KVM: PPC: Book3S HV: Nested move LPCR sanitising to sanitise_hv_regs

This will get a bit more complicated in future patches. Move it
into the helper function.

This change allows the L1 hypervisor to determine some of the LPCR
bits that the L0 is using to run it, which could be a privilege
violation (LPCR is HV-privileged), although the same problem exists
now for HFSCR for example. Discussion of the HV privilege issue is
ongoing and can be resolved with a later change.

Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Fabiano Rosas <farosas@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20210412014845.1517916-3-npiggin@gmail.com

diff --git a/arch/powerpc/kvm/book3s_hv_nested.c b/arch/powerpc/kvm/book3s_hv_nested.c
index 0cd0e7aad588b2db32a8c9899af9617bbf9b5791..3060e5deffc8d3cc7f513a82464df9a7012c89fd 100644 (file)
--- a/arch/powerpc/kvm/book3s_hv_nested.c
+++ b/arch/powerpc/kvm/book3s_hv_nested.c
@@ -132,8 +132,27 @@ static void save_hv_return_state(struct kvm_vcpu *vcpu, int trap,
        }
 }
 
+/*
+ * This can result in some L0 HV register state being leaked to an L1
+ * hypervisor when the hv_guest_state is copied back to the guest after
+ * being modified here.
+ *
+ * There is no known problem with such a leak, and in many cases these
+ * register settings could be derived by the guest by observing behaviour
+ * and timing, interrupts, etc., but it is an issue to consider.
+ */
 static void sanitise_hv_regs(struct kvm_vcpu *vcpu, struct hv_guest_state *hr)
 {
+       struct kvmppc_vcore *vc = vcpu->arch.vcore;
+       u64 mask;
+
+       /*
+        * Don't let L1 change LPCR bits for the L2 except these:
+        */
+       mask = LPCR_DPFD | LPCR_ILE | LPCR_TC | LPCR_AIL | LPCR_LD |
+               LPCR_LPES | LPCR_MER;
+       hr->lpcr = (vc->lpcr & ~mask) | (hr->lpcr & mask);
+
        /*
         * Don't let L1 enable features for L2 which we've disabled for L1,
         * but preserve the interrupt cause field.
@@ -271,8 +290,6 @@ long kvmhv_enter_nested_guest(struct kvm_vcpu *vcpu)
        u64 hv_ptr, regs_ptr;
        u64 hdec_exp;
        s64 delta_purr, delta_spurr, delta_ic, delta_vtb;
-       u64 mask;
-       unsigned long lpcr;
 
        if (vcpu->kvm->arch.l1_ptcr == 0)
                return H_NOT_AVAILABLE;
@@ -321,9 +338,7 @@ long kvmhv_enter_nested_guest(struct kvm_vcpu *vcpu)
        vcpu->arch.nested_vcpu_id = l2_hv.vcpu_token;
        vcpu->arch.regs = l2_regs;
        vcpu->arch.shregs.msr = vcpu->arch.regs.msr;
-       mask = LPCR_DPFD | LPCR_ILE | LPCR_TC | LPCR_AIL | LPCR_LD |
-               LPCR_LPES | LPCR_MER;
-       lpcr = (vc->lpcr & ~mask) | (l2_hv.lpcr & mask);
+
        sanitise_hv_regs(vcpu, &l2_hv);
        restore_hv_regs(vcpu, &l2_hv);
 
@@ -335,7 +350,7 @@ long kvmhv_enter_nested_guest(struct kvm_vcpu *vcpu)
                        r = RESUME_HOST;
                        break;
                }
-               r = kvmhv_run_single_vcpu(vcpu, hdec_exp, lpcr);
+               r = kvmhv_run_single_vcpu(vcpu, hdec_exp, l2_hv.lpcr);
        } while (is_kvmppc_resume_guest(r));
 
        /* save L2 state for return */