1 #define pr_fmt(fmt) "SVM: " fmt
3 #include <linux/kvm_host.h>
7 #include "kvm_cache_regs.h"
12 #include <linux/module.h>
13 #include <linux/mod_devicetable.h>
14 #include <linux/kernel.h>
15 #include <linux/vmalloc.h>
16 #include <linux/highmem.h>
17 #include <linux/amd-iommu.h>
18 #include <linux/sched.h>
19 #include <linux/trace_events.h>
20 #include <linux/slab.h>
21 #include <linux/hashtable.h>
22 #include <linux/frame.h>
23 #include <linux/psp-sev.h>
24 #include <linux/file.h>
25 #include <linux/pagemap.h>
26 #include <linux/swap.h>
27 #include <linux/rwsem.h>
30 #include <asm/perf_event.h>
31 #include <asm/tlbflush.h>
33 #include <asm/debugreg.h>
34 #include <asm/kvm_para.h>
35 #include <asm/irq_remapping.h>
37 #include <asm/spec-ctrl.h>
38 #include <asm/cpu_device_id.h>
40 #include <asm/virtext.h>
45 #define __ex(x) __kvm_handle_fault_on_reboot(x)
47 MODULE_AUTHOR("Qumranet");
48 MODULE_LICENSE("GPL");
51 static const struct x86_cpu_id svm_cpu_id[] = {
52 X86_MATCH_FEATURE(X86_FEATURE_SVM, NULL),
55 MODULE_DEVICE_TABLE(x86cpu, svm_cpu_id);
58 #define IOPM_ALLOC_ORDER 2
59 #define MSRPM_ALLOC_ORDER 1
61 #define SEG_TYPE_LDT 2
62 #define SEG_TYPE_BUSY_TSS16 3
64 #define SVM_FEATURE_LBRV (1 << 1)
65 #define SVM_FEATURE_SVML (1 << 2)
66 #define SVM_FEATURE_TSC_RATE (1 << 4)
67 #define SVM_FEATURE_VMCB_CLEAN (1 << 5)
68 #define SVM_FEATURE_FLUSH_ASID (1 << 6)
69 #define SVM_FEATURE_DECODE_ASSIST (1 << 7)
70 #define SVM_FEATURE_PAUSE_FILTER (1 << 10)
72 #define DEBUGCTL_RESERVED_BITS (~(0x3fULL))
74 #define TSC_RATIO_RSVD 0xffffff0000000000ULL
75 #define TSC_RATIO_MIN 0x0000000000000001ULL
76 #define TSC_RATIO_MAX 0x000000ffffffffffULL
78 static bool erratum_383_found __read_mostly;
80 u32 msrpm_offsets[MSRPM_OFFSETS] __read_mostly;
83 * Set osvw_len to higher value when updated Revision Guides
84 * are published and we know what the new status bits are
86 static uint64_t osvw_len = 4, osvw_status;
88 static DEFINE_PER_CPU(u64, current_tsc_ratio);
89 #define TSC_RATIO_DEFAULT 0x0100000000ULL
91 static const struct svm_direct_access_msrs {
92 u32 index; /* Index of the MSR */
93 bool always; /* True if intercept is always on */
94 } direct_access_msrs[] = {
95 { .index = MSR_STAR, .always = true },
96 { .index = MSR_IA32_SYSENTER_CS, .always = true },
98 { .index = MSR_GS_BASE, .always = true },
99 { .index = MSR_FS_BASE, .always = true },
100 { .index = MSR_KERNEL_GS_BASE, .always = true },
101 { .index = MSR_LSTAR, .always = true },
102 { .index = MSR_CSTAR, .always = true },
103 { .index = MSR_SYSCALL_MASK, .always = true },
105 { .index = MSR_IA32_SPEC_CTRL, .always = false },
106 { .index = MSR_IA32_PRED_CMD, .always = false },
107 { .index = MSR_IA32_LASTBRANCHFROMIP, .always = false },
108 { .index = MSR_IA32_LASTBRANCHTOIP, .always = false },
109 { .index = MSR_IA32_LASTINTFROMIP, .always = false },
110 { .index = MSR_IA32_LASTINTTOIP, .always = false },
111 { .index = MSR_INVALID, .always = false },
114 /* enable NPT for AMD64 and X86 with PAE */
115 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
116 bool npt_enabled = true;
122 * These 2 parameters are used to config the controls for Pause-Loop Exiting:
123 * pause_filter_count: On processors that support Pause filtering(indicated
124 * by CPUID Fn8000_000A_EDX), the VMCB provides a 16 bit pause filter
125 * count value. On VMRUN this value is loaded into an internal counter.
126 * Each time a pause instruction is executed, this counter is decremented
127 * until it reaches zero at which time a #VMEXIT is generated if pause
128 * intercept is enabled. Refer to AMD APM Vol 2 Section 15.14.4 Pause
129 * Intercept Filtering for more details.
130 * This also indicate if ple logic enabled.
132 * pause_filter_thresh: In addition, some processor families support advanced
133 * pause filtering (indicated by CPUID Fn8000_000A_EDX) upper bound on
134 * the amount of time a guest is allowed to execute in a pause loop.
135 * In this mode, a 16-bit pause filter threshold field is added in the
136 * VMCB. The threshold value is a cycle count that is used to reset the
137 * pause counter. As with simple pause filtering, VMRUN loads the pause
138 * count value from VMCB into an internal counter. Then, on each pause
139 * instruction the hardware checks the elapsed number of cycles since
140 * the most recent pause instruction against the pause filter threshold.
141 * If the elapsed cycle count is greater than the pause filter threshold,
142 * then the internal pause count is reloaded from the VMCB and execution
143 * continues. If the elapsed cycle count is less than the pause filter
144 * threshold, then the internal pause count is decremented. If the count
145 * value is less than zero and PAUSE intercept is enabled, a #VMEXIT is
146 * triggered. If advanced pause filtering is supported and pause filter
147 * threshold field is set to zero, the filter will operate in the simpler,
151 static unsigned short pause_filter_thresh = KVM_DEFAULT_PLE_GAP;
152 module_param(pause_filter_thresh, ushort, 0444);
154 static unsigned short pause_filter_count = KVM_SVM_DEFAULT_PLE_WINDOW;
155 module_param(pause_filter_count, ushort, 0444);
157 /* Default doubles per-vcpu window every exit. */
158 static unsigned short pause_filter_count_grow = KVM_DEFAULT_PLE_WINDOW_GROW;
159 module_param(pause_filter_count_grow, ushort, 0444);
161 /* Default resets per-vcpu window every exit to pause_filter_count. */
162 static unsigned short pause_filter_count_shrink = KVM_DEFAULT_PLE_WINDOW_SHRINK;
163 module_param(pause_filter_count_shrink, ushort, 0444);
165 /* Default is to compute the maximum so we can never overflow. */
166 static unsigned short pause_filter_count_max = KVM_SVM_DEFAULT_PLE_WINDOW_MAX;
167 module_param(pause_filter_count_max, ushort, 0444);
169 /* allow nested paging (virtualized MMU) for all guests */
170 static int npt = true;
171 module_param(npt, int, S_IRUGO);
173 /* allow nested virtualization in KVM/SVM */
174 static int nested = true;
175 module_param(nested, int, S_IRUGO);
177 /* enable/disable Next RIP Save */
178 static int nrips = true;
179 module_param(nrips, int, 0444);
181 /* enable/disable Virtual VMLOAD VMSAVE */
182 static int vls = true;
183 module_param(vls, int, 0444);
185 /* enable/disable Virtual GIF */
186 static int vgif = true;
187 module_param(vgif, int, 0444);
189 /* enable/disable SEV support */
190 static int sev = IS_ENABLED(CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT);
191 module_param(sev, int, 0444);
193 static bool __read_mostly dump_invalid_vmcb = 0;
194 module_param(dump_invalid_vmcb, bool, 0644);
196 static u8 rsm_ins_bytes[] = "\x0f\xaa";
198 static void svm_complete_interrupts(struct vcpu_svm *svm);
200 static unsigned long iopm_base;
202 struct kvm_ldttss_desc {
205 unsigned base1:8, type:5, dpl:2, p:1;
206 unsigned limit1:4, zero0:3, g:1, base2:8;
209 } __attribute__((packed));
211 DEFINE_PER_CPU(struct svm_cpu_data *, svm_data);
213 static const u32 msrpm_ranges[] = {0, 0xc0000000, 0xc0010000};
215 #define NUM_MSR_MAPS ARRAY_SIZE(msrpm_ranges)
216 #define MSRS_RANGE_SIZE 2048
217 #define MSRS_IN_RANGE (MSRS_RANGE_SIZE * 8 / 2)
219 u32 svm_msrpm_offset(u32 msr)
224 for (i = 0; i < NUM_MSR_MAPS; i++) {
225 if (msr < msrpm_ranges[i] ||
226 msr >= msrpm_ranges[i] + MSRS_IN_RANGE)
229 offset = (msr - msrpm_ranges[i]) / 4; /* 4 msrs per u8 */
230 offset += (i * MSRS_RANGE_SIZE); /* add range offset */
232 /* Now we have the u8 offset - but need the u32 offset */
236 /* MSR not in any range */
240 #define MAX_INST_SIZE 15
242 static inline void clgi(void)
244 asm volatile (__ex("clgi"));
247 static inline void stgi(void)
249 asm volatile (__ex("stgi"));
252 static inline void invlpga(unsigned long addr, u32 asid)
254 asm volatile (__ex("invlpga %1, %0") : : "c"(asid), "a"(addr));
257 static int get_npt_level(struct kvm_vcpu *vcpu)
260 return PT64_ROOT_4LEVEL;
262 return PT32E_ROOT_LEVEL;
266 void svm_set_efer(struct kvm_vcpu *vcpu, u64 efer)
268 vcpu->arch.efer = efer;
271 /* Shadow paging assumes NX to be available. */
274 if (!(efer & EFER_LMA))
278 to_svm(vcpu)->vmcb->save.efer = efer | EFER_SVME;
279 mark_dirty(to_svm(vcpu)->vmcb, VMCB_CR);
282 static int is_external_interrupt(u32 info)
284 info &= SVM_EVTINJ_TYPE_MASK | SVM_EVTINJ_VALID;
285 return info == (SVM_EVTINJ_VALID | SVM_EVTINJ_TYPE_INTR);
288 static u32 svm_get_interrupt_shadow(struct kvm_vcpu *vcpu)
290 struct vcpu_svm *svm = to_svm(vcpu);
293 if (svm->vmcb->control.int_state & SVM_INTERRUPT_SHADOW_MASK)
294 ret = KVM_X86_SHADOW_INT_STI | KVM_X86_SHADOW_INT_MOV_SS;
298 static void svm_set_interrupt_shadow(struct kvm_vcpu *vcpu, int mask)
300 struct vcpu_svm *svm = to_svm(vcpu);
303 svm->vmcb->control.int_state &= ~SVM_INTERRUPT_SHADOW_MASK;
305 svm->vmcb->control.int_state |= SVM_INTERRUPT_SHADOW_MASK;
309 static int skip_emulated_instruction(struct kvm_vcpu *vcpu)
311 struct vcpu_svm *svm = to_svm(vcpu);
313 if (nrips && svm->vmcb->control.next_rip != 0) {
314 WARN_ON_ONCE(!static_cpu_has(X86_FEATURE_NRIPS));
315 svm->next_rip = svm->vmcb->control.next_rip;
318 if (!svm->next_rip) {
319 if (!kvm_emulate_instruction(vcpu, EMULTYPE_SKIP))
322 kvm_rip_write(vcpu, svm->next_rip);
324 svm_set_interrupt_shadow(vcpu, 0);
329 static void svm_queue_exception(struct kvm_vcpu *vcpu)
331 struct vcpu_svm *svm = to_svm(vcpu);
332 unsigned nr = vcpu->arch.exception.nr;
333 bool has_error_code = vcpu->arch.exception.has_error_code;
334 u32 error_code = vcpu->arch.exception.error_code;
336 kvm_deliver_exception_payload(&svm->vcpu);
338 if (nr == BP_VECTOR && !nrips) {
339 unsigned long rip, old_rip = kvm_rip_read(&svm->vcpu);
342 * For guest debugging where we have to reinject #BP if some
343 * INT3 is guest-owned:
344 * Emulate nRIP by moving RIP forward. Will fail if injection
345 * raises a fault that is not intercepted. Still better than
346 * failing in all cases.
348 (void)skip_emulated_instruction(&svm->vcpu);
349 rip = kvm_rip_read(&svm->vcpu);
350 svm->int3_rip = rip + svm->vmcb->save.cs.base;
351 svm->int3_injected = rip - old_rip;
354 svm->vmcb->control.event_inj = nr
356 | (has_error_code ? SVM_EVTINJ_VALID_ERR : 0)
357 | SVM_EVTINJ_TYPE_EXEPT;
358 svm->vmcb->control.event_inj_err = error_code;
361 static void svm_init_erratum_383(void)
367 if (!static_cpu_has_bug(X86_BUG_AMD_TLB_MMATCH))
370 /* Use _safe variants to not break nested virtualization */
371 val = native_read_msr_safe(MSR_AMD64_DC_CFG, &err);
377 low = lower_32_bits(val);
378 high = upper_32_bits(val);
380 native_write_msr_safe(MSR_AMD64_DC_CFG, low, high);
382 erratum_383_found = true;
385 static void svm_init_osvw(struct kvm_vcpu *vcpu)
388 * Guests should see errata 400 and 415 as fixed (assuming that
389 * HLT and IO instructions are intercepted).
391 vcpu->arch.osvw.length = (osvw_len >= 3) ? (osvw_len) : 3;
392 vcpu->arch.osvw.status = osvw_status & ~(6ULL);
395 * By increasing VCPU's osvw.length to 3 we are telling the guest that
396 * all osvw.status bits inside that length, including bit 0 (which is
397 * reserved for erratum 298), are valid. However, if host processor's
398 * osvw_len is 0 then osvw_status[0] carries no information. We need to
399 * be conservative here and therefore we tell the guest that erratum 298
400 * is present (because we really don't know).
402 if (osvw_len == 0 && boot_cpu_data.x86 == 0x10)
403 vcpu->arch.osvw.status |= 1;
406 static int has_svm(void)
410 if (!cpu_has_svm(&msg)) {
411 printk(KERN_INFO "has_svm: %s\n", msg);
418 static void svm_hardware_disable(void)
420 /* Make sure we clean up behind us */
421 if (static_cpu_has(X86_FEATURE_TSCRATEMSR))
422 wrmsrl(MSR_AMD64_TSC_RATIO, TSC_RATIO_DEFAULT);
426 amd_pmu_disable_virt();
429 static int svm_hardware_enable(void)
432 struct svm_cpu_data *sd;
434 struct desc_struct *gdt;
435 int me = raw_smp_processor_id();
437 rdmsrl(MSR_EFER, efer);
438 if (efer & EFER_SVME)
442 pr_err("%s: err EOPNOTSUPP on %d\n", __func__, me);
445 sd = per_cpu(svm_data, me);
447 pr_err("%s: svm_data is NULL on %d\n", __func__, me);
451 sd->asid_generation = 1;
452 sd->max_asid = cpuid_ebx(SVM_CPUID_FUNC) - 1;
453 sd->next_asid = sd->max_asid + 1;
454 sd->min_asid = max_sev_asid + 1;
456 gdt = get_current_gdt_rw();
457 sd->tss_desc = (struct kvm_ldttss_desc *)(gdt + GDT_ENTRY_TSS);
459 wrmsrl(MSR_EFER, efer | EFER_SVME);
461 wrmsrl(MSR_VM_HSAVE_PA, page_to_pfn(sd->save_area) << PAGE_SHIFT);
463 if (static_cpu_has(X86_FEATURE_TSCRATEMSR)) {
464 wrmsrl(MSR_AMD64_TSC_RATIO, TSC_RATIO_DEFAULT);
465 __this_cpu_write(current_tsc_ratio, TSC_RATIO_DEFAULT);
472 * Note that it is possible to have a system with mixed processor
473 * revisions and therefore different OSVW bits. If bits are not the same
474 * on different processors then choose the worst case (i.e. if erratum
475 * is present on one processor and not on another then assume that the
476 * erratum is present everywhere).
478 if (cpu_has(&boot_cpu_data, X86_FEATURE_OSVW)) {
479 uint64_t len, status = 0;
482 len = native_read_msr_safe(MSR_AMD64_OSVW_ID_LENGTH, &err);
484 status = native_read_msr_safe(MSR_AMD64_OSVW_STATUS,
488 osvw_status = osvw_len = 0;
492 osvw_status |= status;
493 osvw_status &= (1ULL << osvw_len) - 1;
496 osvw_status = osvw_len = 0;
498 svm_init_erratum_383();
500 amd_pmu_enable_virt();
505 static void svm_cpu_uninit(int cpu)
507 struct svm_cpu_data *sd = per_cpu(svm_data, raw_smp_processor_id());
512 per_cpu(svm_data, raw_smp_processor_id()) = NULL;
513 kfree(sd->sev_vmcbs);
514 __free_page(sd->save_area);
518 static int svm_cpu_init(int cpu)
520 struct svm_cpu_data *sd;
522 sd = kzalloc(sizeof(struct svm_cpu_data), GFP_KERNEL);
526 sd->save_area = alloc_page(GFP_KERNEL);
530 if (svm_sev_enabled()) {
531 sd->sev_vmcbs = kmalloc_array(max_sev_asid + 1,
538 per_cpu(svm_data, cpu) = sd;
543 __free_page(sd->save_area);
550 static bool valid_msr_intercept(u32 index)
554 for (i = 0; direct_access_msrs[i].index != MSR_INVALID; i++)
555 if (direct_access_msrs[i].index == index)
561 static bool msr_write_intercepted(struct kvm_vcpu *vcpu, unsigned msr)
568 msrpm = is_guest_mode(vcpu) ? to_svm(vcpu)->nested.msrpm:
571 offset = svm_msrpm_offset(msr);
572 bit_write = 2 * (msr & 0x0f) + 1;
575 BUG_ON(offset == MSR_INVALID);
577 return !!test_bit(bit_write, &tmp);
580 static void set_msr_interception(u32 *msrpm, unsigned msr,
583 u8 bit_read, bit_write;
588 * If this warning triggers extend the direct_access_msrs list at the
589 * beginning of the file
591 WARN_ON(!valid_msr_intercept(msr));
593 offset = svm_msrpm_offset(msr);
594 bit_read = 2 * (msr & 0x0f);
595 bit_write = 2 * (msr & 0x0f) + 1;
598 BUG_ON(offset == MSR_INVALID);
600 read ? clear_bit(bit_read, &tmp) : set_bit(bit_read, &tmp);
601 write ? clear_bit(bit_write, &tmp) : set_bit(bit_write, &tmp);
606 static void svm_vcpu_init_msrpm(u32 *msrpm)
610 memset(msrpm, 0xff, PAGE_SIZE * (1 << MSRPM_ALLOC_ORDER));
612 for (i = 0; direct_access_msrs[i].index != MSR_INVALID; i++) {
613 if (!direct_access_msrs[i].always)
616 set_msr_interception(msrpm, direct_access_msrs[i].index, 1, 1);
620 static void add_msr_offset(u32 offset)
624 for (i = 0; i < MSRPM_OFFSETS; ++i) {
626 /* Offset already in list? */
627 if (msrpm_offsets[i] == offset)
630 /* Slot used by another offset? */
631 if (msrpm_offsets[i] != MSR_INVALID)
634 /* Add offset to list */
635 msrpm_offsets[i] = offset;
641 * If this BUG triggers the msrpm_offsets table has an overflow. Just
642 * increase MSRPM_OFFSETS in this case.
647 static void init_msrpm_offsets(void)
651 memset(msrpm_offsets, 0xff, sizeof(msrpm_offsets));
653 for (i = 0; direct_access_msrs[i].index != MSR_INVALID; i++) {
656 offset = svm_msrpm_offset(direct_access_msrs[i].index);
657 BUG_ON(offset == MSR_INVALID);
659 add_msr_offset(offset);
663 static void svm_enable_lbrv(struct vcpu_svm *svm)
665 u32 *msrpm = svm->msrpm;
667 svm->vmcb->control.virt_ext |= LBR_CTL_ENABLE_MASK;
668 set_msr_interception(msrpm, MSR_IA32_LASTBRANCHFROMIP, 1, 1);
669 set_msr_interception(msrpm, MSR_IA32_LASTBRANCHTOIP, 1, 1);
670 set_msr_interception(msrpm, MSR_IA32_LASTINTFROMIP, 1, 1);
671 set_msr_interception(msrpm, MSR_IA32_LASTINTTOIP, 1, 1);
674 static void svm_disable_lbrv(struct vcpu_svm *svm)
676 u32 *msrpm = svm->msrpm;
678 svm->vmcb->control.virt_ext &= ~LBR_CTL_ENABLE_MASK;
679 set_msr_interception(msrpm, MSR_IA32_LASTBRANCHFROMIP, 0, 0);
680 set_msr_interception(msrpm, MSR_IA32_LASTBRANCHTOIP, 0, 0);
681 set_msr_interception(msrpm, MSR_IA32_LASTINTFROMIP, 0, 0);
682 set_msr_interception(msrpm, MSR_IA32_LASTINTTOIP, 0, 0);
685 void disable_nmi_singlestep(struct vcpu_svm *svm)
687 svm->nmi_singlestep = false;
689 if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP)) {
690 /* Clear our flags if they were not set by the guest */
691 if (!(svm->nmi_singlestep_guest_rflags & X86_EFLAGS_TF))
692 svm->vmcb->save.rflags &= ~X86_EFLAGS_TF;
693 if (!(svm->nmi_singlestep_guest_rflags & X86_EFLAGS_RF))
694 svm->vmcb->save.rflags &= ~X86_EFLAGS_RF;
698 static void grow_ple_window(struct kvm_vcpu *vcpu)
700 struct vcpu_svm *svm = to_svm(vcpu);
701 struct vmcb_control_area *control = &svm->vmcb->control;
702 int old = control->pause_filter_count;
704 control->pause_filter_count = __grow_ple_window(old,
706 pause_filter_count_grow,
707 pause_filter_count_max);
709 if (control->pause_filter_count != old) {
710 mark_dirty(svm->vmcb, VMCB_INTERCEPTS);
711 trace_kvm_ple_window_update(vcpu->vcpu_id,
712 control->pause_filter_count, old);
716 static void shrink_ple_window(struct kvm_vcpu *vcpu)
718 struct vcpu_svm *svm = to_svm(vcpu);
719 struct vmcb_control_area *control = &svm->vmcb->control;
720 int old = control->pause_filter_count;
722 control->pause_filter_count =
723 __shrink_ple_window(old,
725 pause_filter_count_shrink,
727 if (control->pause_filter_count != old) {
728 mark_dirty(svm->vmcb, VMCB_INTERCEPTS);
729 trace_kvm_ple_window_update(vcpu->vcpu_id,
730 control->pause_filter_count, old);
735 * The default MMIO mask is a single bit (excluding the present bit),
736 * which could conflict with the memory encryption bit. Check for
737 * memory encryption support and override the default MMIO mask if
738 * memory encryption is enabled.
740 static __init void svm_adjust_mmio_mask(void)
742 unsigned int enc_bit, mask_bit;
745 /* If there is no memory encryption support, use existing mask */
746 if (cpuid_eax(0x80000000) < 0x8000001f)
749 /* If memory encryption is not enabled, use existing mask */
750 rdmsrl(MSR_K8_SYSCFG, msr);
751 if (!(msr & MSR_K8_SYSCFG_MEM_ENCRYPT))
754 enc_bit = cpuid_ebx(0x8000001f) & 0x3f;
755 mask_bit = boot_cpu_data.x86_phys_bits;
757 /* Increment the mask bit if it is the same as the encryption bit */
758 if (enc_bit == mask_bit)
762 * If the mask bit location is below 52, then some bits above the
763 * physical addressing limit will always be reserved, so use the
764 * rsvd_bits() function to generate the mask. This mask, along with
765 * the present bit, will be used to generate a page fault with
768 * If the mask bit location is 52 (or above), then clear the mask.
770 mask = (mask_bit < 52) ? rsvd_bits(mask_bit, 51) | PT_PRESENT_MASK : 0;
772 kvm_mmu_set_mmio_spte_mask(mask, PT_WRITABLE_MASK | PT_USER_MASK);
775 static void svm_hardware_teardown(void)
779 if (svm_sev_enabled())
780 sev_hardware_teardown();
782 for_each_possible_cpu(cpu)
785 __free_pages(pfn_to_page(iopm_base >> PAGE_SHIFT), IOPM_ALLOC_ORDER);
789 static __init void svm_set_cpu_caps(void)
795 /* CPUID 0x80000001 and 0x8000000A (SVM features) */
797 kvm_cpu_cap_set(X86_FEATURE_SVM);
800 kvm_cpu_cap_set(X86_FEATURE_NRIPS);
803 kvm_cpu_cap_set(X86_FEATURE_NPT);
806 /* CPUID 0x80000008 */
807 if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD) ||
808 boot_cpu_has(X86_FEATURE_AMD_SSBD))
809 kvm_cpu_cap_set(X86_FEATURE_VIRT_SSBD);
812 static __init int svm_hardware_setup(void)
815 struct page *iopm_pages;
819 iopm_pages = alloc_pages(GFP_KERNEL, IOPM_ALLOC_ORDER);
824 iopm_va = page_address(iopm_pages);
825 memset(iopm_va, 0xff, PAGE_SIZE * (1 << IOPM_ALLOC_ORDER));
826 iopm_base = page_to_pfn(iopm_pages) << PAGE_SHIFT;
828 init_msrpm_offsets();
830 supported_xcr0 &= ~(XFEATURE_MASK_BNDREGS | XFEATURE_MASK_BNDCSR);
832 if (boot_cpu_has(X86_FEATURE_NX))
833 kvm_enable_efer_bits(EFER_NX);
835 if (boot_cpu_has(X86_FEATURE_FXSR_OPT))
836 kvm_enable_efer_bits(EFER_FFXSR);
838 if (boot_cpu_has(X86_FEATURE_TSCRATEMSR)) {
839 kvm_has_tsc_control = true;
840 kvm_max_tsc_scaling_ratio = TSC_RATIO_MAX;
841 kvm_tsc_scaling_ratio_frac_bits = 32;
844 /* Check for pause filtering support */
845 if (!boot_cpu_has(X86_FEATURE_PAUSEFILTER)) {
846 pause_filter_count = 0;
847 pause_filter_thresh = 0;
848 } else if (!boot_cpu_has(X86_FEATURE_PFTHRESHOLD)) {
849 pause_filter_thresh = 0;
853 printk(KERN_INFO "kvm: Nested Virtualization enabled\n");
854 kvm_enable_efer_bits(EFER_SVME | EFER_LMSLE);
858 if (boot_cpu_has(X86_FEATURE_SEV) &&
859 IS_ENABLED(CONFIG_KVM_AMD_SEV)) {
860 r = sev_hardware_setup();
868 svm_adjust_mmio_mask();
870 for_each_possible_cpu(cpu) {
871 r = svm_cpu_init(cpu);
876 if (!boot_cpu_has(X86_FEATURE_NPT))
879 if (npt_enabled && !npt)
882 kvm_configure_mmu(npt_enabled, PG_LEVEL_1G);
883 pr_info("kvm: Nested Paging %sabled\n", npt_enabled ? "en" : "dis");
886 if (!boot_cpu_has(X86_FEATURE_NRIPS))
892 !boot_cpu_has(X86_FEATURE_AVIC) ||
893 !IS_ENABLED(CONFIG_X86_LOCAL_APIC)) {
896 pr_info("AVIC enabled\n");
898 amd_iommu_register_ga_log_notifier(&avic_ga_log_notifier);
904 !boot_cpu_has(X86_FEATURE_V_VMSAVE_VMLOAD) ||
905 !IS_ENABLED(CONFIG_X86_64)) {
908 pr_info("Virtual VMLOAD VMSAVE supported\n");
913 if (!boot_cpu_has(X86_FEATURE_VGIF))
916 pr_info("Virtual GIF supported\n");
924 svm_hardware_teardown();
928 static void init_seg(struct vmcb_seg *seg)
931 seg->attrib = SVM_SELECTOR_P_MASK | SVM_SELECTOR_S_MASK |
932 SVM_SELECTOR_WRITE_MASK; /* Read/Write Data Segment */
937 static void init_sys_seg(struct vmcb_seg *seg, uint32_t type)
940 seg->attrib = SVM_SELECTOR_P_MASK | type;
945 static u64 svm_write_l1_tsc_offset(struct kvm_vcpu *vcpu, u64 offset)
947 struct vcpu_svm *svm = to_svm(vcpu);
948 u64 g_tsc_offset = 0;
950 if (is_guest_mode(vcpu)) {
951 /* Write L1's TSC offset. */
952 g_tsc_offset = svm->vmcb->control.tsc_offset -
953 svm->nested.hsave->control.tsc_offset;
954 svm->nested.hsave->control.tsc_offset = offset;
957 trace_kvm_write_tsc_offset(vcpu->vcpu_id,
958 svm->vmcb->control.tsc_offset - g_tsc_offset,
961 svm->vmcb->control.tsc_offset = offset + g_tsc_offset;
963 mark_dirty(svm->vmcb, VMCB_INTERCEPTS);
964 return svm->vmcb->control.tsc_offset;
967 static void init_vmcb(struct vcpu_svm *svm)
969 struct vmcb_control_area *control = &svm->vmcb->control;
970 struct vmcb_save_area *save = &svm->vmcb->save;
972 svm->vcpu.arch.hflags = 0;
974 set_cr_intercept(svm, INTERCEPT_CR0_READ);
975 set_cr_intercept(svm, INTERCEPT_CR3_READ);
976 set_cr_intercept(svm, INTERCEPT_CR4_READ);
977 set_cr_intercept(svm, INTERCEPT_CR0_WRITE);
978 set_cr_intercept(svm, INTERCEPT_CR3_WRITE);
979 set_cr_intercept(svm, INTERCEPT_CR4_WRITE);
980 if (!kvm_vcpu_apicv_active(&svm->vcpu))
981 set_cr_intercept(svm, INTERCEPT_CR8_WRITE);
983 set_dr_intercepts(svm);
985 set_exception_intercept(svm, PF_VECTOR);
986 set_exception_intercept(svm, UD_VECTOR);
987 set_exception_intercept(svm, MC_VECTOR);
988 set_exception_intercept(svm, AC_VECTOR);
989 set_exception_intercept(svm, DB_VECTOR);
991 * Guest access to VMware backdoor ports could legitimately
992 * trigger #GP because of TSS I/O permission bitmap.
993 * We intercept those #GP and allow access to them anyway
996 if (enable_vmware_backdoor)
997 set_exception_intercept(svm, GP_VECTOR);
999 set_intercept(svm, INTERCEPT_INTR);
1000 set_intercept(svm, INTERCEPT_NMI);
1001 set_intercept(svm, INTERCEPT_SMI);
1002 set_intercept(svm, INTERCEPT_SELECTIVE_CR0);
1003 set_intercept(svm, INTERCEPT_RDPMC);
1004 set_intercept(svm, INTERCEPT_CPUID);
1005 set_intercept(svm, INTERCEPT_INVD);
1006 set_intercept(svm, INTERCEPT_INVLPG);
1007 set_intercept(svm, INTERCEPT_INVLPGA);
1008 set_intercept(svm, INTERCEPT_IOIO_PROT);
1009 set_intercept(svm, INTERCEPT_MSR_PROT);
1010 set_intercept(svm, INTERCEPT_TASK_SWITCH);
1011 set_intercept(svm, INTERCEPT_SHUTDOWN);
1012 set_intercept(svm, INTERCEPT_VMRUN);
1013 set_intercept(svm, INTERCEPT_VMMCALL);
1014 set_intercept(svm, INTERCEPT_VMLOAD);
1015 set_intercept(svm, INTERCEPT_VMSAVE);
1016 set_intercept(svm, INTERCEPT_STGI);
1017 set_intercept(svm, INTERCEPT_CLGI);
1018 set_intercept(svm, INTERCEPT_SKINIT);
1019 set_intercept(svm, INTERCEPT_WBINVD);
1020 set_intercept(svm, INTERCEPT_XSETBV);
1021 set_intercept(svm, INTERCEPT_RDPRU);
1022 set_intercept(svm, INTERCEPT_RSM);
1024 if (!kvm_mwait_in_guest(svm->vcpu.kvm)) {
1025 set_intercept(svm, INTERCEPT_MONITOR);
1026 set_intercept(svm, INTERCEPT_MWAIT);
1029 if (!kvm_hlt_in_guest(svm->vcpu.kvm))
1030 set_intercept(svm, INTERCEPT_HLT);
1032 control->iopm_base_pa = __sme_set(iopm_base);
1033 control->msrpm_base_pa = __sme_set(__pa(svm->msrpm));
1034 control->int_ctl = V_INTR_MASKING_MASK;
1036 init_seg(&save->es);
1037 init_seg(&save->ss);
1038 init_seg(&save->ds);
1039 init_seg(&save->fs);
1040 init_seg(&save->gs);
1042 save->cs.selector = 0xf000;
1043 save->cs.base = 0xffff0000;
1044 /* Executable/Readable Code Segment */
1045 save->cs.attrib = SVM_SELECTOR_READ_MASK | SVM_SELECTOR_P_MASK |
1046 SVM_SELECTOR_S_MASK | SVM_SELECTOR_CODE_MASK;
1047 save->cs.limit = 0xffff;
1049 save->gdtr.limit = 0xffff;
1050 save->idtr.limit = 0xffff;
1052 init_sys_seg(&save->ldtr, SEG_TYPE_LDT);
1053 init_sys_seg(&save->tr, SEG_TYPE_BUSY_TSS16);
1055 svm_set_efer(&svm->vcpu, 0);
1056 save->dr6 = 0xffff0ff0;
1057 kvm_set_rflags(&svm->vcpu, 2);
1058 save->rip = 0x0000fff0;
1059 svm->vcpu.arch.regs[VCPU_REGS_RIP] = save->rip;
1062 * svm_set_cr0() sets PG and WP and clears NW and CD on save->cr0.
1063 * It also updates the guest-visible cr0 value.
1065 svm_set_cr0(&svm->vcpu, X86_CR0_NW | X86_CR0_CD | X86_CR0_ET);
1066 kvm_mmu_reset_context(&svm->vcpu);
1068 save->cr4 = X86_CR4_PAE;
1072 /* Setup VMCB for Nested Paging */
1073 control->nested_ctl |= SVM_NESTED_CTL_NP_ENABLE;
1074 clr_intercept(svm, INTERCEPT_INVLPG);
1075 clr_exception_intercept(svm, PF_VECTOR);
1076 clr_cr_intercept(svm, INTERCEPT_CR3_READ);
1077 clr_cr_intercept(svm, INTERCEPT_CR3_WRITE);
1078 save->g_pat = svm->vcpu.arch.pat;
1082 svm->asid_generation = 0;
1084 svm->nested.vmcb = 0;
1085 svm->vcpu.arch.hflags = 0;
1087 if (pause_filter_count) {
1088 control->pause_filter_count = pause_filter_count;
1089 if (pause_filter_thresh)
1090 control->pause_filter_thresh = pause_filter_thresh;
1091 set_intercept(svm, INTERCEPT_PAUSE);
1093 clr_intercept(svm, INTERCEPT_PAUSE);
1096 if (kvm_vcpu_apicv_active(&svm->vcpu))
1097 avic_init_vmcb(svm);
1100 * If hardware supports Virtual VMLOAD VMSAVE then enable it
1101 * in VMCB and clear intercepts to avoid #VMEXIT.
1104 clr_intercept(svm, INTERCEPT_VMLOAD);
1105 clr_intercept(svm, INTERCEPT_VMSAVE);
1106 svm->vmcb->control.virt_ext |= VIRTUAL_VMLOAD_VMSAVE_ENABLE_MASK;
1110 clr_intercept(svm, INTERCEPT_STGI);
1111 clr_intercept(svm, INTERCEPT_CLGI);
1112 svm->vmcb->control.int_ctl |= V_GIF_ENABLE_MASK;
1115 if (sev_guest(svm->vcpu.kvm)) {
1116 svm->vmcb->control.nested_ctl |= SVM_NESTED_CTL_SEV_ENABLE;
1117 clr_exception_intercept(svm, UD_VECTOR);
1120 mark_all_dirty(svm->vmcb);
1126 static void svm_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event)
1128 struct vcpu_svm *svm = to_svm(vcpu);
1133 svm->virt_spec_ctrl = 0;
1136 svm->vcpu.arch.apic_base = APIC_DEFAULT_PHYS_BASE |
1137 MSR_IA32_APICBASE_ENABLE;
1138 if (kvm_vcpu_is_reset_bsp(&svm->vcpu))
1139 svm->vcpu.arch.apic_base |= MSR_IA32_APICBASE_BSP;
1143 kvm_cpuid(vcpu, &eax, &dummy, &dummy, &dummy, false);
1144 kvm_rdx_write(vcpu, eax);
1146 if (kvm_vcpu_apicv_active(vcpu) && !init_event)
1147 avic_update_vapic_bar(svm, APIC_DEFAULT_PHYS_BASE);
1150 static int svm_create_vcpu(struct kvm_vcpu *vcpu)
1152 struct vcpu_svm *svm;
1154 struct page *msrpm_pages;
1155 struct page *hsave_page;
1156 struct page *nested_msrpm_pages;
1159 BUILD_BUG_ON(offsetof(struct vcpu_svm, vcpu) != 0);
1163 page = alloc_page(GFP_KERNEL_ACCOUNT);
1167 msrpm_pages = alloc_pages(GFP_KERNEL_ACCOUNT, MSRPM_ALLOC_ORDER);
1171 nested_msrpm_pages = alloc_pages(GFP_KERNEL_ACCOUNT, MSRPM_ALLOC_ORDER);
1172 if (!nested_msrpm_pages)
1175 hsave_page = alloc_page(GFP_KERNEL_ACCOUNT);
1179 err = avic_init_vcpu(svm);
1183 /* We initialize this flag to true to make sure that the is_running
1184 * bit would be set the first time the vcpu is loaded.
1186 if (irqchip_in_kernel(vcpu->kvm) && kvm_apicv_activated(vcpu->kvm))
1187 svm->avic_is_running = true;
1189 svm->nested.hsave = page_address(hsave_page);
1191 svm->msrpm = page_address(msrpm_pages);
1192 svm_vcpu_init_msrpm(svm->msrpm);
1194 svm->nested.msrpm = page_address(nested_msrpm_pages);
1195 svm_vcpu_init_msrpm(svm->nested.msrpm);
1197 svm->vmcb = page_address(page);
1198 clear_page(svm->vmcb);
1199 svm->vmcb_pa = __sme_set(page_to_pfn(page) << PAGE_SHIFT);
1200 svm->asid_generation = 0;
1203 svm_init_osvw(vcpu);
1204 vcpu->arch.microcode_version = 0x01000065;
1209 __free_page(hsave_page);
1211 __free_pages(nested_msrpm_pages, MSRPM_ALLOC_ORDER);
1213 __free_pages(msrpm_pages, MSRPM_ALLOC_ORDER);
1220 static void svm_clear_current_vmcb(struct vmcb *vmcb)
1224 for_each_online_cpu(i)
1225 cmpxchg(&per_cpu(svm_data, i)->current_vmcb, vmcb, NULL);
1228 static void svm_free_vcpu(struct kvm_vcpu *vcpu)
1230 struct vcpu_svm *svm = to_svm(vcpu);
1233 * The vmcb page can be recycled, causing a false negative in
1234 * svm_vcpu_load(). So, ensure that no logical CPU has this
1235 * vmcb page recorded as its current vmcb.
1237 svm_clear_current_vmcb(svm->vmcb);
1239 __free_page(pfn_to_page(__sme_clr(svm->vmcb_pa) >> PAGE_SHIFT));
1240 __free_pages(virt_to_page(svm->msrpm), MSRPM_ALLOC_ORDER);
1241 __free_page(virt_to_page(svm->nested.hsave));
1242 __free_pages(virt_to_page(svm->nested.msrpm), MSRPM_ALLOC_ORDER);
1245 static void svm_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
1247 struct vcpu_svm *svm = to_svm(vcpu);
1248 struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
1251 if (unlikely(cpu != vcpu->cpu)) {
1252 svm->asid_generation = 0;
1253 mark_all_dirty(svm->vmcb);
1256 #ifdef CONFIG_X86_64
1257 rdmsrl(MSR_GS_BASE, to_svm(vcpu)->host.gs_base);
1259 savesegment(fs, svm->host.fs);
1260 savesegment(gs, svm->host.gs);
1261 svm->host.ldt = kvm_read_ldt();
1263 for (i = 0; i < NR_HOST_SAVE_USER_MSRS; i++)
1264 rdmsrl(host_save_user_msrs[i], svm->host_user_msrs[i]);
1266 if (static_cpu_has(X86_FEATURE_TSCRATEMSR)) {
1267 u64 tsc_ratio = vcpu->arch.tsc_scaling_ratio;
1268 if (tsc_ratio != __this_cpu_read(current_tsc_ratio)) {
1269 __this_cpu_write(current_tsc_ratio, tsc_ratio);
1270 wrmsrl(MSR_AMD64_TSC_RATIO, tsc_ratio);
1273 /* This assumes that the kernel never uses MSR_TSC_AUX */
1274 if (static_cpu_has(X86_FEATURE_RDTSCP))
1275 wrmsrl(MSR_TSC_AUX, svm->tsc_aux);
1277 if (sd->current_vmcb != svm->vmcb) {
1278 sd->current_vmcb = svm->vmcb;
1279 indirect_branch_prediction_barrier();
1281 avic_vcpu_load(vcpu, cpu);
1284 static void svm_vcpu_put(struct kvm_vcpu *vcpu)
1286 struct vcpu_svm *svm = to_svm(vcpu);
1289 avic_vcpu_put(vcpu);
1291 ++vcpu->stat.host_state_reload;
1292 kvm_load_ldt(svm->host.ldt);
1293 #ifdef CONFIG_X86_64
1294 loadsegment(fs, svm->host.fs);
1295 wrmsrl(MSR_KERNEL_GS_BASE, current->thread.gsbase);
1296 load_gs_index(svm->host.gs);
1298 #ifdef CONFIG_X86_32_LAZY_GS
1299 loadsegment(gs, svm->host.gs);
1302 for (i = 0; i < NR_HOST_SAVE_USER_MSRS; i++)
1303 wrmsrl(host_save_user_msrs[i], svm->host_user_msrs[i]);
1306 static unsigned long svm_get_rflags(struct kvm_vcpu *vcpu)
1308 struct vcpu_svm *svm = to_svm(vcpu);
1309 unsigned long rflags = svm->vmcb->save.rflags;
1311 if (svm->nmi_singlestep) {
1312 /* Hide our flags if they were not set by the guest */
1313 if (!(svm->nmi_singlestep_guest_rflags & X86_EFLAGS_TF))
1314 rflags &= ~X86_EFLAGS_TF;
1315 if (!(svm->nmi_singlestep_guest_rflags & X86_EFLAGS_RF))
1316 rflags &= ~X86_EFLAGS_RF;
1321 static void svm_set_rflags(struct kvm_vcpu *vcpu, unsigned long rflags)
1323 if (to_svm(vcpu)->nmi_singlestep)
1324 rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF);
1327 * Any change of EFLAGS.VM is accompanied by a reload of SS
1328 * (caused by either a task switch or an inter-privilege IRET),
1329 * so we do not need to update the CPL here.
1331 to_svm(vcpu)->vmcb->save.rflags = rflags;
1334 static void svm_cache_reg(struct kvm_vcpu *vcpu, enum kvm_reg reg)
1337 case VCPU_EXREG_PDPTR:
1338 BUG_ON(!npt_enabled);
1339 load_pdptrs(vcpu, vcpu->arch.walk_mmu, kvm_read_cr3(vcpu));
1346 static void svm_set_vintr(struct vcpu_svm *svm)
1348 struct vmcb_control_area *control;
1350 /* The following fields are ignored when AVIC is enabled */
1351 WARN_ON(kvm_vcpu_apicv_active(&svm->vcpu));
1352 set_intercept(svm, INTERCEPT_VINTR);
1355 * This is just a dummy VINTR to actually cause a vmexit to happen.
1356 * Actual injection of virtual interrupts happens through EVENTINJ.
1358 control = &svm->vmcb->control;
1359 control->int_vector = 0x0;
1360 control->int_ctl &= ~V_INTR_PRIO_MASK;
1361 control->int_ctl |= V_IRQ_MASK |
1362 ((/*control->int_vector >> 4*/ 0xf) << V_INTR_PRIO_SHIFT);
1363 mark_dirty(svm->vmcb, VMCB_INTR);
1366 static void svm_clear_vintr(struct vcpu_svm *svm)
1368 clr_intercept(svm, INTERCEPT_VINTR);
1370 svm->vmcb->control.int_ctl &= ~V_IRQ_MASK;
1371 mark_dirty(svm->vmcb, VMCB_INTR);
1374 static struct vmcb_seg *svm_seg(struct kvm_vcpu *vcpu, int seg)
1376 struct vmcb_save_area *save = &to_svm(vcpu)->vmcb->save;
1379 case VCPU_SREG_CS: return &save->cs;
1380 case VCPU_SREG_DS: return &save->ds;
1381 case VCPU_SREG_ES: return &save->es;
1382 case VCPU_SREG_FS: return &save->fs;
1383 case VCPU_SREG_GS: return &save->gs;
1384 case VCPU_SREG_SS: return &save->ss;
1385 case VCPU_SREG_TR: return &save->tr;
1386 case VCPU_SREG_LDTR: return &save->ldtr;
1392 static u64 svm_get_segment_base(struct kvm_vcpu *vcpu, int seg)
1394 struct vmcb_seg *s = svm_seg(vcpu, seg);
1399 static void svm_get_segment(struct kvm_vcpu *vcpu,
1400 struct kvm_segment *var, int seg)
1402 struct vmcb_seg *s = svm_seg(vcpu, seg);
1404 var->base = s->base;
1405 var->limit = s->limit;
1406 var->selector = s->selector;
1407 var->type = s->attrib & SVM_SELECTOR_TYPE_MASK;
1408 var->s = (s->attrib >> SVM_SELECTOR_S_SHIFT) & 1;
1409 var->dpl = (s->attrib >> SVM_SELECTOR_DPL_SHIFT) & 3;
1410 var->present = (s->attrib >> SVM_SELECTOR_P_SHIFT) & 1;
1411 var->avl = (s->attrib >> SVM_SELECTOR_AVL_SHIFT) & 1;
1412 var->l = (s->attrib >> SVM_SELECTOR_L_SHIFT) & 1;
1413 var->db = (s->attrib >> SVM_SELECTOR_DB_SHIFT) & 1;
1416 * AMD CPUs circa 2014 track the G bit for all segments except CS.
1417 * However, the SVM spec states that the G bit is not observed by the
1418 * CPU, and some VMware virtual CPUs drop the G bit for all segments.
1419 * So let's synthesize a legal G bit for all segments, this helps
1420 * running KVM nested. It also helps cross-vendor migration, because
1421 * Intel's vmentry has a check on the 'G' bit.
1423 var->g = s->limit > 0xfffff;
1426 * AMD's VMCB does not have an explicit unusable field, so emulate it
1427 * for cross vendor migration purposes by "not present"
1429 var->unusable = !var->present;
1434 * Work around a bug where the busy flag in the tr selector
1444 * The accessed bit must always be set in the segment
1445 * descriptor cache, although it can be cleared in the
1446 * descriptor, the cached bit always remains at 1. Since
1447 * Intel has a check on this, set it here to support
1448 * cross-vendor migration.
1455 * On AMD CPUs sometimes the DB bit in the segment
1456 * descriptor is left as 1, although the whole segment has
1457 * been made unusable. Clear it here to pass an Intel VMX
1458 * entry check when cross vendor migrating.
1462 /* This is symmetric with svm_set_segment() */
1463 var->dpl = to_svm(vcpu)->vmcb->save.cpl;
1468 static int svm_get_cpl(struct kvm_vcpu *vcpu)
1470 struct vmcb_save_area *save = &to_svm(vcpu)->vmcb->save;
1475 static void svm_get_idt(struct kvm_vcpu *vcpu, struct desc_ptr *dt)
1477 struct vcpu_svm *svm = to_svm(vcpu);
1479 dt->size = svm->vmcb->save.idtr.limit;
1480 dt->address = svm->vmcb->save.idtr.base;
1483 static void svm_set_idt(struct kvm_vcpu *vcpu, struct desc_ptr *dt)
1485 struct vcpu_svm *svm = to_svm(vcpu);
1487 svm->vmcb->save.idtr.limit = dt->size;
1488 svm->vmcb->save.idtr.base = dt->address ;
1489 mark_dirty(svm->vmcb, VMCB_DT);
1492 static void svm_get_gdt(struct kvm_vcpu *vcpu, struct desc_ptr *dt)
1494 struct vcpu_svm *svm = to_svm(vcpu);
1496 dt->size = svm->vmcb->save.gdtr.limit;
1497 dt->address = svm->vmcb->save.gdtr.base;
1500 static void svm_set_gdt(struct kvm_vcpu *vcpu, struct desc_ptr *dt)
1502 struct vcpu_svm *svm = to_svm(vcpu);
1504 svm->vmcb->save.gdtr.limit = dt->size;
1505 svm->vmcb->save.gdtr.base = dt->address ;
1506 mark_dirty(svm->vmcb, VMCB_DT);
1509 static void update_cr0_intercept(struct vcpu_svm *svm)
1511 ulong gcr0 = svm->vcpu.arch.cr0;
1512 u64 *hcr0 = &svm->vmcb->save.cr0;
1514 *hcr0 = (*hcr0 & ~SVM_CR0_SELECTIVE_MASK)
1515 | (gcr0 & SVM_CR0_SELECTIVE_MASK);
1517 mark_dirty(svm->vmcb, VMCB_CR);
1519 if (gcr0 == *hcr0) {
1520 clr_cr_intercept(svm, INTERCEPT_CR0_READ);
1521 clr_cr_intercept(svm, INTERCEPT_CR0_WRITE);
1523 set_cr_intercept(svm, INTERCEPT_CR0_READ);
1524 set_cr_intercept(svm, INTERCEPT_CR0_WRITE);
1528 void svm_set_cr0(struct kvm_vcpu *vcpu, unsigned long cr0)
1530 struct vcpu_svm *svm = to_svm(vcpu);
1532 #ifdef CONFIG_X86_64
1533 if (vcpu->arch.efer & EFER_LME) {
1534 if (!is_paging(vcpu) && (cr0 & X86_CR0_PG)) {
1535 vcpu->arch.efer |= EFER_LMA;
1536 svm->vmcb->save.efer |= EFER_LMA | EFER_LME;
1539 if (is_paging(vcpu) && !(cr0 & X86_CR0_PG)) {
1540 vcpu->arch.efer &= ~EFER_LMA;
1541 svm->vmcb->save.efer &= ~(EFER_LMA | EFER_LME);
1545 vcpu->arch.cr0 = cr0;
1548 cr0 |= X86_CR0_PG | X86_CR0_WP;
1551 * re-enable caching here because the QEMU bios
1552 * does not do it - this results in some delay at
1555 if (kvm_check_has_quirk(vcpu->kvm, KVM_X86_QUIRK_CD_NW_CLEARED))
1556 cr0 &= ~(X86_CR0_CD | X86_CR0_NW);
1557 svm->vmcb->save.cr0 = cr0;
1558 mark_dirty(svm->vmcb, VMCB_CR);
1559 update_cr0_intercept(svm);
1562 int svm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
1564 unsigned long host_cr4_mce = cr4_read_shadow() & X86_CR4_MCE;
1565 unsigned long old_cr4 = to_svm(vcpu)->vmcb->save.cr4;
1567 if (cr4 & X86_CR4_VMXE)
1570 if (npt_enabled && ((old_cr4 ^ cr4) & X86_CR4_PGE))
1571 svm_flush_tlb(vcpu);
1573 vcpu->arch.cr4 = cr4;
1576 cr4 |= host_cr4_mce;
1577 to_svm(vcpu)->vmcb->save.cr4 = cr4;
1578 mark_dirty(to_svm(vcpu)->vmcb, VMCB_CR);
1582 static void svm_set_segment(struct kvm_vcpu *vcpu,
1583 struct kvm_segment *var, int seg)
1585 struct vcpu_svm *svm = to_svm(vcpu);
1586 struct vmcb_seg *s = svm_seg(vcpu, seg);
1588 s->base = var->base;
1589 s->limit = var->limit;
1590 s->selector = var->selector;
1591 s->attrib = (var->type & SVM_SELECTOR_TYPE_MASK);
1592 s->attrib |= (var->s & 1) << SVM_SELECTOR_S_SHIFT;
1593 s->attrib |= (var->dpl & 3) << SVM_SELECTOR_DPL_SHIFT;
1594 s->attrib |= ((var->present & 1) && !var->unusable) << SVM_SELECTOR_P_SHIFT;
1595 s->attrib |= (var->avl & 1) << SVM_SELECTOR_AVL_SHIFT;
1596 s->attrib |= (var->l & 1) << SVM_SELECTOR_L_SHIFT;
1597 s->attrib |= (var->db & 1) << SVM_SELECTOR_DB_SHIFT;
1598 s->attrib |= (var->g & 1) << SVM_SELECTOR_G_SHIFT;
1601 * This is always accurate, except if SYSRET returned to a segment
1602 * with SS.DPL != 3. Intel does not have this quirk, and always
1603 * forces SS.DPL to 3 on sysret, so we ignore that case; fixing it
1604 * would entail passing the CPL to userspace and back.
1606 if (seg == VCPU_SREG_SS)
1607 /* This is symmetric with svm_get_segment() */
1608 svm->vmcb->save.cpl = (var->dpl & 3);
1610 mark_dirty(svm->vmcb, VMCB_SEG);
1613 static void update_bp_intercept(struct kvm_vcpu *vcpu)
1615 struct vcpu_svm *svm = to_svm(vcpu);
1617 clr_exception_intercept(svm, BP_VECTOR);
1619 if (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) {
1620 if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP)
1621 set_exception_intercept(svm, BP_VECTOR);
1623 vcpu->guest_debug = 0;
1626 static void new_asid(struct vcpu_svm *svm, struct svm_cpu_data *sd)
1628 if (sd->next_asid > sd->max_asid) {
1629 ++sd->asid_generation;
1630 sd->next_asid = sd->min_asid;
1631 svm->vmcb->control.tlb_ctl = TLB_CONTROL_FLUSH_ALL_ASID;
1634 svm->asid_generation = sd->asid_generation;
1635 svm->vmcb->control.asid = sd->next_asid++;
1637 mark_dirty(svm->vmcb, VMCB_ASID);
1640 static void svm_set_dr6(struct vcpu_svm *svm, unsigned long value)
1642 struct vmcb *vmcb = svm->vmcb;
1644 if (unlikely(value != vmcb->save.dr6)) {
1645 vmcb->save.dr6 = value;
1646 mark_dirty(vmcb, VMCB_DR);
1650 static void svm_sync_dirty_debug_regs(struct kvm_vcpu *vcpu)
1652 struct vcpu_svm *svm = to_svm(vcpu);
1654 get_debugreg(vcpu->arch.db[0], 0);
1655 get_debugreg(vcpu->arch.db[1], 1);
1656 get_debugreg(vcpu->arch.db[2], 2);
1657 get_debugreg(vcpu->arch.db[3], 3);
1659 * We cannot reset svm->vmcb->save.dr6 to DR6_FIXED_1|DR6_RTM here,
1660 * because db_interception might need it. We can do it before vmentry.
1662 vcpu->arch.dr6 = svm->vmcb->save.dr6;
1663 vcpu->arch.dr7 = svm->vmcb->save.dr7;
1664 vcpu->arch.switch_db_regs &= ~KVM_DEBUGREG_WONT_EXIT;
1665 set_dr_intercepts(svm);
1668 static void svm_set_dr7(struct kvm_vcpu *vcpu, unsigned long value)
1670 struct vcpu_svm *svm = to_svm(vcpu);
1672 svm->vmcb->save.dr7 = value;
1673 mark_dirty(svm->vmcb, VMCB_DR);
1676 static int pf_interception(struct vcpu_svm *svm)
1678 u64 fault_address = __sme_clr(svm->vmcb->control.exit_info_2);
1679 u64 error_code = svm->vmcb->control.exit_info_1;
1681 return kvm_handle_page_fault(&svm->vcpu, error_code, fault_address,
1682 static_cpu_has(X86_FEATURE_DECODEASSISTS) ?
1683 svm->vmcb->control.insn_bytes : NULL,
1684 svm->vmcb->control.insn_len);
1687 static int npf_interception(struct vcpu_svm *svm)
1689 u64 fault_address = __sme_clr(svm->vmcb->control.exit_info_2);
1690 u64 error_code = svm->vmcb->control.exit_info_1;
1692 trace_kvm_page_fault(fault_address, error_code);
1693 return kvm_mmu_page_fault(&svm->vcpu, fault_address, error_code,
1694 static_cpu_has(X86_FEATURE_DECODEASSISTS) ?
1695 svm->vmcb->control.insn_bytes : NULL,
1696 svm->vmcb->control.insn_len);
1699 static int db_interception(struct vcpu_svm *svm)
1701 struct kvm_run *kvm_run = svm->vcpu.run;
1702 struct kvm_vcpu *vcpu = &svm->vcpu;
1704 if (!(svm->vcpu.guest_debug &
1705 (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP)) &&
1706 !svm->nmi_singlestep) {
1707 u32 payload = (svm->vmcb->save.dr6 ^ DR6_RTM) & ~DR6_FIXED_1;
1708 kvm_queue_exception_p(&svm->vcpu, DB_VECTOR, payload);
1712 if (svm->nmi_singlestep) {
1713 disable_nmi_singlestep(svm);
1714 /* Make sure we check for pending NMIs upon entry */
1715 kvm_make_request(KVM_REQ_EVENT, vcpu);
1718 if (svm->vcpu.guest_debug &
1719 (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP)) {
1720 kvm_run->exit_reason = KVM_EXIT_DEBUG;
1721 kvm_run->debug.arch.dr6 = svm->vmcb->save.dr6;
1722 kvm_run->debug.arch.dr7 = svm->vmcb->save.dr7;
1723 kvm_run->debug.arch.pc =
1724 svm->vmcb->save.cs.base + svm->vmcb->save.rip;
1725 kvm_run->debug.arch.exception = DB_VECTOR;
1732 static int bp_interception(struct vcpu_svm *svm)
1734 struct kvm_run *kvm_run = svm->vcpu.run;
1736 kvm_run->exit_reason = KVM_EXIT_DEBUG;
1737 kvm_run->debug.arch.pc = svm->vmcb->save.cs.base + svm->vmcb->save.rip;
1738 kvm_run->debug.arch.exception = BP_VECTOR;
1742 static int ud_interception(struct vcpu_svm *svm)
1744 return handle_ud(&svm->vcpu);
1747 static int ac_interception(struct vcpu_svm *svm)
1749 kvm_queue_exception_e(&svm->vcpu, AC_VECTOR, 0);
1753 static int gp_interception(struct vcpu_svm *svm)
1755 struct kvm_vcpu *vcpu = &svm->vcpu;
1756 u32 error_code = svm->vmcb->control.exit_info_1;
1758 WARN_ON_ONCE(!enable_vmware_backdoor);
1761 * VMware backdoor emulation on #GP interception only handles IN{S},
1762 * OUT{S}, and RDPMC, none of which generate a non-zero error code.
1765 kvm_queue_exception_e(vcpu, GP_VECTOR, error_code);
1768 return kvm_emulate_instruction(vcpu, EMULTYPE_VMWARE_GP);
1771 static bool is_erratum_383(void)
1776 if (!erratum_383_found)
1779 value = native_read_msr_safe(MSR_IA32_MC0_STATUS, &err);
1783 /* Bit 62 may or may not be set for this mce */
1784 value &= ~(1ULL << 62);
1786 if (value != 0xb600000000010015ULL)
1789 /* Clear MCi_STATUS registers */
1790 for (i = 0; i < 6; ++i)
1791 native_write_msr_safe(MSR_IA32_MCx_STATUS(i), 0, 0);
1793 value = native_read_msr_safe(MSR_IA32_MCG_STATUS, &err);
1797 value &= ~(1ULL << 2);
1798 low = lower_32_bits(value);
1799 high = upper_32_bits(value);
1801 native_write_msr_safe(MSR_IA32_MCG_STATUS, low, high);
1804 /* Flush tlb to evict multi-match entries */
1811 * Trigger machine check on the host. We assume all the MSRs are already set up
1812 * by the CPU and that we still run on the same CPU as the MCE occurred on.
1813 * We pass a fake environment to the machine check handler because we want
1814 * the guest to be always treated like user space, no matter what context
1815 * it used internally.
1817 static void kvm_machine_check(void)
1819 #if defined(CONFIG_X86_MCE)
1820 struct pt_regs regs = {
1821 .cs = 3, /* Fake ring 3 no matter what the guest ran on */
1822 .flags = X86_EFLAGS_IF,
1825 do_machine_check(®s, 0);
1829 static void svm_handle_mce(struct vcpu_svm *svm)
1831 if (is_erratum_383()) {
1833 * Erratum 383 triggered. Guest state is corrupt so kill the
1836 pr_err("KVM: Guest triggered AMD Erratum 383\n");
1838 kvm_make_request(KVM_REQ_TRIPLE_FAULT, &svm->vcpu);
1844 * On an #MC intercept the MCE handler is not called automatically in
1845 * the host. So do it by hand here.
1847 kvm_machine_check();
1850 static int mc_interception(struct vcpu_svm *svm)
1855 static int shutdown_interception(struct vcpu_svm *svm)
1857 struct kvm_run *kvm_run = svm->vcpu.run;
1860 * VMCB is undefined after a SHUTDOWN intercept
1861 * so reinitialize it.
1863 clear_page(svm->vmcb);
1866 kvm_run->exit_reason = KVM_EXIT_SHUTDOWN;
1870 static int io_interception(struct vcpu_svm *svm)
1872 struct kvm_vcpu *vcpu = &svm->vcpu;
1873 u32 io_info = svm->vmcb->control.exit_info_1; /* address size bug? */
1874 int size, in, string;
1877 ++svm->vcpu.stat.io_exits;
1878 string = (io_info & SVM_IOIO_STR_MASK) != 0;
1879 in = (io_info & SVM_IOIO_TYPE_MASK) != 0;
1881 return kvm_emulate_instruction(vcpu, 0);
1883 port = io_info >> 16;
1884 size = (io_info & SVM_IOIO_SIZE_MASK) >> SVM_IOIO_SIZE_SHIFT;
1885 svm->next_rip = svm->vmcb->control.exit_info_2;
1887 return kvm_fast_pio(&svm->vcpu, size, port, in);
1890 static int nmi_interception(struct vcpu_svm *svm)
1895 static int intr_interception(struct vcpu_svm *svm)
1897 ++svm->vcpu.stat.irq_exits;
1901 static int nop_on_interception(struct vcpu_svm *svm)
1906 static int halt_interception(struct vcpu_svm *svm)
1908 return kvm_emulate_halt(&svm->vcpu);
1911 static int vmmcall_interception(struct vcpu_svm *svm)
1913 return kvm_emulate_hypercall(&svm->vcpu);
1916 static int vmload_interception(struct vcpu_svm *svm)
1918 struct vmcb *nested_vmcb;
1919 struct kvm_host_map map;
1922 if (nested_svm_check_permissions(svm))
1925 ret = kvm_vcpu_map(&svm->vcpu, gpa_to_gfn(svm->vmcb->save.rax), &map);
1928 kvm_inject_gp(&svm->vcpu, 0);
1932 nested_vmcb = map.hva;
1934 ret = kvm_skip_emulated_instruction(&svm->vcpu);
1936 nested_svm_vmloadsave(nested_vmcb, svm->vmcb);
1937 kvm_vcpu_unmap(&svm->vcpu, &map, true);
1942 static int vmsave_interception(struct vcpu_svm *svm)
1944 struct vmcb *nested_vmcb;
1945 struct kvm_host_map map;
1948 if (nested_svm_check_permissions(svm))
1951 ret = kvm_vcpu_map(&svm->vcpu, gpa_to_gfn(svm->vmcb->save.rax), &map);
1954 kvm_inject_gp(&svm->vcpu, 0);
1958 nested_vmcb = map.hva;
1960 ret = kvm_skip_emulated_instruction(&svm->vcpu);
1962 nested_svm_vmloadsave(svm->vmcb, nested_vmcb);
1963 kvm_vcpu_unmap(&svm->vcpu, &map, true);
1968 static int vmrun_interception(struct vcpu_svm *svm)
1970 if (nested_svm_check_permissions(svm))
1973 return nested_svm_vmrun(svm);
1976 static int stgi_interception(struct vcpu_svm *svm)
1980 if (nested_svm_check_permissions(svm))
1984 * If VGIF is enabled, the STGI intercept is only added to
1985 * detect the opening of the SMI/NMI window; remove it now.
1987 if (vgif_enabled(svm))
1988 clr_intercept(svm, INTERCEPT_STGI);
1990 ret = kvm_skip_emulated_instruction(&svm->vcpu);
1991 kvm_make_request(KVM_REQ_EVENT, &svm->vcpu);
1998 static int clgi_interception(struct vcpu_svm *svm)
2002 if (nested_svm_check_permissions(svm))
2005 ret = kvm_skip_emulated_instruction(&svm->vcpu);
2009 /* After a CLGI no interrupts should come */
2010 if (!kvm_vcpu_apicv_active(&svm->vcpu))
2011 svm_clear_vintr(svm);
2016 static int invlpga_interception(struct vcpu_svm *svm)
2018 struct kvm_vcpu *vcpu = &svm->vcpu;
2020 trace_kvm_invlpga(svm->vmcb->save.rip, kvm_rcx_read(&svm->vcpu),
2021 kvm_rax_read(&svm->vcpu));
2023 /* Let's treat INVLPGA the same as INVLPG (can be optimized!) */
2024 kvm_mmu_invlpg(vcpu, kvm_rax_read(&svm->vcpu));
2026 return kvm_skip_emulated_instruction(&svm->vcpu);
2029 static int skinit_interception(struct vcpu_svm *svm)
2031 trace_kvm_skinit(svm->vmcb->save.rip, kvm_rax_read(&svm->vcpu));
2033 kvm_queue_exception(&svm->vcpu, UD_VECTOR);
2037 static int wbinvd_interception(struct vcpu_svm *svm)
2039 return kvm_emulate_wbinvd(&svm->vcpu);
2042 static int xsetbv_interception(struct vcpu_svm *svm)
2044 u64 new_bv = kvm_read_edx_eax(&svm->vcpu);
2045 u32 index = kvm_rcx_read(&svm->vcpu);
2047 if (kvm_set_xcr(&svm->vcpu, index, new_bv) == 0) {
2048 return kvm_skip_emulated_instruction(&svm->vcpu);
2054 static int rdpru_interception(struct vcpu_svm *svm)
2056 kvm_queue_exception(&svm->vcpu, UD_VECTOR);
2060 static int task_switch_interception(struct vcpu_svm *svm)
2064 int int_type = svm->vmcb->control.exit_int_info &
2065 SVM_EXITINTINFO_TYPE_MASK;
2066 int int_vec = svm->vmcb->control.exit_int_info & SVM_EVTINJ_VEC_MASK;
2068 svm->vmcb->control.exit_int_info & SVM_EXITINTINFO_TYPE_MASK;
2070 svm->vmcb->control.exit_int_info & SVM_EXITINTINFO_VALID;
2071 bool has_error_code = false;
2074 tss_selector = (u16)svm->vmcb->control.exit_info_1;
2076 if (svm->vmcb->control.exit_info_2 &
2077 (1ULL << SVM_EXITINFOSHIFT_TS_REASON_IRET))
2078 reason = TASK_SWITCH_IRET;
2079 else if (svm->vmcb->control.exit_info_2 &
2080 (1ULL << SVM_EXITINFOSHIFT_TS_REASON_JMP))
2081 reason = TASK_SWITCH_JMP;
2083 reason = TASK_SWITCH_GATE;
2085 reason = TASK_SWITCH_CALL;
2087 if (reason == TASK_SWITCH_GATE) {
2089 case SVM_EXITINTINFO_TYPE_NMI:
2090 svm->vcpu.arch.nmi_injected = false;
2092 case SVM_EXITINTINFO_TYPE_EXEPT:
2093 if (svm->vmcb->control.exit_info_2 &
2094 (1ULL << SVM_EXITINFOSHIFT_TS_HAS_ERROR_CODE)) {
2095 has_error_code = true;
2097 (u32)svm->vmcb->control.exit_info_2;
2099 kvm_clear_exception_queue(&svm->vcpu);
2101 case SVM_EXITINTINFO_TYPE_INTR:
2102 kvm_clear_interrupt_queue(&svm->vcpu);
2109 if (reason != TASK_SWITCH_GATE ||
2110 int_type == SVM_EXITINTINFO_TYPE_SOFT ||
2111 (int_type == SVM_EXITINTINFO_TYPE_EXEPT &&
2112 (int_vec == OF_VECTOR || int_vec == BP_VECTOR))) {
2113 if (!skip_emulated_instruction(&svm->vcpu))
2117 if (int_type != SVM_EXITINTINFO_TYPE_SOFT)
2120 return kvm_task_switch(&svm->vcpu, tss_selector, int_vec, reason,
2121 has_error_code, error_code);
2124 static int cpuid_interception(struct vcpu_svm *svm)
2126 return kvm_emulate_cpuid(&svm->vcpu);
2129 static int iret_interception(struct vcpu_svm *svm)
2131 ++svm->vcpu.stat.nmi_window_exits;
2132 clr_intercept(svm, INTERCEPT_IRET);
2133 svm->vcpu.arch.hflags |= HF_IRET_MASK;
2134 svm->nmi_iret_rip = kvm_rip_read(&svm->vcpu);
2135 kvm_make_request(KVM_REQ_EVENT, &svm->vcpu);
2139 static int invlpg_interception(struct vcpu_svm *svm)
2141 if (!static_cpu_has(X86_FEATURE_DECODEASSISTS))
2142 return kvm_emulate_instruction(&svm->vcpu, 0);
2144 kvm_mmu_invlpg(&svm->vcpu, svm->vmcb->control.exit_info_1);
2145 return kvm_skip_emulated_instruction(&svm->vcpu);
2148 static int emulate_on_interception(struct vcpu_svm *svm)
2150 return kvm_emulate_instruction(&svm->vcpu, 0);
2153 static int rsm_interception(struct vcpu_svm *svm)
2155 return kvm_emulate_instruction_from_buffer(&svm->vcpu, rsm_ins_bytes, 2);
2158 static int rdpmc_interception(struct vcpu_svm *svm)
2163 return emulate_on_interception(svm);
2165 err = kvm_rdpmc(&svm->vcpu);
2166 return kvm_complete_insn_gp(&svm->vcpu, err);
2169 static bool check_selective_cr0_intercepted(struct vcpu_svm *svm,
2172 unsigned long cr0 = svm->vcpu.arch.cr0;
2176 intercept = svm->nested.intercept;
2178 if (!is_guest_mode(&svm->vcpu) ||
2179 (!(intercept & (1ULL << INTERCEPT_SELECTIVE_CR0))))
2182 cr0 &= ~SVM_CR0_SELECTIVE_MASK;
2183 val &= ~SVM_CR0_SELECTIVE_MASK;
2186 svm->vmcb->control.exit_code = SVM_EXIT_CR0_SEL_WRITE;
2187 ret = (nested_svm_exit_handled(svm) == NESTED_EXIT_DONE);
2193 #define CR_VALID (1ULL << 63)
2195 static int cr_interception(struct vcpu_svm *svm)
2201 if (!static_cpu_has(X86_FEATURE_DECODEASSISTS))
2202 return emulate_on_interception(svm);
2204 if (unlikely((svm->vmcb->control.exit_info_1 & CR_VALID) == 0))
2205 return emulate_on_interception(svm);
2207 reg = svm->vmcb->control.exit_info_1 & SVM_EXITINFO_REG_MASK;
2208 if (svm->vmcb->control.exit_code == SVM_EXIT_CR0_SEL_WRITE)
2209 cr = SVM_EXIT_WRITE_CR0 - SVM_EXIT_READ_CR0;
2211 cr = svm->vmcb->control.exit_code - SVM_EXIT_READ_CR0;
2214 if (cr >= 16) { /* mov to cr */
2216 val = kvm_register_read(&svm->vcpu, reg);
2219 if (!check_selective_cr0_intercepted(svm, val))
2220 err = kvm_set_cr0(&svm->vcpu, val);
2226 err = kvm_set_cr3(&svm->vcpu, val);
2229 err = kvm_set_cr4(&svm->vcpu, val);
2232 err = kvm_set_cr8(&svm->vcpu, val);
2235 WARN(1, "unhandled write to CR%d", cr);
2236 kvm_queue_exception(&svm->vcpu, UD_VECTOR);
2239 } else { /* mov from cr */
2242 val = kvm_read_cr0(&svm->vcpu);
2245 val = svm->vcpu.arch.cr2;
2248 val = kvm_read_cr3(&svm->vcpu);
2251 val = kvm_read_cr4(&svm->vcpu);
2254 val = kvm_get_cr8(&svm->vcpu);
2257 WARN(1, "unhandled read from CR%d", cr);
2258 kvm_queue_exception(&svm->vcpu, UD_VECTOR);
2261 kvm_register_write(&svm->vcpu, reg, val);
2263 return kvm_complete_insn_gp(&svm->vcpu, err);
2266 static int dr_interception(struct vcpu_svm *svm)
2271 if (svm->vcpu.guest_debug == 0) {
2273 * No more DR vmexits; force a reload of the debug registers
2274 * and reenter on this instruction. The next vmexit will
2275 * retrieve the full state of the debug registers.
2277 clr_dr_intercepts(svm);
2278 svm->vcpu.arch.switch_db_regs |= KVM_DEBUGREG_WONT_EXIT;
2282 if (!boot_cpu_has(X86_FEATURE_DECODEASSISTS))
2283 return emulate_on_interception(svm);
2285 reg = svm->vmcb->control.exit_info_1 & SVM_EXITINFO_REG_MASK;
2286 dr = svm->vmcb->control.exit_code - SVM_EXIT_READ_DR0;
2288 if (dr >= 16) { /* mov to DRn */
2289 if (!kvm_require_dr(&svm->vcpu, dr - 16))
2291 val = kvm_register_read(&svm->vcpu, reg);
2292 kvm_set_dr(&svm->vcpu, dr - 16, val);
2294 if (!kvm_require_dr(&svm->vcpu, dr))
2296 kvm_get_dr(&svm->vcpu, dr, &val);
2297 kvm_register_write(&svm->vcpu, reg, val);
2300 return kvm_skip_emulated_instruction(&svm->vcpu);
2303 static int cr8_write_interception(struct vcpu_svm *svm)
2305 struct kvm_run *kvm_run = svm->vcpu.run;
2308 u8 cr8_prev = kvm_get_cr8(&svm->vcpu);
2309 /* instruction emulation calls kvm_set_cr8() */
2310 r = cr_interception(svm);
2311 if (lapic_in_kernel(&svm->vcpu))
2313 if (cr8_prev <= kvm_get_cr8(&svm->vcpu))
2315 kvm_run->exit_reason = KVM_EXIT_SET_TPR;
2319 static int svm_get_msr_feature(struct kvm_msr_entry *msr)
2323 switch (msr->index) {
2324 case MSR_F10H_DECFG:
2325 if (boot_cpu_has(X86_FEATURE_LFENCE_RDTSC))
2326 msr->data |= MSR_F10H_DECFG_LFENCE_SERIALIZE;
2335 static int svm_get_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
2337 struct vcpu_svm *svm = to_svm(vcpu);
2339 switch (msr_info->index) {
2341 msr_info->data = svm->vmcb->save.star;
2343 #ifdef CONFIG_X86_64
2345 msr_info->data = svm->vmcb->save.lstar;
2348 msr_info->data = svm->vmcb->save.cstar;
2350 case MSR_KERNEL_GS_BASE:
2351 msr_info->data = svm->vmcb->save.kernel_gs_base;
2353 case MSR_SYSCALL_MASK:
2354 msr_info->data = svm->vmcb->save.sfmask;
2357 case MSR_IA32_SYSENTER_CS:
2358 msr_info->data = svm->vmcb->save.sysenter_cs;
2360 case MSR_IA32_SYSENTER_EIP:
2361 msr_info->data = svm->sysenter_eip;
2363 case MSR_IA32_SYSENTER_ESP:
2364 msr_info->data = svm->sysenter_esp;
2367 if (!boot_cpu_has(X86_FEATURE_RDTSCP))
2369 msr_info->data = svm->tsc_aux;
2372 * Nobody will change the following 5 values in the VMCB so we can
2373 * safely return them on rdmsr. They will always be 0 until LBRV is
2376 case MSR_IA32_DEBUGCTLMSR:
2377 msr_info->data = svm->vmcb->save.dbgctl;
2379 case MSR_IA32_LASTBRANCHFROMIP:
2380 msr_info->data = svm->vmcb->save.br_from;
2382 case MSR_IA32_LASTBRANCHTOIP:
2383 msr_info->data = svm->vmcb->save.br_to;
2385 case MSR_IA32_LASTINTFROMIP:
2386 msr_info->data = svm->vmcb->save.last_excp_from;
2388 case MSR_IA32_LASTINTTOIP:
2389 msr_info->data = svm->vmcb->save.last_excp_to;
2391 case MSR_VM_HSAVE_PA:
2392 msr_info->data = svm->nested.hsave_msr;
2395 msr_info->data = svm->nested.vm_cr_msr;
2397 case MSR_IA32_SPEC_CTRL:
2398 if (!msr_info->host_initiated &&
2399 !guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL) &&
2400 !guest_cpuid_has(vcpu, X86_FEATURE_AMD_STIBP) &&
2401 !guest_cpuid_has(vcpu, X86_FEATURE_AMD_IBRS) &&
2402 !guest_cpuid_has(vcpu, X86_FEATURE_AMD_SSBD))
2405 msr_info->data = svm->spec_ctrl;
2407 case MSR_AMD64_VIRT_SPEC_CTRL:
2408 if (!msr_info->host_initiated &&
2409 !guest_cpuid_has(vcpu, X86_FEATURE_VIRT_SSBD))
2412 msr_info->data = svm->virt_spec_ctrl;
2414 case MSR_F15H_IC_CFG: {
2418 family = guest_cpuid_family(vcpu);
2419 model = guest_cpuid_model(vcpu);
2421 if (family < 0 || model < 0)
2422 return kvm_get_msr_common(vcpu, msr_info);
2426 if (family == 0x15 &&
2427 (model >= 0x2 && model < 0x20))
2428 msr_info->data = 0x1E;
2431 case MSR_F10H_DECFG:
2432 msr_info->data = svm->msr_decfg;
2435 return kvm_get_msr_common(vcpu, msr_info);
2440 static int rdmsr_interception(struct vcpu_svm *svm)
2442 return kvm_emulate_rdmsr(&svm->vcpu);
2445 static int svm_set_vm_cr(struct kvm_vcpu *vcpu, u64 data)
2447 struct vcpu_svm *svm = to_svm(vcpu);
2448 int svm_dis, chg_mask;
2450 if (data & ~SVM_VM_CR_VALID_MASK)
2453 chg_mask = SVM_VM_CR_VALID_MASK;
2455 if (svm->nested.vm_cr_msr & SVM_VM_CR_SVM_DIS_MASK)
2456 chg_mask &= ~(SVM_VM_CR_SVM_LOCK_MASK | SVM_VM_CR_SVM_DIS_MASK);
2458 svm->nested.vm_cr_msr &= ~chg_mask;
2459 svm->nested.vm_cr_msr |= (data & chg_mask);
2461 svm_dis = svm->nested.vm_cr_msr & SVM_VM_CR_SVM_DIS_MASK;
2463 /* check for svm_disable while efer.svme is set */
2464 if (svm_dis && (vcpu->arch.efer & EFER_SVME))
2470 static int svm_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr)
2472 struct vcpu_svm *svm = to_svm(vcpu);
2474 u32 ecx = msr->index;
2475 u64 data = msr->data;
2477 case MSR_IA32_CR_PAT:
2478 if (!kvm_mtrr_valid(vcpu, MSR_IA32_CR_PAT, data))
2480 vcpu->arch.pat = data;
2481 svm->vmcb->save.g_pat = data;
2482 mark_dirty(svm->vmcb, VMCB_NPT);
2484 case MSR_IA32_SPEC_CTRL:
2485 if (!msr->host_initiated &&
2486 !guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL) &&
2487 !guest_cpuid_has(vcpu, X86_FEATURE_AMD_STIBP) &&
2488 !guest_cpuid_has(vcpu, X86_FEATURE_AMD_IBRS) &&
2489 !guest_cpuid_has(vcpu, X86_FEATURE_AMD_SSBD))
2492 if (data & ~kvm_spec_ctrl_valid_bits(vcpu))
2495 svm->spec_ctrl = data;
2501 * When it's written (to non-zero) for the first time, pass
2505 * The handling of the MSR bitmap for L2 guests is done in
2506 * nested_svm_vmrun_msrpm.
2507 * We update the L1 MSR bit as well since it will end up
2508 * touching the MSR anyway now.
2510 set_msr_interception(svm->msrpm, MSR_IA32_SPEC_CTRL, 1, 1);
2512 case MSR_IA32_PRED_CMD:
2513 if (!msr->host_initiated &&
2514 !guest_cpuid_has(vcpu, X86_FEATURE_AMD_IBPB))
2517 if (data & ~PRED_CMD_IBPB)
2519 if (!boot_cpu_has(X86_FEATURE_AMD_IBPB))
2524 wrmsrl(MSR_IA32_PRED_CMD, PRED_CMD_IBPB);
2525 set_msr_interception(svm->msrpm, MSR_IA32_PRED_CMD, 0, 1);
2527 case MSR_AMD64_VIRT_SPEC_CTRL:
2528 if (!msr->host_initiated &&
2529 !guest_cpuid_has(vcpu, X86_FEATURE_VIRT_SSBD))
2532 if (data & ~SPEC_CTRL_SSBD)
2535 svm->virt_spec_ctrl = data;
2538 svm->vmcb->save.star = data;
2540 #ifdef CONFIG_X86_64
2542 svm->vmcb->save.lstar = data;
2545 svm->vmcb->save.cstar = data;
2547 case MSR_KERNEL_GS_BASE:
2548 svm->vmcb->save.kernel_gs_base = data;
2550 case MSR_SYSCALL_MASK:
2551 svm->vmcb->save.sfmask = data;
2554 case MSR_IA32_SYSENTER_CS:
2555 svm->vmcb->save.sysenter_cs = data;
2557 case MSR_IA32_SYSENTER_EIP:
2558 svm->sysenter_eip = data;
2559 svm->vmcb->save.sysenter_eip = data;
2561 case MSR_IA32_SYSENTER_ESP:
2562 svm->sysenter_esp = data;
2563 svm->vmcb->save.sysenter_esp = data;
2566 if (!boot_cpu_has(X86_FEATURE_RDTSCP))
2570 * This is rare, so we update the MSR here instead of using
2571 * direct_access_msrs. Doing that would require a rdmsr in
2574 svm->tsc_aux = data;
2575 wrmsrl(MSR_TSC_AUX, svm->tsc_aux);
2577 case MSR_IA32_DEBUGCTLMSR:
2578 if (!boot_cpu_has(X86_FEATURE_LBRV)) {
2579 vcpu_unimpl(vcpu, "%s: MSR_IA32_DEBUGCTL 0x%llx, nop\n",
2583 if (data & DEBUGCTL_RESERVED_BITS)
2586 svm->vmcb->save.dbgctl = data;
2587 mark_dirty(svm->vmcb, VMCB_LBR);
2588 if (data & (1ULL<<0))
2589 svm_enable_lbrv(svm);
2591 svm_disable_lbrv(svm);
2593 case MSR_VM_HSAVE_PA:
2594 svm->nested.hsave_msr = data;
2597 return svm_set_vm_cr(vcpu, data);
2599 vcpu_unimpl(vcpu, "unimplemented wrmsr: 0x%x data 0x%llx\n", ecx, data);
2601 case MSR_F10H_DECFG: {
2602 struct kvm_msr_entry msr_entry;
2604 msr_entry.index = msr->index;
2605 if (svm_get_msr_feature(&msr_entry))
2608 /* Check the supported bits */
2609 if (data & ~msr_entry.data)
2612 /* Don't allow the guest to change a bit, #GP */
2613 if (!msr->host_initiated && (data ^ msr_entry.data))
2616 svm->msr_decfg = data;
2619 case MSR_IA32_APICBASE:
2620 if (kvm_vcpu_apicv_active(vcpu))
2621 avic_update_vapic_bar(to_svm(vcpu), data);
2624 return kvm_set_msr_common(vcpu, msr);
2629 static int wrmsr_interception(struct vcpu_svm *svm)
2631 return kvm_emulate_wrmsr(&svm->vcpu);
2634 static int msr_interception(struct vcpu_svm *svm)
2636 if (svm->vmcb->control.exit_info_1)
2637 return wrmsr_interception(svm);
2639 return rdmsr_interception(svm);
2642 static int interrupt_window_interception(struct vcpu_svm *svm)
2644 kvm_make_request(KVM_REQ_EVENT, &svm->vcpu);
2645 svm_clear_vintr(svm);
2648 * For AVIC, the only reason to end up here is ExtINTs.
2649 * In this case AVIC was temporarily disabled for
2650 * requesting the IRQ window and we have to re-enable it.
2652 svm_toggle_avic_for_irq_window(&svm->vcpu, true);
2654 ++svm->vcpu.stat.irq_window_exits;
2658 static int pause_interception(struct vcpu_svm *svm)
2660 struct kvm_vcpu *vcpu = &svm->vcpu;
2661 bool in_kernel = (svm_get_cpl(vcpu) == 0);
2663 if (pause_filter_thresh)
2664 grow_ple_window(vcpu);
2666 kvm_vcpu_on_spin(vcpu, in_kernel);
2670 static int nop_interception(struct vcpu_svm *svm)
2672 return kvm_skip_emulated_instruction(&(svm->vcpu));
2675 static int monitor_interception(struct vcpu_svm *svm)
2677 printk_once(KERN_WARNING "kvm: MONITOR instruction emulated as NOP!\n");
2678 return nop_interception(svm);
2681 static int mwait_interception(struct vcpu_svm *svm)
2683 printk_once(KERN_WARNING "kvm: MWAIT instruction emulated as NOP!\n");
2684 return nop_interception(svm);
2687 static int (*const svm_exit_handlers[])(struct vcpu_svm *svm) = {
2688 [SVM_EXIT_READ_CR0] = cr_interception,
2689 [SVM_EXIT_READ_CR3] = cr_interception,
2690 [SVM_EXIT_READ_CR4] = cr_interception,
2691 [SVM_EXIT_READ_CR8] = cr_interception,
2692 [SVM_EXIT_CR0_SEL_WRITE] = cr_interception,
2693 [SVM_EXIT_WRITE_CR0] = cr_interception,
2694 [SVM_EXIT_WRITE_CR3] = cr_interception,
2695 [SVM_EXIT_WRITE_CR4] = cr_interception,
2696 [SVM_EXIT_WRITE_CR8] = cr8_write_interception,
2697 [SVM_EXIT_READ_DR0] = dr_interception,
2698 [SVM_EXIT_READ_DR1] = dr_interception,
2699 [SVM_EXIT_READ_DR2] = dr_interception,
2700 [SVM_EXIT_READ_DR3] = dr_interception,
2701 [SVM_EXIT_READ_DR4] = dr_interception,
2702 [SVM_EXIT_READ_DR5] = dr_interception,
2703 [SVM_EXIT_READ_DR6] = dr_interception,
2704 [SVM_EXIT_READ_DR7] = dr_interception,
2705 [SVM_EXIT_WRITE_DR0] = dr_interception,
2706 [SVM_EXIT_WRITE_DR1] = dr_interception,
2707 [SVM_EXIT_WRITE_DR2] = dr_interception,
2708 [SVM_EXIT_WRITE_DR3] = dr_interception,
2709 [SVM_EXIT_WRITE_DR4] = dr_interception,
2710 [SVM_EXIT_WRITE_DR5] = dr_interception,
2711 [SVM_EXIT_WRITE_DR6] = dr_interception,
2712 [SVM_EXIT_WRITE_DR7] = dr_interception,
2713 [SVM_EXIT_EXCP_BASE + DB_VECTOR] = db_interception,
2714 [SVM_EXIT_EXCP_BASE + BP_VECTOR] = bp_interception,
2715 [SVM_EXIT_EXCP_BASE + UD_VECTOR] = ud_interception,
2716 [SVM_EXIT_EXCP_BASE + PF_VECTOR] = pf_interception,
2717 [SVM_EXIT_EXCP_BASE + MC_VECTOR] = mc_interception,
2718 [SVM_EXIT_EXCP_BASE + AC_VECTOR] = ac_interception,
2719 [SVM_EXIT_EXCP_BASE + GP_VECTOR] = gp_interception,
2720 [SVM_EXIT_INTR] = intr_interception,
2721 [SVM_EXIT_NMI] = nmi_interception,
2722 [SVM_EXIT_SMI] = nop_on_interception,
2723 [SVM_EXIT_INIT] = nop_on_interception,
2724 [SVM_EXIT_VINTR] = interrupt_window_interception,
2725 [SVM_EXIT_RDPMC] = rdpmc_interception,
2726 [SVM_EXIT_CPUID] = cpuid_interception,
2727 [SVM_EXIT_IRET] = iret_interception,
2728 [SVM_EXIT_INVD] = emulate_on_interception,
2729 [SVM_EXIT_PAUSE] = pause_interception,
2730 [SVM_EXIT_HLT] = halt_interception,
2731 [SVM_EXIT_INVLPG] = invlpg_interception,
2732 [SVM_EXIT_INVLPGA] = invlpga_interception,
2733 [SVM_EXIT_IOIO] = io_interception,
2734 [SVM_EXIT_MSR] = msr_interception,
2735 [SVM_EXIT_TASK_SWITCH] = task_switch_interception,
2736 [SVM_EXIT_SHUTDOWN] = shutdown_interception,
2737 [SVM_EXIT_VMRUN] = vmrun_interception,
2738 [SVM_EXIT_VMMCALL] = vmmcall_interception,
2739 [SVM_EXIT_VMLOAD] = vmload_interception,
2740 [SVM_EXIT_VMSAVE] = vmsave_interception,
2741 [SVM_EXIT_STGI] = stgi_interception,
2742 [SVM_EXIT_CLGI] = clgi_interception,
2743 [SVM_EXIT_SKINIT] = skinit_interception,
2744 [SVM_EXIT_WBINVD] = wbinvd_interception,
2745 [SVM_EXIT_MONITOR] = monitor_interception,
2746 [SVM_EXIT_MWAIT] = mwait_interception,
2747 [SVM_EXIT_XSETBV] = xsetbv_interception,
2748 [SVM_EXIT_RDPRU] = rdpru_interception,
2749 [SVM_EXIT_NPF] = npf_interception,
2750 [SVM_EXIT_RSM] = rsm_interception,
2751 [SVM_EXIT_AVIC_INCOMPLETE_IPI] = avic_incomplete_ipi_interception,
2752 [SVM_EXIT_AVIC_UNACCELERATED_ACCESS] = avic_unaccelerated_access_interception,
2755 static void dump_vmcb(struct kvm_vcpu *vcpu)
2757 struct vcpu_svm *svm = to_svm(vcpu);
2758 struct vmcb_control_area *control = &svm->vmcb->control;
2759 struct vmcb_save_area *save = &svm->vmcb->save;
2761 if (!dump_invalid_vmcb) {
2762 pr_warn_ratelimited("set kvm_amd.dump_invalid_vmcb=1 to dump internal KVM state.\n");
2766 pr_err("VMCB Control Area:\n");
2767 pr_err("%-20s%04x\n", "cr_read:", control->intercept_cr & 0xffff);
2768 pr_err("%-20s%04x\n", "cr_write:", control->intercept_cr >> 16);
2769 pr_err("%-20s%04x\n", "dr_read:", control->intercept_dr & 0xffff);
2770 pr_err("%-20s%04x\n", "dr_write:", control->intercept_dr >> 16);
2771 pr_err("%-20s%08x\n", "exceptions:", control->intercept_exceptions);
2772 pr_err("%-20s%016llx\n", "intercepts:", control->intercept);
2773 pr_err("%-20s%d\n", "pause filter count:", control->pause_filter_count);
2774 pr_err("%-20s%d\n", "pause filter threshold:",
2775 control->pause_filter_thresh);
2776 pr_err("%-20s%016llx\n", "iopm_base_pa:", control->iopm_base_pa);
2777 pr_err("%-20s%016llx\n", "msrpm_base_pa:", control->msrpm_base_pa);
2778 pr_err("%-20s%016llx\n", "tsc_offset:", control->tsc_offset);
2779 pr_err("%-20s%d\n", "asid:", control->asid);
2780 pr_err("%-20s%d\n", "tlb_ctl:", control->tlb_ctl);
2781 pr_err("%-20s%08x\n", "int_ctl:", control->int_ctl);
2782 pr_err("%-20s%08x\n", "int_vector:", control->int_vector);
2783 pr_err("%-20s%08x\n", "int_state:", control->int_state);
2784 pr_err("%-20s%08x\n", "exit_code:", control->exit_code);
2785 pr_err("%-20s%016llx\n", "exit_info1:", control->exit_info_1);
2786 pr_err("%-20s%016llx\n", "exit_info2:", control->exit_info_2);
2787 pr_err("%-20s%08x\n", "exit_int_info:", control->exit_int_info);
2788 pr_err("%-20s%08x\n", "exit_int_info_err:", control->exit_int_info_err);
2789 pr_err("%-20s%lld\n", "nested_ctl:", control->nested_ctl);
2790 pr_err("%-20s%016llx\n", "nested_cr3:", control->nested_cr3);
2791 pr_err("%-20s%016llx\n", "avic_vapic_bar:", control->avic_vapic_bar);
2792 pr_err("%-20s%08x\n", "event_inj:", control->event_inj);
2793 pr_err("%-20s%08x\n", "event_inj_err:", control->event_inj_err);
2794 pr_err("%-20s%lld\n", "virt_ext:", control->virt_ext);
2795 pr_err("%-20s%016llx\n", "next_rip:", control->next_rip);
2796 pr_err("%-20s%016llx\n", "avic_backing_page:", control->avic_backing_page);
2797 pr_err("%-20s%016llx\n", "avic_logical_id:", control->avic_logical_id);
2798 pr_err("%-20s%016llx\n", "avic_physical_id:", control->avic_physical_id);
2799 pr_err("VMCB State Save Area:\n");
2800 pr_err("%-5s s: %04x a: %04x l: %08x b: %016llx\n",
2802 save->es.selector, save->es.attrib,
2803 save->es.limit, save->es.base);
2804 pr_err("%-5s s: %04x a: %04x l: %08x b: %016llx\n",
2806 save->cs.selector, save->cs.attrib,
2807 save->cs.limit, save->cs.base);
2808 pr_err("%-5s s: %04x a: %04x l: %08x b: %016llx\n",
2810 save->ss.selector, save->ss.attrib,
2811 save->ss.limit, save->ss.base);
2812 pr_err("%-5s s: %04x a: %04x l: %08x b: %016llx\n",
2814 save->ds.selector, save->ds.attrib,
2815 save->ds.limit, save->ds.base);
2816 pr_err("%-5s s: %04x a: %04x l: %08x b: %016llx\n",
2818 save->fs.selector, save->fs.attrib,
2819 save->fs.limit, save->fs.base);
2820 pr_err("%-5s s: %04x a: %04x l: %08x b: %016llx\n",
2822 save->gs.selector, save->gs.attrib,
2823 save->gs.limit, save->gs.base);
2824 pr_err("%-5s s: %04x a: %04x l: %08x b: %016llx\n",
2826 save->gdtr.selector, save->gdtr.attrib,
2827 save->gdtr.limit, save->gdtr.base);
2828 pr_err("%-5s s: %04x a: %04x l: %08x b: %016llx\n",
2830 save->ldtr.selector, save->ldtr.attrib,
2831 save->ldtr.limit, save->ldtr.base);
2832 pr_err("%-5s s: %04x a: %04x l: %08x b: %016llx\n",
2834 save->idtr.selector, save->idtr.attrib,
2835 save->idtr.limit, save->idtr.base);
2836 pr_err("%-5s s: %04x a: %04x l: %08x b: %016llx\n",
2838 save->tr.selector, save->tr.attrib,
2839 save->tr.limit, save->tr.base);
2840 pr_err("cpl: %d efer: %016llx\n",
2841 save->cpl, save->efer);
2842 pr_err("%-15s %016llx %-13s %016llx\n",
2843 "cr0:", save->cr0, "cr2:", save->cr2);
2844 pr_err("%-15s %016llx %-13s %016llx\n",
2845 "cr3:", save->cr3, "cr4:", save->cr4);
2846 pr_err("%-15s %016llx %-13s %016llx\n",
2847 "dr6:", save->dr6, "dr7:", save->dr7);
2848 pr_err("%-15s %016llx %-13s %016llx\n",
2849 "rip:", save->rip, "rflags:", save->rflags);
2850 pr_err("%-15s %016llx %-13s %016llx\n",
2851 "rsp:", save->rsp, "rax:", save->rax);
2852 pr_err("%-15s %016llx %-13s %016llx\n",
2853 "star:", save->star, "lstar:", save->lstar);
2854 pr_err("%-15s %016llx %-13s %016llx\n",
2855 "cstar:", save->cstar, "sfmask:", save->sfmask);
2856 pr_err("%-15s %016llx %-13s %016llx\n",
2857 "kernel_gs_base:", save->kernel_gs_base,
2858 "sysenter_cs:", save->sysenter_cs);
2859 pr_err("%-15s %016llx %-13s %016llx\n",
2860 "sysenter_esp:", save->sysenter_esp,
2861 "sysenter_eip:", save->sysenter_eip);
2862 pr_err("%-15s %016llx %-13s %016llx\n",
2863 "gpat:", save->g_pat, "dbgctl:", save->dbgctl);
2864 pr_err("%-15s %016llx %-13s %016llx\n",
2865 "br_from:", save->br_from, "br_to:", save->br_to);
2866 pr_err("%-15s %016llx %-13s %016llx\n",
2867 "excp_from:", save->last_excp_from,
2868 "excp_to:", save->last_excp_to);
2871 static void svm_get_exit_info(struct kvm_vcpu *vcpu, u64 *info1, u64 *info2)
2873 struct vmcb_control_area *control = &to_svm(vcpu)->vmcb->control;
2875 *info1 = control->exit_info_1;
2876 *info2 = control->exit_info_2;
2879 static int handle_exit(struct kvm_vcpu *vcpu, fastpath_t exit_fastpath)
2881 struct vcpu_svm *svm = to_svm(vcpu);
2882 struct kvm_run *kvm_run = vcpu->run;
2883 u32 exit_code = svm->vmcb->control.exit_code;
2885 trace_kvm_exit(exit_code, vcpu, KVM_ISA_SVM);
2887 if (!is_cr_intercept(svm, INTERCEPT_CR0_WRITE))
2888 vcpu->arch.cr0 = svm->vmcb->save.cr0;
2890 vcpu->arch.cr3 = svm->vmcb->save.cr3;
2892 if (is_guest_mode(vcpu)) {
2895 trace_kvm_nested_vmexit(svm->vmcb->save.rip, exit_code,
2896 svm->vmcb->control.exit_info_1,
2897 svm->vmcb->control.exit_info_2,
2898 svm->vmcb->control.exit_int_info,
2899 svm->vmcb->control.exit_int_info_err,
2902 vmexit = nested_svm_exit_special(svm);
2904 if (vmexit == NESTED_EXIT_CONTINUE)
2905 vmexit = nested_svm_exit_handled(svm);
2907 if (vmexit == NESTED_EXIT_DONE)
2911 svm_complete_interrupts(svm);
2913 if (svm->vmcb->control.exit_code == SVM_EXIT_ERR) {
2914 kvm_run->exit_reason = KVM_EXIT_FAIL_ENTRY;
2915 kvm_run->fail_entry.hardware_entry_failure_reason
2916 = svm->vmcb->control.exit_code;
2921 if (is_external_interrupt(svm->vmcb->control.exit_int_info) &&
2922 exit_code != SVM_EXIT_EXCP_BASE + PF_VECTOR &&
2923 exit_code != SVM_EXIT_NPF && exit_code != SVM_EXIT_TASK_SWITCH &&
2924 exit_code != SVM_EXIT_INTR && exit_code != SVM_EXIT_NMI)
2925 printk(KERN_ERR "%s: unexpected exit_int_info 0x%x "
2927 __func__, svm->vmcb->control.exit_int_info,
2930 if (exit_fastpath != EXIT_FASTPATH_NONE)
2933 if (exit_code >= ARRAY_SIZE(svm_exit_handlers)
2934 || !svm_exit_handlers[exit_code]) {
2935 vcpu_unimpl(vcpu, "svm: unexpected exit reason 0x%x\n", exit_code);
2937 vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
2938 vcpu->run->internal.suberror =
2939 KVM_INTERNAL_ERROR_UNEXPECTED_EXIT_REASON;
2940 vcpu->run->internal.ndata = 1;
2941 vcpu->run->internal.data[0] = exit_code;
2945 #ifdef CONFIG_RETPOLINE
2946 if (exit_code == SVM_EXIT_MSR)
2947 return msr_interception(svm);
2948 else if (exit_code == SVM_EXIT_VINTR)
2949 return interrupt_window_interception(svm);
2950 else if (exit_code == SVM_EXIT_INTR)
2951 return intr_interception(svm);
2952 else if (exit_code == SVM_EXIT_HLT)
2953 return halt_interception(svm);
2954 else if (exit_code == SVM_EXIT_NPF)
2955 return npf_interception(svm);
2957 return svm_exit_handlers[exit_code](svm);
2960 static void reload_tss(struct kvm_vcpu *vcpu)
2962 int cpu = raw_smp_processor_id();
2964 struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
2965 sd->tss_desc->type = 9; /* available 32/64-bit TSS */
2969 static void pre_svm_run(struct vcpu_svm *svm)
2971 int cpu = raw_smp_processor_id();
2973 struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
2975 if (sev_guest(svm->vcpu.kvm))
2976 return pre_sev_run(svm, cpu);
2978 /* FIXME: handle wraparound of asid_generation */
2979 if (svm->asid_generation != sd->asid_generation)
2983 static void svm_inject_nmi(struct kvm_vcpu *vcpu)
2985 struct vcpu_svm *svm = to_svm(vcpu);
2987 svm->vmcb->control.event_inj = SVM_EVTINJ_VALID | SVM_EVTINJ_TYPE_NMI;
2988 vcpu->arch.hflags |= HF_NMI_MASK;
2989 set_intercept(svm, INTERCEPT_IRET);
2990 ++vcpu->stat.nmi_injections;
2993 static void svm_set_irq(struct kvm_vcpu *vcpu)
2995 struct vcpu_svm *svm = to_svm(vcpu);
2997 BUG_ON(!(gif_set(svm)));
2999 trace_kvm_inj_virq(vcpu->arch.interrupt.nr);
3000 ++vcpu->stat.irq_injections;
3002 svm->vmcb->control.event_inj = vcpu->arch.interrupt.nr |
3003 SVM_EVTINJ_VALID | SVM_EVTINJ_TYPE_INTR;
3006 static void update_cr8_intercept(struct kvm_vcpu *vcpu, int tpr, int irr)
3008 struct vcpu_svm *svm = to_svm(vcpu);
3010 if (svm_nested_virtualize_tpr(vcpu))
3013 clr_cr_intercept(svm, INTERCEPT_CR8_WRITE);
3019 set_cr_intercept(svm, INTERCEPT_CR8_WRITE);
3022 bool svm_nmi_blocked(struct kvm_vcpu *vcpu)
3024 struct vcpu_svm *svm = to_svm(vcpu);
3025 struct vmcb *vmcb = svm->vmcb;
3031 if (is_guest_mode(vcpu) && nested_exit_on_nmi(svm))
3034 ret = (vmcb->control.int_state & SVM_INTERRUPT_SHADOW_MASK) ||
3035 (svm->vcpu.arch.hflags & HF_NMI_MASK);
3040 static int svm_nmi_allowed(struct kvm_vcpu *vcpu, bool for_injection)
3042 struct vcpu_svm *svm = to_svm(vcpu);
3043 if (svm->nested.nested_run_pending)
3046 /* An NMI must not be injected into L2 if it's supposed to VM-Exit. */
3047 if (for_injection && is_guest_mode(vcpu) && nested_exit_on_nmi(svm))
3050 return !svm_nmi_blocked(vcpu);
3053 static bool svm_get_nmi_mask(struct kvm_vcpu *vcpu)
3055 struct vcpu_svm *svm = to_svm(vcpu);
3057 return !!(svm->vcpu.arch.hflags & HF_NMI_MASK);
3060 static void svm_set_nmi_mask(struct kvm_vcpu *vcpu, bool masked)
3062 struct vcpu_svm *svm = to_svm(vcpu);
3065 svm->vcpu.arch.hflags |= HF_NMI_MASK;
3066 set_intercept(svm, INTERCEPT_IRET);
3068 svm->vcpu.arch.hflags &= ~HF_NMI_MASK;
3069 clr_intercept(svm, INTERCEPT_IRET);
3073 bool svm_interrupt_blocked(struct kvm_vcpu *vcpu)
3075 struct vcpu_svm *svm = to_svm(vcpu);
3076 struct vmcb *vmcb = svm->vmcb;
3081 if (is_guest_mode(vcpu)) {
3082 /* As long as interrupts are being delivered... */
3083 if ((svm->vcpu.arch.hflags & HF_VINTR_MASK)
3084 ? !(svm->vcpu.arch.hflags & HF_HIF_MASK)
3085 : !(kvm_get_rflags(vcpu) & X86_EFLAGS_IF))
3088 /* ... vmexits aren't blocked by the interrupt shadow */
3089 if (nested_exit_on_intr(svm))
3092 if (!(kvm_get_rflags(vcpu) & X86_EFLAGS_IF))
3096 return (vmcb->control.int_state & SVM_INTERRUPT_SHADOW_MASK);
3099 static int svm_interrupt_allowed(struct kvm_vcpu *vcpu, bool for_injection)
3101 struct vcpu_svm *svm = to_svm(vcpu);
3102 if (svm->nested.nested_run_pending)
3106 * An IRQ must not be injected into L2 if it's supposed to VM-Exit,
3107 * e.g. if the IRQ arrived asynchronously after checking nested events.
3109 if (for_injection && is_guest_mode(vcpu) && nested_exit_on_intr(svm))
3112 return !svm_interrupt_blocked(vcpu);
3115 static void enable_irq_window(struct kvm_vcpu *vcpu)
3117 struct vcpu_svm *svm = to_svm(vcpu);
3120 * In case GIF=0 we can't rely on the CPU to tell us when GIF becomes
3121 * 1, because that's a separate STGI/VMRUN intercept. The next time we
3122 * get that intercept, this function will be called again though and
3123 * we'll get the vintr intercept. However, if the vGIF feature is
3124 * enabled, the STGI interception will not occur. Enable the irq
3125 * window under the assumption that the hardware will set the GIF.
3127 if (vgif_enabled(svm) || gif_set(svm)) {
3129 * IRQ window is not needed when AVIC is enabled,
3130 * unless we have pending ExtINT since it cannot be injected
3131 * via AVIC. In such case, we need to temporarily disable AVIC,
3132 * and fallback to injecting IRQ via V_IRQ.
3134 svm_toggle_avic_for_irq_window(vcpu, false);
3139 static void enable_nmi_window(struct kvm_vcpu *vcpu)
3141 struct vcpu_svm *svm = to_svm(vcpu);
3143 if ((svm->vcpu.arch.hflags & (HF_NMI_MASK | HF_IRET_MASK))
3145 return; /* IRET will cause a vm exit */
3147 if (!gif_set(svm)) {
3148 if (vgif_enabled(svm))
3149 set_intercept(svm, INTERCEPT_STGI);
3150 return; /* STGI will cause a vm exit */
3154 * Something prevents NMI from been injected. Single step over possible
3155 * problem (IRET or exception injection or interrupt shadow)
3157 svm->nmi_singlestep_guest_rflags = svm_get_rflags(vcpu);
3158 svm->nmi_singlestep = true;
3159 svm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF);
3162 static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr)
3167 static int svm_set_identity_map_addr(struct kvm *kvm, u64 ident_addr)
3172 void svm_flush_tlb(struct kvm_vcpu *vcpu)
3174 struct vcpu_svm *svm = to_svm(vcpu);
3177 * Flush only the current ASID even if the TLB flush was invoked via
3178 * kvm_flush_remote_tlbs(). Although flushing remote TLBs requires all
3179 * ASIDs to be flushed, KVM uses a single ASID for L1 and L2, and
3180 * unconditionally does a TLB flush on both nested VM-Enter and nested
3181 * VM-Exit (via kvm_mmu_reset_context()).
3183 if (static_cpu_has(X86_FEATURE_FLUSHBYASID))
3184 svm->vmcb->control.tlb_ctl = TLB_CONTROL_FLUSH_ASID;
3186 svm->asid_generation--;
3189 static void svm_flush_tlb_gva(struct kvm_vcpu *vcpu, gva_t gva)
3191 struct vcpu_svm *svm = to_svm(vcpu);
3193 invlpga(gva, svm->vmcb->control.asid);
3196 static void svm_prepare_guest_switch(struct kvm_vcpu *vcpu)
3200 static inline void sync_cr8_to_lapic(struct kvm_vcpu *vcpu)
3202 struct vcpu_svm *svm = to_svm(vcpu);
3204 if (svm_nested_virtualize_tpr(vcpu))
3207 if (!is_cr_intercept(svm, INTERCEPT_CR8_WRITE)) {
3208 int cr8 = svm->vmcb->control.int_ctl & V_TPR_MASK;
3209 kvm_set_cr8(vcpu, cr8);
3213 static inline void sync_lapic_to_cr8(struct kvm_vcpu *vcpu)
3215 struct vcpu_svm *svm = to_svm(vcpu);
3218 if (svm_nested_virtualize_tpr(vcpu) ||
3219 kvm_vcpu_apicv_active(vcpu))
3222 cr8 = kvm_get_cr8(vcpu);
3223 svm->vmcb->control.int_ctl &= ~V_TPR_MASK;
3224 svm->vmcb->control.int_ctl |= cr8 & V_TPR_MASK;
3227 static void svm_complete_interrupts(struct vcpu_svm *svm)
3231 u32 exitintinfo = svm->vmcb->control.exit_int_info;
3232 unsigned int3_injected = svm->int3_injected;
3234 svm->int3_injected = 0;
3237 * If we've made progress since setting HF_IRET_MASK, we've
3238 * executed an IRET and can allow NMI injection.
3240 if ((svm->vcpu.arch.hflags & HF_IRET_MASK)
3241 && kvm_rip_read(&svm->vcpu) != svm->nmi_iret_rip) {
3242 svm->vcpu.arch.hflags &= ~(HF_NMI_MASK | HF_IRET_MASK);
3243 kvm_make_request(KVM_REQ_EVENT, &svm->vcpu);
3246 svm->vcpu.arch.nmi_injected = false;
3247 kvm_clear_exception_queue(&svm->vcpu);
3248 kvm_clear_interrupt_queue(&svm->vcpu);
3250 if (!(exitintinfo & SVM_EXITINTINFO_VALID))
3253 kvm_make_request(KVM_REQ_EVENT, &svm->vcpu);
3255 vector = exitintinfo & SVM_EXITINTINFO_VEC_MASK;
3256 type = exitintinfo & SVM_EXITINTINFO_TYPE_MASK;
3259 case SVM_EXITINTINFO_TYPE_NMI:
3260 svm->vcpu.arch.nmi_injected = true;
3262 case SVM_EXITINTINFO_TYPE_EXEPT:
3264 * In case of software exceptions, do not reinject the vector,
3265 * but re-execute the instruction instead. Rewind RIP first
3266 * if we emulated INT3 before.
3268 if (kvm_exception_is_soft(vector)) {
3269 if (vector == BP_VECTOR && int3_injected &&
3270 kvm_is_linear_rip(&svm->vcpu, svm->int3_rip))
3271 kvm_rip_write(&svm->vcpu,
3272 kvm_rip_read(&svm->vcpu) -
3276 if (exitintinfo & SVM_EXITINTINFO_VALID_ERR) {
3277 u32 err = svm->vmcb->control.exit_int_info_err;
3278 kvm_requeue_exception_e(&svm->vcpu, vector, err);
3281 kvm_requeue_exception(&svm->vcpu, vector);
3283 case SVM_EXITINTINFO_TYPE_INTR:
3284 kvm_queue_interrupt(&svm->vcpu, vector, false);
3291 static void svm_cancel_injection(struct kvm_vcpu *vcpu)
3293 struct vcpu_svm *svm = to_svm(vcpu);
3294 struct vmcb_control_area *control = &svm->vmcb->control;
3296 control->exit_int_info = control->event_inj;
3297 control->exit_int_info_err = control->event_inj_err;
3298 control->event_inj = 0;
3299 svm_complete_interrupts(svm);
3302 static fastpath_t svm_exit_handlers_fastpath(struct kvm_vcpu *vcpu)
3304 if (!is_guest_mode(vcpu) &&
3305 to_svm(vcpu)->vmcb->control.exit_code == SVM_EXIT_MSR &&
3306 to_svm(vcpu)->vmcb->control.exit_info_1)
3307 return handle_fastpath_set_msr_irqoff(vcpu);
3309 return EXIT_FASTPATH_NONE;
3312 void __svm_vcpu_run(unsigned long vmcb_pa, unsigned long *regs);
3314 static fastpath_t svm_vcpu_run(struct kvm_vcpu *vcpu)
3316 fastpath_t exit_fastpath;
3317 struct vcpu_svm *svm = to_svm(vcpu);
3319 svm->vmcb->save.rax = vcpu->arch.regs[VCPU_REGS_RAX];
3320 svm->vmcb->save.rsp = vcpu->arch.regs[VCPU_REGS_RSP];
3321 svm->vmcb->save.rip = vcpu->arch.regs[VCPU_REGS_RIP];
3324 * Disable singlestep if we're injecting an interrupt/exception.
3325 * We don't want our modified rflags to be pushed on the stack where
3326 * we might not be able to easily reset them if we disabled NMI
3329 if (svm->nmi_singlestep && svm->vmcb->control.event_inj) {
3331 * Event injection happens before external interrupts cause a
3332 * vmexit and interrupts are disabled here, so smp_send_reschedule
3333 * is enough to force an immediate vmexit.
3335 disable_nmi_singlestep(svm);
3336 smp_send_reschedule(vcpu->cpu);
3341 sync_lapic_to_cr8(vcpu);
3343 svm->vmcb->save.cr2 = vcpu->arch.cr2;
3346 * Run with all-zero DR6 unless needed, so that we can get the exact cause
3349 if (unlikely(svm->vcpu.arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT))
3350 svm_set_dr6(svm, vcpu->arch.dr6);
3352 svm_set_dr6(svm, DR6_FIXED_1 | DR6_RTM);
3355 kvm_load_guest_xsave_state(vcpu);
3357 if (lapic_in_kernel(vcpu) &&
3358 vcpu->arch.apic->lapic_timer.timer_advance_ns)
3359 kvm_wait_lapic_expire(vcpu);
3362 * If this vCPU has touched SPEC_CTRL, restore the guest's value if
3363 * it's non-zero. Since vmentry is serialising on affected CPUs, there
3364 * is no need to worry about the conditional branch over the wrmsr
3365 * being speculatively taken.
3367 x86_spec_ctrl_set_guest(svm->spec_ctrl, svm->virt_spec_ctrl);
3369 __svm_vcpu_run(svm->vmcb_pa, (unsigned long *)&svm->vcpu.arch.regs);
3371 #ifdef CONFIG_X86_64
3372 wrmsrl(MSR_GS_BASE, svm->host.gs_base);
3374 loadsegment(fs, svm->host.fs);
3375 #ifndef CONFIG_X86_32_LAZY_GS
3376 loadsegment(gs, svm->host.gs);
3381 * We do not use IBRS in the kernel. If this vCPU has used the
3382 * SPEC_CTRL MSR it may have left it on; save the value and
3383 * turn it off. This is much more efficient than blindly adding
3384 * it to the atomic save/restore list. Especially as the former
3385 * (Saving guest MSRs on vmexit) doesn't even exist in KVM.
3387 * For non-nested case:
3388 * If the L01 MSR bitmap does not intercept the MSR, then we need to
3392 * If the L02 MSR bitmap does not intercept the MSR, then we need to
3395 if (unlikely(!msr_write_intercepted(vcpu, MSR_IA32_SPEC_CTRL)))
3396 svm->spec_ctrl = native_read_msr(MSR_IA32_SPEC_CTRL);
3400 x86_spec_ctrl_restore_host(svm->spec_ctrl, svm->virt_spec_ctrl);
3402 vcpu->arch.cr2 = svm->vmcb->save.cr2;
3403 vcpu->arch.regs[VCPU_REGS_RAX] = svm->vmcb->save.rax;
3404 vcpu->arch.regs[VCPU_REGS_RSP] = svm->vmcb->save.rsp;
3405 vcpu->arch.regs[VCPU_REGS_RIP] = svm->vmcb->save.rip;
3407 if (unlikely(svm->vmcb->control.exit_code == SVM_EXIT_NMI))
3408 kvm_before_interrupt(&svm->vcpu);
3410 kvm_load_host_xsave_state(vcpu);
3413 /* Any pending NMI will happen here */
3414 exit_fastpath = svm_exit_handlers_fastpath(vcpu);
3416 if (unlikely(svm->vmcb->control.exit_code == SVM_EXIT_NMI))
3417 kvm_after_interrupt(&svm->vcpu);
3419 sync_cr8_to_lapic(vcpu);
3422 svm->nested.nested_run_pending = 0;
3424 svm->vmcb->control.tlb_ctl = TLB_CONTROL_DO_NOTHING;
3426 /* if exit due to PF check for async PF */
3427 if (svm->vmcb->control.exit_code == SVM_EXIT_EXCP_BASE + PF_VECTOR)
3428 svm->vcpu.arch.apf.host_apf_reason = kvm_read_and_reset_pf_reason();
3431 vcpu->arch.regs_avail &= ~(1 << VCPU_EXREG_PDPTR);
3432 vcpu->arch.regs_dirty &= ~(1 << VCPU_EXREG_PDPTR);
3436 * We need to handle MC intercepts here before the vcpu has a chance to
3437 * change the physical cpu
3439 if (unlikely(svm->vmcb->control.exit_code ==
3440 SVM_EXIT_EXCP_BASE + MC_VECTOR))
3441 svm_handle_mce(svm);
3443 mark_all_clean(svm->vmcb);
3444 return exit_fastpath;
3447 static void svm_load_mmu_pgd(struct kvm_vcpu *vcpu, unsigned long root)
3449 struct vcpu_svm *svm = to_svm(vcpu);
3452 cr3 = __sme_set(root);
3454 svm->vmcb->control.nested_cr3 = cr3;
3455 mark_dirty(svm->vmcb, VMCB_NPT);
3457 /* Loading L2's CR3 is handled by enter_svm_guest_mode. */
3458 if (!test_bit(VCPU_EXREG_CR3, (ulong *)&vcpu->arch.regs_avail))
3460 cr3 = vcpu->arch.cr3;
3463 svm->vmcb->save.cr3 = cr3;
3464 mark_dirty(svm->vmcb, VMCB_CR);
3467 static int is_disabled(void)
3471 rdmsrl(MSR_VM_CR, vm_cr);
3472 if (vm_cr & (1 << SVM_VM_CR_SVM_DISABLE))
3479 svm_patch_hypercall(struct kvm_vcpu *vcpu, unsigned char *hypercall)
3482 * Patch in the VMMCALL instruction:
3484 hypercall[0] = 0x0f;
3485 hypercall[1] = 0x01;
3486 hypercall[2] = 0xd9;
3489 static int __init svm_check_processor_compat(void)
3494 static bool svm_cpu_has_accelerated_tpr(void)
3499 static bool svm_has_emulated_msr(u32 index)
3502 case MSR_IA32_MCG_EXT_CTL:
3503 case MSR_IA32_VMX_BASIC ... MSR_IA32_VMX_VMFUNC:
3512 static u64 svm_get_mt_mask(struct kvm_vcpu *vcpu, gfn_t gfn, bool is_mmio)
3517 static void svm_cpuid_update(struct kvm_vcpu *vcpu)
3519 struct vcpu_svm *svm = to_svm(vcpu);
3521 vcpu->arch.xsaves_enabled = guest_cpuid_has(vcpu, X86_FEATURE_XSAVE) &&
3522 boot_cpu_has(X86_FEATURE_XSAVE) &&
3523 boot_cpu_has(X86_FEATURE_XSAVES);
3525 /* Update nrips enabled cache */
3526 svm->nrips_enabled = kvm_cpu_cap_has(X86_FEATURE_NRIPS) &&
3527 guest_cpuid_has(&svm->vcpu, X86_FEATURE_NRIPS);
3529 if (!kvm_vcpu_apicv_active(vcpu))
3533 * AVIC does not work with an x2APIC mode guest. If the X2APIC feature
3534 * is exposed to the guest, disable AVIC.
3536 if (guest_cpuid_has(vcpu, X86_FEATURE_X2APIC))
3537 kvm_request_apicv_update(vcpu->kvm, false,
3538 APICV_INHIBIT_REASON_X2APIC);
3541 * Currently, AVIC does not work with nested virtualization.
3542 * So, we disable AVIC when cpuid for SVM is set in the L1 guest.
3544 if (nested && guest_cpuid_has(vcpu, X86_FEATURE_SVM))
3545 kvm_request_apicv_update(vcpu->kvm, false,
3546 APICV_INHIBIT_REASON_NESTED);
3549 static bool svm_has_wbinvd_exit(void)
3554 #define PRE_EX(exit) { .exit_code = (exit), \
3555 .stage = X86_ICPT_PRE_EXCEPT, }
3556 #define POST_EX(exit) { .exit_code = (exit), \
3557 .stage = X86_ICPT_POST_EXCEPT, }
3558 #define POST_MEM(exit) { .exit_code = (exit), \
3559 .stage = X86_ICPT_POST_MEMACCESS, }
3561 static const struct __x86_intercept {
3563 enum x86_intercept_stage stage;
3564 } x86_intercept_map[] = {
3565 [x86_intercept_cr_read] = POST_EX(SVM_EXIT_READ_CR0),
3566 [x86_intercept_cr_write] = POST_EX(SVM_EXIT_WRITE_CR0),
3567 [x86_intercept_clts] = POST_EX(SVM_EXIT_WRITE_CR0),
3568 [x86_intercept_lmsw] = POST_EX(SVM_EXIT_WRITE_CR0),
3569 [x86_intercept_smsw] = POST_EX(SVM_EXIT_READ_CR0),
3570 [x86_intercept_dr_read] = POST_EX(SVM_EXIT_READ_DR0),
3571 [x86_intercept_dr_write] = POST_EX(SVM_EXIT_WRITE_DR0),
3572 [x86_intercept_sldt] = POST_EX(SVM_EXIT_LDTR_READ),
3573 [x86_intercept_str] = POST_EX(SVM_EXIT_TR_READ),
3574 [x86_intercept_lldt] = POST_EX(SVM_EXIT_LDTR_WRITE),
3575 [x86_intercept_ltr] = POST_EX(SVM_EXIT_TR_WRITE),
3576 [x86_intercept_sgdt] = POST_EX(SVM_EXIT_GDTR_READ),
3577 [x86_intercept_sidt] = POST_EX(SVM_EXIT_IDTR_READ),
3578 [x86_intercept_lgdt] = POST_EX(SVM_EXIT_GDTR_WRITE),
3579 [x86_intercept_lidt] = POST_EX(SVM_EXIT_IDTR_WRITE),
3580 [x86_intercept_vmrun] = POST_EX(SVM_EXIT_VMRUN),
3581 [x86_intercept_vmmcall] = POST_EX(SVM_EXIT_VMMCALL),
3582 [x86_intercept_vmload] = POST_EX(SVM_EXIT_VMLOAD),
3583 [x86_intercept_vmsave] = POST_EX(SVM_EXIT_VMSAVE),
3584 [x86_intercept_stgi] = POST_EX(SVM_EXIT_STGI),
3585 [x86_intercept_clgi] = POST_EX(SVM_EXIT_CLGI),
3586 [x86_intercept_skinit] = POST_EX(SVM_EXIT_SKINIT),
3587 [x86_intercept_invlpga] = POST_EX(SVM_EXIT_INVLPGA),
3588 [x86_intercept_rdtscp] = POST_EX(SVM_EXIT_RDTSCP),
3589 [x86_intercept_monitor] = POST_MEM(SVM_EXIT_MONITOR),
3590 [x86_intercept_mwait] = POST_EX(SVM_EXIT_MWAIT),
3591 [x86_intercept_invlpg] = POST_EX(SVM_EXIT_INVLPG),
3592 [x86_intercept_invd] = POST_EX(SVM_EXIT_INVD),
3593 [x86_intercept_wbinvd] = POST_EX(SVM_EXIT_WBINVD),
3594 [x86_intercept_wrmsr] = POST_EX(SVM_EXIT_MSR),
3595 [x86_intercept_rdtsc] = POST_EX(SVM_EXIT_RDTSC),
3596 [x86_intercept_rdmsr] = POST_EX(SVM_EXIT_MSR),
3597 [x86_intercept_rdpmc] = POST_EX(SVM_EXIT_RDPMC),
3598 [x86_intercept_cpuid] = PRE_EX(SVM_EXIT_CPUID),
3599 [x86_intercept_rsm] = PRE_EX(SVM_EXIT_RSM),
3600 [x86_intercept_pause] = PRE_EX(SVM_EXIT_PAUSE),
3601 [x86_intercept_pushf] = PRE_EX(SVM_EXIT_PUSHF),
3602 [x86_intercept_popf] = PRE_EX(SVM_EXIT_POPF),
3603 [x86_intercept_intn] = PRE_EX(SVM_EXIT_SWINT),
3604 [x86_intercept_iret] = PRE_EX(SVM_EXIT_IRET),
3605 [x86_intercept_icebp] = PRE_EX(SVM_EXIT_ICEBP),
3606 [x86_intercept_hlt] = POST_EX(SVM_EXIT_HLT),
3607 [x86_intercept_in] = POST_EX(SVM_EXIT_IOIO),
3608 [x86_intercept_ins] = POST_EX(SVM_EXIT_IOIO),
3609 [x86_intercept_out] = POST_EX(SVM_EXIT_IOIO),
3610 [x86_intercept_outs] = POST_EX(SVM_EXIT_IOIO),
3611 [x86_intercept_xsetbv] = PRE_EX(SVM_EXIT_XSETBV),
3618 static int svm_check_intercept(struct kvm_vcpu *vcpu,
3619 struct x86_instruction_info *info,
3620 enum x86_intercept_stage stage,
3621 struct x86_exception *exception)
3623 struct vcpu_svm *svm = to_svm(vcpu);
3624 int vmexit, ret = X86EMUL_CONTINUE;
3625 struct __x86_intercept icpt_info;
3626 struct vmcb *vmcb = svm->vmcb;
3628 if (info->intercept >= ARRAY_SIZE(x86_intercept_map))
3631 icpt_info = x86_intercept_map[info->intercept];
3633 if (stage != icpt_info.stage)
3636 switch (icpt_info.exit_code) {
3637 case SVM_EXIT_READ_CR0:
3638 if (info->intercept == x86_intercept_cr_read)
3639 icpt_info.exit_code += info->modrm_reg;
3641 case SVM_EXIT_WRITE_CR0: {
3642 unsigned long cr0, val;
3645 if (info->intercept == x86_intercept_cr_write)
3646 icpt_info.exit_code += info->modrm_reg;
3648 if (icpt_info.exit_code != SVM_EXIT_WRITE_CR0 ||
3649 info->intercept == x86_intercept_clts)
3652 intercept = svm->nested.intercept;
3654 if (!(intercept & (1ULL << INTERCEPT_SELECTIVE_CR0)))
3657 cr0 = vcpu->arch.cr0 & ~SVM_CR0_SELECTIVE_MASK;
3658 val = info->src_val & ~SVM_CR0_SELECTIVE_MASK;
3660 if (info->intercept == x86_intercept_lmsw) {
3663 /* lmsw can't clear PE - catch this here */
3664 if (cr0 & X86_CR0_PE)
3669 icpt_info.exit_code = SVM_EXIT_CR0_SEL_WRITE;
3673 case SVM_EXIT_READ_DR0:
3674 case SVM_EXIT_WRITE_DR0:
3675 icpt_info.exit_code += info->modrm_reg;
3678 if (info->intercept == x86_intercept_wrmsr)
3679 vmcb->control.exit_info_1 = 1;
3681 vmcb->control.exit_info_1 = 0;
3683 case SVM_EXIT_PAUSE:
3685 * We get this for NOP only, but pause
3686 * is rep not, check this here
3688 if (info->rep_prefix != REPE_PREFIX)
3691 case SVM_EXIT_IOIO: {
3695 if (info->intercept == x86_intercept_in ||
3696 info->intercept == x86_intercept_ins) {
3697 exit_info = ((info->src_val & 0xffff) << 16) |
3699 bytes = info->dst_bytes;
3701 exit_info = (info->dst_val & 0xffff) << 16;
3702 bytes = info->src_bytes;
3705 if (info->intercept == x86_intercept_outs ||
3706 info->intercept == x86_intercept_ins)
3707 exit_info |= SVM_IOIO_STR_MASK;
3709 if (info->rep_prefix)
3710 exit_info |= SVM_IOIO_REP_MASK;
3712 bytes = min(bytes, 4u);
3714 exit_info |= bytes << SVM_IOIO_SIZE_SHIFT;
3716 exit_info |= (u32)info->ad_bytes << (SVM_IOIO_ASIZE_SHIFT - 1);
3718 vmcb->control.exit_info_1 = exit_info;
3719 vmcb->control.exit_info_2 = info->next_rip;
3727 /* TODO: Advertise NRIPS to guest hypervisor unconditionally */
3728 if (static_cpu_has(X86_FEATURE_NRIPS))
3729 vmcb->control.next_rip = info->next_rip;
3730 vmcb->control.exit_code = icpt_info.exit_code;
3731 vmexit = nested_svm_exit_handled(svm);
3733 ret = (vmexit == NESTED_EXIT_DONE) ? X86EMUL_INTERCEPTED
3740 static void svm_handle_exit_irqoff(struct kvm_vcpu *vcpu)
3744 static void svm_sched_in(struct kvm_vcpu *vcpu, int cpu)
3746 if (pause_filter_thresh)
3747 shrink_ple_window(vcpu);
3750 static void svm_setup_mce(struct kvm_vcpu *vcpu)
3752 /* [63:9] are reserved. */
3753 vcpu->arch.mcg_cap &= 0x1ff;
3756 bool svm_smi_blocked(struct kvm_vcpu *vcpu)
3758 struct vcpu_svm *svm = to_svm(vcpu);
3760 /* Per APM Vol.2 15.22.2 "Response to SMI" */
3764 return is_smm(vcpu);
3767 static int svm_smi_allowed(struct kvm_vcpu *vcpu, bool for_injection)
3769 struct vcpu_svm *svm = to_svm(vcpu);
3770 if (svm->nested.nested_run_pending)
3773 /* An SMI must not be injected into L2 if it's supposed to VM-Exit. */
3774 if (for_injection && is_guest_mode(vcpu) && nested_exit_on_smi(svm))
3777 return !svm_smi_blocked(vcpu);
3780 static int svm_pre_enter_smm(struct kvm_vcpu *vcpu, char *smstate)
3782 struct vcpu_svm *svm = to_svm(vcpu);
3785 if (is_guest_mode(vcpu)) {
3786 /* FED8h - SVM Guest */
3787 put_smstate(u64, smstate, 0x7ed8, 1);
3788 /* FEE0h - SVM Guest VMCB Physical Address */
3789 put_smstate(u64, smstate, 0x7ee0, svm->nested.vmcb);
3791 svm->vmcb->save.rax = vcpu->arch.regs[VCPU_REGS_RAX];
3792 svm->vmcb->save.rsp = vcpu->arch.regs[VCPU_REGS_RSP];
3793 svm->vmcb->save.rip = vcpu->arch.regs[VCPU_REGS_RIP];
3795 ret = nested_svm_vmexit(svm);
3802 static int svm_pre_leave_smm(struct kvm_vcpu *vcpu, const char *smstate)
3804 struct vcpu_svm *svm = to_svm(vcpu);
3805 struct vmcb *nested_vmcb;
3806 struct kvm_host_map map;
3810 guest = GET_SMSTATE(u64, smstate, 0x7ed8);
3811 vmcb = GET_SMSTATE(u64, smstate, 0x7ee0);
3814 if (kvm_vcpu_map(&svm->vcpu, gpa_to_gfn(vmcb), &map) == -EINVAL)
3816 nested_vmcb = map.hva;
3817 enter_svm_guest_mode(svm, vmcb, nested_vmcb, &map);
3822 static void enable_smi_window(struct kvm_vcpu *vcpu)
3824 struct vcpu_svm *svm = to_svm(vcpu);
3826 if (!gif_set(svm)) {
3827 if (vgif_enabled(svm))
3828 set_intercept(svm, INTERCEPT_STGI);
3829 /* STGI will cause a vm exit */
3831 /* We must be in SMM; RSM will cause a vmexit anyway. */
3835 static bool svm_need_emulation_on_page_fault(struct kvm_vcpu *vcpu)
3837 unsigned long cr4 = kvm_read_cr4(vcpu);
3838 bool smep = cr4 & X86_CR4_SMEP;
3839 bool smap = cr4 & X86_CR4_SMAP;
3840 bool is_user = svm_get_cpl(vcpu) == 3;
3843 * If RIP is invalid, go ahead with emulation which will cause an
3844 * internal error exit.
3846 if (!kvm_vcpu_gfn_to_memslot(vcpu, kvm_rip_read(vcpu) >> PAGE_SHIFT))
3850 * Detect and workaround Errata 1096 Fam_17h_00_0Fh.
3853 * When CPU raise #NPF on guest data access and vCPU CR4.SMAP=1, it is
3854 * possible that CPU microcode implementing DecodeAssist will fail
3855 * to read bytes of instruction which caused #NPF. In this case,
3856 * GuestIntrBytes field of the VMCB on a VMEXIT will incorrectly
3857 * return 0 instead of the correct guest instruction bytes.
3859 * This happens because CPU microcode reading instruction bytes
3860 * uses a special opcode which attempts to read data using CPL=0
3861 * priviledges. The microcode reads CS:RIP and if it hits a SMAP
3862 * fault, it gives up and returns no instruction bytes.
3865 * We reach here in case CPU supports DecodeAssist, raised #NPF and
3866 * returned 0 in GuestIntrBytes field of the VMCB.
3867 * First, errata can only be triggered in case vCPU CR4.SMAP=1.
3868 * Second, if vCPU CR4.SMEP=1, errata could only be triggered
3869 * in case vCPU CPL==3 (Because otherwise guest would have triggered
3870 * a SMEP fault instead of #NPF).
3871 * Otherwise, vCPU CR4.SMEP=0, errata could be triggered by any vCPU CPL.
3872 * As most guests enable SMAP if they have also enabled SMEP, use above
3873 * logic in order to attempt minimize false-positive of detecting errata
3874 * while still preserving all cases semantic correctness.
3877 * To determine what instruction the guest was executing, the hypervisor
3878 * will have to decode the instruction at the instruction pointer.
3880 * In non SEV guest, hypervisor will be able to read the guest
3881 * memory to decode the instruction pointer when insn_len is zero
3882 * so we return true to indicate that decoding is possible.
3884 * But in the SEV guest, the guest memory is encrypted with the
3885 * guest specific key and hypervisor will not be able to decode the
3886 * instruction pointer so we will not able to workaround it. Lets
3887 * print the error and request to kill the guest.
3889 if (smap && (!smep || is_user)) {
3890 if (!sev_guest(vcpu->kvm))
3893 pr_err_ratelimited("KVM: SEV Guest triggered AMD Erratum 1096\n");
3894 kvm_make_request(KVM_REQ_TRIPLE_FAULT, vcpu);
3900 static bool svm_apic_init_signal_blocked(struct kvm_vcpu *vcpu)
3902 struct vcpu_svm *svm = to_svm(vcpu);
3905 * TODO: Last condition latch INIT signals on vCPU when
3906 * vCPU is in guest-mode and vmcb12 defines intercept on INIT.
3907 * To properly emulate the INIT intercept,
3908 * svm_check_nested_events() should call nested_svm_vmexit()
3909 * if an INIT signal is pending.
3911 return !gif_set(svm) ||
3912 (svm->vmcb->control.intercept & (1ULL << INTERCEPT_INIT));
3915 static void svm_vm_destroy(struct kvm *kvm)
3917 avic_vm_destroy(kvm);
3918 sev_vm_destroy(kvm);
3921 static int svm_vm_init(struct kvm *kvm)
3924 int ret = avic_vm_init(kvm);
3929 kvm_apicv_init(kvm, avic);
3933 static struct kvm_x86_ops svm_x86_ops __initdata = {
3934 .hardware_unsetup = svm_hardware_teardown,
3935 .hardware_enable = svm_hardware_enable,
3936 .hardware_disable = svm_hardware_disable,
3937 .cpu_has_accelerated_tpr = svm_cpu_has_accelerated_tpr,
3938 .has_emulated_msr = svm_has_emulated_msr,
3940 .vcpu_create = svm_create_vcpu,
3941 .vcpu_free = svm_free_vcpu,
3942 .vcpu_reset = svm_vcpu_reset,
3944 .vm_size = sizeof(struct kvm_svm),
3945 .vm_init = svm_vm_init,
3946 .vm_destroy = svm_vm_destroy,
3948 .prepare_guest_switch = svm_prepare_guest_switch,
3949 .vcpu_load = svm_vcpu_load,
3950 .vcpu_put = svm_vcpu_put,
3951 .vcpu_blocking = svm_vcpu_blocking,
3952 .vcpu_unblocking = svm_vcpu_unblocking,
3954 .update_bp_intercept = update_bp_intercept,
3955 .get_msr_feature = svm_get_msr_feature,
3956 .get_msr = svm_get_msr,
3957 .set_msr = svm_set_msr,
3958 .get_segment_base = svm_get_segment_base,
3959 .get_segment = svm_get_segment,
3960 .set_segment = svm_set_segment,
3961 .get_cpl = svm_get_cpl,
3962 .get_cs_db_l_bits = kvm_get_cs_db_l_bits,
3963 .set_cr0 = svm_set_cr0,
3964 .set_cr4 = svm_set_cr4,
3965 .set_efer = svm_set_efer,
3966 .get_idt = svm_get_idt,
3967 .set_idt = svm_set_idt,
3968 .get_gdt = svm_get_gdt,
3969 .set_gdt = svm_set_gdt,
3970 .set_dr7 = svm_set_dr7,
3971 .sync_dirty_debug_regs = svm_sync_dirty_debug_regs,
3972 .cache_reg = svm_cache_reg,
3973 .get_rflags = svm_get_rflags,
3974 .set_rflags = svm_set_rflags,
3976 .tlb_flush_all = svm_flush_tlb,
3977 .tlb_flush_current = svm_flush_tlb,
3978 .tlb_flush_gva = svm_flush_tlb_gva,
3979 .tlb_flush_guest = svm_flush_tlb,
3981 .run = svm_vcpu_run,
3982 .handle_exit = handle_exit,
3983 .skip_emulated_instruction = skip_emulated_instruction,
3984 .update_emulated_instruction = NULL,
3985 .set_interrupt_shadow = svm_set_interrupt_shadow,
3986 .get_interrupt_shadow = svm_get_interrupt_shadow,
3987 .patch_hypercall = svm_patch_hypercall,
3988 .set_irq = svm_set_irq,
3989 .set_nmi = svm_inject_nmi,
3990 .queue_exception = svm_queue_exception,
3991 .cancel_injection = svm_cancel_injection,
3992 .interrupt_allowed = svm_interrupt_allowed,
3993 .nmi_allowed = svm_nmi_allowed,
3994 .get_nmi_mask = svm_get_nmi_mask,
3995 .set_nmi_mask = svm_set_nmi_mask,
3996 .enable_nmi_window = enable_nmi_window,
3997 .enable_irq_window = enable_irq_window,
3998 .update_cr8_intercept = update_cr8_intercept,
3999 .set_virtual_apic_mode = svm_set_virtual_apic_mode,
4000 .refresh_apicv_exec_ctrl = svm_refresh_apicv_exec_ctrl,
4001 .check_apicv_inhibit_reasons = svm_check_apicv_inhibit_reasons,
4002 .pre_update_apicv_exec_ctrl = svm_pre_update_apicv_exec_ctrl,
4003 .load_eoi_exitmap = svm_load_eoi_exitmap,
4004 .hwapic_irr_update = svm_hwapic_irr_update,
4005 .hwapic_isr_update = svm_hwapic_isr_update,
4006 .sync_pir_to_irr = kvm_lapic_find_highest_irr,
4007 .apicv_post_state_restore = avic_post_state_restore,
4009 .set_tss_addr = svm_set_tss_addr,
4010 .set_identity_map_addr = svm_set_identity_map_addr,
4011 .get_tdp_level = get_npt_level,
4012 .get_mt_mask = svm_get_mt_mask,
4014 .get_exit_info = svm_get_exit_info,
4016 .cpuid_update = svm_cpuid_update,
4018 .has_wbinvd_exit = svm_has_wbinvd_exit,
4020 .write_l1_tsc_offset = svm_write_l1_tsc_offset,
4022 .load_mmu_pgd = svm_load_mmu_pgd,
4024 .check_intercept = svm_check_intercept,
4025 .handle_exit_irqoff = svm_handle_exit_irqoff,
4027 .request_immediate_exit = __kvm_request_immediate_exit,
4029 .sched_in = svm_sched_in,
4031 .pmu_ops = &amd_pmu_ops,
4032 .nested_ops = &svm_nested_ops,
4034 .deliver_posted_interrupt = svm_deliver_avic_intr,
4035 .dy_apicv_has_pending_interrupt = svm_dy_apicv_has_pending_interrupt,
4036 .update_pi_irte = svm_update_pi_irte,
4037 .setup_mce = svm_setup_mce,
4039 .smi_allowed = svm_smi_allowed,
4040 .pre_enter_smm = svm_pre_enter_smm,
4041 .pre_leave_smm = svm_pre_leave_smm,
4042 .enable_smi_window = enable_smi_window,
4044 .mem_enc_op = svm_mem_enc_op,
4045 .mem_enc_reg_region = svm_register_enc_region,
4046 .mem_enc_unreg_region = svm_unregister_enc_region,
4048 .need_emulation_on_page_fault = svm_need_emulation_on_page_fault,
4050 .apic_init_signal_blocked = svm_apic_init_signal_blocked,
4053 static struct kvm_x86_init_ops svm_init_ops __initdata = {
4054 .cpu_has_kvm_support = has_svm,
4055 .disabled_by_bios = is_disabled,
4056 .hardware_setup = svm_hardware_setup,
4057 .check_processor_compatibility = svm_check_processor_compat,
4059 .runtime_ops = &svm_x86_ops,
4062 static int __init svm_init(void)
4064 return kvm_init(&svm_init_ops, sizeof(struct vcpu_svm),
4065 __alignof__(struct vcpu_svm), THIS_MODULE);
4068 static void __exit svm_exit(void)
4073 module_init(svm_init)
4074 module_exit(svm_exit)
git.samba.org / sfrench / cifs-2.6.git / blob