KVM: SEV-ES: Eliminate #DB intercept when DebugSwap enabled

Disable #DB for SEV-ES guests when DebugSwap is enabled. There is no point
in such intercept as KVM does not allow guest debug for SEV-ES guests.

Signed-off-by: Alexey Kardashevskiy <aik@amd.com>
Link: https://lore.kernel.org/r/20230615063757.3039121-8-aik@amd.com
[sean: add comment as to why KVM disables #DB intercept iff DebugSwap=1]
Signed-off-by: Sean Christopherson <seanjc@google.com>

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index b7cd0cc..b35cd67 100644 (file)
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -2997,6 +2997,17 @@ static void sev_es_init_vmcb(struct vcpu_svm *svm)
                vmcb_set_intercept(&vmcb->control, INTERCEPT_DR7_READ);
                vmcb_set_intercept(&vmcb->control, INTERCEPT_DR7_WRITE);
                recalc_intercepts(svm);
+       } else {
+               /*
+                * Disable #DB intercept iff DebugSwap is enabled.  KVM doesn't
+                * allow debugging SEV-ES guests, and enables DebugSwap iff
+                * NO_NESTED_DATA_BP is supported, so there's no reason to
+                * intercept #DB when DebugSwap is enabled.  For simplicity
+                * with respect to guest debug, intercept #DB for other VMs
+                * even if NO_NESTED_DATA_BP is supported, i.e. even if the
+                * guest can't DoS the CPU with infinite #DB vectoring.
+                */
+               clr_exception_intercept(svm, DB_VECTOR);
        }
 
        /* Can't intercept XSETBV, HV can't modify XCR0 directly */