Commit 19e6e083 authored by Sean Christopherson's avatar Sean Christopherson
Browse files

KVM: nVMX: Always forward XSAVES/XRSTORS exits from L2 to L1 



Unconditionally forward XSAVES/XRSTORS VM-Exits from L2 to L1, as KVM
doesn't utilize the XSS-bitmap (KVM relies on controlling the XSS value
in hardware to prevent unauthorized access to XSAVES state).  KVM always
loads vmcs02 with vmcs12's bitmap, and so any exit _must_ be due to
vmcs12's XSS-bitmap.

Drop the comment about XSS never being non-zero in anticipation of
enabling CET_KERNEL and CET_USER support.

Opportunistically WARN if XSAVES is not enabled for L2, as the CPU is
supposed to generate #UD before checking the XSS-bitmap.

Reviewed-by: default avatarXiaoyao Li <xiaoyao.li@intel.com>
Reviewed-by: default avatarChao Gao <chao.gao@intel.com>
Link: https://lore.kernel.org/r/20250919223258.1604852-25-seanjc@google.com


Signed-off-by: default avatarSean Christopherson <seanjc@google.com>
parent b3744c59

arch/x86/kvm/vmx/nested.c

+9 −6
Original line number Diff line number Diff line
@@ -6570,14 +6570,17 @@ static bool nested_vmx_l1_wants_exit(struct kvm_vcpu *vcpu, 
		return nested_cpu_has2(vmcs12, SECONDARY_EXEC_WBINVD_EXITING);

	case EXIT_REASON_XSETBV:

		return true;

	case EXIT_REASON_XSAVES: case EXIT_REASON_XRSTORS:

	case EXIT_REASON_XSAVES:

	case EXIT_REASON_XRSTORS:

		/*

		 * This should never happen, since it is not possible to

		 * set XSS to a non-zero value---neither in L1 nor in L2.

		 * If if it were, XSS would have to be checked against

		 * the XSS exit bitmap in vmcs12.

		 * Always forward XSAVES/XRSTORS to L1 as KVM doesn't utilize

		 * XSS-bitmap, and always loads vmcs02 with vmcs12's XSS-bitmap

		 * verbatim, i.e. any exit is due to L1's bitmap.  WARN if

		 * XSAVES isn't enabled, as the CPU is supposed to inject #UD

		 * in that case, before consulting the XSS-bitmap.

		 */

		return nested_cpu_has2(vmcs12, SECONDARY_EXEC_ENABLE_XSAVES);

		WARN_ON_ONCE(!nested_cpu_has2(vmcs12, SECONDARY_EXEC_ENABLE_XSAVES));

		return true;

	case EXIT_REASON_UMWAIT:

	case EXIT_REASON_TPAUSE:

		return nested_cpu_has2(vmcs12,