From 7de21555730367497eb01edf6e9e9530224105e7 Mon Sep 17 00:00:00 2001 From: Andrew Cooper Date: Mon, 30 Jul 2018 11:29:39 +0200 Subject: [PATCH] x86/hvm: Disallow unknown MSR_EFER bits MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit It turns out that nothing ever prevented HVM guests from trying to set unknown EFER bits. Generally, this results in a vmentry failure. For Intel hardware, all implemented bits are covered by the checks. For AMD hardware, the only EFER bit which isn't covered by the checks is TCE (which AFAICT is specific to AMD Fam15/16 hardware). We never advertise TCE in CPUID, but it isn't a security problem to have TCE unexpected enabled in guest context. Disallow the setting of bits outside of the EFER_KNOWN_MASK, which prevents any vmentry failures for guests, yielding #GP instead. Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné Reviewed-by: Wei Liu Acked-by: Jan Beulich master commit: ef0269c6215d642a709866f04ba1a1f9f13f3614 master date: 2018-07-24 11:25:53 +0100 --- xen/arch/x86/hvm/hvm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c index d544720876..4cbb688c05 100644 --- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c @@ -907,6 +907,9 @@ const char *hvm_efer_valid(const struct vcpu *v, uint64_t value, else p = &host_cpuid_policy; + if ( value & ~EFER_KNOWN_MASK ) + return "Unknown bits set"; + if ( (value & EFER_SCE) && !p->extd.syscall ) return "SCE without feature"; -- 2.30.2