KVM: SVM: Require nrips support for SEV guests (and beyond)
authorSean Christopherson <seanjc@google.com>
Fri, 25 Aug 2023 01:36:19 +0000 (18:36 -0700)
committerSean Christopherson <seanjc@google.com>
Fri, 25 Aug 2023 16:00:40 +0000 (09:00 -0700)
Disallow SEV (and beyond) if nrips is disabled via module param, as KVM
can't read guest memory to partially emulate and skip an instruction.  All
CPUs that support SEV support NRIPS, i.e. this is purely stopping the user
from shooting themselves in the foot.

Cc: Tom Lendacky <thomas.lendacky@amd.com>
Link: https://lore.kernel.org/r/20230825013621.2845700-3-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
arch/x86/kvm/svm/sev.c
arch/x86/kvm/svm/svm.c
arch/x86/kvm/svm/svm.h

index 5585a3556179bd9baa65345efe14a4b70e4b130e..85d1abdf7d7d3cdf4e13ee423cfb790aea28438e 100644 (file)
@@ -2185,7 +2185,7 @@ void __init sev_hardware_setup(void)
        bool sev_es_supported = false;
        bool sev_supported = false;
 
-       if (!sev_enabled || !npt_enabled)
+       if (!sev_enabled || !npt_enabled || !nrips)
                goto out;
 
        /*
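Review bot: The new `!nrips` term in `sev_hardware_setup()` has no comment explaining why it is there, and in the visible lines nothing reports why SEV was turned off. The reason is given only in the commit message, so someone who loads the module with nrips=0 and finds SEV and SEV-ES unavailable has to know to look at that parameter. I would add a comment above the condition, for example `/* SEV guest memory is encrypted, so KVM cannot read the instruction to skip it; NRIPS is required. */`. The `out:` path is outside this hunk; if it does not already name the cause, a single `pr_info()` for the case where SEV was requested but nrips is off would make this diagnosable from the kernel log.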
index d7a474571ff14f354dd815b2bc87344db8fc7409..5cf2380c89dd66fef243671f485a509efa3939b3 100644 (file)
@@ -203,7 +203,7 @@ static int nested = true;
 module_param(nested, int, S_IRUGO);
 
 /* enable/disable Next RIP Save */
-static int nrips = true;
+int nrips = true;
 module_param(nrips, int, 0444);
 
 /* enable/disable Virtual VMLOAD VMSAVE */
@@ -5156,9 +5156,11 @@ static __init int svm_hardware_setup(void)
 
        svm_adjust_mmio_mask();
 
+       nrips = nrips && boot_cpu_has(X86_FEATURE_NRIPS);
+
        /*
         * Note, SEV setup consumes npt_enabled and enable_mmio_caching (which
-        * may be modified by svm_adjust_mmio_mask()).
+        * may be modified by svm_adjust_mmio_mask()), as well as nrips.
         */
        sev_hardware_setup();
 
@@ -5170,11 +5172,6 @@ static __init int svm_hardware_setup(void)
                        goto err;
        }
 
-       if (nrips) {
-               if (!boot_cpu_has(X86_FEATURE_NRIPS))
-                       nrips = false;
-       }
-
        enable_apicv = avic = avic && avic_hardware_setup();
 
        if (!enable_apicv) {
index 800ca1776b59b0462119b9b9e5062f5629848533..1498956a589fe588f4cf66b7775f3c7bd376c945 100644 (file)
@@ -33,6 +33,7 @@
 #define MSRPM_OFFSETS  32
 extern u32 msrpm_offsets[MSRPM_OFFSETS] __read_mostly;
 extern bool npt_enabled;
+extern int nrips;
 extern int vgif;
 extern bool intercept_smi;
 extern bool x2avic_enabled;