drivers: hv: Support for SNP Secure AVIC

Microsoft/hcl-x64.config

@@ -2,23 +2,20 @@
 # Automatically generated file; DO NOT EDIT.
 # Linux/x86_64 6.18.0 Kernel Configuration
 #
-CONFIG_CC_VERSION_TEXT="gcc (Ubuntu 13.3.0-6ubuntu2~24.04) 13.3.0"
+CONFIG_CC_VERSION_TEXT="gcc (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0"
 CONFIG_CC_IS_GCC=y
-CONFIG_GCC_VERSION=130300
+CONFIG_GCC_VERSION=90400
 CONFIG_CLANG_VERSION=0
 CONFIG_AS_IS_GNU=y
-CONFIG_AS_VERSION=24200
+CONFIG_AS_VERSION=23400
 CONFIG_LD_IS_BFD=y
-CONFIG_LD_VERSION=24200
+CONFIG_LD_VERSION=23400
 CONFIG_LLD_VERSION=0
-CONFIG_RUSTC_VERSION=109101
-CONFIG_RUSTC_LLVM_VERSION=210102
+CONFIG_RUSTC_VERSION=109500
+CONFIG_RUSTC_LLVM_VERSION=220102
 CONFIG_CC_CAN_LINK=y
-CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y
-CONFIG_CC_HAS_ASM_GOTO_TIED_OUTPUT=y
-CONFIG_TOOLS_SUPPORT_RELR=y
+CONFIG_GCC_ASM_GOTO_OUTPUT_BROKEN=y
 CONFIG_CC_HAS_ASM_INLINE=y
-CONFIG_CC_HAS_ASSUME=y
 CONFIG_CC_HAS_NO_PROFILE_FN_ATTR=y
 CONFIG_LD_CAN_USE_KEEP_IN_OVERLAY=y
 CONFIG_RUSTC_HAS_COERCE_POINTEE=y
@@ -305,6 +302,7 @@ CONFIG_ARCH_CPUIDLE_HALTPOLL=y
 # CONFIG_JAILHOUSE_GUEST is not set
 # CONFIG_ACRN_GUEST is not set
 # CONFIG_BHYVE_GUEST is not set
+# CONFIG_INTEL_TDX_GUEST is not set
 CONFIG_CC_HAS_MARCH_NATIVE=y
 # CONFIG_X86_NATIVE_CPU is not set
 CONFIG_X86_INTERNODE_CACHE_SHIFT=6
@@ -356,6 +354,7 @@ CONFIG_MICROCODE=y
 CONFIG_X86_MSR=y
 # CONFIG_X86_CPUID is not set
 CONFIG_X86_DIRECT_GBPAGES=y
+# CONFIG_AMD_MEM_ENCRYPT is not set
 CONFIG_NUMA=y
 CONFIG_AMD_NUMA=y
 CONFIG_NODES_SHIFT=6
@@ -410,26 +409,16 @@ CONFIG_X86_BUS_LOCK_DETECT=y
 CONFIG_CC_HAS_NAMED_AS=y
 CONFIG_CC_HAS_NAMED_AS_FIXED_SANITIZERS=y
 CONFIG_USE_X86_SEG_SUPPORT=y
-CONFIG_CC_HAS_SLS=y
 CONFIG_CC_HAS_RETURN_THUNK=y
 CONFIG_CC_HAS_ENTRY_PADDING=y
 CONFIG_FUNCTION_PADDING_CFI=11
 CONFIG_FUNCTION_PADDING_BYTES=16
-CONFIG_CALL_PADDING=y
-CONFIG_HAVE_CALL_THUNKS=y
-CONFIG_CALL_THUNKS=y
-CONFIG_PREFIX_SYMBOLS=y
 CONFIG_CPU_MITIGATIONS=y
 # CONFIG_MITIGATION_PAGE_TABLE_ISOLATION is not set
 CONFIG_MITIGATION_RETPOLINE=y
 # CONFIG_MITIGATION_RETHUNK is not set
-# CONFIG_MITIGATION_UNRET_ENTRY is not set
-# CONFIG_MITIGATION_CALL_DEPTH_TRACKING is not set
-# CONFIG_CALL_THUNKS_DEBUG is not set
 CONFIG_MITIGATION_IBPB_ENTRY=y
 CONFIG_MITIGATION_IBRS_ENTRY=y
-# CONFIG_MITIGATION_SRSO is not set
-# CONFIG_MITIGATION_SLS is not set
 # CONFIG_MITIGATION_GDS is not set
 # CONFIG_MITIGATION_RFDS is not set
 # CONFIG_MITIGATION_SPECTRE_BHI is not set
@@ -442,7 +431,6 @@ CONFIG_MITIGATION_IBRS_ENTRY=y
 # CONFIG_MITIGATION_SPECTRE_V2 is not set
 # CONFIG_MITIGATION_SRBDS is not set
 # CONFIG_MITIGATION_SSB is not set
-# CONFIG_MITIGATION_ITS is not set
 # CONFIG_MITIGATION_TSA is not set
 CONFIG_ARCH_HAS_ADD_PAGES=y
 
@@ -471,7 +459,6 @@ CONFIG_ARCH_SUPPORTS_ACPI=y
 # Bus options (PCI etc.)
 #
 CONFIG_PCI_DIRECT=y
-# CONFIG_PCI_CNB20LE_QUIRK is not set
 # CONFIG_ISA_BUS is not set
 # CONFIG_ISA_DMA_API is not set
 CONFIG_AMD_NB=y
@@ -508,6 +495,9 @@ CONFIG_X86_DISABLED_FEATURE_CENTAUR_MCR=y
 CONFIG_X86_DISABLED_FEATURE_PKU=y
 CONFIG_X86_DISABLED_FEATURE_OSPKE=y
 CONFIG_X86_DISABLED_FEATURE_PTI=y
+CONFIG_X86_DISABLED_FEATURE_RETHUNK=y
+CONFIG_X86_DISABLED_FEATURE_UNRET=y
+CONFIG_X86_DISABLED_FEATURE_CALL_DEPTH=y
 CONFIG_X86_DISABLED_FEATURE_LAM=y
 CONFIG_X86_DISABLED_FEATURE_ENQCMD=y
 CONFIG_X86_DISABLED_FEATURE_SGX=y
@@ -544,6 +534,7 @@ CONFIG_JUMP_LABEL=y
 # CONFIG_STATIC_CALL_SELFTEST is not set
 CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
 CONFIG_ARCH_USE_BUILTIN_BSWAP=y
+CONFIG_USER_RETURN_NOTIFIER=y
 CONFIG_HAVE_IOREMAP_PROT=y
 CONFIG_HAVE_KPROBES=y
 CONFIG_HAVE_KRETPROBES=y
@@ -1909,16 +1900,9 @@ CONFIG_DEFAULT_SECURITY_DAC=y
 #
 # Memory initialization
 #
-CONFIG_CC_HAS_AUTO_VAR_INIT_PATTERN=y
-CONFIG_CC_HAS_AUTO_VAR_INIT_ZERO_BARE=y
-CONFIG_CC_HAS_AUTO_VAR_INIT_ZERO=y
 CONFIG_INIT_STACK_NONE=y
-# CONFIG_INIT_STACK_ALL_PATTERN is not set
-# CONFIG_INIT_STACK_ALL_ZERO is not set
 # CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set
 # CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
-CONFIG_CC_HAS_ZERO_CALL_USED_REGS=y
-# CONFIG_ZERO_CALL_USED_REGS is not set
 # end of Memory initialization
 
 #
@@ -2213,7 +2197,6 @@ CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
 # CONFIG_DEBUG_INFO_REDUCED is not set
 CONFIG_DEBUG_INFO_COMPRESSED_NONE=y
 # CONFIG_DEBUG_INFO_COMPRESSED_ZLIB is not set
-# CONFIG_DEBUG_INFO_COMPRESSED_ZSTD is not set
 # CONFIG_DEBUG_INFO_SPLIT is not set
 CONFIG_GDB_SCRIPTS=y
 CONFIG_FRAME_WARN=2048
@@ -2242,8 +2225,6 @@ CONFIG_HAVE_ARCH_KGDB=y
 CONFIG_ARCH_HAS_UBSAN=y
 # CONFIG_UBSAN is not set
 CONFIG_HAVE_ARCH_KCSAN=y
-CONFIG_HAVE_KCSAN_COMPILER=y
-# CONFIG_KCSAN is not set
 # end of Generic Kernel Debugging Instruments
 
 #

arch/x86/hyperv/hv_apic.c

@@ -25,6 +25,7 @@
 #include <linux/clockchips.h>
 #include <linux/slab.h>
 #include <linux/cpuhotplug.h>
+#include <linux/cc_platform.h>
 #include <asm/hypervisor.h>
 #include <asm/mshyperv.h>
 #include <asm/apic.h>
@@ -53,6 +54,11 @@ static void hv_apic_icr_write(u32 low, u32 id)
 	wrmsrq(HV_X64_MSR_ICR, reg_val);
 }
 
+void hv_enable_coco_interrupt(unsigned int cpu, unsigned int vector, bool set)
+{
+	apic_update_vector(cpu, vector, set);
+}
+
 static u32 hv_apic_read(u32 reg)
 {
 	u32 reg_val, hi;
@@ -293,6 +299,9 @@ static void hv_send_ipi_self(int vector)
 
 void __init hv_apic_init(void)
 {
+	if (cc_platform_has(CC_ATTR_SNP_SECURE_AVIC))
+		return;
+
 	if (ms_hyperv.hints & HV_X64_CLUSTER_IPI_RECOMMENDED) {
 		pr_info("Hyper-V: Using IPI hypercalls\n");
 		/*

arch/x86/hyperv/hv_init.c

@@ -76,6 +76,7 @@ static inline void hv_set_hypercall_pg(void *ptr)
 EXPORT_SYMBOL_GPL(hv_hypercall_pg);
 #endif
 
+void *hv_vp_early_input_arg;
 union hv_ghcb * __percpu *hv_ghcb_pg;
 
 /* Storage to save the hypercall page temporarily for hibernation */
@@ -120,6 +121,10 @@ static int hv_cpu_init(unsigned int cpu)
 	if (ret)
 		return ret;
 
+	/* Allow Hyper-V stimer vector to be injected from Hypervisor. */
+	if (ms_hyperv.misc_features & HV_STIMER_DIRECT_MODE_AVAILABLE)
+		apic_update_vector(cpu, HYPERV_STIMER0_VECTOR, true);
+
 	return hyperv_init_ghcb();
 }
 
@@ -227,6 +232,9 @@ static int hv_cpu_die(unsigned int cpu)
 		*ghcb_va = NULL;
 	}
 
+	if (ms_hyperv.misc_features & HV_STIMER_DIRECT_MODE_AVAILABLE)
+		apic_update_vector(cpu, HYPERV_STIMER0_VECTOR, false);
+
 	hv_common_cpu_die(cpu);
 
 	if (hv_reenlightenment_cb == NULL)
@@ -375,13 +383,32 @@ void __init hyperv_init(void)
 	u64 guest_id;
 	union hv_x64_msr_hypercall_contents hypercall_msr;
 	int cpuhp;
+	int ret;
 
 	if (x86_hyper_type != X86_HYPER_MS_HYPERV)
 		return;
 
 	if (hv_common_init())
 		return;
 
+	if (cc_platform_has(CC_ATTR_SNP_SECURE_AVIC)) {
+		hv_vp_early_input_arg = (void *)__get_free_pages(
+					     GFP_KERNEL | __GFP_ZERO,
+					     get_order(num_possible_cpus() * PAGE_SIZE));
+		if (hv_vp_early_input_arg) {
+			ret = set_memory_decrypted((u64)hv_vp_early_input_arg,
+					     num_possible_cpus());
+			if (ret) {
+				free_pages((unsigned long)hv_vp_early_input_arg,
+					   get_order(num_possible_cpus() * PAGE_SIZE));
+				hv_vp_early_input_arg = NULL;
+				goto common_free;
+			}
+		} else {
+			goto common_free;
+		}
+	}
+
 	if (ms_hyperv.paravisor_present && hv_isolation_type_snp()) {
 		/* Negotiate GHCB Version. */
 		if (!hv_ghcb_negotiate_protocol())
@@ -519,6 +546,16 @@ void __init hyperv_init(void)
 free_vp_assist_page:
 	kfree(hv_vp_assist_page);
 	hv_vp_assist_page = NULL;
+free_vp_early_input_arg:
+	if (hv_vp_early_input_arg) {
+		set_memory_encrypted((u64)hv_vp_early_input_arg,
+				     num_possible_cpus());
+		free_pages((unsigned long)hv_vp_early_input_arg,
+			   get_order(num_possible_cpus() * PAGE_SIZE));
+		hv_vp_early_input_arg = NULL;
+	}
+common_free:
+	hv_common_free();
 }
 
 /*

arch/x86/hyperv/ivm.c

@@ -291,6 +291,45 @@ static void snp_cleanup_vmsa(struct sev_es_save_area *vmsa)
 		free_page((unsigned long)vmsa);
 }
 
+enum es_result hv_set_savic_backing_page(u64 gfn)
+{
+	u64 control = HV_HYPERCALL_REP_COMP_1 | HVCALL_SET_VP_REGISTERS;
+	struct hv_set_vp_registers_input *input =
+		(struct hv_set_vp_registers_input *)
+		((u8 *)hv_vp_early_input_arg + smp_processor_id() * PAGE_SIZE);
+	union hv_x64_register_sev_gpa_page value;
+	unsigned long flags;
+	int retry = 5;
+	u64 ret;
+
+	local_irq_save(flags);
+
+	value.enabled = 1;
+	value.reserved = 0;
+	value.pagenumber = gfn;
+
+	memset(input, 0, struct_size(input, element, 1));
+	input->header.partitionid = HV_PARTITION_ID_SELF;
+	input->header.vpindex = HV_VP_INDEX_SELF;
+	input->header.inputvtl = ms_hyperv.vtl;
+	input->element[0].name = HV_X64_REGISTER_SEV_AVIC_GPA;
+	input->element[0].value.reg64 = value.u64;
+
+	do {
+		ret = hv_do_hypercall(control, input, NULL);
+	} while (ret == HV_STATUS_TIME_OUT && retry--);
+
+	if (!hv_result_success(ret))
+		pr_err("Failed to set secure AVIC backing page %llx.\n", ret);
+
+	local_irq_restore(flags);
+
+	if (hv_result_success(ret))
+		return ES_OK;
+	else
+		return ES_VMM_ERROR;
+}
+
 int hv_snp_boot_ap(u32 apic_id, unsigned long start_ip, unsigned int cpu)
 {
 	struct sev_es_save_area *vmsa = (struct sev_es_save_area *)

arch/x86/include/asm/apic.h

@@ -241,6 +241,12 @@ static inline u64 native_x2apic_icr_read(void)
 	return val;
 }
 
+#if defined(CONFIG_AMD_SECURE_AVIC)
+extern void x2apic_savic_init_backing_page(void *backing_page);
+#else
+static inline void x2apic_savic_init_backing_page(void *backing_page) {}
+#endif
+
 extern int x2apic_mode;
 extern int x2apic_phys;
 extern void __init x2apic_set_max_apicid(u32 apicid);

arch/x86/include/asm/mshyperv.h

@@ -44,6 +44,7 @@ extern u64 hv_std_hypercall(u64 control, u64 param1, u64 param2);
 
 #if IS_ENABLED(CONFIG_HYPERV)
 extern void *hv_hypercall_pg;
+extern void *hv_vp_early_input_arg;
 
 extern union hv_ghcb * __percpu *hv_ghcb_pg;
 
@@ -197,6 +198,7 @@ int hv_unmap_ioapic_interrupt(int ioapic_id, struct hv_interrupt_entry *entry);
 bool hv_ghcb_negotiate_protocol(void);
 void __noreturn hv_ghcb_terminate(unsigned int set, unsigned int reason);
 int hv_snp_boot_ap(u32 apic_id, unsigned long start_ip, unsigned int cpu);
+enum es_result hv_set_savic_backing_page(u64 gfn);
 #else
 static inline bool hv_ghcb_negotiate_protocol(void) { return false; }
 static inline void hv_ghcb_terminate(unsigned int set, unsigned int reason) {}
@@ -300,6 +302,20 @@ static inline void hv_vtl_idle(void)
 		native_safe_halt();
 }
 
+/*
+ * Registers are only accessible via HVCALL_GET_VP_REGISTERS hvcall and
+ * there is not associated MSR address.
+ */
+#ifndef HV_X64_REGISTER_VSM_VP_STATUS
+#define		HV_X64_REGISTER_VSM_VP_STATUS   0x000D0003
+#endif
+#ifndef HV_X64_VTL_MASK
+#define		HV_X64_VTL_MASK                 GENMASK(3, 0)
+#endif
+#ifndef HV_X64_REGISTER_SEV_AVIC_GPA
+#define		HV_X64_REGISTER_SEV_AVIC_GPA    0x00090043
+#endif
+
 #ifdef CONFIG_HYPERV_VTL_MODE
 void __init hv_vtl_init_platform(void);
 int __init hv_vtl_early_init(void);

arch/x86/include/asm/sev.h

@@ -141,7 +141,12 @@ struct rmp_state {
 	u32 asid;
 } __packed;
 
-#define RMPADJUST_VMSA_PAGE_BIT		BIT(16)
+/* Target VMPL takes the first byte */
+#define RMPADJUST_ENABLE_READ			BIT(8)
+#define RMPADJUST_ENABLE_WRITE			BIT(9)
+#define RMPADJUST_USER_EXECUTE			BIT(10)
+#define RMPADJUST_KERNEL_EXECUTE		BIT(11)
+#define RMPADJUST_VMSA_PAGE_BIT			BIT(16)
 
 /* SNP Guest message request */
 struct snp_req_data {

arch/x86/include/asm/svm.h

@@ -190,6 +190,9 @@ struct __attribute__ ((__packed__)) vmcb_control_area {
 #define V_GIF_SHIFT 9
 #define V_GIF_MASK (1 << V_GIF_SHIFT)
 
+#define V_INT_SHADOW_SHIFT 10
+#define V_INT_SHADOW_MASK (1 << V_INT_SHADOW_SHIFT)
+
 #define V_NMI_PENDING_SHIFT 11
 #define V_NMI_PENDING_MASK (1 << V_NMI_PENDING_SHIFT)
 
@@ -202,6 +205,9 @@ struct __attribute__ ((__packed__)) vmcb_control_area {
 #define V_IGN_TPR_SHIFT 20
 #define V_IGN_TPR_MASK (1 << V_IGN_TPR_SHIFT)
 
+#define V_GUEST_BUSY_SHIFT 63
+#define V_GUEST_BUSY_MASK (1ULL << V_GUEST_BUSY_SHIFT)
+
 #define V_IRQ_INJECTION_BITS_MASK (V_IRQ_MASK | V_INTR_PRIO_MASK | V_IGN_TPR_MASK)
 
 #define V_INTR_MASKING_SHIFT 24