On Wed, Apr 23, 2025 at 3:56 AM Xin Li <xin@xxxxxxxxx> wrote: > > On 4/22/2025 9:12 AM, Zack Rusin wrote: > > Allow handling VMware backdoors by the L0 monitor. This is required on > > setups running Windows VBS, where the L1 will be running Hyper-V which > > can't handle VMware backdoors. Thus on Windows VBS legacy VMware backdoor > > calls issued by the userspace will end up in Hyper-V (L1) and endup > > throwing an error. > > Add a KVM cap that, in nested setups, allows the legacy VMware backdoor > > to be handled by the L0 monitor. Thanks to this we can make sure that > > VMware backdoor is always handled by the correct monitor. > > > > Signed-off-by: Zack Rusin <zack.rusin@xxxxxxxxxxxx> > > Cc: Doug Covelli <doug.covelli@xxxxxxxxxxxx> > > Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx> > > Cc: Jonathan Corbet <corbet@xxxxxxx> > > Cc: Sean Christopherson <seanjc@xxxxxxxxxx> > > Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx> > > Cc: Ingo Molnar <mingo@xxxxxxxxxx> > > Cc: Borislav Petkov <bp@xxxxxxxxx> > > Cc: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx> > > Cc: x86@xxxxxxxxxx > > Cc: "H. Peter Anvin" <hpa@xxxxxxxxx> > > Cc: Zack Rusin <zack.rusin@xxxxxxxxxxxx> > > Cc: kvm@xxxxxxxxxxxxxxx > > Cc: linux-doc@xxxxxxxxxxxxxxx > > Cc: linux-kernel@xxxxxxxxxxxxxxx > > --- > > Documentation/virt/kvm/api.rst | 14 +++++++++++ > > arch/x86/include/asm/kvm_host.h | 1 + > > arch/x86/kvm/Kconfig | 1 + > > arch/x86/kvm/kvm_vmware.h | 42 +++++++++++++++++++++++++++++++++ > > arch/x86/kvm/svm/nested.c | 6 +++++ > > arch/x86/kvm/svm/svm.c | 3 ++- > > arch/x86/kvm/vmx/nested.c | 6 +++++ > > arch/x86/kvm/x86.c | 8 +++++++ > > include/uapi/linux/kvm.h | 1 + > > 9 files changed, 81 insertions(+), 1 deletion(-) > > > > diff --git a/Documentation/virt/kvm/api.rst b/Documentation/virt/kvm/api.rst > > index 6d3d2a509848..55bd464ebf95 100644 > > --- a/Documentation/virt/kvm/api.rst > > +++ b/Documentation/virt/kvm/api.rst > > @@ -8322,6 +8322,20 @@ userspace handling of hypercalls is discouraged. To implement > > such functionality, use KVM_EXIT_IO (x86) or KVM_EXIT_MMIO > > (all except s390). > > > > +7.39 KVM_CAP_X86_VMWARE_NESTED_BACKDOOR_L0 > > +------------------------------------------ > > + > > +:Architectures: x86 > > +:Parameters: args[0] whether the feature should be enabled or not > > +:Returns: 0 on success. > > + > > +Capability allows VMware backdoors to be handled by L0 when running > > +on nested configurations. This is required when, for example > > +running Windows guest with Hyper-V VBS enabled - in that configuration > > +the VMware backdoor calls issued by VMware tools would endup in Hyper-V > > +(L1) which doesn't handle VMware backdoor. Enable this option to have > > +VMware backdoor sent to L0 monitor. > > + > > 8. Other capabilities. > > ====================== > > > > You're not basing the patch set on v6.15-rcX? It was rebased on top of v6.14. > > diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c > > index 300cef9a37e2..5dc57bc57851 100644 > > --- a/arch/x86/kvm/x86.c > > +++ b/arch/x86/kvm/x86.c > > @@ -4653,6 +4653,7 @@ int kvm_vm_ioctl_check_extension(struct kvm *kvm, long ext) > > #ifdef CONFIG_KVM_VMWARE > > case KVM_CAP_X86_VMWARE_BACKDOOR: > > case KVM_CAP_X86_VMWARE_HYPERCALL: > > + case KVM_CAP_X86_VMWARE_NESTED_BACKDOOR_L0: > > #endif > > r = 1; > > break; > > @@ -6754,6 +6755,13 @@ int kvm_vm_ioctl_enable_cap(struct kvm *kvm, > > kvm->arch.vmware.hypercall_enabled = cap->args[0]; > > r = 0; > > break; > > + case KVM_CAP_X86_VMWARE_NESTED_BACKDOOR_L0: > > + r = -EINVAL; > > + if (cap->args[0] & ~1) > > Replace ~1 with a macro for better readability please. Are you sure about that? This code is already used elsewhere in the file (for KVM_CAP_EXIT_ON_EMULATION_FAILURE) so, ignoring the fact that it's arguable whether IS_ZERO_OR_ONE is more readable than & ~1, if we use a macro for the vmware caps and not for KVM_CAP_EXIT_ON_EMULATION_FAILURE then the code would be inconsistent and that decreases the readability. Or are you saying that since I'm already there you'd like to see a completely separate patch that defines some kind of IS_ZERO_OR_ONE macro for KVM, use it for KVM_CAP_EXIT_ON_EMULATION_FAILURE and, once that lands then I can make use of it in this series? z
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
