KVM: VMX: Don't rely _only_ on CPUID to enforce XCR0 restrictions for ECREATE

Explicitly check the vCPU's supported XCR0 when determining whether or not
the XFRM for ECREATE is valid.  Checking CPUID works because KVM updates
guest CPUID.0x12.1 to restrict the leaf to a subset of the guest's allowed
XCR0, but that is rather subtle and KVM should not modify guest CPUID
except for modeling true runtime behavior (allowed XFRM is most definitely
not "runtime" behavior).

Reviewed-by: Kai Huang <kai.huang@intel.com>
Tested-by: Kai Huang <kai.huang@intel.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20230503160838.3412617-2-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

diff --git a/arch/x86/kvm/vmx/sgx.c b/arch/x86/kvm/vmx/sgx.c
index 0574030b071fbfea9ed7943da13c5d32942b4b14..2261b684a7d4475ab78107114aa5cb8dd5b2179e 100644 (file)
--- a/arch/x86/kvm/vmx/sgx.c
+++ b/arch/x86/kvm/vmx/sgx.c
@@ -170,12 +170,19 @@ static int __handle_encls_ecreate(struct kvm_vcpu *vcpu,
                return 1;
        }
 
-       /* Enforce CPUID restrictions on MISCSELECT, ATTRIBUTES and XFRM. */
+       /*
+        * Enforce CPUID restrictions on MISCSELECT, ATTRIBUTES and XFRM.  Note
+        * that the allowed XFRM (XFeature Request Mask) isn't strictly bound
+        * by the supported XCR0.  FP+SSE *must* be set in XFRM, even if XSAVE
+        * is unsupported, i.e. even if XCR0 itself is completely unsupported.
+        */
        if ((u32)miscselect & ~sgx_12_0->ebx ||
            (u32)attributes & ~sgx_12_1->eax ||
            (u32)(attributes >> 32) & ~sgx_12_1->ebx ||
            (u32)xfrm & ~sgx_12_1->ecx ||
-           (u32)(xfrm >> 32) & ~sgx_12_1->edx) {
+           (u32)(xfrm >> 32) & ~sgx_12_1->edx ||
+           xfrm & ~(vcpu->arch.guest_supported_xcr0 | XFEATURE_MASK_FPSSE) ||
+           (xfrm & XFEATURE_MASK_FPSSE) != XFEATURE_MASK_FPSSE) {
                kvm_inject_gp(vcpu, 0);
                return 1;
        }