feat_ctl.c source code [linux/arch/x86/kernel/cpu/feat_ctl.c]

1	// SPDX-License-Identifier: GPL-2.0
2	#include <linux/tboot.h>
3
4	#include <asm/cpu.h>
5	#include <asm/cpufeature.h>
6	#include <asm/msr-index.h>
7	#include <asm/processor.h>
8	#include <asm/vmx.h>
9
10	#undef pr_fmt
11	#define pr_fmt(fmt) "x86/cpu: " fmt
12
13	#ifdef CONFIG_X86_VMX_FEATURE_NAMES
14	enum vmx_feature_leafs {
15	MISC_FEATURES = `0`,
16	PRIMARY_CTLS,
17	SECONDARY_CTLS,
18	TERTIARY_CTLS_LOW,
19	TERTIARY_CTLS_HIGH,
20	NR_VMX_FEATURE_WORDS,
21	};
22
23	#define VMX_F(x) BIT(VMX_FEATURE_##x & 0x1f)
24
25	static void init_vmx_capabilities(struct cpuinfo_x86 *c)
26	{
27	u32 supported, funcs, ept, vpid, ign, low, high;
28
29	BUILD_BUG_ON(NVMXINTS != NR_VMX_FEATURE_WORDS);
30
31	/*
32	* The high bits contain the allowed-1 settings, i.e. features that can
33	* be turned on. The low bits contain the allowed-0 settings, i.e.
34	* features that can be turned off. Ignore the allowed-0 settings,
35	* if a feature can be turned on then it's supported.
36	*
37	* Use raw rdmsr() for primary processor controls and pin controls MSRs
38	* as they exist on any CPU that supports VMX, i.e. we want the WARN if
39	* the RDMSR faults.
40	*/
41	rdmsr(MSR_IA32_VMX_PROCBASED_CTLS, ign, supported);
42	c->vmx_capability[PRIMARY_CTLS] = supported;
43
44	rdmsr_safe(MSR_IA32_VMX_PROCBASED_CTLS2, &ign, &supported);
45	c->vmx_capability[SECONDARY_CTLS] = supported;
46
47	/ All 64 bits of tertiary controls MSR are allowed-1 settings. /
48	rdmsr_safe(MSR_IA32_VMX_PROCBASED_CTLS3, &low, &high);
49	c->vmx_capability[TERTIARY_CTLS_LOW] = low;
50	c->vmx_capability[TERTIARY_CTLS_HIGH] = high;
51
52	rdmsr(MSR_IA32_VMX_PINBASED_CTLS, ign, supported);
53	rdmsr_safe(MSR_IA32_VMX_VMFUNC, &ign, &funcs);
54
55	/*
56	* Except for EPT+VPID, which enumerates support for both in a single
57	* MSR, low for EPT, high for VPID.
58	*/
59	rdmsr_safe(MSR_IA32_VMX_EPT_VPID_CAP, &ept, &vpid);
60
61	/ Pin, EPT, VPID and VM-Func are merged into a single word. /
62	WARN_ON_ONCE(supported >> `16`);
63	WARN_ON_ONCE(funcs >> `4`);
64	c->vmx_capability[MISC_FEATURES] = (supported & `0xffff`) \|
65	((vpid & `0x1`) << `16`) \|
66	((funcs & `0xf`) << `28`);
67
68	/ EPT bits are full on scattered and must be manually handled. /
69	if (ept & VMX_EPT_EXECUTE_ONLY_BIT)
70	c->vmx_capability[MISC_FEATURES] \|= VMX_F(EPT_EXECUTE_ONLY);
71	if (ept & VMX_EPT_AD_BIT)
72	c->vmx_capability[MISC_FEATURES] \|= VMX_F(EPT_AD);
73	if (ept & VMX_EPT_1GB_PAGE_BIT)
74	c->vmx_capability[MISC_FEATURES] \|= VMX_F(EPT_1GB);
75	if (ept & VMX_EPT_PAGE_WALK_5_BIT)
76	c->vmx_capability[MISC_FEATURES] \|= VMX_F(EPT_5LEVEL);
77
78	/ Synthetic APIC features that are aggregates of multiple features. /
79	if ((c->vmx_capability[PRIMARY_CTLS] & VMX_F(VIRTUAL_TPR)) &&
80	(c->vmx_capability[SECONDARY_CTLS] & VMX_F(VIRT_APIC_ACCESSES)))
81	c->vmx_capability[MISC_FEATURES] \|= VMX_F(FLEXPRIORITY);
82
83	if ((c->vmx_capability[PRIMARY_CTLS] & VMX_F(VIRTUAL_TPR)) &&
84	(c->vmx_capability[SECONDARY_CTLS] & VMX_F(APIC_REGISTER_VIRT)) &&
85	(c->vmx_capability[SECONDARY_CTLS] & VMX_F(VIRT_INTR_DELIVERY)) &&
86	(c->vmx_capability[MISC_FEATURES] & VMX_F(POSTED_INTR)))
87	c->vmx_capability[MISC_FEATURES] \|= VMX_F(APICV);
88
89	/ Set the synthetic cpufeatures to preserve /proc/cpuinfo's ABI. /
90	if (c->vmx_capability[PRIMARY_CTLS] & VMX_F(VIRTUAL_TPR))
91	set_cpu_cap(c, X86_FEATURE_TPR_SHADOW);
92	if (c->vmx_capability[MISC_FEATURES] & VMX_F(FLEXPRIORITY))
93	set_cpu_cap(c, X86_FEATURE_FLEXPRIORITY);
94	if (c->vmx_capability[MISC_FEATURES] & VMX_F(VIRTUAL_NMIS))
95	set_cpu_cap(c, X86_FEATURE_VNMI);
96	if (c->vmx_capability[SECONDARY_CTLS] & VMX_F(EPT))
97	set_cpu_cap(c, X86_FEATURE_EPT);
98	if (c->vmx_capability[MISC_FEATURES] & VMX_F(EPT_AD))
99	set_cpu_cap(c, X86_FEATURE_EPT_AD);
100	if (c->vmx_capability[MISC_FEATURES] & VMX_F(VPID))
101	set_cpu_cap(c, X86_FEATURE_VPID);
102	}
103	#endif /* CONFIG_X86_VMX_FEATURE_NAMES */
104
105	static int __init nosgx(char *str)
106	{
107	setup_clear_cpu_cap(X86_FEATURE_SGX);
108
109	return `0`;
110	}
111
112	early_param("nosgx", nosgx);
113
114	void init_ia32_feat_ctl(struct cpuinfo_x86 *c)
115	{
116	bool enable_sgx_kvm = false, enable_sgx_driver = false;
117	bool tboot = tboot_enabled();
118	bool enable_vmx;
119	u64 msr;
120
121	if (rdmsrl_safe(MSR_IA32_FEAT_CTL, p: &msr)) {
122	clear_cpu_cap(c, X86_FEATURE_VMX);
123	clear_cpu_cap(c, X86_FEATURE_SGX);
124	return;
125	}
126
127	enable_vmx = cpu_has(c, X86_FEATURE_VMX) &&
128	IS_ENABLED(CONFIG_KVM_INTEL);
129
130	if (cpu_has(c, X86_FEATURE_SGX) && IS_ENABLED(CONFIG_X86_SGX)) {
131	/*
132	* Separate out SGX driver enabling from KVM. This allows KVM
133	* guests to use SGX even if the kernel SGX driver refuses to
134	* use it. This happens if flexible Launch Control is not
135	* available.
136	*/
137	enable_sgx_driver = cpu_has(c, X86_FEATURE_SGX_LC);
138	enable_sgx_kvm = enable_vmx && IS_ENABLED(CONFIG_X86_SGX_KVM);
139	}
140
141	if (msr & FEAT_CTL_LOCKED)
142	goto update_caps;
143
144	/*
145	* Ignore whatever value BIOS left in the MSR to avoid enabling random
146	* features or faulting on the WRMSR.
147	*/
148	msr = FEAT_CTL_LOCKED;
149
150	/*
151	* Enable VMX if and only if the kernel may do VMXON at some point,
152	* i.e. KVM is enabled, to avoid unnecessarily adding an attack vector
153	* for the kernel, e.g. using VMX to hide malicious code.
154	*/
155	if (enable_vmx) {
156	msr \|= FEAT_CTL_VMX_ENABLED_OUTSIDE_SMX;
157
158	if (tboot)
159	msr \|= FEAT_CTL_VMX_ENABLED_INSIDE_SMX;
160	}
161
162	if (enable_sgx_kvm \|\| enable_sgx_driver) {
163	msr \|= FEAT_CTL_SGX_ENABLED;
164	if (enable_sgx_driver)
165	msr \|= FEAT_CTL_SGX_LC_ENABLED;
166	}
167
168	wrmsrl(MSR_IA32_FEAT_CTL, val: msr);
169
170	update_caps:
171	set_cpu_cap(c, X86_FEATURE_MSR_IA32_FEAT_CTL);
172
173	if (!cpu_has(c, X86_FEATURE_VMX))
174	goto update_sgx;
175
176	if ( (tboot && !(msr & FEAT_CTL_VMX_ENABLED_INSIDE_SMX)) \|\|
177	(!tboot && !(msr & FEAT_CTL_VMX_ENABLED_OUTSIDE_SMX))) {
178	if (IS_ENABLED(CONFIG_KVM_INTEL))
179	pr_err_once("VMX (%s TXT) disabled by BIOS\n",
180	tboot ? "inside" : "outside");
181	clear_cpu_cap(c, X86_FEATURE_VMX);
182	} else {
183	#ifdef CONFIG_X86_VMX_FEATURE_NAMES
184	init_vmx_capabilities(c);
185	#endif
186	}
187
188	update_sgx:
189	if (!(msr & FEAT_CTL_SGX_ENABLED)) {
190	if (enable_sgx_kvm \|\| enable_sgx_driver)
191	pr_err_once("SGX disabled by BIOS.\n");
192	clear_cpu_cap(c, X86_FEATURE_SGX);
193	return;
194	}
195
196	/*
197	* VMX feature bit may be cleared due to being disabled in BIOS,
198	* in which case SGX virtualization cannot be supported either.
199	*/
200	if (!cpu_has(c, X86_FEATURE_VMX) && enable_sgx_kvm) {
201	pr_err_once("SGX virtualization disabled due to lack of VMX.\n");
202	enable_sgx_kvm = `0`;
203	}
204
205	if (!(msr & FEAT_CTL_SGX_LC_ENABLED) && enable_sgx_driver) {
206	if (!enable_sgx_kvm) {
207	pr_err_once("SGX Launch Control is locked. Disable SGX.\n");
208	clear_cpu_cap(c, X86_FEATURE_SGX);
209	} else {
210	pr_err_once("SGX Launch Control is locked. Support SGX virtualization only.\n");
211	clear_cpu_cap(c, X86_FEATURE_SGX_LC);
212	}
213	}
214	}
215

source code of linux/arch/x86/kernel/cpu/feat_ctl.c