KVM: SVM: Guest FPU state save/restore not needed for SEV-ES guest

The guest FPU state is automatically restored on VMRUN and saved on VMEXIT
by the hardware, so there is no reason to do this in KVM. Eliminate the
allocation of the guest_fpu save area and key off that to skip operations
related to the guest FPU state.

Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Message-Id: <173e429b4d0d962c6a443c4553ffdaf31b7665a4.1607620209.git.thomas.lendacky@amd.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index 2b6f168436c8d81a7d5ff48db2544f569e865639..39707e72b062f861d0dada94668a5945a42e121c 100644 (file)
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -1477,6 +1477,8 @@ void kvm_vcpu_deliver_sipi_vector(struct kvm_vcpu *vcpu, u8 vector);
 int kvm_task_switch(struct kvm_vcpu *vcpu, u16 tss_selector, int idt_index,
                    int reason, bool has_error_code, u32 error_code);
 
+void kvm_free_guest_fpu(struct kvm_vcpu *vcpu);
+
 void kvm_post_set_cr0(struct kvm_vcpu *vcpu, unsigned long old_cr0, unsigned long cr0);
 void kvm_post_set_cr4(struct kvm_vcpu *vcpu, unsigned long old_cr4, unsigned long cr4);
 int kvm_set_cr0(struct kvm_vcpu *vcpu, unsigned long cr0);

diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
index 6064a6035dbbdef955e5829a720ad1add1bdf7fb..f1c32cdc9d49099dea3ad4f8a56e7dd2426f25a0 100644 (file)
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -1317,6 +1317,14 @@ static int svm_create_vcpu(struct kvm_vcpu *vcpu)
                vmsa_page = alloc_page(GFP_KERNEL_ACCOUNT | __GFP_ZERO);
                if (!vmsa_page)
                        goto error_free_vmcb_page;
+
+               /*
+                * SEV-ES guests maintain an encrypted version of their FPU
+                * state which is restored and saved on VMRUN and VMEXIT.
+                * Free the fpu structure to prevent KVM from attempting to
+                * access the FPU state.
+                */
+               kvm_free_guest_fpu(vcpu);
        }
 
        err = avic_init_vcpu(svm);

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index ba8e6a9b1a77018c79ab68488e484b09739ae658..eea0e9fed62a9c4fe3f8abfcabc2598c0b66d4eb 100644 (file)
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -4503,6 +4503,9 @@ static void load_xsave(struct kvm_vcpu *vcpu, u8 *src)
 static void kvm_vcpu_ioctl_x86_get_xsave(struct kvm_vcpu *vcpu,
                                         struct kvm_xsave *guest_xsave)
 {
+       if (!vcpu->arch.guest_fpu)
+               return;
+
        if (boot_cpu_has(X86_FEATURE_XSAVE)) {
                memset(guest_xsave, 0, sizeof(struct kvm_xsave));
                fill_xsave((u8 *) guest_xsave->region, vcpu);
@@ -4520,9 +4523,14 @@ static void kvm_vcpu_ioctl_x86_get_xsave(struct kvm_vcpu *vcpu,
 static int kvm_vcpu_ioctl_x86_set_xsave(struct kvm_vcpu *vcpu,
                                        struct kvm_xsave *guest_xsave)
 {
-       u64 xstate_bv =
-               *(u64 *)&guest_xsave->region[XSAVE_HDR_OFFSET / sizeof(u32)];
-       u32 mxcsr = *(u32 *)&guest_xsave->region[XSAVE_MXCSR_OFFSET / sizeof(u32)];
+       u64 xstate_bv;
+       u32 mxcsr;
+
+       if (!vcpu->arch.guest_fpu)
+               return 0;
+
+       xstate_bv = *(u64 *)&guest_xsave->region[XSAVE_HDR_OFFSET / sizeof(u32)];
+       mxcsr = *(u32 *)&guest_xsave->region[XSAVE_MXCSR_OFFSET / sizeof(u32)];
 
        if (boot_cpu_has(X86_FEATURE_XSAVE)) {
                /*
@@ -9245,9 +9253,14 @@ static void kvm_load_guest_fpu(struct kvm_vcpu *vcpu)
 
        kvm_save_current_fpu(vcpu->arch.user_fpu);
 
-       /* PKRU is separately restored in kvm_x86_ops.run.  */
-       __copy_kernel_to_fpregs(&vcpu->arch.guest_fpu->state,
-                               ~XFEATURE_MASK_PKRU);
+       /*
+        * Guests with protected state can't have it set by the hypervisor,
+        * so skip trying to set it.
+        */
+       if (vcpu->arch.guest_fpu)
+               /* PKRU is separately restored in kvm_x86_ops.run. */
+               __copy_kernel_to_fpregs(&vcpu->arch.guest_fpu->state,
+                                       ~XFEATURE_MASK_PKRU);
 
        fpregs_mark_activate();
        fpregs_unlock();
@@ -9260,7 +9273,12 @@ static void kvm_put_guest_fpu(struct kvm_vcpu *vcpu)
 {
        fpregs_lock();
 
-       kvm_save_current_fpu(vcpu->arch.guest_fpu);
+       /*
+        * Guests with protected state can't have it read by the hypervisor,
+        * so skip trying to save it.
+        */
+       if (vcpu->arch.guest_fpu)
+               kvm_save_current_fpu(vcpu->arch.guest_fpu);
 
        copy_kernel_to_fpregs(&vcpu->arch.user_fpu->state);
 
@@ -9770,6 +9788,9 @@ int kvm_arch_vcpu_ioctl_get_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
 {
        struct fxregs_state *fxsave;
 
+       if (!vcpu->arch.guest_fpu)
+               return 0;
+
        vcpu_load(vcpu);
 
        fxsave = &vcpu->arch.guest_fpu->state.fxsave;
@@ -9790,6 +9811,9 @@ int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
 {
        struct fxregs_state *fxsave;
 
+       if (!vcpu->arch.guest_fpu)
+               return 0;
+
        vcpu_load(vcpu);
 
        fxsave = &vcpu->arch.guest_fpu->state.fxsave;
@@ -9848,6 +9872,9 @@ static int sync_regs(struct kvm_vcpu *vcpu)
 
 static void fx_init(struct kvm_vcpu *vcpu)
 {
+       if (!vcpu->arch.guest_fpu)
+               return;
+
        fpstate_init(&vcpu->arch.guest_fpu->state);
        if (boot_cpu_has(X86_FEATURE_XSAVES))
                vcpu->arch.guest_fpu->state.xsave.header.xcomp_bv =
@@ -9861,6 +9888,15 @@ static void fx_init(struct kvm_vcpu *vcpu)
        vcpu->arch.cr0 |= X86_CR0_ET;
 }
 
+void kvm_free_guest_fpu(struct kvm_vcpu *vcpu)
+{
+       if (vcpu->arch.guest_fpu) {
+               kmem_cache_free(x86_fpu_cache, vcpu->arch.guest_fpu);
+               vcpu->arch.guest_fpu = NULL;
+       }
+}
+EXPORT_SYMBOL_GPL(kvm_free_guest_fpu);
+
 int kvm_arch_vcpu_precreate(struct kvm *kvm, unsigned int id)
 {
        if (kvm_check_tsc_unstable() && atomic_read(&kvm->online_vcpus) != 0)
@@ -9956,7 +9992,7 @@ int kvm_arch_vcpu_create(struct kvm_vcpu *vcpu)
        return 0;
 
 free_guest_fpu:
-       kmem_cache_free(x86_fpu_cache, vcpu->arch.guest_fpu);
+       kvm_free_guest_fpu(vcpu);
 free_user_fpu:
        kmem_cache_free(x86_fpu_cache, vcpu->arch.user_fpu);
 free_emulate_ctxt:
@@ -10010,7 +10046,7 @@ void kvm_arch_vcpu_destroy(struct kvm_vcpu *vcpu)
        kmem_cache_free(x86_emulator_cache, vcpu->arch.emulate_ctxt);
        free_cpumask_var(vcpu->arch.wbinvd_dirty_mask);
        kmem_cache_free(x86_fpu_cache, vcpu->arch.user_fpu);
-       kmem_cache_free(x86_fpu_cache, vcpu->arch.guest_fpu);
+       kvm_free_guest_fpu(vcpu);
 
        kvm_hv_vcpu_uninit(vcpu);
        kvm_pmu_destroy(vcpu);
@@ -10058,7 +10094,7 @@ void kvm_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event)
        kvm_async_pf_hash_reset(vcpu);
        vcpu->arch.apf.halted = false;
 
-       if (kvm_mpx_supported()) {
+       if (vcpu->arch.guest_fpu && kvm_mpx_supported()) {
                void *mpx_state_buffer;
 
                /*