On Wed, Nov 09, 2022, Paolo Bonzini wrote:
Restoration of the host IA32_SPEC_CTRL value is probably too late with respect to the return thunk training sequence.
With respect to the user/kernel boundary, AMD says, "If software chooses to toggle STIBP (e.g., set STIBP on kernel entry, and clear it on kernel exit), software should set STIBP to 1 before executing the return thunk training sequence." I assume the same requirements apply to the guest/host boundary. The return thunk training sequence is in vmenter.S, quite close to the VM-exit. On hosts without V_SPEC_CTRL, however, the host's IA32_SPEC_CTRL value is not restored until much later.
To avoid this, move the restoration of host SPEC_CTRL to assembly and, for consistency, move the restoration of the guest SPEC_CTRL as well. This is not particularly difficult, apart from some care to cover both 32- and 64-bit, and to share code between SEV-ES and normal vmentry.
Cc: stable@vger.kernel.org
Fixes: a149180fbcf3 ("x86: Add magic AMD return-thunk")
Suggested-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Reviewed-by: Sean Christopherson <seanjc@google.com>
+.ifnc _ASM_ARG1, _ASM_DI
- /*
* Stash @svm in RDI early. On 32-bit, arguments are in RAX, RCX
* and RDX which are clobbered by RESTORE_GUEST_SPEC_CTRL.
*/
- mov %_ASM_ARG1, %_ASM_DI
+.endif
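Review bot: the comment inside the new `.ifnc _ASM_ARG1, _ASM_DI` block still reads as if the `mov %_ASM_ARG1, %_ASM_DI` were unconditional, so it should say why the guard exists: the move is elided whenever the first argument register already is RDI, and is only emitted for the 32-bit calling convention whose argument registers (RAX, RCX, RDX) RESTORE_GUEST_SPEC_CTRL clobbers. Since the reply notes this function is SEV-ES only and therefore 64-bit only, the `.ifnc` will currently never expand to anything; either the comment should state that the conditional is kept for consistency with the non-SEV-ES entry path, or the whole block should be dropped in favour of the follow-up `#ifdef` cleanup rather than carrying dead conditional assembly.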
Not technically needed since SEV-ES is 64-bit only, but that's a pre-existing mess. I'll send a follow-up patch to #ifdef out the entire function and drop all of this internal ifdeffery, and provide a stub in C code so that 32-bit can link (and kill the VM if the stub is reached).