Commit a6bb5709 authored by Sean Christopherson's avatar Sean Christopherson
Browse files

KVM: SVM: Don't try to pointlessly single-step SEV-ES guests for NMI window 



Bail early from svm_enable_nmi_window() for SEV-ES guests without trying
to enable single-step of the guest, as single-stepping an SEV-ES guest is
impossible and the guest is responsible for *telling* KVM when it is ready
for an new NMI to be injected.

Functionally, setting TF and RF in svm->vmcb->save.rflags is benign as the
field is ignored by hardware, but it's all kinds of confusing.

Signed-off-by: default avatarAlexey Kardashevskiy <aik@amd.com>
Link: https://lore.kernel.org/r/20230615063757.3039121-10-aik@amd.com


Signed-off-by: default avatarSean Christopherson <seanjc@google.com>
parent 389fbbec

arch/x86/kvm/svm/svm.c

+13 −0
Original line number Diff line number Diff line
@@ -3802,6 +3802,19 @@ static void svm_enable_nmi_window(struct kvm_vcpu *vcpu) 
	if (svm_get_nmi_mask(vcpu) && !svm->awaiting_iret_completion)

		return; /* IRET will cause a vm exit */



	/*

	 * SEV-ES guests are responsible for signaling when a vCPU is ready to

	 * receive a new NMI, as SEV-ES guests can't be single-stepped, i.e.

	 * KVM can't intercept and single-step IRET to detect when NMIs are

	 * unblocked (architecturally speaking).  See SVM_VMGEXIT_NMI_COMPLETE.

	 *

	 * Note, GIF is guaranteed to be '1' for SEV-ES guests as hardware

	 * ignores SEV-ES guest writes to EFER.SVME *and* CLGI/STGI are not

	 * supported NAEs in the GHCB protocol.

	 */

	if (sev_es_guest(vcpu->kvm))

		return;



	if (!gif_set(svm)) {

		if (vgif)

			svm_set_intercept(svm, INTERCEPT_STGI);