x86/fred: Disallow the swapgs instruction when FRED is enabled

SWAPGS is no longer needed thus NOT allowed with FRED because FRED
transitions ensure that an operating system can _always_ operate
with its own GS base address:

  - For events that occur in ring 3, FRED event delivery swaps the GS
    base address with the IA32_KERNEL_GS_BASE MSR.

  - ERETU (the FRED transition that returns to ring 3) also swaps the
    GS base address with the IA32_KERNEL_GS_BASE MSR.

And the operating system can still setup the GS segment for a user
thread without the need of loading a user thread GS with:

  - Using LKGS, available with FRED, to modify other attributes of the
    GS segment without compromising its ability always to operate with
    its own GS base address.

  - Accessing the GS segment base address for a user thread as before
    using RDMSR or WRMSR on the IA32_KERNEL_GS_BASE MSR.

Note, LKGS loads the GS base address into the IA32_KERNEL_GS_BASE MSR
instead of the GS segment's descriptor cache. As such, the operating
system never changes its runtime GS base address.

Signed-off-by: H. Peter Anvin (Intel) <hpa@zytor.com>
Signed-off-by: Xin Li <xin3.li@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Tested-by: Shan Kang <shan.kang@intel.com>
Link: https://lore.kernel.org/r/20231205105030.8698-19-xin3.li@intel.com

diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
index 0f78b58021bb2af68c3f5acda9c272a2777d9806..4f87f5987ae8c151ffe0cb3371515c55a607a031 100644 (file)
--- a/arch/x86/kernel/process_64.c
+++ b/arch/x86/kernel/process_64.c
@@ -166,7 +166,29 @@ static noinstr unsigned long __rdgsbase_inactive(void)
 
        lockdep_assert_irqs_disabled();
 
-       if (!cpu_feature_enabled(X86_FEATURE_XENPV)) {
+       /*
+        * SWAPGS is no longer needed thus NOT allowed with FRED because
+        * FRED transitions ensure that an operating system can _always_
+        * operate with its own GS base address:
+        * - For events that occur in ring 3, FRED event delivery swaps
+        *   the GS base address with the IA32_KERNEL_GS_BASE MSR.
+        * - ERETU (the FRED transition that returns to ring 3) also swaps
+        *   the GS base address with the IA32_KERNEL_GS_BASE MSR.
+        *
+        * And the operating system can still setup the GS segment for a
+        * user thread without the need of loading a user thread GS with:
+        * - Using LKGS, available with FRED, to modify other attributes
+        *   of the GS segment without compromising its ability always to
+        *   operate with its own GS base address.
+        * - Accessing the GS segment base address for a user thread as
+        *   before using RDMSR or WRMSR on the IA32_KERNEL_GS_BASE MSR.
+        *
+        * Note, LKGS loads the GS base address into the IA32_KERNEL_GS_BASE
+        * MSR instead of the GS segment’s descriptor cache. As such, the
+        * operating system never changes its runtime GS base address.
+        */
+       if (!cpu_feature_enabled(X86_FEATURE_FRED) &&
+           !cpu_feature_enabled(X86_FEATURE_XENPV)) {
                native_swapgs();
                gsbase = rdgsbase();
                native_swapgs();
@@ -191,7 +213,8 @@ static noinstr void __wrgsbase_inactive(unsigned long gsbase)
 {
        lockdep_assert_irqs_disabled();
 
-       if (!cpu_feature_enabled(X86_FEATURE_XENPV)) {
+       if (!cpu_feature_enabled(X86_FEATURE_FRED) &&
+           !cpu_feature_enabled(X86_FEATURE_XENPV)) {
                native_swapgs();
                wrgsbase(gsbase);
                native_swapgs();