    KVM: SEV: Enable data breakpoints in SEV-ES · d1f85fbe
    Alexey Kardashevskiy authored
    Add support for "DebugSwap for SEV-ES guests", which provides support
    for swapping DR[0-3] and DR[0-3]_ADDR_MASK on VMRUN and VMEXIT, i.e.
    allows KVM to expose debug capabilities to SEV-ES guests. Without
    DebugSwap support, the CPU doesn't save/load most _guest_ debug
    registers (except DR6/7), and KVM cannot manually context switch guest
    DRs due to the VMSA being encrypted.
    
    Enable DebugSwap if and only if the CPU also supports NoNestedDataBp,
    which causes the CPU to ignore nested #DBs, i.e. #DBs that occur when
    vectoring a #DB.  Without NoNestedDataBp, a malicious guest can DoS
    the host by putting the CPU into an infinite loop of vectoring #DBs
    (see https://bugzilla.redhat.com/show_bug.cgi?id=1278496)
    
    Set the features bit in sev_es_sync_vmsa(), which is the last point
    when the VMSA is not encrypted yet, as sev_(es_)init_vmcb() (where most
    of the init happens) is called not only when the VCPU is initialised but
    also on intrahost migration when the VMSA is encrypted.
    
    Eliminate DR7 intercepts as KVM can't modify guest DR7, and intercepting
    DR7 would completely defeat the purpose of enabling DebugSwap.
    
    Make X86_FEATURE_DEBUG_SWAP appear in /proc/cpuinfo (by not adding "") to
    let the operator know if the VM can debug.
    Signed-off-by: Alexey Kardashevskiy <aik@amd.com>
    Link: https://lore.kernel.org/r/20230615063757.3039121-7-aik@amd.com
    Signed-off-by: Sean Christopherson <seanjc@google.com>
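The commit message says the new feature bit is deliberately left visible in /proc/cpuinfo so an operator can tell whether SEV-ES guests on this host will get hardware data breakpoints. The script below is an added example for that operator check; it is not part of the kernel commit or the KVM code base. It assumes the string the kernel prints for X86_FEATURE_DEBUG_SWAP is `debug_swap`, and the two cpuinfo files it builds are constructed sample input so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the kernel commit): report whether the host CPU
# advertises the SEV-ES DebugSwap feature that the commit exposes in /proc/cpuinfo.
# Assumption: the cpuinfo flag string for X86_FEATURE_DEBUG_SWAP is "debug_swap".

# Return 0 if the first "flags" line of a cpuinfo-style file lists the flag, 1 otherwise.
has_cpu_flag() {
    flag="$1"
    file="${2:-/proc/cpuinfo}"
    grep '^flags' "$file" | head -n 1 | tr ' ' '\n' | grep -qx "$flag"
}

# Print a verdict and return the same status as has_cpu_flag.
debug_swap_status() {
    file="${1:-/proc/cpuinfo}"
    if has_cpu_flag debug_swap "$file"; then
        echo "debug_swap present: CPU can swap DR0-3 for SEV-ES guests on VMRUN/VMEXIT"
        return 0
    fi
    echo "debug_swap absent: SEV-ES guests will not get DR0-3 context switching"
    return 1
}

# Constructed sample cpuinfo files (not real output from any machine).
SAMPLE_WITH=$(mktemp)
cat > "$SAMPLE_WITH" <<'EOF'
processor	: 0
vendor_id	: AuthenticAMD
flags		: fpu vme sev sev_es debug_swap
EOF

SAMPLE_WITHOUT=$(mktemp)
cat > "$SAMPLE_WITHOUT" <<'EOF'
processor	: 0
vendor_id	: AuthenticAMD
flags		: fpu vme sev sev_es
EOF

debug_swap_status "$SAMPLE_WITH"
debug_swap_status "$SAMPLE_WITHOUT" || true
```

Run it with no argument to inspect the real /proc/cpuinfo. The check is necessary but not sufficient: the commit enables DebugSwap only when the CPU also has NoNestedDataBp, and that feature is not guaranteed to be listed in /proc/cpuinfo, so a `debug_swap` flag on the host tells you the CPU supports the swap, not that KVM has enabled it for a given guest.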