search for: paranoid_entry

On Mon, Sep 07, 2020 at 03:16:08PM +0200, Joerg Roedel wrote: > From: Joerg Roedel <jroedel at suse.de> > > The IDT on 64bit contains vectors which use paranoid_entry() and/or IST > stacks. To make these vectors work the TSS and the getcpu GDT entry need > to be set up before the IDT is loaded. > > Signed-off-by: Joerg Roedel <jroedel at suse.de> > --- > arch/x86/include/asm/processor.h | 1 + > arch/x86/kernel/cpu/common.c | 23...

From: Joerg Roedel <jroedel at suse.de> The IDT on 64bit contains vectors which use paranoid_entry() and/or IST stacks. To make these vectors work the TSS and the getcpu GDT entry need to be set up before the IDT is loaded. Signed-off-by: Joerg Roedel <jroedel at suse.de> --- arch/x86/include/asm/processor.h | 1 + arch/x86/kernel/cpu/common.c | 23 +++++++++++++++++++++++ arch/x86/...

On Mon, Aug 24, 2020 at 10:54:33AM +0200, Joerg Roedel wrote: > From: Joerg Roedel <jroedel at suse.de> > > Early exception handling will use rd/wrgsbase in paranoid_entry/exit. > Enable the feature to avoid #UD exceptions on boot APs. > > Signed-off-by: Joerg Roedel <jroedel at suse.de> > Link: https://lore.kernel.org/r/20200724160336.5435-38-joro at 8bytes.org > --- > arch/x86/kernel/head_64.S | 7 +++++++ > 1 file changed, 7 insertions...

On Mon, Aug 24, 2020 at 10:54:33AM +0200, Joerg Roedel wrote: > From: Joerg Roedel <jroedel at suse.de> > > Early exception handling will use rd/wrgsbase in paranoid_entry/exit. > Enable the feature to avoid #UD exceptions on boot APs. > > Signed-off-by: Joerg Roedel <jroedel at suse.de> > Link: https://lore.kernel.org/r/20200724160336.5435-38-joro at 8bytes.org > --- > arch/x86/kernel/head_64.S | 7 +++++++ > 1 file changed, 7 insertions...

...HV exception. + */ +.macro idtentry_vc vector asmsym cfunc +SYM_CODE_START(\asmsym) + UNWIND_HINT_IRET_REGS + ASM_CLAC + + /* + * If the entry is from userspace, switch stacks and treat it as + * a normal entry. + */ + testb $3, CS-ORIG_RAX(%rsp) + jnz .Lfrom_usermode_switch_stack_\@ + + /* + * paranoid_entry returns SWAPGS flag for paranoid_exit in EBX. + * EBX == 0 -> SWAPGS, EBX == 1 -> no SWAPGS + */ + call paranoid_entry + + UNWIND_HINT_REGS + + /* + * Switch off the IST stack to make it free for nested exceptions. The + * vc_switch_off_ist() function will switch back to the interrupted +...

...That is, APs come up offline; masking out either FSGSBASE or RDPID from the > guest's CPUID results in all CPUs online. > > Is that still expected with this patch set? (As you mentioned in an earlier reply, > I?m testing on a Rome system.) The RDPID fix (removing RDPID usage from paranoid_entry) is probably not yet merged into the base you have been using. But removing RDPID from CPUID should make things work until the fix is merged. Regards, Joerg

From: Joerg Roedel <jroedel at suse.de> Early exception handling will use rd/wrgsbase in paranoid_entry/exit. Enable the feature to avoid #UD exceptions on boot APs. Signed-off-by: Joerg Roedel <jroedel at suse.de> Link: https://lore.kernel.org/r/20200724160336.5435-38-joro at 8bytes.org --- arch/x86/kernel/head_64.S | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/arch/x86/kernel/h...

On Sat, Aug 29, 2020 at 05:55:25PM +0200, Borislav Petkov wrote: > On Mon, Aug 24, 2020 at 10:54:33AM +0200, Joerg Roedel wrote: > > From: Joerg Roedel <jroedel at suse.de> > > > > Early exception handling will use rd/wrgsbase in paranoid_entry/exit. > > Enable the feature to avoid #UD exceptions on boot APs. > > > > Signed-off-by: Joerg Roedel <jroedel at suse.de> > > Link: https://lore.kernel.org/r/20200724160336.5435-38-joro at 8bytes.org > > --- > > arch/x86/kernel/head_64.S | 7 +++++++ >...

On Tue, Feb 11, 2020 at 03:50:08PM +0100, Peter Zijlstra wrote: > Oh gawd; so instead of improving the whole NMI situation, AMD went and > made it worse still ?!? Well, depends on how you want to see it. Under SEV-ES an IRET will not re-open the NMI window, but the guest has to tell the hypervisor explicitly when it is ready to receive new NMIs via the NMI_COMPLETE message. NMIs stay

On Tue, Feb 11, 2020 at 03:50:08PM +0100, Peter Zijlstra wrote: > Oh gawd; so instead of improving the whole NMI situation, AMD went and > made it worse still ?!? Well, depends on how you want to see it. Under SEV-ES an IRET will not re-open the NMI window, but the guest has to tell the hypervisor explicitly when it is ready to receive new NMIs via the NMI_COMPLETE message. NMIs stay

...cannot result in a fault. */ + SEV_ES_NMI_COMPLETE iretq first_nmi: @@ -1687,6 +1698,12 @@ end_repeat_nmi: movq $-1, %rsi call do_nmi + /* + * When running as an SEV-ES guest, jump to the SEV-ES NMI IRET + * path. + */ + SEV_ES_NMI_COMPLETE + /* Always restore stashed CR3 value (see paranoid_entry) */ RESTORE_CR3 scratch_reg=%r15 save_reg=%r14 @@ -1715,6 +1732,9 @@ nmi_restore: std movq $0, 5*8(%rsp) /* clear "NMI executing" */ +nmi_return: + UNWIND_HINT_IRET_REGS + /* * iretq reads the "iret" frame and exits the NMI stack in a * single instruction. We...

...c. This makes the whole early exception handling setup code more robust for kernels that have KASAN and/or Tracing enabled. A side effect of this change is that secondary CPU now don't use the idt_table at early boot, which means that on the secondary CPUs the early handler does not use IST or paranoid_entry() anymore. This allowed to remove a couple of patches from this series which were only needed to setup relevant processor starte early enough for IST exceptions. In particular this means that the early FSGSBASE and TSS setup is gone now. Also the patch which moved the idt_table to the data segement...

...c. This makes the whole early exception handling setup code more robust for kernels that have KASAN and/or Tracing enabled. A side effect of this change is that secondary CPU now don't use the idt_table at early boot, which means that on the secondary CPUs the early handler does not use IST or paranoid_entry() anymore. This allowed to remove a couple of patches from this series which were only needed to setup relevant processor starte early enough for IST exceptions. In particular this means that the early FSGSBASE and TSS setup is gone now. Also the patch which moved the idt_table to the data segement...

...R_GS_BASE is now set up very early too, before calling into any C code that has stack protector checks. - As a result I decided to move the setup code which is needed before the kernel switches to virtual addresses into a C function as well. This should be much easier to maintain. - paranoid_entry/exit now uses FSGSBASE instructions, so some refactoring was needed to make that work early for secondary CPUs too. - As a result, some state of the APs is now set up on the boot-cpu already, like the TSS and the CPU_NODE GDT entry, so that the AP only needs to load the descriptors to...

From: Joerg Roedel <jroedel at suse.de> Hi, here is the new version of the SEV-ES client enabling patch-set. It is based on the latest tip/master branch and contains the necessary changes. In particular those ar: - Enabling CR4.FSGSBASE early on supported processors so that early #VC exceptions on APs can be handled. - Add another patch (patch 1) to fix a KVM frame-size build

From: Joerg Roedel <jroedel at suse.de> Hi, here is the fourth version of the SEV-ES Guest Support patches. I addressed the review comments sent to me for the previous version and rebased the code v5.8-rc5. The biggest change in this version is the IST handling code for the #VC handler. I adapted the entry code for the #VC handler to the big pile of entry code changes merged into

From: Joerg Roedel <jroedel at suse.de> Hi, here is the fourth version of the SEV-ES Guest Support patches. I addressed the review comments sent to me for the previous version and rebased the code v5.8-rc5. The biggest change in this version is the IST handling code for the #VC handler. I adapted the entry code for the #VC handler to the big pile of entry code changes merged into

Hi, here is the first public post of the patch-set to enable Linux to run under SEV-ES enabled hypervisors. The code is mostly feature-complete, but there are still a couple of bugs to fix. Nevertheless, given the size of the patch-set, I think it is about time to ask for initial feedback of the changes that come with it. To better understand the code here is a quick explanation of SEV-ES first.

Hi, here is the first public post of the patch-set to enable Linux to run under SEV-ES enabled hypervisors. The code is mostly feature-complete, but there are still a couple of bugs to fix. Nevertheless, given the size of the patch-set, I think it is about time to ask for initial feedback of the changes that come with it. To better understand the code here is a quick explanation of SEV-ES first.