Skip to content

Commit 71471ef

Browse files
esposemmcarlin-ds
esposem
authored and
mcarlin-ds
committed
KVM: VMX: fully disable SGX if SECONDARY_EXEC_ENCLS_EXITING unavailable
commit 1c1a414 upstream. Clear enable_sgx if ENCLS-exiting is not supported, i.e. if SGX cannot be virtualized. When KVM is loaded, adjust_vmx_controls checks that the bit is available before enabling the feature; however, other parts of the code check enable_sgx and not clearing the variable caused two different bugs, mostly affecting nested virtualization scenarios. First, because enable_sgx remained true, SECONDARY_EXEC_ENCLS_EXITING would be marked available in the capability MSR that are accessed by a nested hypervisor. KVM would then propagate the control from vmcs12 to vmcs02 even if it isn't supported by the processor, thus causing an unexpected VM-Fail (exit code 0x7) in L1. Second, vmx_set_cpu_caps() would not clear the SGX bits when hardware support is unavailable. This is a much less problematic bug as it only happens if SGX is soft-disabled (available in the processor but hidden in CPUID) or if SGX is supported for bare metal but not in the VMCS (will never happen when running on bare metal, but can theoertically happen when running in a VM). Last but not least, this ensures that module params in sysfs reflect KVM's actual configuration. RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2127128 Fixes: 72add91 ("KVM: VMX: Enable SGX virtualization for SGX1, SGX2 and LC") Cc: stable@vger.kernel.org Suggested-by: Sean Christopherson <seanjc@google.com> Suggested-by: Bandan Das <bsd@redhat.com> Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com> Message-Id: <20221025123749.2201649-1-eesposit@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 parent 466e4ca commit 71471ef

File tree

1 file changed

+5
-0
lines changed

1 file changed

+5
-0
lines changed

arch/x86/kvm/vmx/vmx.c

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7902,6 +7902,11 @@ static __init int hardware_setup(void)
79027902
if (!cpu_has_virtual_nmis())
79037903
enable_vnmi = 0;
79047904

7905+
#ifdef CONFIG_X86_SGX_KVM
7906+
if (!cpu_has_vmx_encls_vmexit())
7907+
enable_sgx = false;
7908+
#endif
7909+
79057910
/*
79067911
* set_apic_access_page_addr() is used to reload apic access
79077912
* page upon invalidation. No need to do anything if not

0 commit comments

Comments
 (0)