• Nicolai Stange's avatar
    x86/KVM/VMX: Introduce per-host-cpu analogue of l1tf_flush_l1d · 70a63a1f
    Nicolai Stange authored
    Part of the L1TF mitigation for vmx includes flushing the L1D cache upon
    VMENTRY.
    
    L1D flushes are costly and two modes of operations are provided to users:
    "always" and the more selective "conditional" mode.
    
    If operating in the latter, the cache would get flushed only if a host side
    code path considered unconfined had been traversed. "Unconfined" in this
    context means that it might have pulled in sensitive data like user data
    or kernel crypto keys.
    
    The need for L1D flushes is tracked by means of the per-vcpu flag
    l1tf_flush_l1d. KVM exit handlers considered unconfined set it. A
    vmx_l1d_flush() subsequently invoked before the next VMENTER will conduct a
    L1d flush based on its value and reset that flag again.
    
    Currently, interrupts delivered "normally" while in root operation between
    VMEXIT and VMENTER are not taken into account. Part of the reason is that
    these don't leave any traces and thus, the vmx code is unable to tell if
    any such has happened.
    
    As proposed by Paolo Bonzini, prepare for tracking all interrupts by
    introducing a new per-cpu flag, "kvm_cpu_l1tf_flush_l1d". It will be in
    strong analogy to the per-vcpu ->l1tf_flush_l1d.
    
    A later patch will make interrupt handlers set it.
    
    For the sake of cache locality, group kvm_cpu_l1tf_flush_l1d into x86'
    per-cpu irq_cpustat_t as suggested by Peter Zijlstra.
    
    Provide the helpers kvm_set_cpu_l1tf_flush_l1d(),
    kvm_clear_cpu_l1tf_flush_l1d() and kvm_get_cpu_l1tf_flush_l1d(). Make them
    trivial resp. non-existent for !CONFIG_KVM_INTEL as appropriate.
    
    Let vmx_l1d_flush() handle kvm_cpu_l1tf_flush_l1d in the same way as
    l1tf_flush_l1d.
    Suggested-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
    Suggested-by: default avatarPeter Zijlstra <peterz@infradead.org>
    Signed-off-by: default avatarNicolai Stange <nstange@suse.de>
    Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
    Reviewed-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
    
    CVE-2018-3620
    CVE-2018-3646
    Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
    70a63a1f
hardirq.h 2.25 KB