From 4b63b7cddae97d6a9ee38271cf226cae3348fe8d Mon Sep 17 00:00:00 2001 From: Vitaly Kuznetsov Date: Mon, 21 Feb 2022 15:53:16 +0100 Subject: [PATCH 01/24] vmxcap: Add 5-level EPT bit commit d312378e59658473aa91aa15c67ec6200d92e5ff upstream. 5-level EPT is present in Icelake Server CPUs and is supported by QEMU ('vmx-page-walk-5'). Intel-SIG: commit d312378e5965 vmxcap: Add 5-level EPT bit Signed-off-by: Vitaly Kuznetsov Message-Id: <20220221145316.576138-2-vkuznets@redhat.com> Signed-off-by: Paolo Bonzini [ Jason Zeng: amend commit log ] Signed-off-by: Jason Zeng --- scripts/kvm/vmxcap | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/kvm/vmxcap b/scripts/kvm/vmxcap index 6fe66d5f57..f140040104 100755 --- a/scripts/kvm/vmxcap +++ b/scripts/kvm/vmxcap @@ -249,6 +249,7 @@ controls = [ bits = { 0: 'Execute-only EPT translations', 6: 'Page-walk length 4', + 7: 'Page-walk length 5', 8: 'Paging-structure memory type UC', 14: 'Paging-structure memory type WB', 16: '2MB EPT pages', -- Gitee From 67c8ae889bbcbacc565a264c158630e5deddb2d3 Mon Sep 17 00:00:00 2001 From: Vitaly Kuznetsov Date: Mon, 21 Feb 2022 15:53:15 +0100 Subject: [PATCH 02/24] i386: Add Icelake-Server-v6 CPU model with 5-level EPT support commit 12cab535db6440af41ed8dfefe908a594321b6ce upstream. Windows 11 with WSL2 enabled (Hyper-V) fails to boot with Icelake-Server {-v5} CPU model but boots well with '-cpu host'. Apparently, it expects 5-level paging and 5-level EPT support to come in pair but QEMU's Icelake-Server CPU model lacks the later. Introduce 'Icelake-Server-v6' CPU model with 'vmx-page-walk-5' enabled by default. Intel-SIG: commit 12cab535db64 i386: Add Icelake-Server-v6 CPU model with 5-level EPT support Signed-off-by: Vitaly Kuznetsov Message-Id: <20220221145316.576138-1-vkuznets@redhat.com> Signed-off-by: Paolo Bonzini [ Jason Zeng: amend commit log ] Signed-off-by: Jason Zeng --- target/i386/cpu.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/target/i386/cpu.c b/target/i386/cpu.c index 016a62a809..40f26c51cc 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c @@ -3823,6 +3823,14 @@ static const X86CPUDefinition builtin_x86_defs[] = { { /* end of list */ } }, }, + { + .version = 6, + .note = "5-level EPT", + .props = (PropValue[]) { + { "vmx-page-walk-5", "on" }, + { /* end of list */ } + }, + }, { .version = 7, .note = "TSX, taa-no", -- Gitee From e3804d97d2379df37cc985a4adf400c2c6d86001 Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Wed, 11 May 2022 18:39:12 +0200 Subject: [PATCH 03/24] vmxcap: add tertiary execution controls commit 333dbac358acc6cc174029263d633a22f66584b4 upstream. Intel-SIG: commit 333dbac358ac vmxcap: add tertiary execution controls Signed-off-by: Paolo Bonzini Signed-off-by: Jason Zeng --- scripts/kvm/vmxcap | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/scripts/kvm/vmxcap b/scripts/kvm/vmxcap index f140040104..ce27f5e635 100755 --- a/scripts/kvm/vmxcap +++ b/scripts/kvm/vmxcap @@ -23,6 +23,7 @@ MSR_IA32_VMX_TRUE_PROCBASED_CTLS = 0x48E MSR_IA32_VMX_TRUE_EXIT_CTLS = 0x48F MSR_IA32_VMX_TRUE_ENTRY_CTLS = 0x490 MSR_IA32_VMX_VMFUNC = 0x491 +MSR_IA32_VMX_PROCBASED_CTLS3 = 0x492 class msr(object): def __init__(self): @@ -71,6 +72,13 @@ class Control(object): s = 'yes' print(' %-40s %s' % (self.bits[bit], s)) +# All 64 bits in the tertiary controls MSR are allowed-1 +class Allowed1Control(Control): + def read2(self, nr): + m = msr() + val = m.read(nr, 0) + return (0, val) + class Misc(object): def __init__(self, name, bits, msr): self.name = name @@ -135,6 +143,7 @@ controls = [ 12: 'RDTSC exiting', 15: 'CR3-load exiting', 16: 'CR3-store exiting', + 17: 'Activate tertiary controls', 19: 'CR8-load exiting', 20: 'CR8-store exiting', 21: 'Use TPR shadow', @@ -186,6 +195,14 @@ controls = [ cap_msr = MSR_IA32_VMX_PROCBASED_CTLS2, ), + Allowed1Control( + name = 'tertiary processor-based controls', + bits = { + 4: 'Enable IPI virtualization' + }, + cap_msr = MSR_IA32_VMX_PROCBASED_CTLS3, + ), + Control( name = 'VM-Exit controls', bits = { -- Gitee From c5427bc371d47f727f648d66395929c5bfadf023 Mon Sep 17 00:00:00 2001 From: Ake Koomsin Date: Mon, 7 Aug 2023 18:33:40 +0900 Subject: [PATCH 04/24] target/i386: add support for VMX_SECONDARY_EXEC_ENABLE_USER_WAIT_PAUSE commit 33cc88261c352445d31599054653d759f20531c1 upstream. Current QEMU can expose waitpkg to guests when it is available. However, VMX_SECONDARY_EXEC_ENABLE_USER_WAIT_PAUSE is still not recognized and masked by QEMU. This can lead to an unexpected situation when a L1 hypervisor wants to expose waitpkg to a L2 guest. The L1 hypervisor can assume that VMX_SECONDARY_EXEC_ENABLE_USER_WAIT_PAUSE exists as waitpkg is available. The L1 hypervisor then can accidentally expose waitpkg to the L2 guest. This will cause invalid opcode exception in the L2 guest when it executes waitpkg related instructions. This patch adds VMX_SECONDARY_EXEC_ENABLE_USER_WAIT_PAUSE support, and sets up dependency between the bit and CPUID_7_0_ECX_WAITPKG. QEMU should not expose waitpkg feature if VMX_SECONDARY_EXEC_ENABLE_USER_WAIT_PAUSE is not available to avoid unexpected invalid opcode exception in L2 guests. Intel-SIG: commit 33cc88261c35 target/i386: add support for VMX_SECONDARY_EXEC_ENABLE_USER_WAIT_PAUSE Signed-off-by: Ake Koomsin Message-ID: <20230807093339.32091-2-ake@igel.co.jp> Signed-off-by: Paolo Bonzini Signed-off-by: Jason Zeng --- target/i386/cpu.c | 6 +++++- target/i386/cpu.h | 1 + 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/target/i386/cpu.c b/target/i386/cpu.c index 40f26c51cc..cd2de0c7d0 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c @@ -1134,7 +1134,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = { "vmx-invpcid-exit", "vmx-vmfunc", "vmx-shadow-vmcs", "vmx-encls-exit", "vmx-rdseed-exit", "vmx-pml", NULL, NULL, "vmx-xsaves", NULL, NULL, NULL, - NULL, "vmx-tsc-scaling", NULL, NULL, + NULL, "vmx-tsc-scaling", "vmx-enable-user-wait-pause", NULL, NULL, NULL, NULL, NULL, }, .msr = { @@ -1443,6 +1443,10 @@ static FeatureDep feature_dependencies[] = { .from = { FEAT_8000_0001_ECX, CPUID_EXT3_SVM }, .to = { FEAT_SVM, ~0ull }, }, + { + .from = { FEAT_VMX_SECONDARY_CTLS, VMX_SECONDARY_EXEC_ENABLE_USER_WAIT_PAUSE }, + .to = { FEAT_7_0_ECX, CPUID_7_0_ECX_WAITPKG }, + }, }; typedef struct X86RegisterInfo32 { diff --git a/target/i386/cpu.h b/target/i386/cpu.h index 84910db8bb..7fdf20eb53 100644 --- a/target/i386/cpu.h +++ b/target/i386/cpu.h @@ -1093,6 +1093,7 @@ uint64_t x86_cpu_get_supported_feature_word(FeatureWord w, #define VMX_SECONDARY_EXEC_ENABLE_PML 0x00020000 #define VMX_SECONDARY_EXEC_XSAVES 0x00100000 #define VMX_SECONDARY_EXEC_TSC_SCALING 0x02000000 +#define VMX_SECONDARY_EXEC_ENABLE_USER_WAIT_PAUSE 0x04000000 #define VMX_PIN_BASED_EXT_INTR_MASK 0x00000001 #define VMX_PIN_BASED_NMI_EXITING 0x00000008 -- Gitee From 6bca777c7404c967f6c590d9c8ea6f9eaf5901d4 Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Wed, 20 Sep 2023 17:41:17 +0200 Subject: [PATCH 05/24] target/i386: enumerate bit 56 of MSR_IA32_VMX_BASIC commit 0c49c9180c5498bcd55edc1bfb12b0466e08575c upstream. On parts that enumerate IA32_VMX_BASIC MSR bit as 1, any exception vector can be delivered with or without an error code if the other consistency checks are satisfied. Intel-SIG: commit 0c49c9180c54 target/i386: enumerate bit 56 of MSR_IA32_VMX_BASIC Signed-off-by: Paolo Bonzini Signed-off-by: Jason Zeng --- scripts/kvm/vmxcap | 1 + target/i386/cpu.c | 1 + target/i386/cpu.h | 1 + 3 files changed, 3 insertions(+) diff --git a/scripts/kvm/vmxcap b/scripts/kvm/vmxcap index ce27f5e635..3fb4d5b342 100755 --- a/scripts/kvm/vmxcap +++ b/scripts/kvm/vmxcap @@ -115,6 +115,7 @@ controls = [ (50, 53): 'VMCS memory type', 54: 'INS/OUTS instruction information', 55: 'IA32_VMX_TRUE_*_CTLS support', + 56: 'Skip checks on event error code', }, msr = MSR_IA32_VMX_BASIC, ), diff --git a/target/i386/cpu.c b/target/i386/cpu.c index cd2de0c7d0..fcbabcfc87 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c @@ -1246,6 +1246,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = { .feat_names = { [54] = "vmx-ins-outs", [55] = "vmx-true-ctls", + [56] = "vmx-any-errcode", }, .msr = { .index = MSR_IA32_VMX_BASIC, diff --git a/target/i386/cpu.h b/target/i386/cpu.h index 7fdf20eb53..31b9af5483 100644 --- a/target/i386/cpu.h +++ b/target/i386/cpu.h @@ -1019,6 +1019,7 @@ uint64_t x86_cpu_get_supported_feature_word(FeatureWord w, #define MSR_VMX_BASIC_DUAL_MONITOR (1ULL << 49) #define MSR_VMX_BASIC_INS_OUTS (1ULL << 54) #define MSR_VMX_BASIC_TRUE_CTLS (1ULL << 55) +#define MSR_VMX_BASIC_ANY_ERRCODE (1ULL << 56) #define MSR_VMX_MISC_PREEMPTION_TIMER_SHIFT_MASK 0x1Full #define MSR_VMX_MISC_STORE_LMA (1ULL << 5) -- Gitee From 58e9b07f58c69959ce5092119ca2770a47f7d295 Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Wed, 8 May 2024 11:10:54 +0200 Subject: [PATCH 06/24] target/i386: fix feature dependency for WAITPKG commit fe01af5d47d4cf7fdf90c54d43f784e5068c8d72 upstream. The VMX feature bit depends on general availability of WAITPKG, not the other way round. Intel-SIG: commit fe01af5d47d4 target/i386: fix feature dependency for WAITPKG Fixes: 33cc88261c3 ("target/i386: add support for VMX_SECONDARY_EXEC_ENABLE_USER_WAIT_PAUSE", 2023-08-28) Cc: qemu-stable@nongnu.org Reviewed-by: Zhao Liu Signed-off-by: Paolo Bonzini Signed-off-by: Jason Zeng --- target/i386/cpu.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/target/i386/cpu.c b/target/i386/cpu.c index fcbabcfc87..9bcc1faf8f 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c @@ -1445,8 +1445,8 @@ static FeatureDep feature_dependencies[] = { .to = { FEAT_SVM, ~0ull }, }, { - .from = { FEAT_VMX_SECONDARY_CTLS, VMX_SECONDARY_EXEC_ENABLE_USER_WAIT_PAUSE }, - .to = { FEAT_7_0_ECX, CPUID_7_0_ECX_WAITPKG }, + .from = { FEAT_7_0_ECX, CPUID_7_0_ECX_WAITPKG }, + .to = { FEAT_VMX_SECONDARY_CTLS, VMX_SECONDARY_EXEC_ENABLE_USER_WAIT_PAUSE }, }, }; -- Gitee From 0e666b9d50d2d835028c2608ea3004d3783b6e99 Mon Sep 17 00:00:00 2001 From: Robert Hoo Date: Fri, 12 Jan 2024 14:00:41 +0800 Subject: [PATCH 07/24] target/i386: add support for LAM in CPUID enumeration commit ba6780905943696d790cc880c8e5684b51f027fe upstream. Linear Address Masking (LAM) is a new Intel CPU feature, which allows software to use of the untranslated address bits for metadata. The bit definition: CPUID.(EAX=7,ECX=1):EAX[26] Add CPUID definition for LAM. Note LAM feature is not supported for TCG of target-i386, LAM CPIUD bit will not be added to TCG_7_1_EAX_FEATURES. More info can be found in Intel ISE Chapter "LINEAR ADDRESS MASKING(LAM)" https://cdrdv2.intel.com/v1/dl/getContent/671368 Intel-SIG: commit ba6780905943 target/i386: add support for LAM in CPUID enumeration Signed-off-by: Robert Hoo Co-developed-by: Binbin Wu Signed-off-by: Binbin Wu Tested-by: Xuelian Guo Reviewed-by: Xiaoyao Li Reviewed-by: Zhao Liu Message-ID: <20240112060042.19925-2-binbin.wu@linux.intel.com> Signed-off-by: Paolo Bonzini Conflicts: target/i386/cpu.h [jz: resolve simple context conflict] Signed-off-by: Jason Zeng --- target/i386/cpu.c | 2 +- target/i386/cpu.h | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/target/i386/cpu.c b/target/i386/cpu.c index 9bcc1faf8f..974e8fb0d5 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c @@ -878,7 +878,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = { "fsrc", NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, "amx-fp16", NULL, "avx-ifma", - NULL, NULL, NULL, NULL, + NULL, NULL, "lam", NULL, NULL, NULL, NULL, NULL, }, .cpuid = { diff --git a/target/i386/cpu.h b/target/i386/cpu.h index 31b9af5483..d879213fff 100644 --- a/target/i386/cpu.h +++ b/target/i386/cpu.h @@ -908,6 +908,9 @@ uint64_t x86_cpu_get_supported_feature_word(FeatureWord w, #define CPUID_7_1_EAX_AMX_FP16 (1U << 21) /* Support for VPMADD52[H,L]UQ */ #define CPUID_7_1_EAX_AVX_IFMA (1U << 23) +/* Linear Address Masking */ +#define CPUID_7_1_EAX_LAM (1U << 26) + /* Support for VPDPB[SU,UU,SS]D[,S] */ #define CPUID_7_1_EDX_AVX_VNNI_INT8 (1U << 4) /* AVX NE CONVERT Instructions */ -- Gitee From 753cd49cefd20e54d9d69411f99227677e57e03f Mon Sep 17 00:00:00 2001 From: Binbin Wu Date: Fri, 12 Jan 2024 14:00:42 +0800 Subject: [PATCH 08/24] target/i386: add control bits support for LAM commit 0117067131f99acaab4f4d2cca0290c5510e37cf upstream. LAM uses CR3[61] and CR3[62] to configure/enable LAM on user pointers. LAM uses CR4[28] to configure/enable LAM on supervisor pointers. For CR3 LAM bits, no additional handling needed: - TCG LAM is not supported for TCG of target-i386. helper_write_crN() and helper_vmrun() check max physical address bits before calling cpu_x86_update_cr3(), no change needed, i.e. CR3 LAM bits are not allowed to be set in TCG. - gdbstub x86_cpu_gdb_write_register() will call cpu_x86_update_cr3() to update cr3. Allow gdb to set the LAM bit(s) to CR3, if vcpu doesn't support LAM, KVM_SET_SREGS will fail as other reserved bits. For CR4 LAM bit, its reservation depends on vcpu supporting LAM feature or not. - TCG LAM is not supported for TCG of target-i386. helper_write_crN() and helper_vmrun() check CR4 reserved bit before calling cpu_x86_update_cr4(), i.e. CR4 LAM bit is not allowed to be set in TCG. - gdbstub x86_cpu_gdb_write_register() will call cpu_x86_update_cr4() to update cr4. Mask out LAM bit on CR4 if vcpu doesn't support LAM. - x86_cpu_reset_hold() doesn't need special handling. Intel-SIG: commit 0117067131f9 target/i386: add control bits support for LAM Signed-off-by: Binbin Wu Tested-by: Xuelian Guo Reviewed-by: Xiaoyao Li Reviewed-by: Zhao Liu Message-ID: <20240112060042.19925-3-binbin.wu@linux.intel.com> Signed-off-by: Paolo Bonzini Signed-off-by: Jason Zeng --- target/i386/cpu.h | 7 ++++++- target/i386/helper.c | 4 ++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/target/i386/cpu.h b/target/i386/cpu.h index d879213fff..69bff8be72 100644 --- a/target/i386/cpu.h +++ b/target/i386/cpu.h @@ -254,6 +254,7 @@ typedef enum X86Seg { #define CR4_SMAP_MASK (1U << 21) #define CR4_PKE_MASK (1U << 22) #define CR4_PKS_MASK (1U << 24) +#define CR4_LAM_SUP_MASK (1U << 28) #define CR4_RESERVED_MASK \ (~(target_ulong)(CR4_VME_MASK | CR4_PVI_MASK | CR4_TSD_MASK \ @@ -262,7 +263,8 @@ typedef enum X86Seg { | CR4_OSFXSR_MASK | CR4_OSXMMEXCPT_MASK |CR4_UMIP_MASK \ | CR4_LA57_MASK \ | CR4_FSGSBASE_MASK | CR4_PCIDE_MASK | CR4_OSXSAVE_MASK \ - | CR4_SMEP_MASK | CR4_SMAP_MASK | CR4_PKE_MASK | CR4_PKS_MASK)) + | CR4_SMEP_MASK | CR4_SMAP_MASK | CR4_PKE_MASK | CR4_PKS_MASK \ + | CR4_LAM_SUP_MASK)) #define DR6_BD (1 << 13) #define DR6_BS (1 << 14) @@ -2386,6 +2388,9 @@ static inline uint64_t cr4_reserved_bits(CPUX86State *env) if (!(env->features[FEAT_7_0_ECX] & CPUID_7_0_ECX_PKS)) { reserved_bits |= CR4_PKS_MASK; } + if (!(env->features[FEAT_7_1_EAX] & CPUID_7_1_EAX_LAM)) { + reserved_bits |= CR4_LAM_SUP_MASK; + } return reserved_bits; } diff --git a/target/i386/helper.c b/target/i386/helper.c index 533b29cb91..4215be8b51 100644 --- a/target/i386/helper.c +++ b/target/i386/helper.c @@ -198,6 +198,10 @@ void cpu_x86_update_cr4(CPUX86State *env, uint32_t new_cr4) new_cr4 &= ~CR4_PKS_MASK; } + if (!(env->features[FEAT_7_1_EAX] & CPUID_7_1_EAX_LAM)) { + new_cr4 &= ~CR4_LAM_SUP_MASK; + } + env->cr[4] = new_cr4; env->hflags = hflags; -- Gitee From 27b2acb774406e1f5515ff00162a17c64cd1f476 Mon Sep 17 00:00:00 2001 From: Xin Li Date: Wed, 8 Nov 2023 23:20:07 -0800 Subject: [PATCH 09/24] target/i386: add support for FRED in CPUID enumeration commit c1acad9f72d14daf918563eb77d2b31c39fbd06a upstream. FRED, i.e., the Intel flexible return and event delivery architecture, defines simple new transitions that change privilege level (ring transitions). The new transitions defined by the FRED architecture are FRED event delivery and, for returning from events, two FRED return instructions. FRED event delivery can effect a transition from ring 3 to ring 0, but it is used also to deliver events incident to ring 0. One FRED instruction (ERETU) effects a return from ring 0 to ring 3, while the other (ERETS) returns while remaining in ring 0. Collectively, FRED event delivery and the FRED return instructions are FRED transitions. In addition to these transitions, the FRED architecture defines a new instruction (LKGS) for managing the state of the GS segment register. The LKGS instruction can be used by 64-bit operating systems that do not use the new FRED transitions. WRMSRNS is an instruction that behaves exactly like WRMSR, with the only difference being that it is not a serializing instruction by default. Under certain conditions, WRMSRNS may replace WRMSR to improve performance. FRED uses it to switch RSP0 in a faster manner. Search for the latest FRED spec in most search engines with this search pattern: site:intel.com FRED (flexible return and event delivery) specification The CPUID feature flag CPUID.(EAX=7,ECX=1):EAX[17] enumerates FRED, and the CPUID feature flag CPUID.(EAX=7,ECX=1):EAX[18] enumerates LKGS, and the CPUID feature flag CPUID.(EAX=7,ECX=1):EAX[19] enumerates WRMSRNS. Add CPUID definitions for FRED/LKGS/WRMSRNS, and expose them to KVM guests. Because FRED relies on LKGS and WRMSRNS, add that to feature dependency map. Intel-SIG: commit c1acad9f72d1 target/i386: add support for FRED in CPUID enumeration Tested-by: Shan Kang Signed-off-by: Xin Li Message-ID: <20231109072012.8078-2-xin3.li@intel.com> [Fix order of dependencies, add dependencies from LM to FRED. - Paolo] Signed-off-by: Paolo Bonzini Signed-off-by: Jason Zeng --- target/i386/cpu.c | 14 +++++++++++++- target/i386/cpu.h | 6 ++++++ 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/target/i386/cpu.c b/target/i386/cpu.c index 974e8fb0d5..c983f9857c 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c @@ -876,7 +876,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = { "avx-vnni", "avx512-bf16", NULL, "cmpccxadd", NULL, NULL, "fzrm", "fsrs", "fsrc", NULL, NULL, NULL, - NULL, NULL, NULL, NULL, + NULL, "fred", "lkgs", "wrmsrns", NULL, "amx-fp16", NULL, "avx-ifma", NULL, NULL, "lam", NULL, NULL, NULL, NULL, NULL, @@ -1448,6 +1448,18 @@ static FeatureDep feature_dependencies[] = { .from = { FEAT_7_0_ECX, CPUID_7_0_ECX_WAITPKG }, .to = { FEAT_VMX_SECONDARY_CTLS, VMX_SECONDARY_EXEC_ENABLE_USER_WAIT_PAUSE }, }, + { + .from = { FEAT_8000_0001_EDX, CPUID_EXT2_LM }, + .to = { FEAT_7_1_EAX, CPUID_7_1_EAX_FRED }, + }, + { + .from = { FEAT_7_1_EAX, CPUID_7_1_EAX_LKGS }, + .to = { FEAT_7_1_EAX, CPUID_7_1_EAX_FRED }, + }, + { + .from = { FEAT_7_1_EAX, CPUID_7_1_EAX_WRMSRNS }, + .to = { FEAT_7_1_EAX, CPUID_7_1_EAX_FRED }, + }, }; typedef struct X86RegisterInfo32 { diff --git a/target/i386/cpu.h b/target/i386/cpu.h index 69bff8be72..d44d04f354 100644 --- a/target/i386/cpu.h +++ b/target/i386/cpu.h @@ -919,6 +919,12 @@ uint64_t x86_cpu_get_supported_feature_word(FeatureWord w, #define CPUID_7_1_EDX_AVX_NE_CONVERT (1U << 5) /* PREFETCHIT0/1 Instructions */ #define CPUID_7_1_EDX_PREFETCHITI (1U << 14) +/* Flexible return and event delivery (FRED) */ +#define CPUID_7_1_EAX_FRED (1U << 17) +/* Load into IA32_KERNEL_GS_BASE (LKGS) */ +#define CPUID_7_1_EAX_LKGS (1U << 18) +/* Non-Serializing Write to Model Specific Register (WRMSRNS) */ +#define CPUID_7_1_EAX_WRMSRNS (1U << 19) /* Do not exhibit MXCSR Configuration Dependent Timing (MCDT) behavior */ #define CPUID_7_2_EDX_MCDT_NO (1U << 5) -- Gitee From 9de9b32c51ff24c5c7b90b26eb30b5471540dc99 Mon Sep 17 00:00:00 2001 From: Xin Li Date: Wed, 8 Nov 2023 23:20:08 -0800 Subject: [PATCH 10/24] target/i386: mark CR4.FRED not reserved commit f88ddc40c6d8b591a357108feec52cea13796d2d upstream. The CR4.FRED bit, i.e., CR4[32], is no longer a reserved bit when FRED is exposed to guests, otherwise it is still a reserved bit. Intel-SIG: commit f88ddc40c6d8 target/i386: mark CR4.FRED not reserved Tested-by: Shan Kang Signed-off-by: Xin Li Reviewed-by: Zhao Liu Message-ID: <20231109072012.8078-3-xin3.li@intel.com> Signed-off-by: Paolo Bonzini Signed-off-by: Jason Zeng --- target/i386/cpu.h | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/target/i386/cpu.h b/target/i386/cpu.h index d44d04f354..33d6e33c0a 100644 --- a/target/i386/cpu.h +++ b/target/i386/cpu.h @@ -256,6 +256,18 @@ typedef enum X86Seg { #define CR4_PKS_MASK (1U << 24) #define CR4_LAM_SUP_MASK (1U << 28) +#ifdef TARGET_X86_64 +#define CR4_FRED_MASK (1ULL << 32) +#else +#define CR4_FRED_MASK 0 +#endif + +#ifdef TARGET_X86_64 +#define CR4_FRED_MASK (1ULL << 32) +#else +#define CR4_FRED_MASK 0 +#endif + #define CR4_RESERVED_MASK \ (~(target_ulong)(CR4_VME_MASK | CR4_PVI_MASK | CR4_TSD_MASK \ | CR4_DE_MASK | CR4_PSE_MASK | CR4_PAE_MASK \ @@ -264,7 +276,7 @@ typedef enum X86Seg { | CR4_LA57_MASK \ | CR4_FSGSBASE_MASK | CR4_PCIDE_MASK | CR4_OSXSAVE_MASK \ | CR4_SMEP_MASK | CR4_SMAP_MASK | CR4_PKE_MASK | CR4_PKS_MASK \ - | CR4_LAM_SUP_MASK)) + | CR4_LAM_SUP_MASK | CR4_FRED_MASK)) #define DR6_BD (1 << 13) #define DR6_BS (1 << 14) @@ -2397,6 +2409,9 @@ static inline uint64_t cr4_reserved_bits(CPUX86State *env) if (!(env->features[FEAT_7_1_EAX] & CPUID_7_1_EAX_LAM)) { reserved_bits |= CR4_LAM_SUP_MASK; } + if (!(env->features[FEAT_7_1_EAX] & CPUID_7_1_EAX_FRED)) { + reserved_bits |= CR4_FRED_MASK; + } return reserved_bits; } -- Gitee From 92dfbddcc1ad18a11885a209a89f9eebda02ae31 Mon Sep 17 00:00:00 2001 From: Xin Li Date: Wed, 8 Nov 2023 23:20:10 -0800 Subject: [PATCH 11/24] vmxcap: add support for VMX FRED controls commit 2e641870170e28df28c5d9914e76ea7cab141516 upstream. Report secondary vm-exit controls and the VMX controls used to save/load FRED MSRs. Intel-SIG: commit 2e641870170e vmxcap: add support for VMX FRED controls Tested-by: Shan Kang Signed-off-by: Xin Li Message-ID: <20231109072012.8078-5-xin3.li@intel.com> Signed-off-by: Paolo Bonzini Signed-off-by: Jason Zeng --- scripts/kvm/vmxcap | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/scripts/kvm/vmxcap b/scripts/kvm/vmxcap index 3fb4d5b342..44898d73c2 100755 --- a/scripts/kvm/vmxcap +++ b/scripts/kvm/vmxcap @@ -24,6 +24,7 @@ MSR_IA32_VMX_TRUE_EXIT_CTLS = 0x48F MSR_IA32_VMX_TRUE_ENTRY_CTLS = 0x490 MSR_IA32_VMX_VMFUNC = 0x491 MSR_IA32_VMX_PROCBASED_CTLS3 = 0x492 +MSR_IA32_VMX_EXIT_CTLS2 = 0x493 class msr(object): def __init__(self): @@ -219,11 +220,21 @@ controls = [ 23: 'Clear IA32_BNDCFGS', 24: 'Conceal VM exits from PT', 25: 'Clear IA32_RTIT_CTL', + 31: 'Activate secondary VM-exit controls', }, cap_msr = MSR_IA32_VMX_EXIT_CTLS, true_cap_msr = MSR_IA32_VMX_TRUE_EXIT_CTLS, ), + Allowed1Control( + name = 'secondary VM-Exit controls', + bits = { + 0: 'Save IA32 FRED MSRs', + 1: 'Load IA32 FRED MSRs', + }, + cap_msr = MSR_IA32_VMX_EXIT_CTLS2, + ), + Control( name = 'VM-Entry controls', bits = { @@ -237,6 +248,7 @@ controls = [ 16: 'Load IA32_BNDCFGS', 17: 'Conceal VM entries from PT', 18: 'Load IA32_RTIT_CTL', + 23: 'Load IA32 FRED MSRs', }, cap_msr = MSR_IA32_VMX_ENTRY_CTLS, true_cap_msr = MSR_IA32_VMX_TRUE_ENTRY_CTLS, -- Gitee From 992704e6a4814a7d9edc2aa3645a6a511d18cf5c Mon Sep 17 00:00:00 2001 From: Xin Li Date: Wed, 8 Nov 2023 23:20:11 -0800 Subject: [PATCH 12/24] target/i386: enumerate VMX nested-exception support commit ef202d64c3020f3df03c39d3ad688732d81aaae8 upstream. Allow VMX nested-exception support to be exposed in KVM guests, thus nested KVM guests can enumerate it. Intel-SIG: commit ef202d64c302 target/i386: enumerate VMX nested-exception support Tested-by: Shan Kang Signed-off-by: Xin Li Message-ID: <20231109072012.8078-6-xin3.li@intel.com> Signed-off-by: Paolo Bonzini Signed-off-by: Jason Zeng --- scripts/kvm/vmxcap | 1 + target/i386/cpu.c | 1 + target/i386/cpu.h | 1 + 3 files changed, 3 insertions(+) diff --git a/scripts/kvm/vmxcap b/scripts/kvm/vmxcap index 44898d73c2..508be19c75 100755 --- a/scripts/kvm/vmxcap +++ b/scripts/kvm/vmxcap @@ -117,6 +117,7 @@ controls = [ 54: 'INS/OUTS instruction information', 55: 'IA32_VMX_TRUE_*_CTLS support', 56: 'Skip checks on event error code', + 58: 'VMX nested exception support', }, msr = MSR_IA32_VMX_BASIC, ), diff --git a/target/i386/cpu.c b/target/i386/cpu.c index c983f9857c..11fa375527 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c @@ -1247,6 +1247,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = { [54] = "vmx-ins-outs", [55] = "vmx-true-ctls", [56] = "vmx-any-errcode", + [58] = "vmx-nested-exception", }, .msr = { .index = MSR_IA32_VMX_BASIC, diff --git a/target/i386/cpu.h b/target/i386/cpu.h index 33d6e33c0a..93874f5f0e 100644 --- a/target/i386/cpu.h +++ b/target/i386/cpu.h @@ -1043,6 +1043,7 @@ uint64_t x86_cpu_get_supported_feature_word(FeatureWord w, #define MSR_VMX_BASIC_INS_OUTS (1ULL << 54) #define MSR_VMX_BASIC_TRUE_CTLS (1ULL << 55) #define MSR_VMX_BASIC_ANY_ERRCODE (1ULL << 56) +#define MSR_VMX_BASIC_NESTED_EXCEPTION (1ULL << 58) #define MSR_VMX_MISC_PREEMPTION_TIMER_SHIFT_MASK 0x1Full #define MSR_VMX_MISC_STORE_LMA (1ULL << 5) -- Gitee From 30fa9db74b511d7873d08bd4a1f8e6b62a504af8 Mon Sep 17 00:00:00 2001 From: Xin Li Date: Wed, 8 Nov 2023 23:20:12 -0800 Subject: [PATCH 13/24] target/i386: Add get/set/migrate support for FRED MSRs commit 4ebd98eb3ade5957a842da1420bda012eeeaab9c upstream. FRED CPU states are managed in 9 new FRED MSRs, in addtion to a few existing CPU registers and MSRs, e.g., CR4.FRED and MSR_IA32_PL0_SSP. Save/restore/migrate FRED MSRs if FRED is exposed to the guest. Intel-SIG: commit 4ebd98eb3ade target/i386: Add get/set/migrate support for FRED MSRs Tested-by: Shan Kang Signed-off-by: Xin Li Message-ID: <20231109072012.8078-7-xin3.li@intel.com> Signed-off-by: Paolo Bonzini Signed-off-by: Jason Zeng --- target/i386/cpu.h | 22 +++++++++++++++++++ target/i386/kvm/kvm.c | 49 +++++++++++++++++++++++++++++++++++++++++++ target/i386/machine.c | 28 +++++++++++++++++++++++++ 3 files changed, 99 insertions(+) diff --git a/target/i386/cpu.h b/target/i386/cpu.h index 93874f5f0e..d85d4a3bf7 100644 --- a/target/i386/cpu.h +++ b/target/i386/cpu.h @@ -523,6 +523,17 @@ typedef enum X86Seg { #define MSR_IA32_XFD 0x000001c4 #define MSR_IA32_XFD_ERR 0x000001c5 +/* FRED MSRs */ +#define MSR_IA32_FRED_RSP0 0x000001cc /* Stack level 0 regular stack pointer */ +#define MSR_IA32_FRED_RSP1 0x000001cd /* Stack level 1 regular stack pointer */ +#define MSR_IA32_FRED_RSP2 0x000001ce /* Stack level 2 regular stack pointer */ +#define MSR_IA32_FRED_RSP3 0x000001cf /* Stack level 3 regular stack pointer */ +#define MSR_IA32_FRED_STKLVLS 0x000001d0 /* FRED exception stack levels */ +#define MSR_IA32_FRED_SSP1 0x000001d1 /* Stack level 1 shadow stack pointer in ring 0 */ +#define MSR_IA32_FRED_SSP2 0x000001d2 /* Stack level 2 shadow stack pointer in ring 0 */ +#define MSR_IA32_FRED_SSP3 0x000001d3 /* Stack level 3 shadow stack pointer in ring 0 */ +#define MSR_IA32_FRED_CONFIG 0x000001d4 /* FRED Entrypoint and interrupt stack level */ + #define MSR_IA32_BNDCFGS 0x00000d90 #define MSR_IA32_XSS 0x00000da0 #define MSR_IA32_UMWAIT_CONTROL 0xe1 @@ -1634,6 +1645,17 @@ typedef struct CPUX86State { target_ulong cstar; target_ulong fmask; target_ulong kernelgsbase; + + /* FRED MSRs */ + uint64_t fred_rsp0; + uint64_t fred_rsp1; + uint64_t fred_rsp2; + uint64_t fred_rsp3; + uint64_t fred_stklvls; + uint64_t fred_ssp1; + uint64_t fred_ssp2; + uint64_t fred_ssp3; + uint64_t fred_config; #endif uint64_t tsc; diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c index 1c019f2f98..47cbc7f5c2 100644 --- a/target/i386/kvm/kvm.c +++ b/target/i386/kvm/kvm.c @@ -3106,6 +3106,17 @@ static int kvm_put_msrs(X86CPU *cpu, int level) kvm_msr_entry_add(cpu, MSR_KERNELGSBASE, env->kernelgsbase); kvm_msr_entry_add(cpu, MSR_FMASK, env->fmask); kvm_msr_entry_add(cpu, MSR_LSTAR, env->lstar); + if (env->features[FEAT_7_1_EAX] & CPUID_7_1_EAX_FRED) { + kvm_msr_entry_add(cpu, MSR_IA32_FRED_RSP0, env->fred_rsp0); + kvm_msr_entry_add(cpu, MSR_IA32_FRED_RSP1, env->fred_rsp1); + kvm_msr_entry_add(cpu, MSR_IA32_FRED_RSP2, env->fred_rsp2); + kvm_msr_entry_add(cpu, MSR_IA32_FRED_RSP3, env->fred_rsp3); + kvm_msr_entry_add(cpu, MSR_IA32_FRED_STKLVLS, env->fred_stklvls); + kvm_msr_entry_add(cpu, MSR_IA32_FRED_SSP1, env->fred_ssp1); + kvm_msr_entry_add(cpu, MSR_IA32_FRED_SSP2, env->fred_ssp2); + kvm_msr_entry_add(cpu, MSR_IA32_FRED_SSP3, env->fred_ssp3); + kvm_msr_entry_add(cpu, MSR_IA32_FRED_CONFIG, env->fred_config); + } } #endif @@ -3532,6 +3543,17 @@ static int kvm_get_msrs(X86CPU *cpu) kvm_msr_entry_add(cpu, MSR_KERNELGSBASE, 0); kvm_msr_entry_add(cpu, MSR_FMASK, 0); kvm_msr_entry_add(cpu, MSR_LSTAR, 0); + if (env->features[FEAT_7_1_EAX] & CPUID_7_1_EAX_FRED) { + kvm_msr_entry_add(cpu, MSR_IA32_FRED_RSP0, 0); + kvm_msr_entry_add(cpu, MSR_IA32_FRED_RSP1, 0); + kvm_msr_entry_add(cpu, MSR_IA32_FRED_RSP2, 0); + kvm_msr_entry_add(cpu, MSR_IA32_FRED_RSP3, 0); + kvm_msr_entry_add(cpu, MSR_IA32_FRED_STKLVLS, 0); + kvm_msr_entry_add(cpu, MSR_IA32_FRED_SSP1, 0); + kvm_msr_entry_add(cpu, MSR_IA32_FRED_SSP2, 0); + kvm_msr_entry_add(cpu, MSR_IA32_FRED_SSP3, 0); + kvm_msr_entry_add(cpu, MSR_IA32_FRED_CONFIG, 0); + } } #endif kvm_msr_entry_add(cpu, MSR_KVM_SYSTEM_TIME, 0); @@ -3733,6 +3755,33 @@ static int kvm_get_msrs(X86CPU *cpu) case MSR_LSTAR: env->lstar = msrs[i].data; break; + case MSR_IA32_FRED_RSP0: + env->fred_rsp0 = msrs[i].data; + break; + case MSR_IA32_FRED_RSP1: + env->fred_rsp1 = msrs[i].data; + break; + case MSR_IA32_FRED_RSP2: + env->fred_rsp2 = msrs[i].data; + break; + case MSR_IA32_FRED_RSP3: + env->fred_rsp3 = msrs[i].data; + break; + case MSR_IA32_FRED_STKLVLS: + env->fred_stklvls = msrs[i].data; + break; + case MSR_IA32_FRED_SSP1: + env->fred_ssp1 = msrs[i].data; + break; + case MSR_IA32_FRED_SSP2: + env->fred_ssp2 = msrs[i].data; + break; + case MSR_IA32_FRED_SSP3: + env->fred_ssp3 = msrs[i].data; + break; + case MSR_IA32_FRED_CONFIG: + env->fred_config = msrs[i].data; + break; #endif case MSR_IA32_TSC: env->tsc = msrs[i].data; diff --git a/target/i386/machine.c b/target/i386/machine.c index 41cf5c0053..3a752f4e75 100644 --- a/target/i386/machine.c +++ b/target/i386/machine.c @@ -1476,6 +1476,33 @@ static const VMStateDescription vmstate_msr_xfd = { }; #ifdef TARGET_X86_64 +static bool intel_fred_msrs_needed(void *opaque) +{ + X86CPU *cpu = opaque; + CPUX86State *env = &cpu->env; + + return !!(env->features[FEAT_7_1_EAX] & CPUID_7_1_EAX_FRED); +} + +static const VMStateDescription vmstate_msr_fred = { + .name = "cpu/fred", + .version_id = 1, + .minimum_version_id = 1, + .needed = intel_fred_msrs_needed, + .fields = (VMStateField[]) { + VMSTATE_UINT64(env.fred_rsp0, X86CPU), + VMSTATE_UINT64(env.fred_rsp1, X86CPU), + VMSTATE_UINT64(env.fred_rsp2, X86CPU), + VMSTATE_UINT64(env.fred_rsp3, X86CPU), + VMSTATE_UINT64(env.fred_stklvls, X86CPU), + VMSTATE_UINT64(env.fred_ssp1, X86CPU), + VMSTATE_UINT64(env.fred_ssp2, X86CPU), + VMSTATE_UINT64(env.fred_ssp3, X86CPU), + VMSTATE_UINT64(env.fred_config, X86CPU), + VMSTATE_END_OF_LIST() + } + }; + static bool amx_xtile_needed(void *opaque) { X86CPU *cpu = opaque; @@ -1656,6 +1683,7 @@ const VMStateDescription vmstate_x86_cpu = { &vmstate_msr_intel_sgx, &vmstate_msr_xfd, #ifdef TARGET_X86_64 + &vmstate_msr_fred, &vmstate_amx_xtile, #endif &vmstate_triple_fault, -- Gitee From b3200674c3c59bfc04722c9ae04c306c0315e49c Mon Sep 17 00:00:00 2001 From: "Xin Li (Intel)" Date: Wed, 7 Aug 2024 01:18:10 -0700 Subject: [PATCH 14/24] target/i386: Delete duplicated macro definition CR4_FRED_MASK commit a23bc6539890d8b27458cf56bc4ed0e0d3c2de3e upstream. Macro CR4_FRED_MASK is defined twice, delete one. Intel-SIG: commit a23bc6539890 target/i386: Delete duplicated macro definition CR4_FRED_MASK Signed-off-by: Xin Li (Intel) Link: https://lore.kernel.org/r/20240807081813.735158-2-xin@zytor.com Signed-off-by: Paolo Bonzini Signed-off-by: Jason Zeng --- target/i386/cpu.h | 6 ------ 1 file changed, 6 deletions(-) diff --git a/target/i386/cpu.h b/target/i386/cpu.h index d85d4a3bf7..c9acb2863a 100644 --- a/target/i386/cpu.h +++ b/target/i386/cpu.h @@ -262,12 +262,6 @@ typedef enum X86Seg { #define CR4_FRED_MASK 0 #endif -#ifdef TARGET_X86_64 -#define CR4_FRED_MASK (1ULL << 32) -#else -#define CR4_FRED_MASK 0 -#endif - #define CR4_RESERVED_MASK \ (~(target_ulong)(CR4_VME_MASK | CR4_PVI_MASK | CR4_TSD_MASK \ | CR4_DE_MASK | CR4_PSE_MASK | CR4_PAE_MASK \ -- Gitee From d4d23c2148c334a06f2e94e7ce8816a3dfab5d73 Mon Sep 17 00:00:00 2001 From: "Xin Li (Intel)" Date: Wed, 7 Aug 2024 01:18:11 -0700 Subject: [PATCH 15/24] target/i386: Add VMX control bits for nested FRED support commit 7c6ec5bc5fea92a4ddea3f0189e3a7e7588e1d19 upstream. Add definitions of 1) VM-exit activate secondary controls bit 2) VM-entry load FRED bit which are required to enable nested FRED. Intel-SIG: commit 7c6ec5bc5fea target/i386: Add VMX control bits for nested FRED support Reviewed-by: Zhao Liu Signed-off-by: Xin Li (Intel) Link: https://lore.kernel.org/r/20240807081813.735158-3-xin@zytor.com Signed-off-by: Paolo Bonzini Signed-off-by: Jason Zeng --- target/i386/cpu.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/target/i386/cpu.c b/target/i386/cpu.c index 11fa375527..bbf2d77e3a 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c @@ -1174,7 +1174,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = { "vmx-exit-save-efer", "vmx-exit-load-efer", "vmx-exit-save-preemption-timer", "vmx-exit-clear-bndcfgs", NULL, "vmx-exit-clear-rtit-ctl", NULL, NULL, - NULL, "vmx-exit-load-pkrs", NULL, NULL, + NULL, "vmx-exit-load-pkrs", NULL, "vmx-exit-secondary-ctls", }, .msr = { .index = MSR_IA32_VMX_TRUE_EXIT_CTLS, @@ -1189,7 +1189,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = { NULL, "vmx-entry-ia32e-mode", NULL, NULL, NULL, "vmx-entry-load-perf-global-ctrl", "vmx-entry-load-pat", "vmx-entry-load-efer", "vmx-entry-load-bndcfgs", NULL, "vmx-entry-load-rtit-ctl", NULL, - NULL, NULL, "vmx-entry-load-pkrs", NULL, + NULL, NULL, "vmx-entry-load-pkrs", "vmx-entry-load-fred", NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, }, -- Gitee From 264b97f176447befa012ee04f194680eaf21e7f1 Mon Sep 17 00:00:00 2001 From: Lei Wang Date: Wed, 7 Aug 2024 01:18:12 -0700 Subject: [PATCH 16/24] target/i386: Raise the highest index value used for any VMCS encoding commit ab891454ebe82f7e359be721007652556f9f8356 upstream. Because the index value of the VMCS field encoding of FRED injected-event data (one of the newly added VMCS fields for FRED transitions), 0x52, is larger than any existing index value, raise the highest index value used for any VMCS encoding to 0x52. Because the index value of the VMCS field encoding of Secondary VM-exit controls, 0x44, is larger than any existing index value, raise the highest index value used for any VMCS encoding to 0x44. Intel-SIG: commit ab891454ebe8 target/i386: Raise the highest index value used for any VMCS encoding Co-developed-by: Xin Li Signed-off-by: Xin Li Signed-off-by: Lei Wang Signed-off-by: Xin Li (Intel) Link: https://lore.kernel.org/r/20240807081813.735158-4-xin@zytor.com Signed-off-by: Paolo Bonzini Signed-off-by: Jason Zeng --- target/i386/cpu.h | 1 + target/i386/kvm/kvm.c | 9 ++++++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/target/i386/cpu.h b/target/i386/cpu.h index c9acb2863a..877299c811 100644 --- a/target/i386/cpu.h +++ b/target/i386/cpu.h @@ -1144,6 +1144,7 @@ uint64_t x86_cpu_get_supported_feature_word(FeatureWord w, #define VMX_VM_EXIT_PT_CONCEAL_PIP 0x01000000 #define VMX_VM_EXIT_CLEAR_IA32_RTIT_CTL 0x02000000 #define VMX_VM_EXIT_LOAD_IA32_PKRS 0x20000000 +#define VMX_VM_EXIT_ACTIVATE_SECONDARY_CONTROLS 0x80000000 #define VMX_VM_ENTRY_LOAD_DEBUG_CONTROLS 0x00000004 #define VMX_VM_ENTRY_IA32E_MODE 0x00000200 diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c index 47cbc7f5c2..bc25381ffc 100644 --- a/target/i386/kvm/kvm.c +++ b/target/i386/kvm/kvm.c @@ -2969,7 +2969,14 @@ static void kvm_msr_entry_add_vmx(X86CPU *cpu, FeatureWordArray f) kvm_msr_entry_add(cpu, MSR_IA32_VMX_CR4_FIXED0, CR4_VMXE_MASK); - if (f[FEAT_VMX_SECONDARY_CTLS] & VMX_SECONDARY_EXEC_TSC_SCALING) { + if (f[FEAT_7_1_EAX] & CPUID_7_1_EAX_FRED) { + /* FRED injected-event data (0x2052). */ + kvm_msr_entry_add(cpu, MSR_IA32_VMX_VMCS_ENUM, 0x52); + } else if (f[FEAT_VMX_EXIT_CTLS] & + VMX_VM_EXIT_ACTIVATE_SECONDARY_CONTROLS) { + /* Secondary VM-exit controls (0x2044). */ + kvm_msr_entry_add(cpu, MSR_IA32_VMX_VMCS_ENUM, 0x44); + } else if (f[FEAT_VMX_SECONDARY_CTLS] & VMX_SECONDARY_EXEC_TSC_SCALING) { /* TSC multiplier (0x2032). */ kvm_msr_entry_add(cpu, MSR_IA32_VMX_VMCS_ENUM, 0x32); } else { -- Gitee From d8292b56d13c4a40fc66680d9e432444fe4bd45a Mon Sep 17 00:00:00 2001 From: Chao Gao Date: Thu, 19 Sep 2024 13:10:11 +0800 Subject: [PATCH 17/24] target/i386: Add more features enumerated by CPUID.7.2.EDX commit 10eaf9c0fb7060f45807becbb2742a9de9bc3632 upstream. Following 5 bits in CPUID.7.2.EDX are supported by KVM. Add their supports in QEMU. Each of them indicates certain bits of IA32_SPEC_CTRL are supported. Those bits can control CPU speculation behavior which can be used to defend against side-channel attacks. bit0: intel-psfd if 1, indicates bit 7 of the IA32_SPEC_CTRL MSR is supported. Bit 7 of this MSR disables Fast Store Forwarding Predictor without disabling Speculative Store Bypass bit1: ipred-ctrl If 1, indicates bits 3 and 4 of the IA32_SPEC_CTRL MSR are supported. Bit 3 of this MSR enables IPRED_DIS control for CPL3. Bit 4 of this MSR enables IPRED_DIS control for CPL0/1/2 bit2: rrsba-ctrl If 1, indicates bits 5 and 6 of the IA32_SPEC_CTRL MSR are supported. Bit 5 of this MSR disables RRSBA behavior for CPL3. Bit 6 of this MSR disables RRSBA behavior for CPL0/1/2 bit3: ddpd-u If 1, indicates bit 8 of the IA32_SPEC_CTRL MSR is supported. Bit 8 of this MSR disables Data Dependent Prefetcher. bit4: bhi-ctrl if 1, indicates bit 10 of the IA32_SPEC_CTRL MSR is supported. Bit 10 of this MSR enables BHI_DIS_S behavior. Intel-SIG: commit 10eaf9c0fb70 target/i386: Add more features enumerated by CPUID.7.2.EDX Signed-off-by: Chao Gao Link: https://lore.kernel.org/r/20240919051011.118309-1-chao.gao@intel.com Signed-off-by: Paolo Bonzini Conflicts: target/i386/cpu.c [jz: resolve context conflict due to different order than upstream between two feature word: FEAT_7_1_EDX and FEAT_7_2_EDX. We happen to put FEAT_7_2_EDX before FEAT_7_1_EDX] Signed-off-by: Jason Zeng --- target/i386/cpu.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/target/i386/cpu.c b/target/i386/cpu.c index bbf2d77e3a..88e7bbca03 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c @@ -891,8 +891,8 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = { [FEAT_7_2_EDX] = { .type = CPUID_FEATURE_WORD, .feat_names = { - NULL, NULL, NULL, NULL, - NULL, "mcdt-no", NULL, NULL, + "intel-psfd", "ipred-ctrl", "rrsba-ctrl", "ddpd-u", + "bhi-ctrl", "mcdt-no", NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, -- Gitee From 145ce76b656d6e0c9922139d11b11d5c399814b3 Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Thu, 27 Jun 2024 01:12:42 +0200 Subject: [PATCH 18/24] target/i386: pass X86CPU to x86_cpu_get_supported_feature_word commit 8dee38483274bd0fcf3f74dea024d719b958200d upstream. This allows modifying the bits in "-cpu max"/"-cpu host" depending on the guest CPU vendor (which, at least by default, is the host vendor in the case of KVM). For example, machine check architecture differs between Intel and AMD, and bits from AMD should be dropped when configuring the guest for an Intel model. Intel-SIG: commit 8dee38483274 target/i386: pass X86CPU to x86_cpu_get_supported_feature_word Cc: Xiaoyao Li Cc: John Allen Signed-off-by: Paolo Bonzini Conflicts: target/i386/cpu.c [jz: resolve conflict due to LBR support not backported] Signed-off-by: Jason Zeng --- target/i386/cpu.c | 9 ++++----- target/i386/cpu.h | 3 +-- target/i386/kvm/kvm-cpu.c | 2 +- 3 files changed, 6 insertions(+), 8 deletions(-) diff --git a/target/i386/cpu.c b/target/i386/cpu.c index 88e7bbca03..9ef5e778e1 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c @@ -5834,8 +5834,7 @@ CpuDefinitionInfoList *qmp_query_cpu_definitions(Error **errp) return cpu_list; } -uint64_t x86_cpu_get_supported_feature_word(FeatureWord w, - bool migratable_only) +uint64_t x86_cpu_get_supported_feature_word(X86CPU *cpu, FeatureWord w) { FeatureWordInfo *wi = &feature_word_info[w]; uint64_t r = 0; @@ -5869,7 +5868,7 @@ uint64_t x86_cpu_get_supported_feature_word(FeatureWord w, r &= ~CPUID_EXT2_LM; } #endif - if (migratable_only) { + if (cpu && cpu->migratable) { r &= x86_cpu_get_migratable_flags(w); } return r; @@ -7110,7 +7109,7 @@ void x86_cpu_expand_features(X86CPU *cpu, Error **errp) * by the user. */ env->features[w] |= - x86_cpu_get_supported_feature_word(w, cpu->migratable) & + x86_cpu_get_supported_feature_word(cpu, w) & ~env->user_features[w] & ~feature_word_info[w].no_autoenable_flags; } @@ -7236,7 +7235,7 @@ static void x86_cpu_filter_features(X86CPU *cpu, bool verbose) for (w = 0; w < FEATURE_WORDS; w++) { uint64_t host_feat = - x86_cpu_get_supported_feature_word(w, false); + x86_cpu_get_supported_feature_word(NULL, w); uint64_t requested_features = env->features[w]; uint64_t unavailable_features = requested_features & ~host_feat; mark_unavailable_features(cpu, w, unavailable_features, prefix); diff --git a/target/i386/cpu.h b/target/i386/cpu.h index 877299c811..4a2d2d4ee2 100644 --- a/target/i386/cpu.h +++ b/target/i386/cpu.h @@ -637,8 +637,7 @@ typedef enum FeatureWord { } FeatureWord; typedef uint64_t FeatureWordArray[FEATURE_WORDS]; -uint64_t x86_cpu_get_supported_feature_word(FeatureWord w, - bool migratable_only); +uint64_t x86_cpu_get_supported_feature_word(X86CPU *cpu, FeatureWord w); /* cpuid_features bits */ #define CPUID_FP87 (1U << 0) diff --git a/target/i386/kvm/kvm-cpu.c b/target/i386/kvm/kvm-cpu.c index 7237378a7d..ea188c2b5f 100644 --- a/target/i386/kvm/kvm-cpu.c +++ b/target/i386/kvm/kvm-cpu.c @@ -102,7 +102,7 @@ static void kvm_cpu_xsave_init(void) if (!esa->size) { continue; } - if ((x86_cpu_get_supported_feature_word(esa->feature, false) & esa->bits) + if ((x86_cpu_get_supported_feature_word(NULL, esa->feature) & esa->bits) != esa->bits) { continue; } -- Gitee From 2c96c55a7428c178a84b1ce93210a5ff3f8633b4 Mon Sep 17 00:00:00 2001 From: Xiaoyao Li Date: Wed, 24 Jan 2024 21:40:15 -0500 Subject: [PATCH 19/24] i386/cpuid: Remove subleaf constraint on CPUID leaf 1F commit a3b5376521a0de898440e8d0942b54e628f0949f upstream. No such constraint that subleaf index needs to be less than 64. Intel-SIG: commit a3b5376521a0 i386/cpuid: Remove subleaf constraint on CPUID leaf 1F Signed-off-by: Xiaoyao Li Reviewed-by:Yang Weijiang Message-ID: <20240125024016.2521244-3-xiaoyao.li@intel.com> Signed-off-by: Paolo Bonzini Signed-off-by: Jason Zeng --- target/i386/kvm/kvm.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c index bc25381ffc..3e022d8ebd 100644 --- a/target/i386/kvm/kvm.c +++ b/target/i386/kvm/kvm.c @@ -1795,10 +1795,6 @@ int kvm_arch_init_vcpu(CPUState *cs) break; } - if (i == 0x1f && j == 64) { - break; - } - c->function = i; c->flags = KVM_CPUID_FLAG_SIGNIFCANT_INDEX; c->index = j; -- Gitee From b0ea064b203a6d2ba56289c3acccb30bbd921faa Mon Sep 17 00:00:00 2001 From: Xiaoyao Li Date: Wed, 14 Aug 2024 03:54:23 -0400 Subject: [PATCH 20/24] target/i386: Don't construct a all-zero entry for CPUID[0xD 0x3f] commit 00c8a933d95add3ce4afebbe491ca0fa398a9007 upstream. Currently, QEMU always constructs a all-zero CPUID entry for CPUID[0xD 0x3f]. It's meaningless to construct such a leaf as the end of leaf 0xD. Rework the logic of how subleaves of 0xD are constructed to get rid of such all-zero value of subleaf 0x3f. Intel-SIG: commit 00c8a933d95a target/i386: Don't construct a all-zero entry for CPUID[0xD 0x3f] Signed-off-by: Xiaoyao Li Link: https://lore.kernel.org/r/20240814075431.339209-2-xiaoyao.li@intel.com Signed-off-by: Paolo Bonzini Signed-off-by: Jason Zeng --- target/i386/kvm/kvm.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c index 3e022d8ebd..f740113c93 100644 --- a/target/i386/kvm/kvm.c +++ b/target/i386/kvm/kvm.c @@ -1791,10 +1791,6 @@ int kvm_arch_init_vcpu(CPUState *cs) case 0xb: case 0xd: for (j = 0; ; j++) { - if (i == 0xd && j == 64) { - break; - } - c->function = i; c->flags = KVM_CPUID_FLAG_SIGNIFCANT_INDEX; c->index = j; @@ -1810,7 +1806,12 @@ int kvm_arch_init_vcpu(CPUState *cs) break; } if (i == 0xd && c->eax == 0) { - continue; + if (j < 63) { + continue; + } else { + cpuid_i--; + break; + } } if (cpuid_i == KVM_MAX_CPUID_ENTRIES) { fprintf(stderr, "cpuid_data is full, no space for " -- Gitee From 360b0616352b405e128077ed0897a8ab903d39b8 Mon Sep 17 00:00:00 2001 From: Xiaoyao Li Date: Wed, 14 Aug 2024 03:54:24 -0400 Subject: [PATCH 21/24] target/i386: Enable fdp-excptn-only and zero-fcs-fds commit 7dddc3bb875e7141ab25931d0f30a1c319bc8457 upstream. - CPUID.(EAX=07H,ECX=0H):EBX[bit 6]: x87 FPU Data Pointer updated only on x87 exceptions if 1. - CPUID.(EAX=07H,ECX=0H):EBX[bit 13]: Deprecates FPU CS and FPU DS values if 1. i.e., X87 FCS and FDS are always zero. Define names for them so that they can be exposed to guest with -cpu host. Also define the bit field MACROs so that named cpu models can add it as well in the future. Intel-SIG: commit 7dddc3bb875e target/i386: Enable fdp-excptn-only and zero-fcs-fds Signed-off-by: Xiaoyao Li Link: https://lore.kernel.org/r/20240814075431.339209-3-xiaoyao.li@intel.com Signed-off-by: Paolo Bonzini Signed-off-by: Jason Zeng --- target/i386/cpu.c | 4 ++-- target/i386/cpu.h | 4 ++++ 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/target/i386/cpu.c b/target/i386/cpu.c index 9ef5e778e1..1582176e63 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c @@ -816,9 +816,9 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = { .type = CPUID_FEATURE_WORD, .feat_names = { "fsgsbase", "tsc-adjust", "sgx", "bmi1", - "hle", "avx2", NULL, "smep", + "hle", "avx2", "fdp-excptn-only", "smep", "bmi2", "erms", "invpcid", "rtm", - NULL, NULL, "mpx", NULL, + NULL, "zero-fcs-fds", "mpx", NULL, "avx512f", "avx512dq", "rdseed", "adx", "smap", "avx512ifma", "pcommit", "clflushopt", "clwb", "intel-pt", "avx512pf", "avx512er", diff --git a/target/i386/cpu.h b/target/i386/cpu.h index 4a2d2d4ee2..e3babc9dd9 100644 --- a/target/i386/cpu.h +++ b/target/i386/cpu.h @@ -791,6 +791,8 @@ uint64_t x86_cpu_get_supported_feature_word(X86CPU *cpu, FeatureWord w); #define CPUID_7_0_EBX_HLE (1U << 4) /* Intel Advanced Vector Extensions 2 */ #define CPUID_7_0_EBX_AVX2 (1U << 5) +/* FPU data pointer updated only on x87 exceptions */ +#define CPUID_7_0_EBX_FDP_EXCPTN_ONLY (1u << 6) /* Supervisor-mode Execution Prevention */ #define CPUID_7_0_EBX_SMEP (1U << 7) /* 2nd Group of Advanced Bit Manipulation Extensions */ @@ -801,6 +803,8 @@ uint64_t x86_cpu_get_supported_feature_word(X86CPU *cpu, FeatureWord w); #define CPUID_7_0_EBX_INVPCID (1U << 10) /* Restricted Transactional Memory */ #define CPUID_7_0_EBX_RTM (1U << 11) +/* Zero out FPU CS and FPU DS */ +#define CPUID_7_0_EBX_ZERO_FCS_FDS (1U << 13) /* Memory Protection Extension */ #define CPUID_7_0_EBX_MPX (1U << 14) /* AVX-512 Foundation */ -- Gitee From 32f32817d1133b4ed9e683f9b4a745f14d931bd7 Mon Sep 17 00:00:00 2001 From: Xiaoyao Li Date: Wed, 14 Aug 2024 03:54:27 -0400 Subject: [PATCH 22/24] target/i386: Construct CPUID 2 as stateful iff times > 1 commit 5ab639141b6d916a6f4041d4ec46f2f1a1e4a365 upstream. When times == 1, the CPUID leaf 2 is not stateful. Intel-SIG: commit 5ab639141b6d target/i386: Construct CPUID 2 as stateful iff times > 1 Signed-off-by: Xiaoyao Li Link: https://lore.kernel.org/r/20240814075431.339209-6-xiaoyao.li@intel.com Signed-off-by: Paolo Bonzini Signed-off-by: Jason Zeng --- target/i386/kvm/kvm.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c index f740113c93..6febb5d677 100644 --- a/target/i386/kvm/kvm.c +++ b/target/i386/kvm/kvm.c @@ -1763,10 +1763,12 @@ int kvm_arch_init_vcpu(CPUState *cs) int times; c->function = i; - c->flags = KVM_CPUID_FLAG_STATEFUL_FUNC | - KVM_CPUID_FLAG_STATE_READ_NEXT; cpu_x86_cpuid(env, i, 0, &c->eax, &c->ebx, &c->ecx, &c->edx); times = c->eax & 0xff; + if (times > 1) { + c->flags = KVM_CPUID_FLAG_STATEFUL_FUNC | + KVM_CPUID_FLAG_STATE_READ_NEXT; + } for (j = 1; j < times; ++j) { if (cpuid_i == KVM_MAX_CPUID_ENTRIES) { -- Gitee From 868ddc72781b803934dfabff4b3b5dfeec1c024a Mon Sep 17 00:00:00 2001 From: Xiaoyao Li Date: Wed, 14 Aug 2024 03:54:31 -0400 Subject: [PATCH 23/24] target/i386: Make invtsc migratable when user sets tsc-khz explicitly commit 87c88db3143e91076d167a62dd7febf49afca8a2 upstream. When user sets tsc-frequency explicitly, the invtsc feature is actually migratable because the tsc-frequency is supposed to be fixed during the migration. See commit d99569d9d856 ("kvm: Allow invtsc migration if tsc-khz is set explicitly") for referrence. Intel-SIG: commit 87c88db3143e target/i386: Make invtsc migratable when user sets tsc-khz explicitly Signed-off-by: Xiaoyao Li Link: https://lore.kernel.org/r/20240814075431.339209-10-xiaoyao.li@intel.com Signed-off-by: Paolo Bonzini Signed-off-by: Jason Zeng --- target/i386/cpu.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/target/i386/cpu.c b/target/i386/cpu.c index 1582176e63..6c219c4b9b 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c @@ -1576,9 +1576,10 @@ static inline uint64_t x86_cpu_xsave_xss_components(X86CPU *cpu) * Returns the set of feature flags that are supported and migratable by * QEMU, for a given FeatureWord. */ -static uint64_t x86_cpu_get_migratable_flags(FeatureWord w) +static uint64_t x86_cpu_get_migratable_flags(X86CPU *cpu, FeatureWord w) { FeatureWordInfo *wi = &feature_word_info[w]; + CPUX86State *env = &cpu->env; uint64_t r = 0; int i; @@ -1592,6 +1593,12 @@ static uint64_t x86_cpu_get_migratable_flags(FeatureWord w) r |= f; } } + + /* when tsc-khz is set explicitly, invtsc is migratable */ + if ((w == FEAT_8000_0007_EDX) && env->user_tsc_khz) { + r |= CPUID_APM_INVTSC; + } + return r; } @@ -5869,7 +5876,7 @@ uint64_t x86_cpu_get_supported_feature_word(X86CPU *cpu, FeatureWord w) } #endif if (cpu && cpu->migratable) { - r &= x86_cpu_get_migratable_flags(w); + r &= x86_cpu_get_migratable_flags(cpu, w); } return r; } -- Gitee From 64a159744b4ba3b869083644f6950df7293db2fe Mon Sep 17 00:00:00 2001 From: Han Han Date: Thu, 19 Dec 2024 16:51:38 +0800 Subject: [PATCH 24/24] target/i386/cpu: Fix notes for CPU models commit 93dcc9390e5ad0696ae7e9b7b3a5b08c2d1b6de6 upstream. Intel-SIG: commit 93dcc9390e5a target/i386/cpu: Fix notes for CPU models Fixes: 644e3c5d812 ("missing vmx features for Skylake-Server and Cascadelake-Server") Signed-off-by: Han Han Reviewed-by: Chenyi Qiang Reviewed-by: Michael Tokarev Signed-off-by: Michael Tokarev Signed-off-by: Jason Zeng --- target/i386/cpu.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/target/i386/cpu.c b/target/i386/cpu.c index 6c219c4b9b..285598cc3e 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c @@ -3314,6 +3314,7 @@ static const X86CPUDefinition builtin_x86_defs[] = { }, { .version = 4, + .note = "IBRS, EPT switching, no TSX", .props = (PropValue[]) { { "vmx-eptp-switching", "on" }, { /* end of list */ } @@ -3448,7 +3449,7 @@ static const X86CPUDefinition builtin_x86_defs[] = { }, }, { .version = 4, - .note = "ARCH_CAPABILITIES, no TSX", + .note = "ARCH_CAPABILITIES, EPT switching, no TSX", .props = (PropValue[]) { { "vmx-eptp-switching", "on" }, { /* end of list */ } -- Gitee