Test nested APIC-register virtualization

This patch adds a test to validate the APIC-register virtualization
execution control with nested virtualization. Specific test cases
include: APIC-access vi

Test nested APIC-register virtualization

This patch adds a test to validate the APIC-register virtualization
execution control with nested virtualization. Specific test cases
include: APIC-access virtualization, APIC-access virtualization with Use
TPR Shadow, and APIC-register virtualization.

Signed-off-by: Marc Orr <marcorr@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

Restore secondary controls on test_vmcs_addr_reference()

test_vmcs_addr_reference() did not restore the secondary controls
when it was done. Restore them.

Signed-off-by: Nadav Amit <nadav.amit@gmai

Restore secondary controls on test_vmcs_addr_reference()

test_vmcs_addr_reference() did not restore the secondary controls
when it was done. Restore them.

Signed-off-by: Nadav Amit <nadav.amit@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

Check Host Control Registers on vmentry of L2 guests

According to section "Checks on VMX Controls" in Intel SDM vol 3C, the
following checks are performed on vmentry of L2 guests:

- The CR0 fie

Check Host Control Registers on vmentry of L2 guests

According to section "Checks on VMX Controls" in Intel SDM vol 3C, the
following checks are performed on vmentry of L2 guests:

- The CR0 field must not set any bit to a value not supported in VMX
operation.
- The CR4 field must not set any bit to a value not supported in VMX
operation.
- On processors that support Intel 64 architecture, the CR3 field must
be such that bits 63:52 and bits in the range 51:32 beyond the
processor’s physical-address width must be 0.

Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Reviewed-by: Liam Merwick <liam.merwick@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Conflicts:
x86/vmx_tests.c

show more ...

Check Host Control Registers on vmentry of L2 guests

According to section "Checks on VMX Controls" in Intel SDM vol 3C, the
following checks are performed on vmentry of L2 guests:

- The CR0 fie

Check Host Control Registers on vmentry of L2 guests

According to section "Checks on VMX Controls" in Intel SDM vol 3C, the
following checks are performed on vmentry of L2 guests:

- The CR0 field must not set any bit to a value not supported in VMX
operation.
- The CR4 field must not set any bit to a value not supported in VMX
operation.
- On processors that support Intel 64 architecture, the CR3 field must
be such that bits 63:52 and bits in the range 51:32 beyond the
processor’s physical-address width must be 0.

Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Reviewed-by: Liam Merwick <liam.merwick@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Conflicts:
x86/vmx_tests.c

show more ...

Re-name 'test_vmx_controls' to 'test_vmx_vmlaunch' and pass the expected error code to it

The error code returned by KVM when vmlaunch fails, is hard-coded in
'test_vmx_controls'. Because that funct

Re-name 'test_vmx_controls' to 'test_vmx_vmlaunch' and pass the expected error code to it

The error code returned by KVM when vmlaunch fails, is hard-coded in
'test_vmx_controls'. Because that function has been thus far used only for
testing the VMX controls. Re-name the function to 'test_vmx_vmlaunch' and pass
the expected error code to it so that it can be used for testing any VMCS
field.
Add two wrappers around 'test_vmx_vmlaunch' for testing the VMX controls.

Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Suggested-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

Move test_vm_entry_ctls() below test_vm_exit_ctls()

.. to align the checks according to the order in Intel SDM.

Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Reviewed-by: Jim Mattson

Move test_vm_entry_ctls() below test_vm_exit_ctls()

.. to align the checks according to the order in Intel SDM.

Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

x86: nVMX: Add comments to the EPT helper functions

...to document why there are two variations of "setup EPT" and when to
employ each variant.

Suggested-by: Marc Orr <marcorr@google.com>
Signed-of

x86: nVMX: Add comments to the EPT helper functions

...to document why there are two variations of "setup EPT" and when to
employ each variant.

Suggested-by: Marc Orr <marcorr@google.com>
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

x86: nVMX: Rename EPT setup functions to better convey their scope

Krish pointed out that enable_ept() does a lot more than simply set the
EPT bit in secondary execution controls, and setup_eptp() d

x86: nVMX: Rename EPT setup functions to better convey their scope

Krish pointed out that enable_ept() does a lot more than simply set the
EPT bit in secondary execution controls, and setup_eptp() does more than
configure the EPTP field.

Cc: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

x86: nVMX: Require WB for the EPT walks when possible

The memtype used by hardware when walking EPT tables is specified by
software via an encoding in the EPTP. Ignoring the fact that no sane
VMM w

x86: nVMX: Require WB for the EPT walks when possible

The memtype used by hardware when walking EPT tables is specified by
software via an encoding in the EPTP. Ignoring the fact that no sane
VMM would default to UC for page table walks, KVM only supports WB,
and has only ever supported WB (added in commit ca72d970ff9a, "KVM:
nEPT: Advertise WB type EPTP").

Require WB and remove the UC handling altogether. Eliminating what is
effectively dead code also removes the confusing error message (that
never fires) regarding memtype, e.g. "EPT paging-structure memory type
UC&WB are not supported" may be interpreted as stating that KVM unit
tests require WC *and* WB.

Cc: Marc Orr <marcorr@google.com>
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

x86: nVMX: Pre-check EPT requirement for unrestricted guest

...and abort the test if configuring a dummy EPT fails now that all
users pre-check EPT support. There are additional checks in the commo

x86: nVMX: Pre-check EPT requirement for unrestricted guest

...and abort the test if configuring a dummy EPT fails now that all
users pre-check EPT support. There are additional checks in the common
EPT setup code, e.g. for EPT memtype compatibility, but the checks in
question should never fail because they query capabilities that KVM
always bundles with EPT, hence the abort.

Cc: Marc Orr <marcorr@google.com>
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

x86: nVMX: Check the return value of setup_eptp() in setup_ept()

A recent patch neglected to check the return value of the helper
function it factored out of setup_ept().

Fixes: d065566f60288 ("KVM

x86: nVMX: Check the return value of setup_eptp() in setup_ept()

A recent patch neglected to check the return value of the helper
function it factored out of setup_ept().

Fixes: d065566f60288 ("KVM: nVMX: Add enable_ept() helper to configure legal EPTP")
Reported-by: Marc Orr <marcorr@google.com>
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

KVM: nVMX: Properly configured unrestricted guest for event injection

The hardware exception injection test toggles unrestricted guest so that
it can test the case where an event is injected into re

KVM: nVMX: Properly configured unrestricted guest for event injection

The hardware exception injection test toggles unrestricted guest so that
it can test the case where an event is injected into real mode with and
without an error code (exception error codes don't exist in real mode).
Unrestricted guest has its own requirements, specifically that EPT is
also enabled (since IA32 paging could be disabled).

Unfortunately, the enable_unrestricted_guest() helper fails to ensure
EPT is enabled, which causes all subsequent VMLAUNCH instructions to
fail with "invalid control field". Use the new added enable_ept() to
configure unrestricted guest. In addition, assert that unrestricted
guest is disabled at the beginning of the relevant section as things
will likely go sideways if unrestricted guest is already enabled, e.g.
odds are good it was enabled in order to muck with CR0. This allows
for the removal of disable_unrestricted_guest() entirely. And finally,
clean up the control fields after finishing the unrestricted guest
section (instead of invoking the defunct disable_unrestricted_guest()).

Note that it's not the unrestricted guest tests that fail, since there
is no "vmlaunch succeeds" variant, rather its the following tests that
expect success that end up failing (because the shoddy enabling of URG
isn't undone).

Fixes: 8d2cdb3 ("x86: Add test for nested VM entry prereqs")
Reviewed-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Reviewed-by: Marc Orr <marcorr@google.com>
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

KVM: nVMX: Add enable_ept() helper to configure legal EPTP

Enabling EPT requires a valid EPTP, but that only means the EPTP itself
must satisfy the VM-Enter consistency checks. Split out the EPTP s

KVM: nVMX: Add enable_ept() helper to configure legal EPTP

Enabling EPT requires a valid EPTP, but that only means the EPTP itself
must satisfy the VM-Enter consistency checks. Split out the EPTP setup
to a separate helper and wrap it with a new helper, enable_ept(), that
uses a dummy top-level EPT table, i.e. address 0. This skips allocating
a page and setting up the EPT tables for tests that just want to set
EPT=1 to satisfy a dependent consistency check, e.g. unrestricted guest.

Fixes: b57936c ("If "enable EPT" is enabled in a test, EPT pointer must also be set up")
Cc: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Reviewed-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Reviewed-by: Marc Orr <marcorr@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

KVM: nVMX: Remove redundant masking with allowed exec controls mask

setup_ept() explicitly checks that it can enable EPT and the starting
values for the controls are pulled from the VMCS. The only

KVM: nVMX: Remove redundant masking with allowed exec controls mask

setup_ept() explicitly checks that it can enable EPT and the starting
values for the controls are pulled from the VMCS. The only way the
masking has any effect is if hardware (or a lower VMM) reads out a
value that conflicts with its allowed settings, i.e. hardware is
seriously borked.

Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Reviewed-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Reviewed-by: Marc Orr <marcorr@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

x86: vmx: fix required alignment for posted interrupt descriptor

The posted interrupt descriptor only has to be aligned to 64 bytes.
Fix the call to test_vmcs_addr_values to remove the last 6 failur

x86: vmx: fix required alignment for posted interrupt descriptor

The posted interrupt descriptor only has to be aligned to 64 bytes.
Fix the call to test_vmcs_addr_values to remove the last 6 failures!

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

x86: vmx: add test for CVE-2019-7221

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

If "enable EPT" is enabled in a test, EPT pointer must also be set up

Commit,

5b8ba41dafd7 KVM: nVMX: move vmcs12 EPTP consistency check to
check_vmentry_prereqs()

moved the check for EPT poin

If "enable EPT" is enabled in a test, EPT pointer must also be set up

Commit,

5b8ba41dafd7 KVM: nVMX: move vmcs12 EPTP consistency check to
check_vmentry_prereqs()

moved the check for EPT pointer, from nested_ept_get_cr3() to
check_vmentry_prereqs(). As a result, if "enabled EPT" is set in a test
but EPT pointer is not, vmentry will fail even if EPT pointer is not
tested in that particular test.

Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Reviewed-by: Mark Kanda <mark.kanda@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

Check VM-entry MSR-load address on vmentry of L2 guests

According to section "Checks on VMX Controls" in Intel SDM vol 3C, the
following checks performed for the VM-entry MSR-load address if the
the

Check VM-entry MSR-load address on vmentry of L2 guests

According to section "Checks on VMX Controls" in Intel SDM vol 3C, the
following checks performed for the VM-entry MSR-load address if the
the VM-entry MSR-load count field is non-zero:

- The lower 4 bits of the VM-entry MSR-load address must be 0.
The address should not set any bits beyond the processor’s
physical-address width.

- The address of the last byte in the VM-entry MSR-load area
should not set any bits beyond the processor’s physical-address
width. The address of this last byte is VM-entry MSR-load address
+ (MSR count * 16) - 1. (The arithmetic used for the computation
uses more bits than the processor’s physical-address width.)

If IA32_VMX_BASIC[48] is read as 1, neither address should set any bits
in the range 63:32.

Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Reviewed-by: Mihai Carabas <mihai.carabas@oracle.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

vmlaunch_succeeds() needs to check failure of VM-entry MSR-load

.. as that is one of the valid reasons for vmentry failure.

Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Reviewed-by:

vmlaunch_succeeds() needs to check failure of VM-entry MSR-load

.. as that is one of the valid reasons for vmentry failure.

Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Reviewed-by: Mihai Carabas <mihai.carabas@oracle.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

KVM nVMX: Check VM-exit MSR-store address on vmentry of L2 guests

According to section "Checks on VMX Controls" in Intel SDM vol 3C, the
following checks performed for the VM-exit MSR-store address

KVM nVMX: Check VM-exit MSR-store address on vmentry of L2 guests

According to section "Checks on VMX Controls" in Intel SDM vol 3C, the
following checks performed for the VM-exit MSR-store address if the
the VM-exit MSR-store count field is non-zero:

- The lower 4 bits of the VM-exit MSR-store address must be 0.
The address should not set any bits beyond the processor’s
physical-address width.

- The address of the last byte in the VM-exit MSR-store area
should not set any bits beyond the processor’s physical-address
width. The address of this last byte is VM-exit MSR-store address
+ (MSR count * 16) - 1. (The arithmetic used for the computation
uses more bits than the processor’s physical-address width.)

If IA32_VMX_BASIC[48] is read as 1, neither address should set any bits
in the range 63:32.

Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Reviewed-by: Mihai Carabas <mihai.carabas@oracle.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>

show more ...

KVM nVMX: test_vmcs_page_values() needs to accept a bit range

... because various addresses need to be tested for various bit ranges.

Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Re

KVM nVMX: test_vmcs_page_values() needs to accept a bit range

... because various addresses need to be tested for various bit ranges.

Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Reviewed-by: Mihai Carabas <mihai.carabas@oracle.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>

show more ...

KVM nVMX: test_vmcs_page_* functions need to accept alignment size as a parameter

.. because not all alignments fall on page size boundary.

Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.co

KVM nVMX: test_vmcs_page_* functions need to accept alignment size as a parameter

.. because not all alignments fall on page size boundary.

Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Reviewed-by: Mihai Carabas <mihai.carabas@oracle.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>

show more ...

KVM nVMX: Change the names of the functions test_vmcs_page_* to test_vmcs_addr_*

... because these functions can be used for any VMCS address and not just
a page.

Signed-off-by: Krish Sadhukh

KVM nVMX: Change the names of the functions test_vmcs_page_* to test_vmcs_addr_*

... because these functions can be used for any VMCS address and not just
a page.

Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>

show more ...

nVMX: Move all tests for VM-entry control fields to a separate function

... to improve readability and maintainability, and to align the code as per
the layout of the checks in chapter "VM Entries"

nVMX: Move all tests for VM-entry control fields to a separate function

... to improve readability and maintainability, and to align the code as per
the layout of the checks in chapter "VM Entries" in Intel SDM vol 3C.

Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Reviewed-by: Mihai Carabas <mihai.carabas@oracle.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>

show more ...

nVMX: Move all tests for VM-execution control fields to a separate function

... to improve readability and maintainability, and to align the code as per
the layout of the checks in chapter "VM Entr

nVMX: Move all tests for VM-execution control fields to a separate function

... to improve readability and maintainability, and to align the code as per
the layout of the checks in chapter "VM Entries" in Intel SDM vol 3C.

Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Reviewed-by: Mihai Carabas <mihai.carabas@oracle.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>

show more ...