1/* SPDX-License-Identifier: GPL-2.0 */ 2#include <linux/linkage.h> 3#include <asm/asm.h> 4#include <asm/bitsperlong.h> 5#include <asm/nospec-branch.h> 6#include <asm/percpu.h> 7#include <asm/segment.h> 8#include "kvm-asm-offsets.h" 9#include "vmenter.h" 10 11.section .noinstr.text, "ax" 12 13/** 14 * __vmx_vcpu_run - Run a vCPU via a transition to VMX guest mode 15 * @vmx: struct vcpu_vmx * 16 * @flags: KVM_ENTER_VMRESUME: use VMRESUME instead of VMLAUNCH 17 * KVM_ENTER_SAVE_SPEC_CTRL: save guest SPEC_CTRL into vmx->spec_ctrl 18 * KVM_ENTER_CLEAR_CPU_BUFFERS_FOR_MMIO: vCPU can access host MMIO 19 * 20 * Returns: 21 * 0 on VM-Exit, 1 on VM-Fail 22 */ 23SYM_FUNC_START(__vmx_vcpu_run) 24 push %_ASM_BP 25 mov %_ASM_SP, %_ASM_BP 26#ifdef CONFIG_X86_64 27 push %r15 28 push %r14 29 push %r13 30 push %r12 31#else 32 push %edi 33 push %esi 34#endif 35 push %_ASM_BX 36 37 /* Save @vmx for SPEC_CTRL handling */ 38 push %_ASM_ARG1 39 40 /* Save @flags (used for VMLAUNCH vs. VMRESUME and mitigations). */ 41 push %_ASM_ARG2 42 43 lea (%_ASM_SP), %_ASM_ARG2 44 call vmx_update_host_rsp 45 46 /* Reload @vmx, _ASM_ARG1 may be modified by vmx_update_host_rsp(). */ 47 mov WORD_SIZE(%_ASM_SP), %_ASM_DI 48 49 /* 50 * Unlike AMD there's no V_SPEC_CTRL here, so do not leave the body 51 * out of line. Clobbers RAX, RCX, RDX, RSI. 52 */ 53 ALTERNATIVE "jmp .Lspec_ctrl_guest_done", "", X86_FEATURE_MSR_SPEC_CTRL 54 RESTORE_GUEST_SPEC_CTRL_BODY VMX_spec_ctrl(%_ASM_DI), .Lspec_ctrl_guest_done 55.Lspec_ctrl_guest_done: 56 57 /* 58 * Since vmentry is serializing on affected CPUs, there's no need for 59 * an LFENCE to stop speculation from skipping the wrmsr. 60 */ 61 62 /* 63 * Load guest registers. Don't clobber flags. Intentionally omit 64 * %_ASM_SP as it's context switched by hardware 65 */ 66 LOAD_REGS %_ASM_DI, VMX_vcpu_arch_regs, \ 67 %_ASM_AX, %_ASM_CX, %_ASM_DX, %_ASM_BX, %_ASM_BP, %_ASM_SI 68#ifdef CONFIG_X86_64 69 LOAD_REGS %_ASM_DI, VMX_vcpu_arch_regs, \ 70 %r8, %r9, %r10, %r11, %r12, %r13, %r14, %r15 71#endif 72 /* Load guest RDI. This kills the @vmx pointer! */ 73 LOAD_REGS %_ASM_DI, VMX_vcpu_arch_regs, %_ASM_DI 74 75 /* 76 * Note, ALTERNATIVE_2 works in reverse order. If CLEAR_CPU_BUF_VM is 77 * enabled, do VERW unconditionally. If CPU_BUF_VM_MMIO is enabled, 78 * check @flags to see if the vCPU has access to host MMIO, and if so, 79 * do VERW. Else, do nothing (no mitigations needed/enabled). 80 */ 81 ALTERNATIVE_2 "", \ 82 __stringify(testl $KVM_ENTER_CLEAR_CPU_BUFFERS_FOR_MMIO, (%_ASM_SP); \ 83 jz .Lskip_mmio_verw; \ 84 VERW; \ 85 .Lskip_mmio_verw:), \ 86 X86_FEATURE_CLEAR_CPU_BUF_VM_MMIO, \ 87 __stringify(VERW), X86_FEATURE_CLEAR_CPU_BUF_VM 88 89 /* Check @flags to see if VMLAUNCH or VMRESUME is needed. */ 90 testl $KVM_ENTER_VMRESUME, (%_ASM_SP) 91 jz .Lvmlaunch 92 93 /* 94 * After a successful VMRESUME/VMLAUNCH, control flow "magically" 95 * resumes below at 'vmx_vmexit' due to the VMCS HOST_RIP setting. 96 * So this isn't a typical function and objtool needs to be told to 97 * save the unwind state here and restore it below. 98 */ 99 UNWIND_HINT_SAVE 100 101/* 102 * If VMRESUME/VMLAUNCH and corresponding vmexit succeed, execution resumes at 103 * the 'vmx_vmexit' label below. 104 */ 105.Lvmresume: 106 vmresume 107 jmp .Lvmfail 108 109.Lvmlaunch: 110 vmlaunch 111 jmp .Lvmfail 112 113 _ASM_EXTABLE(.Lvmresume, .Lfixup) 114 _ASM_EXTABLE(.Lvmlaunch, .Lfixup) 115 116SYM_INNER_LABEL_ALIGN(vmx_vmexit, SYM_L_GLOBAL) 117 118 /* Restore unwind state from before the VMRESUME/VMLAUNCH. */ 119 UNWIND_HINT_RESTORE 120 ENDBR 121 122 /* Temporarily save guest's RDI. */ 123 push %_ASM_DI 124 125 /* Reload @vmx to RDI. */ 126 mov 2*WORD_SIZE(%_ASM_SP), %_ASM_DI 127 128 /* 129 * Save all guest registers, including RDI from the stack. Intentionally 130 * omit %_ASM_SP as it's context switched by hardware 131 */ 132 STORE_REGS %_ASM_DI, VMX_vcpu_arch_regs, \ 133 %_ASM_AX, %_ASM_CX, %_ASM_DX, %_ASM_BX, %_ASM_BP, %_ASM_SI 134 POP_REGS %_ASM_DI, VMX_vcpu_arch_regs, %_ASM_DI 135#ifdef CONFIG_X86_64 136 STORE_REGS %_ASM_DI, VMX_vcpu_arch_regs, \ 137 %r8, %r9, %r10, %r11, %r12, %r13, %r14, %r15 138#endif 139 140 /* Clear return value to indicate VM-Exit (as opposed to VM-Fail). */ 141 xor %ebx, %ebx 142 143.Lclear_regs: 144 /* 145 * Clear all general purpose registers except RSP and RBX to prevent 146 * speculative use of the guest's values, even those that are reloaded 147 * via the stack. In theory, an L1 cache miss when restoring registers 148 * could lead to speculative execution with the guest's values. 149 * Zeroing XORs are dirt cheap, i.e. the extra paranoia is essentially 150 * free. RSP and RBX are exempt as RSP is restored by hardware during 151 * VM-Exit and RBX is explicitly loaded with 0 or 1 to hold the return 152 * value. 153 */ 154 CLEAR_REGS %eax, %ecx, %edx, %ebp, %esi, %edi 155#ifdef CONFIG_X86_64 156 CLEAR_REGS %r8d, %r9d, %r10d, %r11d, %r12d, %r13d, %r14d, %r15d 157#endif 158 159 /* 160 * IMPORTANT: RSB filling and SPEC_CTRL handling must be done before 161 * the first unbalanced RET after vmexit! 162 * 163 * For retpoline or IBRS, RSB filling is needed to prevent poisoned RSB 164 * entries and (in some cases) RSB underflow. 165 * 166 * eIBRS has its own protection against poisoned RSB, so it doesn't 167 * need the RSB filling sequence. But it does need to be enabled, and a 168 * single call to retire, before the first unbalanced RET. 169 */ 170 171 FILL_RETURN_BUFFER %_ASM_CX, RSB_CLEAR_LOOPS, X86_FEATURE_RSB_VMEXIT,\ 172 X86_FEATURE_RSB_VMEXIT_LITE 173 174 /* Clobbers RAX, RCX, RDX, RSI. */ 175 ALTERNATIVE "jmp .Lspec_ctrl_host_done", "", X86_FEATURE_MSR_SPEC_CTRL 176 mov WORD_SIZE(%_ASM_SP), %_ASM_DI 177 RESTORE_HOST_SPEC_CTRL_BODY VMX_spec_ctrl(%_ASM_DI), (%_ASM_SP), .Lspec_ctrl_host_done 178.Lspec_ctrl_host_done: 179 180 /* 181 * Halt speculation past a conditional wrmsr. Intel's eIBRS 182 * guarantees that the guest cannot control the RSB "once IBRS is 183 * set", but in the eIBRS case speculative execution past the 'je' 184 * can go all the way to the RET below while MSR_IA32_SPEC_CTRL 185 * still holds the guest value. 186 */ 187 ALTERNATIVE_2 "", "lfence", X86_FEATURE_MSR_SPEC_CTRL, \ 188 "", X86_FEATURE_KERNEL_IBRS 189 190 CLEAR_BRANCH_HISTORY_VMEXIT 191 192 /* Put return value in AX */ 193 mov %_ASM_BX, %_ASM_AX 194 195 /* Pop our saved arguments from the stack */ 196 pop %_ASM_BX 197 pop %_ASM_BX 198 199 /* ... and then the callee-save registers */ 200 pop %_ASM_BX 201#ifdef CONFIG_X86_64 202 pop %r12 203 pop %r13 204 pop %r14 205 pop %r15 206#else 207 pop %esi 208 pop %edi 209#endif 210 pop %_ASM_BP 211 RET 212 213.Lfixup: 214 cmpb $0, _ASM_RIP(virt_rebooting) 215 jne .Lvmfail 216 ud2 217.Lvmfail: 218 /* VM-Fail: set return value to 1 */ 219 mov $1, %_ASM_BX 220 jmp .Lclear_regs 221 222SYM_FUNC_END(__vmx_vcpu_run) 223 224#ifndef CONFIG_CC_HAS_ASM_GOTO_OUTPUT 225 226/** 227 * vmread_error_trampoline - Trampoline from inline asm to vmread_error() 228 * @field: VMCS field encoding that failed 229 * @fault: %true if the VMREAD faulted, %false if it failed 230 * 231 * Save and restore volatile registers across a call to vmread_error(). Note, 232 * all parameters are passed on the stack. 233 */ 234SYM_FUNC_START(vmread_error_trampoline) 235 push %_ASM_BP 236 mov %_ASM_SP, %_ASM_BP 237 238 push %_ASM_AX 239 push %_ASM_CX 240 push %_ASM_DX 241#ifdef CONFIG_X86_64 242 push %rdi 243 push %rsi 244 push %r8 245 push %r9 246 push %r10 247 push %r11 248#endif 249 250 /* Load @field and @fault to arg1 and arg2 respectively. */ 251 mov 3*WORD_SIZE(%_ASM_BP), %_ASM_ARG2 252 mov 2*WORD_SIZE(%_ASM_BP), %_ASM_ARG1 253 254 call vmread_error_trampoline2 255 256 /* Zero out @fault, which will be popped into the result register. */ 257 _ASM_MOV $0, 3*WORD_SIZE(%_ASM_BP) 258 259#ifdef CONFIG_X86_64 260 pop %r11 261 pop %r10 262 pop %r9 263 pop %r8 264 pop %rsi 265 pop %rdi 266#endif 267 pop %_ASM_DX 268 pop %_ASM_CX 269 pop %_ASM_AX 270 pop %_ASM_BP 271 272 RET 273SYM_FUNC_END(vmread_error_trampoline) 274#endif 275