From 2b4bf130f94476a7a4d3ed72722f5e3f06ce195e Mon Sep 17 00:00:00 2001 From: hanliyang Date: Wed, 7 Aug 2024 16:06:34 +0800 Subject: [PATCH 1/3] KVM: SVM: CSV: Explicitly enable LBR Virtualization after succeed to RECEIVE_UPDATE_VMSA Upstream: no Before the commit 834aa2c34b8f ("KVM: SEV-ES: Delegate LBR virtualization to the processor"), the LBR Virtualization is enabled during init VMCB: init_vmcb() -> sev_init_vmcb() -> sev_es_init_vmcb() While the commit 834aa2c34b8f ("KVM: SEV-ES: Delegate LBR virtualization to the processor") enable LBR Virtualization after succeed to LAUNCH_UPDATE_VMSA for each vCPUs. The process to enable LBR Virtualization will not be executed in common code path. To ensure the CSV2 guest to work properly after migrated to target machine, we should explicitly to enable LBR Virtualization after succeed to RECEIVE_UPDATE_VMSA for each vCPUs. Fixes: 834aa2c34b8f ("KVM: SEV-ES: Delegate LBR virtualization to the processor") Signed-off-by: hanliyang --- arch/x86/kvm/svm/csv.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/arch/x86/kvm/svm/csv.c b/arch/x86/kvm/svm/csv.c index dfb74dffa406..6579433cf0dd 100644 --- a/arch/x86/kvm/svm/csv.c +++ b/arch/x86/kvm/svm/csv.c @@ -789,9 +789,19 @@ static int csv_receive_update_vmsa(struct kvm *kvm, struct kvm_sev_cmd *argp) ret = hygon_kvm_hooks.sev_issue_cmd(kvm, SEV_CMD_RECEIVE_UPDATE_VMSA, vmsa, &argp->error); - if (!ret) + if (!ret) { vcpu->arch.guest_state_protected = true; + /* + * CSV2 guest mandates LBR Virtualization to be _always_ ON. + * Enable it only after setting guest_state_protected because + * KVM_SET_MSRS allows dynamic toggling of LBRV (for performance + * reason) on write access to MSR_IA32_DEBUGCTLMSR when + * guest_state_protected is not set. + */ + svm_enable_lbrv(vcpu); + } + kfree(vmsa); e_free_trans: kfree(trans); -- Gitee From 06d47ac8175c00758458893603d113f613c778d3 Mon Sep 17 00:00:00 2001 
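Review bot: Nothing visible in this hunk shows `vcpu->mutex` being held while csv_receive_update_vmsa sets `guest_state_protected` and calls `svm_enable_lbrv(vcpu)`, yet the added comment itself names KVM_SET_MSRS as a path that can toggle LBRV until that flag is set. Upstream's LAUNCH_UPDATE_VMSA path wraps the same two steps in `mutex_lock_killable(&vcpu->mutex)` / `mutex_unlock(&vcpu->mutex)` so a concurrent vCPU ioctl cannot interleave with them. The function body starts outside the hunk, so the lock may already be taken there; if it is not, it should be added around this block. The same question applies to the csv3_launch_encrypt_vmcb and csv3_receive_encrypt_context hunks in patches 2/3 and 3/3.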
From: hanliyang Date: Mon, 2 Sep 2024 16:20:05 +0800 Subject: [PATCH 2/3] KVM: SVM: CSV: Explicitly enable LBR Virtualization after succeed to LAUNCH_ENCRYPT_VMCB Upstream: no Before the commit 834aa2c34b8f ("KVM: SEV-ES: Delegate LBR virtualization to the processor"), the LBR Virtualization is enabled during init VMCB: init_vmcb() -> sev_init_vmcb() -> sev_es_init_vmcb() While the commit 834aa2c34b8f ("KVM: SEV-ES: Delegate LBR virtualization to the processor") enable LBR Virtualization after succeed to LAUNCH_UPDATE_VMSA for each vCPUs. The process to enable LBR Virtualization will not be executed in common code path. To ensure the CSV3 guest to work properly, we should explicitly to enable LBR Virtualization after succeed to LAUNCH_ENCRYPT_VMCB for each vCPUs. Fixes: 834aa2c34b8f ("KVM: SEV-ES: Delegate LBR virtualization to the processor") Signed-off-by: hanliyang --- arch/x86/kvm/svm/csv.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/arch/x86/kvm/svm/csv.c b/arch/x86/kvm/svm/csv.c index 6579433cf0dd..50826070bf39 100644 --- a/arch/x86/kvm/svm/csv.c +++ b/arch/x86/kvm/svm/csv.c @@ -1346,6 +1346,15 @@ static int csv3_launch_encrypt_vmcb(struct kvm *kvm, struct kvm_sev_cmd *argp) svm->current_vmcb->pa = encrypt_vmcb->secure_vmcb_addr; svm->vcpu.arch.guest_state_protected = true; + + /* + * CSV3 guest mandates LBR Virtualization to be _always_ ON. + * Enable it only after setting guest_state_protected because + * KVM_SET_MSRS allows dynamic toggling of LBRV (for performance + * reason) on write access to MSR_IA32_DEBUGCTLMSR when + * guest_state_protected is not set. + */ + svm_enable_lbrv(vcpu); } e_free: -- Gitee From 998d16004946811875298608fe9b7052976e7878 Mon Sep 17 00:00:00 2001 
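Review bot: `svm_enable_lbrv(vcpu)` runs only after `svm->current_vmcb->pa` has been redirected to `encrypt_vmcb->secure_vmcb_addr`, so it should be confirmed that the LBRV enable bit actually reaches the VMCB used at VMRUN. Upstream `svm_enable_lbrv()` sets `LBR_CTL_ENABLE_MASK` in `svm->vmcb->control.virt_ext`, which is the host-side VMCB. If the firmware has already copied that VMCB into secure memory when LAUNCH_ENCRYPT_VMCB returns, the late write would presumably not change the control field the guest runs with, and the "always ON" guarantee stated in the comment would not hold. The helper's body and the start of csv3_launch_encrypt_vmcb are outside the hunk, so this is a question to answer in the commit message rather than a confirmed defect. The csv3_receive_encrypt_context hunk in patch 3/3 has the same ordering.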
From: hanliyang Date: Tue, 3 Sep 2024 15:10:20 +0800 Subject: [PATCH 3/3] KVM: SVM: CSV: Explicitly enable LBR Virtualization after succeed to RECEIVE_ENCRYPT_CONTEXT Upstream: no Before the commit 834aa2c34b8f ("KVM: SEV-ES: Delegate LBR virtualization to the processor"), the LBR Virtualization is enabled during init VMCB: init_vmcb() -> sev_init_vmcb() -> sev_es_init_vmcb() While the commit 834aa2c34b8f ("KVM: SEV-ES: Delegate LBR virtualization to the processor") enable LBR Virtualization after succeed to LAUNCH_UPDATE_VMSA for each vCPUs. The process to enable LBR Virtualization will not be executed in common code path. To ensure the CSV3 guest to work properly after migrate to target machine, we should explicitly to enable LBR Virtualization after succeed to RECEIVE_ENCRYPT_CONTEXT for each vCPUs. Fixes: 834aa2c34b8f ("KVM: SEV-ES: Delegate LBR virtualization to the processor") Signed-off-by: hanliyang --- arch/x86/kvm/svm/csv.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/arch/x86/kvm/svm/csv.c b/arch/x86/kvm/svm/csv.c index 50826070bf39..f0e2dda6468f 100644 --- a/arch/x86/kvm/svm/csv.c +++ b/arch/x86/kvm/svm/csv.c @@ -1881,6 +1881,15 @@ static int csv3_receive_encrypt_context(struct kvm *kvm, struct kvm_sev_cmd *arg svm->current_vmcb->pa = secure_vmcb_block->vmcb_paddr[i]; svm->vcpu.arch.guest_state_protected = true; + + /* + * CSV3 guest mandates LBR Virtualization to be _always_ ON. + * Enable it only after setting guest_state_protected because + * KVM_SET_MSRS allows dynamic toggling of LBRV (for performance + * reason) on write access to MSR_IA32_DEBUGCTLMSR when + * guest_state_protected is not set. + */ + svm_enable_lbrv(vcpu); } e_free_shadow_vmcb_block: -- Gitee
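Review bot: The added call names the vCPU as `vcpu` while the context line directly above reaches it through `svm->vcpu`, and the declaration of `vcpu` is outside the hunk, so a reader cannot tell here that both refer to the same vCPU on every iteration. Writing `svm_enable_lbrv(&svm->vcpu);` would make that explicit, and the same applies to the csv3_launch_encrypt_vmcb hunk in patch 2/3. Separately, the identical eight-line comment and the set-flag-then-enable sequence now appear three times in csv.c. A small static helper taking `struct kvm_vcpu *` that does `vcpu->arch.guest_state_protected = true;` followed by `svm_enable_lbrv(vcpu);` would keep the ordering requirement and its explanation in one place.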