x86/KVM: Warn user if KVM is loaded SMT and L1TF CPU bug being present
authorKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Wed, 20 Jun 2018 15:29:53 +0000 (11:29 -0400)
committerKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Sat, 11 Aug 2018 00:44:37 +0000 (20:44 -0400)
If the L1TF CPU bug is present we allow the KVM module to be loaded, as the
majority of users who run Linux and KVM have trusted guests and do not want a
broken setup.

Cloud vendors are the ones that are uncomfortable with CVE 2018-3620 and as
such they are the ones that should set nosmt to one.

Setting 'nosmt' means that the system administrator also needs to disable
SMT (Hyper-threading) in the BIOS, or via the 'nosmt' command line
parameter, or via the /sys/devices/system/cpu/smt/control. See commit
05736e4ac13c ("cpu/hotplug: Provide knobs to control SMT").

Other mitigations are to use task affinity, cpu sets, interrupt binding,
etc - anything to make sure that _only_ the same guests vCPUs are running
on sibling threads.

Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Orabug: 28220674
CVE: CVE-2018-3646

(cherry picked from commit 26acfb666a473d960f0fd971fe68f3e3ad16c70b)

Signed-off-by: Mihai Carabas <mihai.carabas@oracle.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Conflicts:
Documentation/admin-guide/kernel-parameters.txt
arch/x86/kvm/vmx.c
kernel/cpu.c
Contextual: different content; This commit needs 03543133
"KVM: x86: Introducing kvm_x86_ops VM init/destroy hooks"

Documentation/kernel-parameters.txt
arch/x86/kvm/vmx.c
kernel/cpu.c

index dfc5b1a9cbbc495f7318ceb7ad324e1c9caba58d..8b21d64d91b12199f2bd9fe6139847ed2fa1b8e1 100644 (file)
@@ -1714,6 +1714,12 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
                        for all guests.
                        Default is 1 (enabled) if in 64-bit or 32-bit PAE mode.
 
+       kvm-intel.nosmt=[KVM,Intel] If the L1TF CPU bug is present (CVE-2018-3646)
+                       and the system has SMT (aka Hyper-Threading) enabled then
+                       don't allow guests to be created.
+
+                       Default is 0 (allow guests to be created).
+
        kvm-intel.ept=  [KVM,Intel] Disable extended page tables
                        (virtualized MMU) support on capable Intel chips.
                        Default is 1 (enabled)
index 4b1b99b5a68c1c540589fec845507097b3db67eb..29ca44ade7535e8bcc25889a1976751f0e34f78a 100644 (file)
@@ -66,6 +66,9 @@ static const struct x86_cpu_id vmx_cpu_id[] = {
 };
 MODULE_DEVICE_TABLE(x86cpu, vmx_cpu_id);
 
+static bool __read_mostly nosmt;
+module_param(nosmt, bool, S_IRUGO);
+
 static bool __read_mostly enable_vpid = 1;
 module_param_named(vpid, enable_vpid, bool, 0444);
 
@@ -8574,6 +8577,20 @@ free_vcpu:
        return ERR_PTR(err);
 }
 
+#define L1TF_MSG "SMT enabled with L1TF CPU bug present. Refer to CVE-2018-3646 for details.\n"
+
+static int vmx_vm_init(struct kvm *kvm)
+{
+       if (boot_cpu_has(X86_BUG_L1TF) && cpu_smt_control == CPU_SMT_ENABLED) {
+               if (nosmt) {
+                       pr_err(L1TF_MSG);
+                       return -EOPNOTSUPP;
+               }
+               pr_warn(L1TF_MSG);
+       }
+       return 0;
+}
+
 static void __init vmx_check_processor_compat(void *rtn)
 {
        struct vmcs_config vmcs_conf;
@@ -10328,6 +10345,8 @@ static struct kvm_x86_ops vmx_x86_ops = {
        .cpu_has_accelerated_tpr = report_flexpriority,
        .has_emulated_msr = vmx_has_emulated_msr,
 
+       .vm_init = vmx_vm_init,
+
        .vcpu_create = vmx_create_vcpu,
        .vcpu_free = vmx_free_vcpu,
        .vcpu_reset = vmx_vcpu_reset,
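Review bot: `pr_warn(L1TF_MSG)` in vmx_vm_init fires on every VM creation even though the condition it reports (L1TF bug present and SMT enabled) is a host property that does not change between calls, so repeated VM creation by any user with access to /dev/kvm fills the kernel log; the `pr_err` on the nosmt refusal path has the same problem. Both should be emitted once, `pr_warn_once(L1TF_MSG);` and `pr_err_once(L1TF_MSG);`, and the message would help an administrator more if it named the remedy (disable SMT via `nosmt` or the `cpu/smt/control` sysfs knob, or set `kvm-intel.nosmt`). Note also that `cpu_smt_control` is defined and exported only under `CONFIG_HOTPLUG_SMT` in the kernel/cpu.c section while vmx.c reads it unconditionally, so unless a header supplies a fallback for the !CONFIG_HOTPLUG_SMT case the module will not build; and because the value is read only at VM creation, a VM created with SMT off keeps running if SMT is later re-enabled through sysfs, which is worth a comment above the function. Separately, `module_param(nosmt, bool, S_IRUGO);` in the first hunk sits next to `module_param_named(vpid, enable_vpid, bool, 0444);`, so the octal `0444` form would match the surrounding code.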
index 0383a1eee12e9e2c1473c86c94fb5d9077ac5b91..2e6cac10e8e0ab450d5a5a426187916136f7a09f 100644 (file)
@@ -497,6 +497,7 @@ void __cpuinit smpboot_thread_init(void)
 
 #ifdef CONFIG_HOTPLUG_SMT
 enum cpuhp_smt_control cpu_smt_control __read_mostly = CPU_SMT_ENABLED;
+EXPORT_SYMBOL_GPL(cpu_smt_control);
 
 static int __init smt_cmdline_disable(char *str)
 {