HV: enable L1 cache flush when VM entry

- flush L1 cache before VM entry only on platform
   affected by L1TF
 - flush operation is configurable by below MACRO:
    --CONFIG_L1D_FLUSH_VMENTRY_ENABLED

Tracked-On: #1672
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>

hypervisor/arch/x86/Kconfig

@@ -300,3 +300,7 @@ config ENFORCE_VALIDATED_ACPI_INFO
 	  tools to generate such data is required. Otherwise a warning will be
 	  printed when validated ACPI info is unavailable, but a binary can
 	  still be built with the ACPI info template.
+
+config L1D_FLUSH_VMENTRY_ENABLED
+	bool "Enable L1 cache flush before VM entry"
+	default n

hypervisor/arch/x86/cpu.c

@@ -911,3 +911,18 @@ static void cpu_xsave_init(void)
 		}
 	}
 }
+
+void cpu_l1d_flush(void)
+{
+	/*
+	 * 'skip_l1dfl_vmentry' will be true on platform that
+	 * is not affected by L1TF.
+	 *
+	 */
+	if (!skip_l1dfl_vmentry) {
+		if (cpu_has_cap(X86_FEATURE_L1D_FLUSH)) {
+			msr_write(MSR_IA32_FLUSH_CMD, IA32_L1D_FLUSH);
+		}
+	}
+
+}

hypervisor/arch/x86/guest/vcpu.c

@@ -426,6 +426,10 @@ int run_vcpu(struct vcpu *vcpu)
 		if (ibrs_type == IBRS_RAW)
 			msr_write(MSR_IA32_PRED_CMD, PRED_SET_IBPB);
 
+#ifdef CONFIG_L1D_FLUSH_VMENTRY_ENABLED
+		cpu_l1d_flush();
+#endif
+
 		/* Launch the VM */
 		status = vmx_vmrun(ctx, VM_LAUNCH, ibrs_type);
 
@@ -444,6 +448,9 @@ int run_vcpu(struct vcpu *vcpu)
 		rip = vcpu_get_rip(vcpu);
 		exec_vmwrite(VMX_GUEST_RIP, ((rip+(uint64_t)instlen) &
 				0xFFFFFFFFFFFFFFFFUL));
+#ifdef CONFIG_L1D_FLUSH_VMENTRY_ENABLED
+		cpu_l1d_flush();
+#endif
 
 		/* Resume the VM */
 		status = vmx_vmrun(ctx, VM_RESUME, ibrs_type);

hypervisor/include/arch/x86/cpu.h

@@ -324,6 +324,7 @@ void cpu_secondary_init(void);
 void start_cpus(void);
 void stop_cpus(void);
 void wait_sync_change(uint64_t *sync, uint64_t wake_sync);
+void cpu_l1d_flush(void);
 
 /* Read control register */
 #define CPU_CR_READ(cr, result_ptr)				\