mirror of
https://github.com/torvalds/linux
synced 2024-09-06 09:51:23 +00:00
b7e4be0a22
As documented in APM[1], LBR Virtualization must be enabled for SEV-ES
guests. Although KVM currently enforces LBRV for SEV-ES guests, there
are multiple issues with it:
o MSR_IA32_DEBUGCTLMSR is still intercepted. Since MSR_IA32_DEBUGCTLMSR
interception is used to dynamically toggle LBRV for performance reasons,
this can be fatal for SEV-ES guests. For ex SEV-ES guest on Zen3:
[guest ~]# wrmsr 0x1d9 0x4
KVM: entry failed, hardware error 0xffffffff
EAX=00000004 EBX=00000000 ECX=000001d9 EDX=00000000
Fix this by never intercepting MSR_IA32_DEBUGCTLMSR for SEV-ES guests.
No additional save/restore logic is required since MSR_IA32_DEBUGCTLMSR
is of swap type A.
o KVM will disable LBRV if userspace sets MSR_IA32_DEBUGCTLMSR before the
VMSA is encrypted. Fix this by moving LBRV enablement code post VMSA
encryption.
[1]: AMD64 Architecture Programmer's Manual Pub. 40332, Rev. 4.07 - June
2023, Vol 2, 15.35.2 Enabling SEV-ES.
https://bugzilla.kernel.org/attachment.cgi?id=304653
Fixes:
|
||
---|---|---|
.. | ||
boot | ||
coco | ||
configs | ||
crypto | ||
entry | ||
events | ||
hyperv | ||
ia32 | ||
include | ||
kernel | ||
kvm | ||
lib | ||
math-emu | ||
mm | ||
net | ||
pci | ||
platform | ||
power | ||
purgatory | ||
ras | ||
realmode | ||
tools | ||
um | ||
video | ||
virt | ||
xen | ||
.gitignore | ||
Kbuild | ||
Kconfig | ||
Kconfig.assembler | ||
Kconfig.cpu | ||
Kconfig.debug | ||
Makefile | ||
Makefile.postlink | ||
Makefile.um | ||
Makefile_32.cpu |