u32 bit)
 {
        WARN_ON_ONCE(bit >= 32 * MAX_INTERCEPT);
-       return test_bit(bit, (unsigned long *)&control->intercepts);
+       return test_bit(bit, intercepts);
+}
+
+static inline void vmcb_set_intercept(struct vmcb_control_area *control, u32 bit)
+{
+       __vmcb_set_intercept((unsigned long *)&control->intercepts, bit);
+}
+
+static inline void vmcb_clr_intercept(struct vmcb_control_area *control, u32 bit)
+{
+       __vmcb_clr_intercept((unsigned long *)&control->intercepts, bit);
+}
+
+static inline bool vmcb_is_intercept(struct vmcb_control_area *control, u32 bit)
+{
+       return __vmcb_is_intercept((unsigned long *)&control->intercepts, bit);
+}
+
+static inline void vmcb12_clr_intercept(struct vmcb_ctrl_area_cached *control, u32 bit)
+{
+       __vmcb_clr_intercept((unsigned long *)&control->intercepts, bit);
 }
 
 static inline bool vmcb12_is_intercept(struct vmcb_ctrl_area_cached *control, u32 bit)
 {
-       WARN_ON_ONCE(bit >= 32 * MAX_INTERCEPT);
-       return test_bit(bit, (unsigned long *)&control->intercepts);
+       return __vmcb_is_intercept((unsigned long *)&control->intercepts, bit);
 }
 
 static inline void set_exception_intercept(struct vcpu_svm *svm, u32 bit)