KVM: SVM: Add NMI support for an SEV-ES guest

The GHCB specification defines how NMIs are to be handled for an SEV-ES
guest. To detect the completion of an NMI the hypervisor must not
intercept the IRET instruction (because a #VC while running the NMI will
issue an IRET) and, instead, must receive an NMI Complete exit event from
the guest.

Update the KVM support for detecting the completion of NMIs in the guest
to follow the GHCB specification. When an SEV-ES guest is active, the
IRET instruction will no longer be intercepted. Now, when the NMI Complete
exit event is received, the iret_interception() function will be called
to simulate the completion of the NMI.

Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Message-Id: <5ea3dd69b8d4396cefdc9048ebc1ab7caa70a847.1607620209.git.thomas.lendacky@amd.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index 154ac7601d0269c6d94db27a72efe0aadaaed21f..c3006e9ef5ae751ebd5d0aee38d39b7ca4e47dd8 100644 (file)
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -1449,6 +1449,7 @@ static int sev_es_validate_vmgexit(struct vcpu_svm *svm)
                if (!ghcb_sw_scratch_is_valid(ghcb))
                        goto vmgexit_err;
                break;
+       case SVM_VMGEXIT_NMI_COMPLETE:
        case SVM_VMGEXIT_UNSUPPORTED_EVENT:
                break;
        default:
@@ -1770,6 +1771,9 @@ int sev_handle_vmgexit(struct vcpu_svm *svm)
                                            control->exit_info_2,
                                            svm->ghcb_sa);
                break;
+       case SVM_VMGEXIT_NMI_COMPLETE:
+               ret = svm_invoke_exit_handler(svm, SVM_EXIT_IRET);
+               break;
        case SVM_VMGEXIT_UNSUPPORTED_EVENT:
                vcpu_unimpl(&svm->vcpu,
                            "vmgexit: unsupported event - exit_info_1=%#llx, exit_info_2=%#llx\n",

diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
index f1c32cdc9d49099dea3ad4f8a56e7dd2426f25a0..2e43f79c27030f64e52a2d3a7e0f792fb9b7b06b 100644 (file)
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -2319,9 +2319,11 @@ static int cpuid_interception(struct vcpu_svm *svm)
 static int iret_interception(struct vcpu_svm *svm)
 {
        ++svm->vcpu.stat.nmi_window_exits;
-       svm_clr_intercept(svm, INTERCEPT_IRET);
        svm->vcpu.arch.hflags |= HF_IRET_MASK;
-       svm->nmi_iret_rip = kvm_rip_read(&svm->vcpu);
+       if (!sev_es_guest(svm->vcpu.kvm)) {
+               svm_clr_intercept(svm, INTERCEPT_IRET);
+               svm->nmi_iret_rip = kvm_rip_read(&svm->vcpu);
+       }
        kvm_make_request(KVM_REQ_EVENT, &svm->vcpu);
        return 1;
 }
@@ -3302,7 +3304,8 @@ static void svm_inject_nmi(struct kvm_vcpu *vcpu)
 
        svm->vmcb->control.event_inj = SVM_EVTINJ_VALID | SVM_EVTINJ_TYPE_NMI;
        vcpu->arch.hflags |= HF_NMI_MASK;
-       svm_set_intercept(svm, INTERCEPT_IRET);
+       if (!sev_es_guest(svm->vcpu.kvm))
+               svm_set_intercept(svm, INTERCEPT_IRET);
        ++vcpu->stat.nmi_injections;
 }
 
@@ -3386,10 +3389,12 @@ static void svm_set_nmi_mask(struct kvm_vcpu *vcpu, bool masked)
 
        if (masked) {
                svm->vcpu.arch.hflags |= HF_NMI_MASK;
-               svm_set_intercept(svm, INTERCEPT_IRET);
+               if (!sev_es_guest(svm->vcpu.kvm))
+                       svm_set_intercept(svm, INTERCEPT_IRET);
        } else {
                svm->vcpu.arch.hflags &= ~HF_NMI_MASK;
-               svm_clr_intercept(svm, INTERCEPT_IRET);
+               if (!sev_es_guest(svm->vcpu.kvm))
+                       svm_clr_intercept(svm, INTERCEPT_IRET);
        }
 }
 
@@ -3567,8 +3572,9 @@ static void svm_complete_interrupts(struct vcpu_svm *svm)
         * If we've made progress since setting HF_IRET_MASK, we've
         * executed an IRET and can allow NMI injection.
         */
-       if ((svm->vcpu.arch.hflags & HF_IRET_MASK)
-           && kvm_rip_read(&svm->vcpu) != svm->nmi_iret_rip) {
+       if ((svm->vcpu.arch.hflags & HF_IRET_MASK) &&
+           (sev_es_guest(svm->vcpu.kvm) ||
+            kvm_rip_read(&svm->vcpu) != svm->nmi_iret_rip)) {
                svm->vcpu.arch.hflags &= ~(HF_NMI_MASK | HF_IRET_MASK);
                kvm_make_request(KVM_REQ_EVENT, &svm->vcpu);
        }