commit 9c0d518eb8dc69430e6a8d767bd101dad19b846a
Author: Jan Beulich <jbeulich@suse.com>
AuthorDate: Tue Mar 5 11:56:31 2024 +0100
Commit: Jan Beulich <jbeulich@suse.com>
CommitDate: Tue Mar 5 11:56:31 2024 +0100
x86/HVM: hide SVM/VMX when their enabling is prohibited by firmware
... or we fail to enable the functionality on the BSP for other reasons.
The only place where hardware announcing the feature is recorded is the
raw CPU policy/featureset.
Inspired by https://lore.kernel.org/all/20230921114940.957141-1-pbonzini@redhat.com/.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Roger Pau Monné <roger.pau@citrix.com>
master commit: 0b5f149338e35a795bf609ce584640b0977f9e6c
master date: 2024-01-09 14:06:34 +0100
---
xen/arch/x86/hvm/svm/svm.c | 1 +
xen/arch/x86/hvm/vmx/vmcs.c | 17 +++++++++++++++++
2 files changed, 18 insertions(+)
diff --git a/xen/arch/x86/hvm/svm/svm.c b/xen/arch/x86/hvm/svm/svm.c
index fd32600ae3..3c17464550 100644
--- a/xen/arch/x86/hvm/svm/svm.c
+++ b/xen/arch/x86/hvm/svm/svm.c
@@ -1669,6 +1669,7 @@ const struct hvm_function_table * __init start_svm(void)
if ( _svm_cpu_up(true) )
{
+ setup_clear_cpu_cap(X86_FEATURE_SVM);
printk("SVM: failed to initialise.\n");
return NULL;
}
diff --git a/xen/arch/x86/hvm/vmx/vmcs.c b/xen/arch/x86/hvm/vmx/vmcs.c
index bcbecc6945..b5ecc51b43 100644
--- a/xen/arch/x86/hvm/vmx/vmcs.c
+++ b/xen/arch/x86/hvm/vmx/vmcs.c
@@ -2163,6 +2163,23 @@ int __init vmx_vmcs_init(void)
if ( !ret )
register_keyhandler('v', vmcs_dump, "dump VT-x VMCSs", 1);
+ else
+ {
+ setup_clear_cpu_cap(X86_FEATURE_VMX);
+
+ /*
+ * _vmx_vcpu_up() may have made it past feature identification.
+ * Make sure all dependent features are off as well.
+ */
+ vmx_basic_msr = 0;
+ vmx_pin_based_exec_control = 0;
+ vmx_cpu_based_exec_control = 0;
+ vmx_secondary_exec_control = 0;
+ vmx_vmexit_control = 0;
+ vmx_vmentry_control = 0;
+ vmx_ept_vpid_cap = 0;
+ vmx_vmfunc = 0;
+ }
return ret;
}
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.17
Author: Jan Beulich <jbeulich@suse.com>
AuthorDate: Tue Mar 5 11:56:31 2024 +0100
Commit: Jan Beulich <jbeulich@suse.com>
CommitDate: Tue Mar 5 11:56:31 2024 +0100
x86/HVM: hide SVM/VMX when their enabling is prohibited by firmware
... or we fail to enable the functionality on the BSP for other reasons.
The only place where hardware announcing the feature is recorded is the
raw CPU policy/featureset.
Inspired by https://lore.kernel.org/all/20230921114940.957141-1-pbonzini@redhat.com/.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Roger Pau Monné <roger.pau@citrix.com>
master commit: 0b5f149338e35a795bf609ce584640b0977f9e6c
master date: 2024-01-09 14:06:34 +0100
---
xen/arch/x86/hvm/svm/svm.c | 1 +
xen/arch/x86/hvm/vmx/vmcs.c | 17 +++++++++++++++++
2 files changed, 18 insertions(+)
diff --git a/xen/arch/x86/hvm/svm/svm.c b/xen/arch/x86/hvm/svm/svm.c
index fd32600ae3..3c17464550 100644
--- a/xen/arch/x86/hvm/svm/svm.c
+++ b/xen/arch/x86/hvm/svm/svm.c
@@ -1669,6 +1669,7 @@ const struct hvm_function_table * __init start_svm(void)
if ( _svm_cpu_up(true) )
{
+ setup_clear_cpu_cap(X86_FEATURE_SVM);
printk("SVM: failed to initialise.\n");
return NULL;
}
diff --git a/xen/arch/x86/hvm/vmx/vmcs.c b/xen/arch/x86/hvm/vmx/vmcs.c
index bcbecc6945..b5ecc51b43 100644
--- a/xen/arch/x86/hvm/vmx/vmcs.c
+++ b/xen/arch/x86/hvm/vmx/vmcs.c
@@ -2163,6 +2163,23 @@ int __init vmx_vmcs_init(void)
if ( !ret )
register_keyhandler('v', vmcs_dump, "dump VT-x VMCSs", 1);
+ else
+ {
+ setup_clear_cpu_cap(X86_FEATURE_VMX);
+
+ /*
+ * _vmx_vcpu_up() may have made it past feature identification.
+ * Make sure all dependent features are off as well.
+ */
+ vmx_basic_msr = 0;
+ vmx_pin_based_exec_control = 0;
+ vmx_cpu_based_exec_control = 0;
+ vmx_secondary_exec_control = 0;
+ vmx_vmexit_control = 0;
+ vmx_vmentry_control = 0;
+ vmx_ept_vpid_cap = 0;
+ vmx_vmfunc = 0;
+ }
return ret;
}
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.17