feat_ctl.c source code [linux/arch/x86/kernel/cpu/feat_ctl.c]

1	// SPDX-License-Identifier: GPL-2.0
2	#include <linux/tboot.h>
3
4	#include <asm/cpu.h>
5	#include <asm/cpufeature.h>
6	#include <asm/msr-index.h>
7	#include <asm/msr.h>
8	#include <asm/processor.h>
9	#include <asm/vmx.h>
10
11	#undef pr_fmt
12	#define pr_fmt(fmt) "x86/cpu: " fmt
13
14	#ifdef CONFIG_X86_VMX_FEATURE_NAMES
15	enum vmx_feature_leafs {
16	MISC_FEATURES = `0`,
17	PRIMARY_CTLS,
18	SECONDARY_CTLS,
19	TERTIARY_CTLS_LOW,
20	TERTIARY_CTLS_HIGH,
21	NR_VMX_FEATURE_WORDS,
22	};
23
24	#define VMX_F(x) BIT(VMX_FEATURE_##x & 0x1f)
25
26	static void init_vmx_capabilities(struct cpuinfo_x86 *c)
27	{
28	u32 supported, funcs, ept, vpid, ign, low, high;
29
30	BUILD_BUG_ON(NVMXINTS != NR_VMX_FEATURE_WORDS);
31
32	/*
33	* The high bits contain the allowed-1 settings, i.e. features that can
34	* be turned on. The low bits contain the allowed-0 settings, i.e.
35	* features that can be turned off. Ignore the allowed-0 settings,
36	* if a feature can be turned on then it's supported.
37	*
38	* Use raw rdmsr() for primary processor controls and pin controls MSRs
39	* as they exist on any CPU that supports VMX, i.e. we want the WARN if
40	* the RDMSR faults.
41	*/
42	rdmsr(MSR_IA32_VMX_PROCBASED_CTLS, ign, supported);
43	c->vmx_capability[PRIMARY_CTLS] = supported;
44
45	rdmsr_safe(MSR_IA32_VMX_PROCBASED_CTLS2, &ign, &supported);
46	c->vmx_capability[SECONDARY_CTLS] = supported;
47
48	/ All 64 bits of tertiary controls MSR are allowed-1 settings. /
49	rdmsr_safe(MSR_IA32_VMX_PROCBASED_CTLS3, &low, &high);
50	c->vmx_capability[TERTIARY_CTLS_LOW] = low;
51	c->vmx_capability[TERTIARY_CTLS_HIGH] = high;
52
53	rdmsr(MSR_IA32_VMX_PINBASED_CTLS, ign, supported);
54	rdmsr_safe(MSR_IA32_VMX_VMFUNC, &ign, &funcs);
55
56	/*
57	* Except for EPT+VPID, which enumerates support for both in a single
58	* MSR, low for EPT, high for VPID.
59	*/
60	rdmsr_safe(MSR_IA32_VMX_EPT_VPID_CAP, &ept, &vpid);
61
62	/ Pin, EPT, VPID and VM-Func are merged into a single word. /
63	WARN_ON_ONCE(supported >> `16`);
64	WARN_ON_ONCE(funcs >> `4`);
65	c->vmx_capability[MISC_FEATURES] = (supported & `0xffff`) \|
66	((vpid & `0x1`) << `16`) \|
67	((funcs & `0xf`) << `28`);
68
69	/ EPT bits are full on scattered and must be manually handled. /
70	if (ept & VMX_EPT_EXECUTE_ONLY_BIT)
71	c->vmx_capability[MISC_FEATURES] \|= VMX_F(EPT_EXECUTE_ONLY);
72	if (ept & VMX_EPT_AD_BIT)
73	c->vmx_capability[MISC_FEATURES] \|= VMX_F(EPT_AD);
74	if (ept & VMX_EPT_1GB_PAGE_BIT)
75	c->vmx_capability[MISC_FEATURES] \|= VMX_F(EPT_1GB);
76	if (ept & VMX_EPT_PAGE_WALK_5_BIT)
77	c->vmx_capability[MISC_FEATURES] \|= VMX_F(EPT_5LEVEL);
78
79	/ Synthetic APIC features that are aggregates of multiple features. /
80	if ((c->vmx_capability[PRIMARY_CTLS] & VMX_F(VIRTUAL_TPR)) &&
81	(c->vmx_capability[SECONDARY_CTLS] & VMX_F(VIRT_APIC_ACCESSES)))
82	c->vmx_capability[MISC_FEATURES] \|= VMX_F(FLEXPRIORITY);
83
84	if ((c->vmx_capability[PRIMARY_CTLS] & VMX_F(VIRTUAL_TPR)) &&
85	(c->vmx_capability[SECONDARY_CTLS] & VMX_F(APIC_REGISTER_VIRT)) &&
86	(c->vmx_capability[SECONDARY_CTLS] & VMX_F(VIRT_INTR_DELIVERY)) &&
87	(c->vmx_capability[MISC_FEATURES] & VMX_F(POSTED_INTR)))
88	c->vmx_capability[MISC_FEATURES] \|= VMX_F(APICV);
89
90	/ Set the synthetic cpufeatures to preserve /proc/cpuinfo's ABI. /
91	if (c->vmx_capability[PRIMARY_CTLS] & VMX_F(VIRTUAL_TPR))
92	set_cpu_cap(c, X86_FEATURE_TPR_SHADOW);
93	if (c->vmx_capability[MISC_FEATURES] & VMX_F(FLEXPRIORITY))
94	set_cpu_cap(c, X86_FEATURE_FLEXPRIORITY);
95	if (c->vmx_capability[MISC_FEATURES] & VMX_F(VIRTUAL_NMIS))
96	set_cpu_cap(c, X86_FEATURE_VNMI);
97	if (c->vmx_capability[SECONDARY_CTLS] & VMX_F(EPT))
98	set_cpu_cap(c, X86_FEATURE_EPT);
99	if (c->vmx_capability[MISC_FEATURES] & VMX_F(EPT_AD))
100	set_cpu_cap(c, X86_FEATURE_EPT_AD);
101	if (c->vmx_capability[MISC_FEATURES] & VMX_F(VPID))
102	set_cpu_cap(c, X86_FEATURE_VPID);
103	}
104	#endif /* CONFIG_X86_VMX_FEATURE_NAMES */
105
106	static int __init nosgx(char *str)
107	{
108	setup_clear_cpu_cap(X86_FEATURE_SGX);
109
110	return `0`;
111	}
112
113	early_param("nosgx", nosgx);
114
115	void init_ia32_feat_ctl(struct cpuinfo_x86 *c)
116	{
117	bool enable_sgx_kvm = false, enable_sgx_driver = false;
118	bool tboot = tboot_enabled();
119	bool enable_vmx;
120	u64 msr;
121
122	if (rdmsrq_safe(MSR_IA32_FEAT_CTL, p: &msr)) {
123	clear_cpu_cap(c, X86_FEATURE_VMX);
124	clear_cpu_cap(c, X86_FEATURE_SGX);
125	return;
126	}
127
128	enable_vmx = cpu_has(c, X86_FEATURE_VMX) &&
129	IS_ENABLED(CONFIG_KVM_INTEL);
130
131	if (cpu_has(c, X86_FEATURE_SGX) && IS_ENABLED(CONFIG_X86_SGX)) {
132	/*
133	* Separate out SGX driver enabling from KVM. This allows KVM
134	* guests to use SGX even if the kernel SGX driver refuses to
135	* use it. This happens if flexible Launch Control is not
136	* available.
137	*/
138	enable_sgx_driver = cpu_has(c, X86_FEATURE_SGX_LC);
139	enable_sgx_kvm = enable_vmx && IS_ENABLED(CONFIG_X86_SGX_KVM);
140	}
141
142	if (msr & FEAT_CTL_LOCKED)
143	goto update_caps;
144
145	/*
146	* Ignore whatever value BIOS left in the MSR to avoid enabling random
147	* features or faulting on the WRMSR.
148	*/
149	msr = FEAT_CTL_LOCKED;
150
151	/*
152	* Enable VMX if and only if the kernel may do VMXON at some point,
153	* i.e. KVM is enabled, to avoid unnecessarily adding an attack vector
154	* for the kernel, e.g. using VMX to hide malicious code.
155	*/
156	if (enable_vmx) {
157	msr \|= FEAT_CTL_VMX_ENABLED_OUTSIDE_SMX;
158
159	if (tboot)
160	msr \|= FEAT_CTL_VMX_ENABLED_INSIDE_SMX;
161	}
162
163	if (enable_sgx_kvm \|\| enable_sgx_driver) {
164	msr \|= FEAT_CTL_SGX_ENABLED;
165	if (enable_sgx_driver)
166	msr \|= FEAT_CTL_SGX_LC_ENABLED;
167	}
168
169	wrmsrq(MSR_IA32_FEAT_CTL, val: msr);
170
171	update_caps:
172	set_cpu_cap(c, X86_FEATURE_MSR_IA32_FEAT_CTL);
173
174	if (!cpu_has(c, X86_FEATURE_VMX))
175	goto update_sgx;
176
177	if ( (tboot && !(msr & FEAT_CTL_VMX_ENABLED_INSIDE_SMX)) \|\|
178	(!tboot && !(msr & FEAT_CTL_VMX_ENABLED_OUTSIDE_SMX))) {
179	if (IS_ENABLED(CONFIG_KVM_INTEL))
180	pr_err_once("VMX (%s TXT) disabled by BIOS\n",
181	tboot ? "inside" : "outside");
182	clear_cpu_cap(c, X86_FEATURE_VMX);
183	} else {
184	#ifdef CONFIG_X86_VMX_FEATURE_NAMES
185	init_vmx_capabilities(c);
186	#endif
187	}
188
189	update_sgx:
190	if (!(msr & FEAT_CTL_SGX_ENABLED)) {
191	if (enable_sgx_kvm \|\| enable_sgx_driver)
192	pr_err_once("SGX disabled or unsupported by BIOS.\n");
193	clear_cpu_cap(c, X86_FEATURE_SGX);
194	return;
195	}
196
197	/*
198	* VMX feature bit may be cleared due to being disabled in BIOS,
199	* in which case SGX virtualization cannot be supported either.
200	*/
201	if (!cpu_has(c, X86_FEATURE_VMX) && enable_sgx_kvm) {
202	pr_err_once("SGX virtualization disabled due to lack of VMX.\n");
203	enable_sgx_kvm = `0`;
204	}
205
206	if (!(msr & FEAT_CTL_SGX_LC_ENABLED) && enable_sgx_driver) {
207	if (!enable_sgx_kvm) {
208	pr_err_once("SGX Launch Control is locked. Disable SGX.\n");
209	clear_cpu_cap(c, X86_FEATURE_SGX);
210	} else {
211	pr_err_once("SGX Launch Control is locked. Support SGX virtualization only.\n");
212	clear_cpu_cap(c, X86_FEATURE_SGX_LC);
213	}
214	}
215	}
216

source code of linux/arch/x86/kernel/cpu/feat_ctl.c