sieni
/
linux
mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
linux/arch/x86/include/uapi/asm
History
Sean Christopherson 9d7dfb95da KVM: VMX: Inject #UD if guest tries to execute SEAMCALL or TDCALL 
Add VMX exit handlers for SEAMCALL and TDCALL to inject a #UD if a non-TD
guest attempts to execute SEAMCALL or TDCALL.  Neither SEAMCALL nor TDCALL
is gated by any software enablement other than VMXON, and so will generate
a VM-Exit instead of e.g. a native #UD when executed from the guest kernel.

Note!  No unprivileged DoS of the L1 kernel is possible as TDCALL and
SEAMCALL #GP at CPL > 0, and the CPL check is performed prior to the VMX
non-root (VM-Exit) check, i.e. userspace can't crash the VM. And for a
nested guest, KVM forwards unknown exits to L1, i.e. an L2 kernel can
crash itself, but not L1.

Note #2!  The Intel® Trust Domain CPU Architectural Extensions spec's
pseudocode shows the CPL > 0 check for SEAMCALL coming _after_ the VM-Exit,
but that appears to be a documentation bug (likely because the CPL > 0
check was incorrectly bundled with other lower-priority #GP checks).
Testing on SPR and EMR shows that the CPL > 0 check is performed before
the VMX non-root check, i.e. SEAMCALL #GPs when executed in usermode.

Note #3!  The aforementioned Trust Domain spec uses confusing pseudocode
that says that SEAMCALL will #UD if executed "inSEAM", but "inSEAM"
specifically means in SEAM Root Mode, i.e. in the TDX-Module.  The long-
form description explicitly states that SEAMCALL generates an exit when
executed in "SEAM VMX non-root operation".  But that's a moot point as the
TDX-Module injects #UD if the guest attempts to execute SEAMCALL, as
documented in the "Unconditionally Blocked Instructions" section of the
TDX-Module base specification.

Cc: stable@vger.kernel.org
Cc: Kai Huang <kai.huang@intel.com>
Cc: Xiaoyao Li <xiaoyao.li@intel.com>
Cc: Rick Edgecombe <rick.p.edgecombe@intel.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Binbin Wu <binbin.wu@linux.intel.com>
Reviewed-by: Kai Huang <kai.huang@intel.com>
Reviewed-by: Binbin Wu <binbin.wu@linux.intel.com>
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
Link: https://lore.kernel.org/r/20251016182148.69085-2-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
 		2025-10-20 09:37:04 -07:00
..
Kbuild treewide: Add SPDX license identifier - Kbuild 2019-05-30 11:32:33 -07:00
a.out.h License cleanup: add SPDX license identifier to uapi header files with no license 2017-11-02 11:19:54 +01:00
amd_hsmp.h platform/x86/amd/hsmp: Add support for HSMP protocol version 7 messages 2024-12-02 19:20:14 +02:00
auxvec.h x86/elf: Support a new ELF aux vector AT_MINSIGSTKSZ 2021-05-19 12:18:45 +02:00
bitsperlong.h License cleanup: add SPDX license identifier to uapi header files with no license 2017-11-02 11:19:54 +01:00
boot.h License cleanup: add SPDX license identifier to uapi header files with no license 2017-11-02 11:19:54 +01:00
bootparam.h x86/headers: Replace __ASSEMBLY__ with __ASSEMBLER__ in UAPI headers 2025-03-19 11:30:53 +01:00
byteorder.h treewide: add "WITH Linux-syscall-note" to SPDX tag of uapi headers 2019-07-25 11:05:10 +02:00
debugreg.h x86/traps: Initialize DR6 by writing its architectural reset value 2025-06-24 13:15:51 -07:00
e820.h x86/headers: Replace __ASSEMBLY__ with __ASSEMBLER__ in UAPI headers 2025-03-19 11:30:53 +01:00
elf.h x86/elf: Add a new FPU buffer layout info to x86 core files 2024-07-29 10:45:43 +02:00
hw_breakpoint.h License cleanup: add SPDX license identifier to uapi header files with no license 2017-11-02 11:19:54 +01:00
hwcap2.h x86/elf: Use _BITUL() macro in UAPI headers 2021-05-21 11:12:52 +02:00
ist.h License cleanup: add SPDX license identifier to uapi header files with a license 2017-11-02 11:20:11 +01:00
kvm.h KVM: x86: Define AMD's #HV, #VC, and #SX exception vectors 2025-09-23 09:29:03 -07:00
kvm_para.h Guest-side KVM async #PF ABI cleanup for 6.9 2024-03-18 19:03:42 -04:00
kvm_perf.h License cleanup: add SPDX license identifier to uapi header files with no license 2017-11-02 11:19:54 +01:00
ldt.h x86/headers: Replace __ASSEMBLY__ with __ASSEMBLER__ in UAPI headers 2025-03-19 11:30:53 +01:00
mce.h x86/MCE/AMD: Add support for new MCA_SYND{1,2} registers 2024-10-31 10:36:07 +01:00
mman.h mman: Add map_shadow_stack() flags 2024-10-04 12:04:33 +01:00
msgbuf.h x86: Fix various typos in comments 2021-03-18 15:31:53 +01:00
msr.h x86/headers: Replace __ASSEMBLY__ with __ASSEMBLER__ in UAPI headers 2025-03-19 11:30:53 +01:00
mtrr.h x86/mtrr: Don't let mtrr_type_lookup() return MTRR_TYPE_INVALID 2023-06-01 15:04:33 +02:00
perf_regs.h perf/x86: Disable extended registers for non-supported PMUs 2019-06-24 19:19:23 +02:00
posix_types.h License cleanup: add SPDX license identifier to uapi header files with no license 2017-11-02 11:19:54 +01:00
posix_types_32.h License cleanup: add SPDX license identifier to uapi header files with no license 2017-11-02 11:19:54 +01:00
posix_types_64.h License cleanup: add SPDX license identifier to uapi header files with no license 2017-11-02 11:19:54 +01:00
posix_types_x32.h License cleanup: add SPDX license identifier to uapi header files with no license 2017-11-02 11:19:54 +01:00
prctl.h x86/shstk: Add ARCH_SHSTK_STATUS 2023-08-02 15:01:51 -07:00
processor-flags.h x86/cpu: Add X86_CR4_FRED macro 2024-01-31 22:00:38 +01:00
ptrace-abi.h x86/headers: Replace __ASSEMBLY__ with __ASSEMBLER__ in UAPI headers 2025-03-19 11:30:53 +01:00
ptrace.h x86/headers: Replace __ASSEMBLY__ with __ASSEMBLER__ in UAPI headers 2025-03-19 11:30:53 +01:00
sembuf.h arch: sembuf.h: make uapi asm/sembuf.h self-contained 2019-12-04 19:44:14 -08:00
setup.h
setup_data.h x86/kexec: add support for passing kexec handover (KHO) data 2025-05-12 23:50:41 -07:00
sgx.h x86/sgx: Support complete page removal 2022-07-07 10:13:03 -07:00
shmbuf.h shmbuf.h: add asm/shmbuf.h to UAPI compile-test coverage 2022-02-17 09:09:37 +01:00
sigcontext.h x86: Fix various typos in comments 2021-03-18 15:31:53 +01:00
sigcontext32.h treewide: add "WITH Linux-syscall-note" to SPDX tag of uapi headers 2019-07-25 11:05:10 +02:00
siginfo.h signal: Remove the need for __ARCH_SI_PREABLE_SIZE and SI_PAD_SIZE 2018-10-03 16:46:43 +02:00
signal.h x86/headers: Replace __ASSEMBLY__ with __ASSEMBLER__ in UAPI headers 2025-03-19 11:30:53 +01:00
stat.h License cleanup: add SPDX license identifier to uapi header files with no license 2017-11-02 11:19:54 +01:00
statfs.h License cleanup: add SPDX license identifier to uapi header files with no license 2017-11-02 11:19:54 +01:00
svm.h x86/apic: Initialize Secure AVIC APIC backing page 2025-08-31 21:59:07 +02:00
swab.h License cleanup: add SPDX license identifier to uapi header files with no license 2017-11-02 11:19:54 +01:00
ucontext.h License cleanup: add SPDX license identifier to uapi header files with no license 2017-11-02 11:19:54 +01:00
unistd.h x86/syscalls: Revert "x86/syscalls: Make __X32_SYSCALL_BIT be unsigned long" 2020-05-26 16:42:43 +02:00
vm86.h x86/vm86/32: Remove VM86_SCREEN_BITMAP support 2021-01-21 20:08:53 +01:00
vmx.h KVM: VMX: Inject #UD if guest tries to execute SEAMCALL or TDCALL 2025-10-20 09:37:04 -07:00
vsyscall.h License cleanup: add SPDX license identifier to uapi header files with no license 2017-11-02 11:19:54 +01:00