x86/kvm: Toggle IBRS on VM entry and exit

CVE-2017-5753
CVE-2017-5715

Restore guest IBRS on VM entry and set it to 1 on VM exit
back to kernel.

Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 497770311762651e0ec03985b0cf51540276e401..ec4c9009ed9097993c3f1aa28e0a66af410a4dd5 100644 (file)
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -9039,6 +9039,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
                __write_pkru(vcpu->arch.pkru);
 
        atomic_switch_perf_msrs(vmx);
+
+       if (boot_cpu_has(X86_FEATURE_SPEC_CTRL))
+               add_atomic_switch_msr(vmx, MSR_IA32_SPEC_CTRL,
+                       vcpu->arch.spec_ctrl, FEATURE_ENABLE_IBRS);
+
        debugctlmsr = get_debugctlmsr();
 
        vmx_arm_hv_timer(vcpu);