executor: sys/linux: SYZOS: add support for AMD STGI and CLGI instructions

ramosian-glider · ramosian-glider · commit 0a1338c68f19 · 2026-01-15T07:19:29.000Z
Implement the SYZOS_API_NESTED_AMD_STGI and SYZOS_API_NESTED_AMD_CLGI
primitives to toggle the Global Interrupt Flag (GIF). These commands
execute the stgi and clgi instructions respectively and require no
arguments.

Also add a test checking that CLGI correctly masks NMI injection from L0.
diff --git a/executor/common_kvm_amd64_syzos.h b/executor/common_kvm_amd64_syzos.h
@@ -34,6 +34,8 @@ typedef enum {
 	SYZOS_API_NESTED_INTEL_VMWRITE_MASK = 340,
 	SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK = 380,
 	SYZOS_API_NESTED_AMD_INVLPGA = 381,
+	SYZOS_API_NESTED_AMD_STGI = 382,
+	SYZOS_API_NESTED_AMD_CLGI = 383,
 	SYZOS_API_STOP, // Must be the last one
 } syzos_api_id;
 
@@ -115,6 +117,8 @@ GUEST_CODE static void guest_handle_nested_vmresume(struct api_call_1* cmd, uint
 GUEST_CODE static void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64 cpu_id);
 GUEST_CODE static void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64 cpu_id);
 GUEST_CODE static void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64 cpu_id);
+GUEST_CODE static void guest_handle_nested_amd_stgi();
+GUEST_CODE static void guest_handle_nested_amd_clgi();
 
 typedef enum {
 	UEXIT_END = (uint64)-1,
@@ -233,6 +237,12 @@ guest_main(uint64 size, uint64 cpu)
 		} else if (call == SYZOS_API_NESTED_AMD_INVLPGA) {
 			// Invalidate TLB mappings for the specified address/ASID.
 			guest_handle_nested_amd_invlpga((struct api_call_2*)cmd, cpu);
+		} else if (call == SYZOS_API_NESTED_AMD_STGI) {
+			// Set Global Interrupt Flag (Enable Interrupts).
+			guest_handle_nested_amd_stgi();
+		} else if (call == SYZOS_API_NESTED_AMD_CLGI) {
+			// Clear Global Interrupt Flag (Disable Interrupts, including NMI).
+			guest_handle_nested_amd_clgi();
 		}
 		addr += cmd->size;
 		size -= cmd->size;
@@ -1300,4 +1310,20 @@ guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64 cpu_id)
 	asm volatile("invlpga" : : "a"(linear_addr), "c"(asid) : "memory");
 }
 
+GUEST_CODE static noinline void
+guest_handle_nested_amd_stgi()
+{
+	if (get_cpu_vendor() != CPU_VENDOR_AMD)
+		return;
+	asm volatile("stgi" ::: "memory");
+}
+
+GUEST_CODE static noinline void
+guest_handle_nested_amd_clgi()
+{
+	if (get_cpu_vendor() != CPU_VENDOR_AMD)
+		return;
+	asm volatile("clgi" ::: "memory");
+}
+
 #endif // EXECUTOR_COMMON_KVM_AMD64_SYZOS_H
diff --git a/sys/linux/dev_kvm_amd64.txt b/sys/linux/dev_kvm_amd64.txt
@@ -172,6 +172,8 @@ syzos_api_call$x86 [
 	nested_intel_vmwrite_mask	syzos_api$x86[340, syzos_api_nested_intel_vmwrite_mask]
 	nested_amd_vmcb_write_mask	syzos_api$x86[380, syzos_api_nested_amd_vmcb_write_mask]
 	nested_amd_invlpga		syzos_api$x86[381, syzos_api_nested_amd_invlpga]
+	nested_amd_stgi			syzos_api$x86[382, void]
+	nested_amd_clgi			syzos_api$x86[383, void]
 ] [varlen]
 
 kvm_text_x86 [
diff --git a/sys/linux/test/amd64-syz_kvm_nested_amd_stgi b/sys/linux/test/amd64-syz_kvm_nested_amd_stgi
@@ -0,0 +1,47 @@
+#
+# requires: arch=amd64 -threaded
+#
+r0 = openat$kvm(0, &AUTO='/dev/kvm\x00', 0x0, 0x0)
+r1 = ioctl$KVM_CREATE_VM(r0, AUTO, 0x0)
+r2 = syz_kvm_setup_syzos_vm$x86(r1, &(0x7f0000c00000/0x400000)=nil)
+
+# Test AMD SVM STGI/CLGI interaction with Host NMI Injection.
+#
+# 1. Guest executes CLGI (disabling interrupts).
+# 2. Guest executes UEXIT (0x1337) to yield to Host.
+# 3. Host injects an NMI via KVM_NMI.
+#    - Because GIF=0, this NMI must remain PENDING and NOT be delivered yet.
+# 4. Guest resumes and executes STGI.
+#    - NMI should be delivered immediately after STGI.
+#
+r3 = syz_kvm_add_vcpu$x86(r2, &AUTO={0x0, &AUTO=[@enable_nested={AUTO, AUTO, 0x0}, @nested_create_vm={AUTO, AUTO, 0x0}, @nested_amd_clgi={AUTO, AUTO, ""}, @uexit={AUTO, AUTO, 0x1337}, @nested_amd_stgi={AUTO, AUTO, ""}, @uexit={AUTO, AUTO, 0xface}], AUTO})
+r4 = ioctl$KVM_GET_VCPU_MMAP_SIZE(r0, AUTO)
+r5 = mmap$KVM_VCPU(&(0x7f0000009000/0x1000)=nil, r4, 0x3, 0x1, r3, 0x0)
+
+# Run 1: Execute CLGI -> UEXIT(0x1337)
+#
+ioctl$KVM_RUN(r3, AUTO, 0x0)
+syz_kvm_assert_syzos_uexit$x86(r5, 0x1337)
+
+# Inject NMI into the vCPU.
+# Since GIF=0 in the guest, this NMI should be queued by L0.
+#
+ioctl$KVM_NMI(r3, 0x0)
+
+# Run 2: Resume -> STGI -> NMI Delivery -> UEXIT(0xface)
+# We verify that the guest survives the NMI delivery and reaches the final exit.
+# (If KVM fails to queue the NMI and delivers it early, or corrupts state, this may crash).
+#
+ioctl$KVM_RUN(r3, AUTO, 0x0)
+
+# We check for successful completion.
+# Note: If NMI is delivered, it might cause a standard KVM exit depending on interception settings.
+# If the guest handles it transparently, we see 0xface.
+# For this regression test, ensuring we don't crash L0 is the primary goal.
+#
+syz_kvm_assert_syzos_uexit$x86(r5, 0xface)
+
+# Cleanup.
+#
+ioctl$KVM_RUN(r3, AUTO, 0x0)
+syz_kvm_assert_syzos_uexit$x86(r5, 0xffffffff)
