releases/5.11.21/kvm-svm-disable-sev-sev-es-if-npt-is-disabled.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 01fbd6f13170082c1a22dd72bf17c9e99445a835 Mon Sep 17 00:00:00 2001
 From: Sasha Levin <sashal@kernel.org>
 Date: Wed, 21 Apr 2021 19:11:13 -0700
 Subject: KVM: SVM: Disable SEV/SEV-ES if NPT is disabled

 From: Sean Christopherson <seanjc@google.com>

 [ Upstream commit fa13680f5668cff05302a2f4753c49334a83a064 ]

 Disable SEV and SEV-ES if NPT is disabled.  While the APM doesn't clearly
 state that NPT is mandatory, it's alluded to by:

   The guest page tables, managed by the guest, may mark data memory pages
   as either private or shared, thus allowing selected pages to be shared
   outside the guest.

 And practically speaking, shadow paging can't work since KVM can't read
 the guest's page tables.

 Fixes: e9df09428996 ("KVM: SVM: Add sev module_param")
 Cc: Brijesh Singh <brijesh.singh@amd.com
 Cc: Tom Lendacky <thomas.lendacky@amd.com>
 Signed-off-by: Sean Christopherson <seanjc@google.com>
 Message-Id: <20210422021125.3417167-4-seanjc@google.com>
 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
 Signed-off-by: Sasha Levin <sashal@kernel.org>
 ---
  arch/x86/kvm/svm/svm.c | 20 ++++++++++----------
  1 file changed, 10 insertions(+), 10 deletions(-)

 diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
 index 99592e03658b..15a69500819d 100644
 --- a/arch/x86/kvm/svm/svm.c
 +++ b/arch/x86/kvm/svm/svm.c
 @@ -980,7 +980,16 @@ static __init int svm_hardware_setup(void)
  		kvm_enable_efer_bits(EFER_SVME | EFER_LMSLE);
  	}

 -	if (IS_ENABLED(CONFIG_KVM_AMD_SEV) && sev) {
 +	if (!boot_cpu_has(X86_FEATURE_NPT))
 +		npt_enabled = false;
 +
 +	if (npt_enabled && !npt)
 +		npt_enabled = false;
 +
 +	kvm_configure_mmu(npt_enabled, get_max_npt_level(), PG_LEVEL_1G);
 +	pr_info("kvm: Nested Paging %sabled\n", npt_enabled ? "en" : "dis");
 +
 +	if (IS_ENABLED(CONFIG_KVM_AMD_SEV) && sev && npt_enabled) {
  		sev_hardware_setup();
  	} else {
  		sev = false;
 @@ -995,15 +1004,6 @@ static __init int svm_hardware_setup(void)
  			goto err;
  	}

 -	if (!boot_cpu_has(X86_FEATURE_NPT))
 -		npt_enabled = false;
 -
 -	if (npt_enabled && !npt)
 -		npt_enabled = false;
 -
 -	kvm_configure_mmu(npt_enabled, get_max_npt_level(), PG_LEVEL_1G);
 -	pr_info("kvm: Nested Paging %sabled\n", npt_enabled ? "en" : "dis");
 -
  	if (nrips) {
  		if (!boot_cpu_has(X86_FEATURE_NRIPS))
  			nrips = false;
 --
 2.30.2
	From 01fbd6f13170082c1a22dd72bf17c9e99445a835 Mon Sep 17 00:00:00 2001
	From: Sasha Levin <sashal@kernel.org>
	Date: Wed, 21 Apr 2021 19:11:13 -0700
	Subject: KVM: SVM: Disable SEV/SEV-ES if NPT is disabled

	From: Sean Christopherson <seanjc@google.com>

	[ Upstream commit fa13680f5668cff05302a2f4753c49334a83a064 ]

	Disable SEV and SEV-ES if NPT is disabled. While the APM doesn't clearly
	state that NPT is mandatory, it's alluded to by:

	The guest page tables, managed by the guest, may mark data memory pages
	as either private or shared, thus allowing selected pages to be shared
	outside the guest.

	And practically speaking, shadow paging can't work since KVM can't read
	the guest's page tables.

	Fixes: e9df09428996 ("KVM: SVM: Add sev module_param")
	Cc: Brijesh Singh <brijesh.singh@amd.com
	Cc: Tom Lendacky <thomas.lendacky@amd.com>
	Signed-off-by: Sean Christopherson <seanjc@google.com>
	Message-Id: <20210422021125.3417167-4-seanjc@google.com>
	Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
	Signed-off-by: Sasha Levin <sashal@kernel.org>
	---
	arch/x86/kvm/svm/svm.c \| 20 ++++++++++----------
	1 file changed, 10 insertions(+), 10 deletions(-)

	diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
	index 99592e03658b..15a69500819d 100644
	--- a/arch/x86/kvm/svm/svm.c
	+++ b/arch/x86/kvm/svm/svm.c
	@@ -980,7 +980,16 @@ static __init int svm_hardware_setup(void)
	kvm_enable_efer_bits(EFER_SVME \| EFER_LMSLE);
	}

	- if (IS_ENABLED(CONFIG_KVM_AMD_SEV) && sev) {
	+ if (!boot_cpu_has(X86_FEATURE_NPT))
	+ npt_enabled = false;
	+
	+ if (npt_enabled && !npt)
	+ npt_enabled = false;
	+
	+ kvm_configure_mmu(npt_enabled, get_max_npt_level(), PG_LEVEL_1G);
	+ pr_info("kvm: Nested Paging %sabled\n", npt_enabled ? "en" : "dis");
	+
	+ if (IS_ENABLED(CONFIG_KVM_AMD_SEV) && sev && npt_enabled) {
	sev_hardware_setup();
	} else {
	sev = false;
	@@ -995,15 +1004,6 @@ static __init int svm_hardware_setup(void)
	goto err;
	}

	- if (!boot_cpu_has(X86_FEATURE_NPT))
	- npt_enabled = false;
	-
	- if (npt_enabled && !npt)
	- npt_enabled = false;
	-
	- kvm_configure_mmu(npt_enabled, get_max_npt_level(), PG_LEVEL_1G);
	- pr_info("kvm: Nested Paging %sabled\n", npt_enabled ? "en" : "dis");
	-
	if (nrips) {
	if (!boot_cpu_has(X86_FEATURE_NRIPS))
	nrips = false;
	--
	2.30.2