[cpuid] fix bug in T2 and C3 template

Additional CPU features need to be disable on Skylake.

Signed-off-by: Andreea Florescu <[email protected]>

Author: andreeaflorescu

cpuid/src/cpu_leaf.rs

@@ -124,7 +124,8 @@ pub mod leaf_0x7 {
             // Intel® Resource Director Technology (Intel® RDT) Monitoring
             pub const RDT_M_SHIFT: u32 = 12;
             // 13 = Deprecates FPU CS and FPU DS values if 1
-            // 14 = MPX (Intel® Memory Protection Extensions)
+            // Memory Protection Extensions
+            pub const MPX_SHIFT: u32 = 14;
             // RDT = Intel® Resource Director Technology
             pub const RDT_A_SHIFT: u32 = 15;
             // AVX-512 Foundation instructions
@@ -137,8 +138,11 @@ pub mod leaf_0x7 {
             // AVX512IFMA = AVX-512 Integer Fused Multiply-Add Instructions
             pub const AVX512IFMA_SHIFT: u32 = 21;
             // 21 = PCOMMIT intruction
-            // 23 = CLFLUSH_OPT (flushing multiple cache lines in parallel within a single logical processor)
-            // 24 = CLWB (Cache Line Write Back)
+            // 22 reserved
+            // CLFLUSHOPT (flushing multiple cache lines in parallel within a single logical processor)
+            pub const CLFLUSHOPT_SHIFT: u32 = 23;
+            // CLWB = Cache Line Write Back
+            pub const CLWB_SHIFT: u32 = 24;
             // PT = Intel Processor Trace
             pub const PT_SHIFT: u32 = 25;
             // AVX512PF = AVX512 Prefetch Instructions
@@ -160,8 +164,10 @@ pub mod leaf_0x7 {
             // AVX512_VBMI = AVX-512 Vector Byte Manipulation Instructions
             pub const AVX512_VBMI_SHIFT: u32 = 1;
             // 2 = UMIP (User Mode Instruction Prevention)
-            // 3 = PKU (Protection Keys for user-mode pages)
-            // 4 = OSPKE (If 1, OS has set CR4.PKE to enable protection keys)
+            // PKU = Protection Keys for user-mode pages
+            pub const PKU_SHIFT: u32 = 3;
+            // OSPKE = If 1, OS has set CR4.PKE to enable protection keys
+            pub const OSPKE_SHIFT: u32 = 4;
             // 5 = WAITPKG
             // 7-6 reserved
             // 8 = GFNI
@@ -227,11 +233,23 @@ pub mod leaf_0xb {
 pub mod leaf_0xd {
     pub const LEAF_NUM: u32 = 0xd;
 
-    pub mod eax {
-        use bit_helper::BitRange;
+    pub mod index0 {
+        pub mod eax {
+            use bit_helper::BitRange;
+
+            pub const MPX_STATE_BITRANGE: BitRange = bit_range!(4, 3);
+            pub const AVX512_STATE_BITRANGE: BitRange = bit_range!(7, 5);
+        }
+    }
 
-        pub const AVX512_STATE_BITRANGE: BitRange = bit_range!(7, 5);
+    pub mod index1 {
+        pub mod eax {
+            pub const XSAVEC_SHIFT: u32 = 1;
+            pub const XGETBV_SHIFT: u32 = 2;
+            pub const XSAVES_SHIFT: u32 = 3;
+        }
     }
+
 }
 
 pub mod leaf_0x80000000 {

cpuid/src/template/c3.rs

@@ -66,11 +66,14 @@ pub fn set_cpuid_entries(entries: &mut [kvm_cpuid_entry2]) {
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::RTM_SHIFT);
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::RDT_M_SHIFT);
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::RDT_A_SHIFT);
+                    entry.ebx &= !(1 << leaf_0x7::index0::ebx::MPX_SHIFT);
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::AVX512F_SHIFT);
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::AVX512DQ_SHIFT);
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::RDSEED_SHIFT);
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::ADX_SHIFT);
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::AVX512IFMA_SHIFT);
+                    entry.ebx &= !(1 << leaf_0x7::index0::ebx::CLFLUSHOPT_SHIFT);
+                    entry.ebx &= !(1 << leaf_0x7::index0::ebx::CLWB_SHIFT);
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::PT_SHIFT);
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::AVX512PF_SHIFT);
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::AVX512ER_SHIFT);
@@ -80,6 +83,8 @@ pub fn set_cpuid_entries(entries: &mut [kvm_cpuid_entry2]) {
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::AVX512VL_SHIFT);
 
                     entry.ecx &= !(1 << leaf_0x7::index0::ecx::AVX512_VBMI_SHIFT);
+                    entry.ecx &= !(1 << leaf_0x7::index0::ecx::PKU_SHIFT);
+                    entry.ecx &= !(1 << leaf_0x7::index0::ecx::OSPKE_SHIFT);
                     entry.ecx &= !(1 << leaf_0x7::index0::ecx::AVX512_VPOPCNTDQ_SHIFT);
                     entry.ecx &= !(1 << leaf_0x7::index0::ecx::RDPID_SHIFT);
                     entry.ecx &= !(1 << leaf_0x7::index0::ecx::SGX_LC_SHIFT);
@@ -89,11 +94,25 @@ pub fn set_cpuid_entries(entries: &mut [kvm_cpuid_entry2]) {
                 }
             }
             leaf_0xd::LEAF_NUM => {
-                // AVX-512 instructions are masked out with the C3 template so the size in bytes
-                // of the save area should be 0 (or invalid).
-                entry
-                    .eax
-                    .write_bits_in_range(&leaf_0xd::eax::AVX512_STATE_BITRANGE, 0);
+                if entry.index == 0 {
+                    // MPX is masked out with the C3 template so the size in in bytes of the save
+                    // area should be 0 (or invalid).
+                    entry
+                        .eax
+                        .write_bits_in_range(&leaf_0xd::index0::eax::MPX_STATE_BITRANGE, 0);
+
+                    // AVX-512 instructions are masked out with the C3 template so the size in bytes
+                    // of the save area should be 0 (or invalid).
+                    entry
+                        .eax
+                        .write_bits_in_range(&leaf_0xd::index0::eax::AVX512_STATE_BITRANGE, 0);
+                }
+
+                if entry.index == 1 {
+                    entry.eax &= !(1 << leaf_0xd::index1::eax::XSAVEC_SHIFT);
+                    entry.eax &= !(1 << leaf_0xd::index1::eax::XGETBV_SHIFT);
+                    entry.eax &= !(1 << leaf_0xd::index1::eax::XSAVES_SHIFT);
+                }
             }
             leaf_0x80000001::LEAF_NUM => {
                 entry.ecx &= !(1 << leaf_0x80000001::ecx::PREFETCH_SHIFT);

cpuid/src/template/t2.rs

@@ -59,11 +59,14 @@ pub fn set_cpuid_entries(entries: &mut [kvm_cpuid_entry2]) {
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::RTM_SHIFT);
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::RDT_M_SHIFT);
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::RDT_A_SHIFT);
+                    entry.ebx &= !(1 << leaf_0x7::index0::ebx::MPX_SHIFT);
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::AVX512F_SHIFT);
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::AVX512DQ_SHIFT);
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::RDSEED_SHIFT);
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::ADX_SHIFT);
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::AVX512IFMA_SHIFT);
+                    entry.ebx &= !(1 << leaf_0x7::index0::ebx::CLFLUSHOPT_SHIFT);
+                    entry.ebx &= !(1 << leaf_0x7::index0::ebx::CLWB_SHIFT);
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::PT_SHIFT);
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::AVX512PF_SHIFT);
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::AVX512ER_SHIFT);
@@ -73,6 +76,8 @@ pub fn set_cpuid_entries(entries: &mut [kvm_cpuid_entry2]) {
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::AVX512VL_SHIFT);
 
                     entry.ecx &= !(1 << leaf_0x7::index0::ecx::AVX512_VBMI_SHIFT);
+                    entry.ecx &= !(1 << leaf_0x7::index0::ecx::PKU_SHIFT);
+                    entry.ecx &= !(1 << leaf_0x7::index0::ecx::OSPKE_SHIFT);
                     entry.ecx &= !(1 << leaf_0x7::index0::ecx::AVX512_VPOPCNTDQ_SHIFT);
                     entry.ecx &= !(1 << leaf_0x7::index0::ecx::RDPID_SHIFT);
                     entry.ecx &= !(1 << leaf_0x7::index0::ecx::SGX_LC_SHIFT);
@@ -82,11 +87,25 @@ pub fn set_cpuid_entries(entries: &mut [kvm_cpuid_entry2]) {
                 }
             }
             leaf_0xd::LEAF_NUM => {
-                // AVX-512 instructions are masked out with the T2 template so the size in bytes
-                // of the save area should be 0 (or invalid).
-                entry
-                    .eax
-                    .write_bits_in_range(&leaf_0xd::eax::AVX512_STATE_BITRANGE, 0);
+                if entry.index == 0 {
+                    // MPX is masked out with the T2 template so the size in in bytes of the save
+                    // area should be 0 (or invalid).
+                    entry
+                        .eax
+                        .write_bits_in_range(&leaf_0xd::index0::eax::MPX_STATE_BITRANGE, 0);
+
+                    // AVX-512 instructions are masked out with the T2 template so the size in bytes
+                    // of the save area should be 0 (or invalid).
+                    entry
+                        .eax
+                        .write_bits_in_range(&leaf_0xd::index0::eax::AVX512_STATE_BITRANGE, 0);
+                }
+
+                if entry.index == 1 {
+                    entry.eax &= !(1 << leaf_0xd::index1::eax::XSAVEC_SHIFT);
+                    entry.eax &= !(1 << leaf_0xd::index1::eax::XGETBV_SHIFT);
+                    entry.eax &= !(1 << leaf_0xd::index1::eax::XSAVES_SHIFT);
+                }
             }
             leaf_0x80000001::LEAF_NUM => {
                 entry.ecx &= !(1 << leaf_0x80000001::ecx::PREFETCH_SHIFT);

tests/integration_tests/functional/test_cpu_features.py

@@ -305,24 +305,28 @@ def test_brand_string(test_microvm_with_ssh, network_config):
 
 @pytest.mark.skipif(
     platform.machine() != "x86_64",
-    reason="AVX features are available only on x86_64."
+    reason="CPU features are masked only on x86_64."
 )
 @pytest.mark.parametrize("cpu_template", ["T2", "C3"])
-def test_avx_disabled(test_microvm_with_ssh, network_config, cpu_template):
+def test_cpu_template(test_microvm_with_ssh, network_config, cpu_template):
     """Check that AVX2 & AVX512 instructions are disabled.
 
-    This is a rather dummy test for checking that no AVX2 or AVX512
-    instructions are exposed. It is a first step into checking the t2 & c3
+    This is a rather dummy test for checking that some features are not
+    exposed by mistake. It is a first step into checking the t2 & c3
     templates. In a next iteration we should check **all** cpuid entries, not
-    just the AVX family instructions. We can achieve this with a template
+    just these features. We can achieve this with a template
     containing all features on a t2/c3 instance and check that the cpuid in
     the guest is an exact match of the template.
     """
+    common_masked_features = ["avx512", "mpx", "clflushopt", "clwb", "xsavec",
+                              "xgetbv1", "xsaves", "pku", "ospke"]
+    c3_masked_features = ["avx2"]
+
     test_microvm = test_microvm_with_ssh
     test_microvm.spawn()
 
     test_microvm.basic_config(vcpu_count=1)
-    # Set the template to T2.
+    # Set template as specified in the `cpu_template` parameter.
     response = test_microvm.machine_cfg.put(
         vcpu_count=1,
         mem_size_mib=256,
@@ -339,8 +343,10 @@ def test_avx_disabled(test_microvm_with_ssh, network_config, cpu_template):
     assert stderr.read().decode("utf-8") == ''
 
     cpu_flags_output = stdout.readline().decode('utf-8').rstrip()
-    # On C3 there's no AVX2. Check that it is masked out.
+
     if cpu_template == "C3":
-        assert not "avx2" in cpu_flags_output
-    # Check that AVX-512 is masked out with both C3 and T2 templates
-    assert not "avx512" in cpu_flags_output
+        for feature in c3_masked_features:
+            assert feature not in cpu_flags_output
+    # Check that all features in `common_masked_features` are properly masked.
+    for feature in common_masked_features:
+        assert feature not in cpu_flags_output