UBUNTU: SAUCE: x86/KVM/VMX: Expose SPEC_CTRL Bit(2) to the guest

CVE-2018-3639 (x86)

Expose the CPUID.7.EDX[31] bit to the guest, and also guard against various
combinations of SPEC_CTRL MSR values.

The handling of the MSR (to take into account the host value of SPEC_CTRL
Bit(2)) is taken care of in patch:

  KVM/SVM/VMX/x86/spectre_v2: Support the combination of guest and host IBRS
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
[juergh: Context adjustments.]
Signed-off-by: Juerg Haefliger <juergh@canonical.com>

arch/x86/kvm/cpuid.c

@@ -359,7 +359,7 @@ static inline int __do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 function,
 
 	/* cpuid 7.0.edx */
 	const u32 kvm_supported_7_0_edx_x86_features =
-		F(SPEC_CTRL);
+		F(SPEC_CTRL) | F(RDS);
 
 	/* cpuid 0xD.1.eax */
 	const u32 kvm_supported_word10_x86_features =

arch/x86/kvm/vmx.c

@@ -2936,7 +2936,11 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
 		kvm_write_tsc(vcpu, msr_info);
 		break;
 	case MSR_IA32_SPEC_CTRL:
-		vcpu->arch.spec_ctrl = msr_info->data;
+		/* The STIBP bit doesn't fault even if it's not advertised */
+		if (data & ~(SPEC_CTRL_IBRS | SPEC_CTRL_STIBP | SPEC_CTRL_RDS))
+			return 1;
+
+		vcpu->arch.spec_ctrl = data;
 		break;
 	case MSR_IA32_CR_PAT:
 		if (vmcs_config.vmentry_ctrl & VM_ENTRY_LOAD_IA32_PAT) {