From: Paolo Bonzini <pbonzini@redhat.com>

Date: Thu, 24 Aug 2017 13:55:35 +0200

Subject: KVM: VMX: cache secondary exec controls

Patch-mainline: v4.14-rc1

Git-commit: 80154d77c922d0f9bb1e4d115ff760c066c12d8f

References: bsc#1077761

Currently, secondary execution controls are divided in three groups:

- static, depending mostly on the module arguments or the processor

  (vmx_secondary_exec_control)

- static, depending on CPUID (vmx_cpuid_update)

- dynamic, depending on nested VMX or local APIC state

Because walking CPUID is expensive, prepare_vmcs02 is using only

the first group.  This however is unnecessarily complicated.  Just

cache the static secondary execution controls, and then prepare_vmcs02

does not need to compute them every time.  Computation of all static

secondary execution controls is now kept in a single function,

vmx_compute_secondary_exec_control.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Acked-by: Alexander Graf <agraf@suse.de>

---

 arch/x86/kvm/vmx.c |  100 ++++++++++++++++++++++++++++-------------------------

 1 file changed, 54 insertions(+), 46 deletions(-)

--- a/arch/x86/kvm/vmx.c

+++ b/arch/x86/kvm/vmx.c

@@ -574,6 +574,8 @@

 #endif

 	u32 vm_entry_controls_shadow;

 	u32 vm_exit_controls_shadow;

+	u32 secondary_exec_control;

+

 	/*

 	 * loaded_vmcs points to the VMCS currently used in this vcpu. For a

 	 * non-nested (L1) guest, it always points to vmcs01. For a nested

@@ -2797,7 +2799,10 @@

 	vmx->nested.nested_vmx_procbased_ctls_low &=

 		~(CPU_BASED_CR3_LOAD_EXITING | CPU_BASED_CR3_STORE_EXITING);

-	/* secondary cpu-based controls */

+	/*

+	 * secondary cpu-based controls.  Do not include those that

+	 * depend on CPUID bits, they are added later by vmx_cpuid_update.

+	 */

 	rdmsr(MSR_IA32_VMX_PROCBASED_CTLS2,

 		vmx->nested.nested_vmx_secondary_ctls_low,

 		vmx->nested.nested_vmx_secondary_ctls_high);

@@ -2805,7 +2810,6 @@

 	vmx->nested.nested_vmx_secondary_ctls_high &=

 		SECONDARY_EXEC_RDRAND | SECONDARY_EXEC_RDSEED |

 		SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES |

-		SECONDARY_EXEC_RDTSCP |

 		SECONDARY_EXEC_DESC |

 		SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE |

 		SECONDARY_EXEC_APIC_REGISTER_VIRT |

@@ -5252,10 +5256,12 @@

 	return exec_control;

 }

-static u32 vmx_secondary_exec_control(struct vcpu_vmx *vmx)

+static void vmx_compute_secondary_exec_control(struct vcpu_vmx *vmx)

 {

+	struct kvm_vcpu *vcpu = &vmx->vcpu;

+

 	u32 exec_control = vmcs_config.cpu_based_2nd_exec_ctrl;

-	if (!cpu_need_virtualize_apic_accesses(&vmx->vcpu))

+	if (!cpu_need_virtualize_apic_accesses(vcpu))

 		exec_control &= ~SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES;

 	if (vmx->vpid == 0)

 		exec_control &= ~SECONDARY_EXEC_ENABLE_VPID;

@@ -5269,7 +5275,7 @@

 		exec_control &= ~SECONDARY_EXEC_UNRESTRICTED_GUEST;

 	if (!ple_gap)

 		exec_control &= ~SECONDARY_EXEC_PAUSE_LOOP_EXITING;

-	if (!kvm_vcpu_apicv_active(&vmx->vcpu))

+	if (!kvm_vcpu_apicv_active(vcpu))

 		exec_control &= ~(SECONDARY_EXEC_APIC_REGISTER_VIRT |

 				  SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY);

 	exec_control &= ~SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE;

@@ -5283,7 +5289,43 @@

 	if (!enable_pml)

 		exec_control &= ~SECONDARY_EXEC_ENABLE_PML;

-	return exec_control;

+	if (vmx_rdtscp_supported()) {

+		bool rdtscp_enabled = guest_cpuid_has(vcpu, X86_FEATURE_RDTSCP);

+		if (!rdtscp_enabled)

+			exec_control &= ~SECONDARY_EXEC_RDTSCP;

+

+		if (nested) {

+			if (rdtscp_enabled)

+				vmx->nested.nested_vmx_secondary_ctls_high |=

+					SECONDARY_EXEC_RDTSCP;

+			else

+				vmx->nested.nested_vmx_secondary_ctls_high &=

+					~SECONDARY_EXEC_RDTSCP;

+		}

+	}

+

+	if (vmx_invpcid_supported()) {

+		/* Exposing INVPCID only when PCID is exposed */

+		bool invpcid_enabled =

+			guest_cpuid_has(vcpu, X86_FEATURE_INVPCID) &&

+			guest_cpuid_has(vcpu, X86_FEATURE_PCID);

+

+		if (!invpcid_enabled) {

+			exec_control &= ~SECONDARY_EXEC_ENABLE_INVPCID;

+			guest_cpuid_clear(vcpu, X86_FEATURE_INVPCID);

+		}

+

+		if (nested) {

+			if (invpcid_enabled)

+				vmx->nested.nested_vmx_secondary_ctls_high |=

+					SECONDARY_EXEC_ENABLE_INVPCID;

+			else

+				vmx->nested.nested_vmx_secondary_ctls_high &=

+					~SECONDARY_EXEC_ENABLE_INVPCID;

+		}

+	}

+

+	vmx->secondary_exec_control = exec_control;

 }

 static void ept_set_mmio_spte_mask(void)

@@ -5327,8 +5369,9 @@

 	vmcs_write32(CPU_BASED_VM_EXEC_CONTROL, vmx_exec_control(vmx));

 	if (cpu_has_secondary_exec_ctrls()) {

+		vmx_compute_secondary_exec_control(vmx);

 		vmcs_write32(SECONDARY_VM_EXEC_CONTROL,

-				vmx_secondary_exec_control(vmx));

+			     vmx->secondary_exec_control);

 	}

 	if (kvm_vcpu_apicv_active(&vmx->vcpu)) {

@@ -9598,47 +9641,12 @@

 static void vmx_cpuid_update(struct kvm_vcpu *vcpu)

 {

 	struct vcpu_vmx *vmx = to_vmx(vcpu);

-	u32 secondary_exec_ctl = vmx_secondary_exec_control(vmx);

-

-	if (vmx_rdtscp_supported()) {

-		bool rdtscp_enabled = guest_cpuid_has(vcpu, X86_FEATURE_RDTSCP);

-		if (!rdtscp_enabled)

-			secondary_exec_ctl &= ~SECONDARY_EXEC_RDTSCP;

-

-		if (nested) {

-			if (rdtscp_enabled)

-				vmx->nested.nested_vmx_secondary_ctls_high |=

-					SECONDARY_EXEC_RDTSCP;

-			else

-				vmx->nested.nested_vmx_secondary_ctls_high &=

-					~SECONDARY_EXEC_RDTSCP;

-		}

-	}

-

-	if (vmx_invpcid_supported()) {

-		/* Exposing INVPCID only when PCID is exposed */

-		bool invpcid_enabled =

-			guest_cpuid_has(vcpu, X86_FEATURE_INVPCID) &&

-			guest_cpuid_has(vcpu, X86_FEATURE_PCID);

-

-		if (!invpcid_enabled) {

-			secondary_exec_ctl &= ~SECONDARY_EXEC_ENABLE_INVPCID;

-			guest_cpuid_clear(vcpu, X86_FEATURE_INVPCID);

-		}

-		if (nested) {

-			if (invpcid_enabled)

-				vmx->nested.nested_vmx_secondary_ctls_high |=

-					SECONDARY_EXEC_ENABLE_INVPCID;

-			else

-				vmx->nested.nested_vmx_secondary_ctls_high &=

-					~SECONDARY_EXEC_ENABLE_INVPCID;

-		}

+	if (cpu_has_secondary_exec_ctrls()) {

+		vmx_compute_secondary_exec_control(vmx);

+		vmcs_set_secondary_exec_control(vmx->secondary_exec_control);

 	}

-	if (cpu_has_secondary_exec_ctrls())

-		vmcs_set_secondary_exec_control(secondary_exec_ctl);

-

 	if (nested_vmx_allowed(vcpu))

 		to_vmx(vcpu)->msr_ia32_feature_control_valid_bits |=

 			FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX;

@@ -10331,7 +10339,7 @@

 		enable_ept ? vmcs12->page_fault_error_code_match : 0);

 	if (cpu_has_secondary_exec_ctrls()) {

-		exec_control = vmx_secondary_exec_control(vmx);

+		exec_control = vmx->secondary_exec_control;

 		/* Take the following fields only from vmcs12 */

 		exec_control &= ~(SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES |