1
// SPDX-License-Identifier: GPL-2.0-only
2
#include <asm/msr-index.h>
3

4
#include <stdint.h>
5

6
#include "kvm_util.h"
7
#include "processor.h"
8

9
/* Use HYPERVISOR for MSRs that are emulated unconditionally (as is HYPERVISOR). */
10
#define X86_FEATURE_NONE X86_FEATURE_HYPERVISOR
11

12
struct kvm_msr {
13
	const struct kvm_x86_cpu_feature feature;
14
	const struct kvm_x86_cpu_feature feature2;
15
	const char *name;
16
	const u64 reset_val;
17
	const u64 write_val;
18
	const u64 rsvd_val;
19
	const u32 index;
20
	const bool is_kvm_defined;
21
};
22

23
#define ____MSR_TEST(msr, str, val, rsvd, reset, feat, f2, is_kvm)	\
24
{									\
25
	.index = msr,							\
26
	.name = str,							\
27
	.write_val = val,						\
28
	.rsvd_val = rsvd,						\
29
	.reset_val = reset,						\
30
	.feature = X86_FEATURE_ ##feat,					\
31
	.feature2 = X86_FEATURE_ ##f2,					\
32
	.is_kvm_defined = is_kvm,					\
33
}
34

35
#define __MSR_TEST(msr, str, val, rsvd, reset, feat)			\
36
	____MSR_TEST(msr, str, val, rsvd, reset, feat, feat, false)
37

38
#define MSR_TEST_NON_ZERO(msr, val, rsvd, reset, feat)			\
39
	__MSR_TEST(msr, #msr, val, rsvd, reset, feat)
40

41
#define MSR_TEST(msr, val, rsvd, feat)					\
42
	__MSR_TEST(msr, #msr, val, rsvd, 0, feat)
43

44
#define MSR_TEST2(msr, val, rsvd, feat, f2)				\
45
	____MSR_TEST(msr, #msr, val, rsvd, 0, feat, f2, false)
46

47
/*
48
 * Note, use a page aligned value for the canonical value so that the value
49
 * is compatible with MSRs that use bits 11:0 for things other than addresses.
50
 */
51
static const u64 canonical_val = 0x123456789000ull;
52

53
/*
54
 * Arbitrary value with bits set in every byte, but not all bits set.  This is
55
 * also a non-canonical value, but that's coincidental (any 64-bit value with
56
 * an alternating 0s/1s pattern will be non-canonical).
57
 */
58
static const u64 u64_val = 0xaaaa5555aaaa5555ull;
59

60
#define MSR_TEST_CANONICAL(msr, feat)					\
61
	__MSR_TEST(msr, #msr, canonical_val, NONCANONICAL, 0, feat)
62

63
#define MSR_TEST_KVM(msr, val, rsvd, feat)				\
64
	____MSR_TEST(KVM_REG_ ##msr, #msr, val, rsvd, 0, feat, feat, true)
65

66
/*
67
 * The main struct must be scoped to a function due to the use of structures to
68
 * define features.  For the global structure, allocate enough space for the
69
 * foreseeable future without getting too ridiculous, to minimize maintenance
70
 * costs (bumping the array size every time an MSR is added is really annoying).
71
 */
72
static struct kvm_msr msrs[128];
73
static int idx;
74

75
static bool ignore_unsupported_msrs;
76

77
static u64 fixup_rdmsr_val(u32 msr, u64 want)
78
{
79
	/*
80
	 * AMD CPUs drop bits 63:32 on some MSRs that Intel CPUs support.  KVM
81
	 * is supposed to emulate that behavior based on guest vendor model
82
	 * (which is the same as the host vendor model for this test).
83
	 */
84
	if (!host_cpu_is_amd)
85
		return want;
86

87
	switch (msr) {
88
	case MSR_IA32_SYSENTER_ESP:
89
	case MSR_IA32_SYSENTER_EIP:
90
	case MSR_TSC_AUX:
91
		return want & GENMASK_ULL(31, 0);
92
	default:
93
		return want;
94
	}
95
}
96

97
static void __rdmsr(u32 msr, u64 want)
98
{
99
	u64 val;
100
	u8 vec;
101

102
	vec = rdmsr_safe(msr, &val);
103
	__GUEST_ASSERT(!vec, "Unexpected %s on RDMSR(0x%x)", ex_str(vec), msr);
104

105
	__GUEST_ASSERT(val == want, "Wanted 0x%lx from RDMSR(0x%x), got 0x%lx",
106
		       want, msr, val);
107
}
108

109
static void __wrmsr(u32 msr, u64 val)
110
{
111
	u8 vec;
112

113
	vec = wrmsr_safe(msr, val);
114
	__GUEST_ASSERT(!vec, "Unexpected %s on WRMSR(0x%x, 0x%lx)",
115
		       ex_str(vec), msr, val);
116
	__rdmsr(msr, fixup_rdmsr_val(msr, val));
117
}
118

119
static void guest_test_supported_msr(const struct kvm_msr *msr)
120
{
121
	__rdmsr(msr->index, msr->reset_val);
122
	__wrmsr(msr->index, msr->write_val);
123
	GUEST_SYNC(fixup_rdmsr_val(msr->index, msr->write_val));
124

125
	__rdmsr(msr->index, msr->reset_val);
126
}
127

128
static void guest_test_unsupported_msr(const struct kvm_msr *msr)
129
{
130
	u64 val;
131
	u8 vec;
132

133
	/*
134
	 * KVM's ABI with respect to ignore_msrs is a mess and largely beyond
135
	 * repair, just skip the unsupported MSR tests.
136
	 */
137
	if (ignore_unsupported_msrs)
138
		goto skip_wrmsr_gp;
139

140
	/*
141
	 * {S,U}_CET exist if IBT or SHSTK is supported, but with bits that are
142
	 * writable only if their associated feature is supported.  Skip the
143
	 * RDMSR #GP test if the secondary feature is supported, but perform
144
	 * the WRMSR #GP test as the to-be-written value is tied to the primary
145
	 * feature.  For all other MSRs, simply do nothing.
146
	 */
147
	if (this_cpu_has(msr->feature2)) {
148
		if  (msr->index != MSR_IA32_U_CET &&
149
		     msr->index != MSR_IA32_S_CET)
150
			goto skip_wrmsr_gp;
151

152
		goto skip_rdmsr_gp;
153
	}
154

155
	vec = rdmsr_safe(msr->index, &val);
156
	__GUEST_ASSERT(vec == GP_VECTOR, "Wanted #GP on RDMSR(0x%x), got %s",
157
		       msr->index, ex_str(vec));
158

159
skip_rdmsr_gp:
160
	vec = wrmsr_safe(msr->index, msr->write_val);
161
	__GUEST_ASSERT(vec == GP_VECTOR, "Wanted #GP on WRMSR(0x%x, 0x%lx), got %s",
162
		       msr->index, msr->write_val, ex_str(vec));
163

164
skip_wrmsr_gp:
165
	GUEST_SYNC(0);
166
}
167

168
void guest_test_reserved_val(const struct kvm_msr *msr)
169
{
170
	/* Skip reserved value checks as well, ignore_msrs is trully a mess. */
171
	if (ignore_unsupported_msrs)
172
		return;
173

174
	/*
175
	 * If the CPU will truncate the written value (e.g. SYSENTER on AMD),
176
	 * expect success and a truncated value, not #GP.
177
	 */
178
	if (!this_cpu_has(msr->feature) ||
179
	    msr->rsvd_val == fixup_rdmsr_val(msr->index, msr->rsvd_val)) {
180
		u8 vec = wrmsr_safe(msr->index, msr->rsvd_val);
181

182
		__GUEST_ASSERT(vec == GP_VECTOR,
183
			       "Wanted #GP on WRMSR(0x%x, 0x%lx), got %s",
184
			       msr->index, msr->rsvd_val, ex_str(vec));
185
	} else {
186
		__wrmsr(msr->index, msr->rsvd_val);
187
		__wrmsr(msr->index, msr->reset_val);
188
	}
189
}
190

191
static void guest_main(void)
192
{
193
	for (;;) {
194
		const struct kvm_msr *msr = &msrs[READ_ONCE(idx)];
195

196
		if (this_cpu_has(msr->feature))
197
			guest_test_supported_msr(msr);
198
		else
199
			guest_test_unsupported_msr(msr);
200

201
		if (msr->rsvd_val)
202
			guest_test_reserved_val(msr);
203

204
		GUEST_SYNC(msr->reset_val);
205
	}
206
}
207

208
static bool has_one_reg;
209
static bool use_one_reg;
210

211
#define KVM_X86_MAX_NR_REGS	1
212

213
static bool vcpu_has_reg(struct kvm_vcpu *vcpu, u64 reg)
214
{
215
	struct {
216
		struct kvm_reg_list list;
217
		u64 regs[KVM_X86_MAX_NR_REGS];
218
	} regs = {};
219
	int r, i;
220

221
	/*
222
	 * If KVM_GET_REG_LIST succeeds with n=0, i.e. there are no supported
223
	 * regs, then the vCPU obviously doesn't support the reg.
224
	 */
225
	r = __vcpu_ioctl(vcpu, KVM_GET_REG_LIST, &regs.list);
226
	if (!r)
227
		return false;
228

229
	TEST_ASSERT_EQ(errno, E2BIG);
230

231
	/*
232
	 * KVM x86 is expected to support enumerating a relative small number
233
	 * of regs.  The majority of registers supported by KVM_{G,S}ET_ONE_REG
234
	 * are enumerated via other ioctls, e.g. KVM_GET_MSR_INDEX_LIST.  For
235
	 * simplicity, hardcode the maximum number of regs and manually update
236
	 * the test as necessary.
237
	 */
238
	TEST_ASSERT(regs.list.n <= KVM_X86_MAX_NR_REGS,
239
		    "KVM reports %llu regs, test expects at most %u regs, stale test?",
240
		    regs.list.n, KVM_X86_MAX_NR_REGS);
241

242
	vcpu_ioctl(vcpu, KVM_GET_REG_LIST, &regs.list);
243
	for (i = 0; i < regs.list.n; i++) {
244
		if (regs.regs[i] == reg)
245
			return true;
246
	}
247

248
	return false;
249
}
250

251
static void host_test_kvm_reg(struct kvm_vcpu *vcpu)
252
{
253
	bool has_reg = vcpu_cpuid_has(vcpu, msrs[idx].feature);
254
	u64 reset_val = msrs[idx].reset_val;
255
	u64 write_val = msrs[idx].write_val;
256
	u64 rsvd_val = msrs[idx].rsvd_val;
257
	u32 reg = msrs[idx].index;
258
	u64 val;
259
	int r;
260

261
	if (!use_one_reg)
262
		return;
263

264
	TEST_ASSERT_EQ(vcpu_has_reg(vcpu, KVM_X86_REG_KVM(reg)), has_reg);
265

266
	if (!has_reg) {
267
		r = __vcpu_get_reg(vcpu, KVM_X86_REG_KVM(reg), &val);
268
		TEST_ASSERT(r && errno == EINVAL,
269
			    "Expected failure on get_reg(0x%x)", reg);
270
		rsvd_val = 0;
271
		goto out;
272
	}
273

274
	val = vcpu_get_reg(vcpu, KVM_X86_REG_KVM(reg));
275
	TEST_ASSERT(val == reset_val, "Wanted 0x%lx from get_reg(0x%x), got 0x%lx",
276
		    reset_val, reg, val);
277

278
	vcpu_set_reg(vcpu, KVM_X86_REG_KVM(reg), write_val);
279
	val = vcpu_get_reg(vcpu, KVM_X86_REG_KVM(reg));
280
	TEST_ASSERT(val == write_val, "Wanted 0x%lx from get_reg(0x%x), got 0x%lx",
281
		    write_val, reg, val);
282

283
out:
284
	r = __vcpu_set_reg(vcpu, KVM_X86_REG_KVM(reg), rsvd_val);
285
	TEST_ASSERT(r, "Expected failure on set_reg(0x%x, 0x%lx)", reg, rsvd_val);
286
}
287

288
static void host_test_msr(struct kvm_vcpu *vcpu, u64 guest_val)
289
{
290
	u64 reset_val = msrs[idx].reset_val;
291
	u32 msr = msrs[idx].index;
292
	u64 val;
293

294
	if (!kvm_cpu_has(msrs[idx].feature))
295
		return;
296

297
	val = vcpu_get_msr(vcpu, msr);
298
	TEST_ASSERT(val == guest_val, "Wanted 0x%lx from get_msr(0x%x), got 0x%lx",
299
		    guest_val, msr, val);
300

301
	if (use_one_reg)
302
		vcpu_set_reg(vcpu, KVM_X86_REG_MSR(msr), reset_val);
303
	else
304
		vcpu_set_msr(vcpu, msr, reset_val);
305

306
	val = vcpu_get_msr(vcpu, msr);
307
	TEST_ASSERT(val == reset_val, "Wanted 0x%lx from get_msr(0x%x), got 0x%lx",
308
		    reset_val, msr, val);
309

310
	if (!has_one_reg)
311
		return;
312

313
	val = vcpu_get_reg(vcpu, KVM_X86_REG_MSR(msr));
314
	TEST_ASSERT(val == reset_val, "Wanted 0x%lx from get_reg(0x%x), got 0x%lx",
315
		    reset_val, msr, val);
316
}
317

318
static void do_vcpu_run(struct kvm_vcpu *vcpu)
319
{
320
	struct ucall uc;
321

322
	for (;;) {
323
		vcpu_run(vcpu);
324

325
		switch (get_ucall(vcpu, &uc)) {
326
		case UCALL_SYNC:
327
			host_test_msr(vcpu, uc.args[1]);
328
			return;
329
		case UCALL_PRINTF:
330
			pr_info("%s", uc.buffer);
331
			break;
332
		case UCALL_ABORT:
333
			REPORT_GUEST_ASSERT(uc);
334
		case UCALL_DONE:
335
			TEST_FAIL("Unexpected UCALL_DONE");
336
		default:
337
			TEST_FAIL("Unexpected ucall: %lu", uc.cmd);
338
		}
339
	}
340
}
341

342
static void vcpus_run(struct kvm_vcpu **vcpus, const int NR_VCPUS)
343
{
344
	int i;
345

346
	for (i = 0; i < NR_VCPUS; i++)
347
		do_vcpu_run(vcpus[i]);
348
}
349

350
#define MISC_ENABLES_RESET_VAL (MSR_IA32_MISC_ENABLE_PEBS_UNAVAIL | MSR_IA32_MISC_ENABLE_BTS_UNAVAIL)
351

352
static void test_msrs(void)
353
{
354
	const struct kvm_msr __msrs[] = {
355
		MSR_TEST_NON_ZERO(MSR_IA32_MISC_ENABLE,
356
				  MISC_ENABLES_RESET_VAL | MSR_IA32_MISC_ENABLE_FAST_STRING,
357
				  MSR_IA32_MISC_ENABLE_FAST_STRING, MISC_ENABLES_RESET_VAL, NONE),
358
		MSR_TEST_NON_ZERO(MSR_IA32_CR_PAT, 0x07070707, 0, 0x7040600070406, NONE),
359

360
		/*
361
		 * TSC_AUX is supported if RDTSCP *or* RDPID is supported.  Add
362
		 * entries for each features so that TSC_AUX doesn't exists for
363
		 * the "unsupported" vCPU, and obviously to test both cases.
364
		 */
365
		MSR_TEST2(MSR_TSC_AUX, 0x12345678, u64_val, RDTSCP, RDPID),
366
		MSR_TEST2(MSR_TSC_AUX, 0x12345678, u64_val, RDPID, RDTSCP),
367

368
		MSR_TEST(MSR_IA32_SYSENTER_CS, 0x1234, 0, NONE),
369
		/*
370
		 * SYSENTER_{ESP,EIP} are technically non-canonical on Intel,
371
		 * but KVM doesn't emulate that behavior on emulated writes,
372
		 * i.e. this test will observe different behavior if the MSR
373
		 * writes are handed by hardware vs. KVM.  KVM's behavior is
374
		 * intended (though far from ideal), so don't bother testing
375
		 * non-canonical values.
376
		 */
377
		MSR_TEST(MSR_IA32_SYSENTER_ESP, canonical_val, 0, NONE),
378
		MSR_TEST(MSR_IA32_SYSENTER_EIP, canonical_val, 0, NONE),
379

380
		MSR_TEST_CANONICAL(MSR_FS_BASE, LM),
381
		MSR_TEST_CANONICAL(MSR_GS_BASE, LM),
382
		MSR_TEST_CANONICAL(MSR_KERNEL_GS_BASE, LM),
383
		MSR_TEST_CANONICAL(MSR_LSTAR, LM),
384
		MSR_TEST_CANONICAL(MSR_CSTAR, LM),
385
		MSR_TEST(MSR_SYSCALL_MASK, 0xffffffff, 0, LM),
386

387
		MSR_TEST2(MSR_IA32_S_CET, CET_SHSTK_EN, CET_RESERVED, SHSTK, IBT),
388
		MSR_TEST2(MSR_IA32_S_CET, CET_ENDBR_EN, CET_RESERVED, IBT, SHSTK),
389
		MSR_TEST2(MSR_IA32_U_CET, CET_SHSTK_EN, CET_RESERVED, SHSTK, IBT),
390
		MSR_TEST2(MSR_IA32_U_CET, CET_ENDBR_EN, CET_RESERVED, IBT, SHSTK),
391
		MSR_TEST_CANONICAL(MSR_IA32_PL0_SSP, SHSTK),
392
		MSR_TEST(MSR_IA32_PL0_SSP, canonical_val, canonical_val | 1, SHSTK),
393
		MSR_TEST_CANONICAL(MSR_IA32_PL1_SSP, SHSTK),
394
		MSR_TEST(MSR_IA32_PL1_SSP, canonical_val, canonical_val | 1, SHSTK),
395
		MSR_TEST_CANONICAL(MSR_IA32_PL2_SSP, SHSTK),
396
		MSR_TEST(MSR_IA32_PL2_SSP, canonical_val, canonical_val | 1, SHSTK),
397
		MSR_TEST_CANONICAL(MSR_IA32_PL3_SSP, SHSTK),
398
		MSR_TEST(MSR_IA32_PL3_SSP, canonical_val, canonical_val | 1, SHSTK),
399

400
		MSR_TEST_KVM(GUEST_SSP, canonical_val, NONCANONICAL, SHSTK),
401
	};
402

403
	const struct kvm_x86_cpu_feature feat_none = X86_FEATURE_NONE;
404
	const struct kvm_x86_cpu_feature feat_lm = X86_FEATURE_LM;
405

406
	/*
407
	 * Create three vCPUs, but run them on the same task, to validate KVM's
408
	 * context switching of MSR state.  Don't pin the task to a pCPU to
409
	 * also validate KVM's handling of cross-pCPU migration.  Use the full
410
	 * set of features for the first two vCPUs, but clear all features in
411
	 * third vCPU in order to test both positive and negative paths.
412
	 */
413
	const int NR_VCPUS = 3;
414
	struct kvm_vcpu *vcpus[NR_VCPUS];
415
	struct kvm_vm *vm;
416
	int i;
417

418
	kvm_static_assert(sizeof(__msrs) <= sizeof(msrs));
419
	kvm_static_assert(ARRAY_SIZE(__msrs) <= ARRAY_SIZE(msrs));
420
	memcpy(msrs, __msrs, sizeof(__msrs));
421

422
	ignore_unsupported_msrs = kvm_is_ignore_msrs();
423

424
	vm = vm_create_with_vcpus(NR_VCPUS, guest_main, vcpus);
425

426
	sync_global_to_guest(vm, msrs);
427
	sync_global_to_guest(vm, ignore_unsupported_msrs);
428

429
	/*
430
	 * Clear features in the "unsupported features" vCPU.  This needs to be
431
	 * done before the first vCPU run as KVM's ABI is that guest CPUID is
432
	 * immutable once the vCPU has been run.
433
	 */
434
	for (idx = 0; idx < ARRAY_SIZE(__msrs); idx++) {
435
		/*
436
		 * Don't clear LM; selftests are 64-bit only, and KVM doesn't
437
		 * honor LM=0 for MSRs that are supposed to exist if and only
438
		 * if the vCPU is a 64-bit model.  Ditto for NONE; clearing a
439
		 * fake feature flag will result in false failures.
440
		 */
441
		if (memcmp(&msrs[idx].feature, &feat_lm, sizeof(feat_lm)) &&
442
		    memcmp(&msrs[idx].feature, &feat_none, sizeof(feat_none)))
443
			vcpu_clear_cpuid_feature(vcpus[2], msrs[idx].feature);
444
	}
445

446
	for (idx = 0; idx < ARRAY_SIZE(__msrs); idx++) {
447
		struct kvm_msr *msr = &msrs[idx];
448

449
		if (msr->is_kvm_defined) {
450
			for (i = 0; i < NR_VCPUS; i++)
451
				host_test_kvm_reg(vcpus[i]);
452
			continue;
453
		}
454

455
		/*
456
		 * Verify KVM_GET_SUPPORTED_CPUID and KVM_GET_MSR_INDEX_LIST
457
		 * are consistent with respect to MSRs whose existence is
458
		 * enumerated via CPUID.  Skip the check for FS/GS.base MSRs,
459
		 * as they aren't reported in the save/restore list since their
460
		 * state is managed via SREGS.
461
		 */
462
		TEST_ASSERT(msr->index == MSR_FS_BASE || msr->index == MSR_GS_BASE ||
463
			    kvm_msr_is_in_save_restore_list(msr->index) ==
464
			    (kvm_cpu_has(msr->feature) || kvm_cpu_has(msr->feature2)),
465
			    "%s %s in save/restore list, but %s according to CPUID", msr->name,
466
			    kvm_msr_is_in_save_restore_list(msr->index) ? "is" : "isn't",
467
			    (kvm_cpu_has(msr->feature) || kvm_cpu_has(msr->feature2)) ?
468
			    "supported" : "unsupported");
469

470
		sync_global_to_guest(vm, idx);
471

472
		vcpus_run(vcpus, NR_VCPUS);
473
		vcpus_run(vcpus, NR_VCPUS);
474
	}
475

476
	kvm_vm_free(vm);
477
}
478

479
int main(void)
480
{
481
	has_one_reg = kvm_has_cap(KVM_CAP_ONE_REG);
482

483
	test_msrs();
484

485
	if (has_one_reg) {
486
		use_one_reg = true;
487
		test_msrs();
488
	}
489
}
490

491