[tboot-devel] [PATCH v2] Check for VMX support before reading feature control MSR

Tue, 17 May 2016 14:14:53 -0700 

# HG changeset patch
# User Bandan Das
# Date 1463518351 14400
#      Tue May 17 16:52:31 2016 -0400
# Node ID 48936dfc0d232660db89ac2de7f924195f2b3760
# Parent  1ed81e15773346e5bfb6da253f7476f37ceeea3d
# v2: Move the check up since g_cpuid_ext_feat_info is accessed before
# the call to supports_vmx, also check for smx support
We found this problem when booting a KVM guest through tboot from a
host OS where the VMX register is not exposed to the guest, even when
the guest has cloned the host CPU.

Attempting to read MSR_IA32_FEATURE_CONTROL before checking whether it
exists, on CPUs where it does not exist, sends the BSP into an infinite
loop. #GP is asserted when trying to read the non-existent MSR, which
resets the IP, only to again encounter the attempted read of the
non-existent MSR.

Postponing the read of MSR_IA32_FEATURE_CONTROL until the existence of
VMX/SMX has been ascertained prevents this problem.

Signed-off-by: Tony Camuso <tcam...@redhat.com>
Signed-off-by: Bandan Das <b...@redhat.com>

diff -r 1ed81e157733 -r 48936dfc0d23 tboot/txt/verify.c
--- a/tboot/txt/verify.c        Wed Apr 20 16:31:18 2016 -0700
+++ b/tboot/txt/verify.c        Tue May 17 16:52:31 2016 -0400
@@ -109,8 +109,13 @@
     }
     g_cpuid_ext_feat_info = cpuid_ecx(1);
 
-    g_feat_ctrl_msr = rdmsr(MSR_IA32_FEATURE_CONTROL);
-    printk(TBOOT_DETA"IA32_FEATURE_CONTROL_MSR: %08lx\n", g_feat_ctrl_msr);
+    /* read feature control msr only if processor supports VMX or SMX 
instructions */
+    if ( (g_cpuid_ext_feat_info & CPUID_X86_FEATURE_VMX) ||
+         (g_cpuid_ext_feat_info & CPUID_X86_FEATURE_SMX) ) {
+        g_feat_ctrl_msr = rdmsr(MSR_IA32_FEATURE_CONTROL);
+        printk(TBOOT_DETA"IA32_FEATURE_CONTROL_MSR: %08lx\n", 
g_feat_ctrl_msr);        
+    }
+
     return true;
 }
 

------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel

Reply via email to