x86: tighten conditions under which writing certain MSRs is permitted

MSRs that control physical CPU aspects generally are pointless (and
possibly dangerous) to be written when the writer isn't sufficiently
aware that it's running virtualized.

Signed-off-by: Jan Beulich <jbeulich@novell.com>

diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c
index 97e3dc4a407fc48b3ed74733be989efe9f43f4c9..81141fd4f11c2b7c5eff0718ac369d8ffa7165a7 100644 (file)
--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -2282,7 +2282,7 @@ static int emulate_privileged_op(struct cpu_user_regs *regs)
             if ( boot_cpu_data.x86_vendor != X86_VENDOR_AMD ||
                  boot_cpu_data.x86 < 0x10 || boot_cpu_data.x86 > 0x17 )
                 goto fail;
-            if ( !IS_PRIV(v->domain) )
+            if ( !IS_PRIV(v->domain) || !is_pinned_vcpu(v) )
                 break;
             if ( (rdmsr_safe(MSR_AMD64_NB_CFG, val) != 0) ||
                  (eax != (uint32_t)val) ||
@@ -2295,7 +2295,7 @@ static int emulate_privileged_op(struct cpu_user_regs *regs)
             if ( boot_cpu_data.x86_vendor != X86_VENDOR_AMD ||
                  boot_cpu_data.x86 < 0x10 || boot_cpu_data.x86 > 0x17 )
                 goto fail;
-            if ( !IS_PRIV(v->domain) )
+            if ( !IS_PRIV(v->domain) || !is_pinned_vcpu(v) )
                 break;
             if ( (rdmsr_safe(MSR_FAM10H_MMIO_CONF_BASE, val) != 0) )
                 goto fail;
@@ -2317,6 +2317,8 @@ static int emulate_privileged_op(struct cpu_user_regs *regs)
         case MSR_IA32_UCODE_REV:
             if ( boot_cpu_data.x86_vendor != X86_VENDOR_INTEL )
                 goto fail;
+            if ( !IS_PRIV(v->domain) || !is_pinned_vcpu(v) )
+                break;
             if ( rdmsr_safe(regs->ecx, val) )
                 goto fail;
             if ( msr_content )
@@ -2324,7 +2326,7 @@ static int emulate_privileged_op(struct cpu_user_regs *regs)
             break;
         case MSR_IA32_MISC_ENABLE:
             if ( rdmsr_safe(regs->ecx, val) )
-                goto invalid;
+                goto fail;
             val = guest_misc_enable(val);
             if ( msr_content != val )
                 goto invalid;
@@ -2351,7 +2353,7 @@ static int emulate_privileged_op(struct cpu_user_regs *regs)
         case MSR_IA32_ENERGY_PERF_BIAS:
             if ( boot_cpu_data.x86_vendor != X86_VENDOR_INTEL )
                 goto fail;
-            if ( (v->domain->domain_id != 0) || !is_pinned_vcpu(v) )
+            if ( !IS_PRIV(v->domain) || !is_pinned_vcpu(v) )
                 break;
             if ( wrmsr_safe(regs->ecx, msr_content) != 0 )
                 goto fail;