From: Dave Voutila Subject: SEV support in vmm breaking Intel VMX guests To: tech@openbsd.org Cc: Alexandre Ratchov , Moritz Buhl , Hans-Joerg Hoexer Date: Wed, 04 Sep 2024 09:46:33 -0400 ratchov@ found and bisected the issue and we're incorrectly advertising capabilities to Intel guests that most likely do not exist. This value shouldn't be hardcoded, regardless. Apparently Linux guests on older Intel hardware will start doing naughty things and panic/reboot. mbuhl: I'm guessing this affected your machine, too. In practice, no vmm-capable host should have a value < 0x80000008 here, but we currently don't emulate anything beyond 0x8000001f so this should at least be capped. We should be using more of an allow-list of feature bits for some of this SEV stuff, but that's a separate concern. -dv diff refs/heads/master refs/heads/vmm-cpuid-sev commit - 98bc733b08604094f4138174a0ee0bb9faaca4bd commit + 42a9686029598861e3a93b38957d34b979ded1f6 blob - 0e8e2a526454e064ce45b2b64fb7ff16f0508189 blob + 823aed5552c5630179b5088d8de8b13bf1217d54 --- sys/arch/amd64/amd64/vmm_machdep.c +++ sys/arch/amd64/amd64/vmm_machdep.c @@ -59,6 +59,8 @@ void *l1tf_flush_region; vcpu_vmx_check_cap(x, IA32_VMX_##y ##_CTLS, \ IA32_VMX_##z, 0) ? "Yes" : "No"); +#define MIN(a,b) (((a)<(b))?(a):(b)) + #define VMX_EXIT_INFO_HAVE_RIP 0x1 #define VMX_EXIT_INFO_HAVE_REASON 0x2 #define VMX_EXIT_INFO_COMPLETE \ @@ -6282,7 +6284,8 @@ vmm_handle_cpuid(struct vcpu *vcpu) *rdx = 0; break; case 0x80000000: /* Extended function level */ - *rax = 0x8000001f; /* curcpu()->ci_pnfeatset */ + /* We don't emulate past 0x8000001f currently. */ + *rax = MIN(curcpu()->ci_pnfeatset, 0x8000001f); *rbx = 0; *rcx = 0; *rdx = 0;
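Review bot: in the first hunk, the new `#define MIN(a,b) (((a)<(b))?(a):(b))` is a classic double-evaluation macro, and the one call site in the second hunk passes `curcpu()->ci_pnfeatset`, so `curcpu()` is evaluated twice when the host value is the smaller one; that is harmless here, but if `<sys/param.h>` (which carries the kernel's own MIN/MAX) is already reachable from vmm_machdep.c, this local copy is redundant and risks a redefinition warning, so consider dropping it in favour of the existing header macro, or at least adding a short comment stating why a file-local definition is wanted.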
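Review bot: in the second hunk, `*rax = MIN(curcpu()->ci_pnfeatset, 0x8000001f);` only caps the upper end; the cover text says no vmm-capable host should report a value below 0x80000008, but nothing in the hunk enforces that floor, so a host that somehow reports less would pass that smaller (and, for values below 0x80000000, invalid) maximum straight through to the guest. If the floor is a real invariant, clamping both ends (or a `KASSERT` on the lower bound) would document it in code, and the new comment could say which leaves 0x8000001f covers so a future reader knows what to bump when more extended leaves are emulated.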