tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

KVM: x86: Don't adjust guest's CPUID.0x12.1 (allowed SGX enclave XFRM)

Drop KVM's manipulation of guest's CPUID.0x12.1 ECX and EDX, i.e. the
allowed XFRM of SGX enclaves, now that KVM explicitly checks the guest's
allowed XCR0 when emulating ECREATE.

Note, this could theoretically break a setup where userspace advertises
a "bad" XFRM and relies on KVM to provide a sane CPUID model, but QEMU
is the only known user of KVM SGX, and QEMU explicitly sets the SGX CPUID
XFRM subleaf based on the guest's XCR0.

Reviewed-by: Kai Huang <kai.huang@intel.com>
Tested-by: Kai Huang <kai.huang@intel.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20230503160838.3412617-3-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

authored by Sean Christopherson and committed by Paolo Bonzini 275a8724 ad45413d

options
unified split
Changed files
-16
arch
x86
kvm
cpuid.c
-16
arch/x86/kvm/cpuid.c
··· 253 253 int nent) 254 254 { 255 255 struct kvm_cpuid_entry2 *best; 256 - u64 guest_supported_xcr0 = cpuid_get_supported_xcr0(entries, nent); 257 256 258 257 best = cpuid_entry2_find(entries, nent, 1, KVM_CPUID_INDEX_NOT_SIGNIFICANT); 259 258 if (best) { ··· 290 291 cpuid_entry_change(best, X86_FEATURE_MWAIT, 291 292 vcpu->arch.ia32_misc_enable_msr & 292 293 MSR_IA32_MISC_ENABLE_MWAIT); 293 - } 294 - 295 - /* 296 - * Bits 127:0 of the allowed SECS.ATTRIBUTES (CPUID.0x12.0x1) enumerate 297 - * the supported XSAVE Feature Request Mask (XFRM), i.e. the enclave's 298 - * requested XCR0 value. The enclave's XFRM must be a subset of XCRO 299 - * at the time of EENTER, thus adjust the allowed XFRM by the guest's 300 - * supported XCR0. Similar to XCR0 handling, FP and SSE are forced to 301 - * '1' even on CPUs that don't support XSAVE. 302 - */ 303 - best = cpuid_entry2_find(entries, nent, 0x12, 0x1); 304 - if (best) { 305 - best->ecx &= guest_supported_xcr0 & 0xffffffff; 306 - best->edx &= guest_supported_xcr0 >> 32; 307 - best->ecx |= XFEATURE_MASK_FPSSE; 308 294 } 309 295 } 310 296