History log of /kvm-unit-tests/x86/vmx_tests.c (Results 151 – 175 of 325)
Revision Date Author Comments
# 95d6d2c3 28-Jun-2019 Krish Sadhukhan <krish.sadhukhan@oracle.com>

nVMX: Test Host Segment Registers and Descriptor Tables on vmentry of nested guests

According to section "Checks on Host Segment and Descriptor-Table
Registers" in Intel SDM vol 3C, the following checks are performed on
vmentry of nested guests:

- In the selector field for each of CS, SS, DS, ES, FS, GS and TR, the
RPL (bits 1:0) and the TI flag (bit 2) must be 0.
- The selector fields for CS and TR cannot be 0000H.
- The selector field for SS cannot be 0000H if the "host address-space
size" VM-exit control is 0.
- On processors that support Intel 64 architecture, the base-address
fields for FS, GS, GDTR, IDTR, and TR must contain canonical
addresses.

Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Reviewed-by: Karl Heubaum <karl.heubaum@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>


# 40f559bc 28-Jun-2019 Krish Sadhukhan <krish.sadhukhan@oracle.com>

x86: Remove duplicate definitions of write_cr4_checking() and put it in library

..so that it can be re-used.

Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Reviewed-by: Karl Heubaum <karl.heubaum@oracle.com>
[Add 32-bit version of ASM_TRY. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>


# b69613ef 25-Jun-2019 Nadav Amit <nadav.amit@gmail.com>

x86: vmx: Consider CMCI enabled based on IA32_MCG_CAP[10]

CMCI is enabled if IA32_MCG_CAP[10] is set. VMX tests do not respect
this condition. Fix it.

Cc: Marc Orr <marcorr@google.com>
Signed-off-by: Nadav Amit <nadav.amit@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>


# 86001f75 25-Jun-2019 Nadav Amit <nadav.amit@gmail.com>

x86: Remove assumptions on CR4.MCE

CR4.MCE might be set after boot. Remove the assertion that checks that
it is clear. Change the test to toggle the bit instead of setting it.

Cc: Marc Orr <marcorr@google.com>
Signed-off-by: Nadav Amit <nadav.amit@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>


# 29eb46a9 03-May-2019 Nadav Amit <nadav.amit@gmail.com>

x86: vmx: Mask undefined bits in exit qualifications

On EPT violation, the exit qualifications may have some undefined bits.

Bit 6 is undefined if "mode-based execute control" is 0.

Bits 9-11 are undefined unless the processor supports advanced VM-exit
information for EPT violations.

Right now on KVM these bits are always undefined inside the VM (i.e., in
an emulated VM-exit). Mask these bits to avoid potential false
indication of failures.

Signed-off-by: Nadav Amit <nadav.amit@gmail.com>
Message-Id: <20190503174919.13846-1-nadav.amit@gmail.com>
Reviewed-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>


# 1e371e05 22-May-2019 Krish Sadhukhan <krish.sadhukhan@oracle.com>

nVMX: Test "Load IA32_EFER" VM-exit control on vmentry of nested guests

..to verify KVM performs the appropriate consistency checks for loading
IA32_EFER VM-exit control as part of running a nested guest.

According to section "Checks on Host Control Registers and MSRs" in Intel
SDM vol 3C, the following checks are performed on vmentry of nested guests:

If the "load IA32_EFER" VM-exit control is 1, bits reserved in the
IA32_EFER MSR must be 0 in the field for that register. In addition,
the values of the LMA and LME bits in the field must each be that of
the "host address-space size" VM-exit control.

Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Reviewed-by: Karl Heubaum <karl.heubaum@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>


# 1ca3a6ec 09-May-2019 Krish Sadhukhan <krish.sadhukhan@oracle.com>

Rename report_guest_pat_test to report_guest_state_test

...so that it can be re-used by other tests.

Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Reviewed-by: Karl Heubaum <karl.heubaum@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>


# 7df62386 09-May-2019 Krish Sadhukhan <krish.sadhukhan@oracle.com>

Rename guest_pat_main to guest_state_test_main

...so that it can be re-used by other tests.

Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Reviewed-by: Karl Heubaum <karl.heubaum@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>


# 31c3d600 22-May-2019 Paolo Bonzini <pbonzini@redhat.com>

vmx_tests: use enter_guest if guest state is valid

Change one remaining call site where the guest state is valid as far as
PAT is concerned; we should abort on both an early vmentry failure
as well as an invalid guest state.

Suggested-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>


# 40d62026 18-May-2019 Nadav Amit <nadav.amit@gmail.com>

x86: nVMX: Set guest as active after NMI/INTR-window tests

Running tests which are similar to verify_nmi_window_exit() and
verify_intr_window_exit() on bare-metal suggests that real CPUs do not
wake up. It appears, according to Sean, that the activity state should
not change after NMI/INTR-window.

Remove the offending test and set the activity state to "active" after
each test to prevent the whole test-suite from getting stuck.

Cc: Sean Christopherson <sean.j.christopherson@intel.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Nadav Amit <nadav.amit@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>


# 185da105 18-May-2019 Nadav Amit <nadav.amit@gmail.com>

x86: nVMX: Use #DB in nmi- and intr-window tests

According to Intel SDM 26.3.1.5 "Checks on Guest Non-Register State", if
the activity state is HLT, the only events that can be injected are NMI,
MTF and "Those with interruption type hardware exception and vector 1
(debug exception) or vector 18 (machine-check exception)."

The verify_nmi_window_exit() and verify_intr_window_exit() tests try
to do something that real hardware disallows (i.e., fail the VM-entry)
by injecting #UD in HLT-state. Inject #DB instead as the injection
should succeed in these tests.

Cc: Sean Christopherson <sean.j.christopherson@intel.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Nadav Amit <nadav.amit@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>


# 2e375601 18-May-2019 Nadav Amit <nadav.amit@gmail.com>

x86: Do not run vmx tests if feature is unsupported by CPU

Instruction tests of VMX should not be executed if the feature is
unsupported by the CPU. Even if the execution controls allow to trap
exits on the feature, the feature might be disabled, for example through
IA32_MISC_ENABLES. Therefore, checking that the feature is supported
through CPUID is needed.

Introduce a general mechanism to check that a feature is supported and
use it for monitor/mwait.

Signed-off-by: Nadav Amit <nadav.amit@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>


# 1e8b3412 02-May-2019 Nadav Amit <nadav.amit@gmail.com>

x86: Restore VMCS state when test_tpr_threshold_values() is done

The VMCS fields of APIC_VIRT_ADDR and TPR_THRESHOLD are modified by
test_tpr_threshold_values() but are not restored to their original value.
Save and restore them.

Signed-off-by: Nadav Amit <nadav.amit@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>


# 7fd49c4a 03-May-2019 Nadav Amit <nadav.amit@gmail.com>

x86: Remove redundant page zeroing

Now that alloc_page() zeros the page, remove the redundant page zeroing.

Suggested-by: Andrew Jones <drjones@redhat.com>
Signed-off-by: Nadav Amit <nadav.amit@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>


# aac0aa40 18-Apr-2019 Krish Sadhukhan <krish.sadhukhan@oracle.com>

Check "load IA32_PAT" VM-entry control on vmentry of nested guests

..to verify KVM performs the appropriate consistency checks for loading
IA32_PAT as part of running a nested guest.

According to section "Checking and Loading Guest State" in Intel SDM
vol 3C, the following check is performed on vmentry:

If the "load IA32_PAT" VM-entry control is 1, the value of the field
for the IA32_PAT MSR must be one that could be written by WRMSR
without fault at CPL 0. Specifically, each of the 8 bytes in the
field must have one of the values 0 (UC), 1 (WC), 4 (WT), 5 (WP),
6 (WB), or 7 (UC-).

Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Reviewed-by: Karl Heubaum <karl.heubaum@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>


# a2a15e7f 15-Apr-2019 Paolo Bonzini <pbonzini@redhat.com>

vmx: do not XFAIL for virtual-APIC address beyond RAM

We will allow this behavior for KVM in some specific cases
(CR8 load/store exits enabled, virtualize APIC accesses
disabled). Ensure these specific values of the controls
are there in the VMCS, and remove the XFAIL.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>


# dbbab82a 08-Apr-2019 Krish Sadhukhan <krish.sadhukhan@oracle.com>

Check "load IA32_PAT" on vmentry of L2 guests

.to verify KVM performs the appropriate consistency checks for loading
IA32_PAT as part of running a nested guest.

According to section "Checks on Host Control Registers and MSRs" in Intel
SDM vol 3C, the following check is performed on vmentry:

If the "load IA32_PAT" VM-exit control is 1, the value of the field
for the IA32_PAT MSR must be one that could be written by WRMSR
without fault at CPL 0. Specifically, each of the 8 bytes in the
field must have one of the values 0 (UC), 1 (WC), 4 (WT), 5 (WP),
6 (WB), or 7 (UC-).

Since a PAT value higher than 8 will yield the same test result as that
of 8, we want to confine our tests only up to 8 in order to reduce
redundancy of tests and to avoid too many vmentries.

Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Reviewed-by: Karl Heubaum <karl.heubaum@oracle.com>
Reviewed-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>


# 8f3c71c2 12-Apr-2019 Paolo Bonzini <pbonzini@redhat.com>

vmx: do not clobber host APIC registers in virt_x2apic_mode_test

The recently-added virt_x2apic_mode_test has the bad habit of writing
to the host registers when testing passthrough mode, without then
restoring the old contents. This causes the subsequent
virt_apic_passthrough test to fail.

(Introducing this failure was my fault, since the original patch added
virt_x2apic_mode_test later in the vmx_tests array. However, it is
still a good idea to fix it instead of simply moving the test later).

Cc: Marc Orr <marcorr@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>


# 75e4b7ba 12-Apr-2019 Paolo Bonzini <pbonzini@redhat.com>

vmx: skip new APICv tests on machines that do not support it

Cc: Marc Orr <marcorr@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>


# 7cab5f4d 07-Feb-2019 Krish Sadhukhan <krish.sadhukhan@oracle.com>

Test HOST_SYSENTER_ESP and HOST_SYSENTER_EIP fields on vmentry of L2 guests

According to section "Checks on VMX Controls" in Intel SDM vol 3C, the
following check is performed on vmentry of L2 guests:

On processors that support Intel 64 architecture, the IA32_SYSENTER_ESP
field and the IA32_SYSENTER_EIP field must each contain a canonical
address.

Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Reviewed-by: Mihai Carabas <mihai.carabas@oracle.com>
Suggested-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>


# bdc714e0 02-Apr-2019 Marc Orr <marcorr@google.com>

Add leak scenario to virt_x2apic_mode_test

While working on virt_x2apic_mode_test, we noticed that KVM allows for a
buggy or malicious L1 to get at L0's x2APIC MSRs via nested. The issue
is in KVM's nested_vmx_prepare_msr_bitmap() function. Specifically, an L1
can execute the following sequence:

1. WRMSR(IA32_SPEC_CTRL, 1), which causes the spec_ctrl variable, in
nested_vmx_prepare_msr_bitmap() to become true.
2. Clear "virtualize x2APIC mode"
3. Set "APIC-register virtualization"

Then, KVM will copy L1's MSR bitmap for the x2APIC MSR range into L0,
and run L2 with "Virtualize x2APIC mode" disabled, which gives L2
unfettered access to L0's x2APIC msrs.

Thus, this patch extends virt_x2apic_mode_test with a test case for this
scenario.

Note, this patch was used to discover and fix the issue described in the
KVM patch titled "KVM: x86: nVMX: close leak of L0's x2APIC MSRs".

Signed-off-by: Marc Orr <marcorr@google.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>


# 2a2546b7 02-Apr-2019 Marc Orr <marcorr@google.com>

Test VMX's virtualize x2APIC mode w/ nested

This patch extends x86/vmx_tests.c to test enabling virtualize x2APIC
mode for nested VMX. The basic premise of the test is to pass values
between L1 and L2 via the virtual APIC page. Emphasis is placed on
validating that L2 can never read/write L0's APIC registers, which would
be disastrous.

Note, this test was used to detect and fix the issue described in the
KVM patch titled "KVM: x86: nVMX: fix x2APIC VTPR read intercept".

Signed-off-by: Marc Orr <marcorr@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>


# a47fb7dc 02-Apr-2019 Marc Orr <marcorr@google.com>

fix vmx_apic_reg_virt for older platforms

This test was failing because "Use TPR shadow" virtualization behaves
differently across platforms. For example, on Sandy Bridge the upper
three bytes of the VTPR are cleared upon VM entry, whereas they
are left as is on Skylake.

This difference in behavior is consistent with the SDM, which according
to Volume 3, Section 26.2.1.1 VM-Execution Control Fields, says:
... bytes 3:1 of VTPR may be cleared (behavior may be
implementation-specific). ...

Signed-off-by: Marc Orr <marcorr@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>


# 5868743a 02-Apr-2019 Marc Orr <marcorr@google.com>

apic_reg_virt_test: Make APIC-access addr 4k page

This patch introduces split_large_page(), which is used to force the
APIC-access address to be a 4k page. Otherwise, the apic_reg_virt_test
fails on upstream.

Signed-off-by: Marc Orr <marcorr@google.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>


# 4ce739be 02-Apr-2019 Marc Orr <marcorr@google.com>

Test odd/incorrect APIC-register virt configs

This patch extends apic_reg_virt_test to test some odd/incorrect VMCS
configurations, where writing the APIC registers behaves oddly (e.g.,
writes the APIC access page rather than the APIC virtualization page) or
simply fails VM entry due to invalid VMCS controls.

Signed-off-by: Marc Orr <marcorr@google.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

