Control-flow Enforcement Technology (CET) provides protection against
Return/Jump-Oriented Programming (ROP/JOP) attack. There're two CET
sub-features: Shadow Stack (SHSTK) and Indirect Branch Tracking (IBT).
SHSTK is to prevent ROP programming and IBT is to prevent JOP programming.
Several parts in KVM have been updated to provide VM CET support, including:
CPUID/XSAVES config, MSR pass-through, user space MSR access interface,
vmentry/vmexit config, nested VM etc. These patches have dependency on CET
kernel patches for xsaves support and CET definitions, e.g., MSR and related
feature flags.
CET kernel patches are here:
https://lkml.kernel.org/r/[email protected]
v12:
- Fixed a few issues per Sean and Paolo's review feeback.
- Refactored patches to make them properly arranged.
- Removed unnecessary hard-coded CET states for host/guest.
- Added compile-time assertions for vmcs_field_to_offset_table to detect
mismatch of the field type and field encoding number.
- Added a custom MSR MSR_KVM_GUEST_SSP for guest active SSP save/restore.
- Rebased patches to 5.7-rc3.
v11:
- Fixed a guest vmentry failure issue when guest reboots.
- Used vm_xxx_control_{set, clear}bit() to avoid side effect, it'll
clear cached data instead of pure VMCS field bits.
- Added vcpu->arch.guest_supported_xss dedidated for guest runtime mask,
this avoids supported_xss overwritten issue caused by an old qemu.
- Separated vmentry/vmexit state setting with CR0/CR4 dependency check
to make the patch more clear.
- Added CET VMCS states in dump_vmcs() for debugging purpose.
- Other refactor based on testing.
- This patch serial is built on top of below branch and CET kernel patches
for seeking xsaves support:
https://git.kernel.org/pub/scm/virt/kvm/kvm.git/log/?h=cpu-caps
v10:
- Refactored code per Sean's review feedback.
- Added CET support for nested VM.
- Removed fix-patch for CPUID(0xd,N) enumeration as this part is done
by Paolo and Sean.
- This new patchset is based on Paolo's queued cpu_caps branch.
- Modified patch per XSAVES related change.
- Consolidated KVM unit-test patch with KVM patches.
v9:
- Refactored msr-check functions per Sean's feedback.
- Fixed a few issues per Sean's suggestion.
- Rebased patch to kernel-v5.4.
- Moved CET CPUID feature bits and CR4.CET to last patch.
v8:
- Addressed Jim and Sean's feedback on: 1) CPUID(0xD,i) enumeration. 2)
sanity check when configure guest CET. 3) function improvement.
- Added more sanity check functions.
- Set host vmexit default status so that guest won't leak CET status to
host when vmexit.
- Added CR0.WP vs. CR4.CET mutual constrains.
v7:
- Rebased patch to kernel v5.3
- Sean suggested to change CPUID(0xd, n) enumeration code as alined with
existing one, and I think it's better to make the fix as an independent patch
since XSS MSR are being used widely on X86 platforms.
- Check more host and guest status before configure guest CET
per Sean's feedback.
- Add error-check before guest accesses CET MSRs per Sean's feedback.
- Other minor fixes suggested by Sean.
v6:
- Rebase patch to kernel v5.2.
- Move CPUID(0xD, n>=1) helper to a seperate patch.
- Merge xsave size fix with other patch.
- Other minor fixes per community feedback.
v5:
- Rebase patch to kernel v5.1.
- Wrap CPUID(0xD, n>=1) code to a helper function.
- Pass through MSR_IA32_PL1_SSP and MSR_IA32_PL2_SSP to Guest.
- Add Co-developed-by expression in patch description.
- Refine patch description.
v4:
- Add Sean's patch for loading Guest fpu state before access XSAVES
managed CET MSRs.
- Melt down CET bits setting into CPUID configuration patch.
- Add VMX interface to query Host XSS.
- Check Host and Guest XSS support bits before set Guest XSS.
- Make Guest SHSTK and IBT feature enabling independent.
- Do not report CET support to Guest when Host CET feature is Disabled.
v3:
- Modified patches to make Guest CET independent to Host enabling.
- Added patch 8 to add user space access for Guest CET MSR access.
- Modified code comments and patch description to reflect changes.
v2:
- Re-ordered patch sequence, combined one patch.
- Added more description for CET related VMCS fields.
- Added Host CET capability check while enabling Guest CET loading bit.
- Added Host CET capability check while reporting Guest CPUID(EAX=7, EXC=0).
- Modified code in reporting Guest CPUID(EAX=D,ECX>=1), make it clearer.
- Added Host and Guest XSS mask check while setting bits for Guest XSS.
Sean Christopherson (1):
KVM: x86: Load guest fpu state when access MSRs managed by XSAVES
Yang Weijiang (9):
KVM: VMX: Introduce CET VMCS fields and flags
KVM: VMX: Set guest CET MSRs per KVM and host configuration
KVM: VMX: Configure CET settings upon guest CR0/4 changing
KVM: x86: Refresh CPUID once guest changes XSS bits
KVM: x86: Add userspace access interface for CET MSRs
KVM: VMX: Enable CET support for nested VM
KVM: VMX: Add VMCS dump and sanity check for CET states
KVM: x86: Add #CP support in guest exception dispatch
KVM: x86: Enable CET virtualization and advertise CET to userspace
arch/x86/include/asm/kvm_host.h | 4 +-
arch/x86/include/asm/vmx.h | 8 +
arch/x86/include/uapi/asm/kvm.h | 1 +
arch/x86/include/uapi/asm/kvm_para.h | 7 +-
arch/x86/kvm/cpuid.c | 28 ++-
arch/x86/kvm/vmx/capabilities.h | 5 +
arch/x86/kvm/vmx/nested.c | 34 ++++
arch/x86/kvm/vmx/vmcs12.c | 275 ++++++++++++++++-----------
arch/x86/kvm/vmx/vmcs12.h | 14 +-
arch/x86/kvm/vmx/vmx.c | 257 ++++++++++++++++++++++++-
arch/x86/kvm/x86.c | 42 +++-
arch/x86/kvm/x86.h | 2 +-
12 files changed, 546 insertions(+), 131 deletions(-)
--
2.17.2
CET(Control-flow Enforcement Technology) is a CPU feature used to prevent
Return/Jump-Oriented Programming(ROP/JOP) attacks. It provides the following
sub-features to defend against ROP/JOP style control-flow subversion attacks:
Shadow Stack (SHSTK):
A second stack for program which is used exclusively for control transfer
operations.
Indirect Branch Tracking (IBT):
Code branching protection to defend against jump/call oriented programming.
Several new CET MSRs are defined in kernel to support CET:
MSR_IA32_{U,S}_CET: Controls the CET settings for user mode and kernel mode
respectively.
MSR_IA32_PL{0,1,2,3}_SSP: Stores shadow stack pointers for CPL-0,1,2,3
protection respectively.
MSR_IA32_INT_SSP_TAB: Stores base address of shadow stack pointer table.
Two XSAVES state bits are introduced for CET:
IA32_XSS:[bit 11]: Control saving/restoring user mode CET states
IA32_XSS:[bit 12]: Control saving/restoring kernel mode CET states.
Six VMCS fields are introduced for CET:
{HOST,GUEST}_S_CET: Stores CET settings for kernel mode.
{HOST,GUEST}_SSP: Stores shadow stack pointer of current task/thread.
{HOST,GUEST}_INTR_SSP_TABLE: Stores base address of shadow stack pointer
table.
If VM_EXIT_LOAD_HOST_CET_STATE = 1, the host CET states are restored from below
VMCS fields at VM-Exit:
HOST_S_CET
HOST_SSP
HOST_INTR_SSP_TABLE
If VM_ENTRY_LOAD_GUEST_CET_STATE = 1, the guest CET states are loaded from below
VMCS fields at VM-Entry:
GUEST_S_CET
GUEST_SSP
GUEST_INTR_SSP_TABLE
Co-developed-by: Zhang Yi Z <[email protected]>
Signed-off-by: Zhang Yi Z <[email protected]>
Signed-off-by: Yang Weijiang <[email protected]>
---
arch/x86/include/asm/vmx.h | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/arch/x86/include/asm/vmx.h b/arch/x86/include/asm/vmx.h
index 5e090d1f03f8..f301def9125a 100644
--- a/arch/x86/include/asm/vmx.h
+++ b/arch/x86/include/asm/vmx.h
@@ -94,6 +94,7 @@
#define VM_EXIT_CLEAR_BNDCFGS 0x00800000
#define VM_EXIT_PT_CONCEAL_PIP 0x01000000
#define VM_EXIT_CLEAR_IA32_RTIT_CTL 0x02000000
+#define VM_EXIT_LOAD_CET_STATE 0x10000000
#define VM_EXIT_ALWAYSON_WITHOUT_TRUE_MSR 0x00036dff
@@ -107,6 +108,7 @@
#define VM_ENTRY_LOAD_BNDCFGS 0x00010000
#define VM_ENTRY_PT_CONCEAL_PIP 0x00020000
#define VM_ENTRY_LOAD_IA32_RTIT_CTL 0x00040000
+#define VM_ENTRY_LOAD_CET_STATE 0x00100000
#define VM_ENTRY_ALWAYSON_WITHOUT_TRUE_MSR 0x000011ff
@@ -328,6 +330,9 @@ enum vmcs_field {
GUEST_PENDING_DBG_EXCEPTIONS = 0x00006822,
GUEST_SYSENTER_ESP = 0x00006824,
GUEST_SYSENTER_EIP = 0x00006826,
+ GUEST_S_CET = 0x00006828,
+ GUEST_SSP = 0x0000682a,
+ GUEST_INTR_SSP_TABLE = 0x0000682c,
HOST_CR0 = 0x00006c00,
HOST_CR3 = 0x00006c02,
HOST_CR4 = 0x00006c04,
@@ -340,6 +345,9 @@ enum vmcs_field {
HOST_IA32_SYSENTER_EIP = 0x00006c12,
HOST_RSP = 0x00006c14,
HOST_RIP = 0x00006c16,
+ HOST_S_CET = 0x00006c18,
+ HOST_SSP = 0x00006c1a,
+ HOST_INTR_SSP_TABLE = 0x00006c1c
};
/*
--
2.17.2
There're two different places storing Guest CET states, states managed
with XSAVES/XRSTORS, as restored/saved in previous patch, can be read/write
directly from/to the MSRs. For those stored in VMCS fields, they're access
via vmcs_read/vmcs_write.
To correctly read/write the CET MSRs, it's necessary to check whether the
kernel FPU context switch happened and reload guest FPU context if needed.
Suggested-by: Sean Christopherson <[email protected]>
Signed-off-by: Yang Weijiang <[email protected]>
---
arch/x86/include/uapi/asm/kvm_para.h | 7 +-
arch/x86/kvm/vmx/vmx.c | 148 +++++++++++++++++++++++++++
arch/x86/kvm/x86.c | 4 +
3 files changed, 156 insertions(+), 3 deletions(-)
diff --git a/arch/x86/include/uapi/asm/kvm_para.h b/arch/x86/include/uapi/asm/kvm_para.h
index 2a8e0b6b9805..211bba6f7d8a 100644
--- a/arch/x86/include/uapi/asm/kvm_para.h
+++ b/arch/x86/include/uapi/asm/kvm_para.h
@@ -46,10 +46,11 @@
/* Custom MSRs falls in the range 0x4b564d00-0x4b564dff */
#define MSR_KVM_WALL_CLOCK_NEW 0x4b564d00
#define MSR_KVM_SYSTEM_TIME_NEW 0x4b564d01
-#define MSR_KVM_ASYNC_PF_EN 0x4b564d02
-#define MSR_KVM_STEAL_TIME 0x4b564d03
-#define MSR_KVM_PV_EOI_EN 0x4b564d04
+#define MSR_KVM_ASYNC_PF_EN 0x4b564d02
+#define MSR_KVM_STEAL_TIME 0x4b564d03
+#define MSR_KVM_PV_EOI_EN 0x4b564d04
#define MSR_KVM_POLL_CONTROL 0x4b564d05
+#define MSR_KVM_GUEST_SSP 0x4b564d06
struct kvm_steal_time {
__u64 steal;
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index 7137e252ab38..7f3a65ee64c5 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -1777,6 +1777,94 @@ static int vmx_get_msr_feature(struct kvm_msr_entry *msr)
}
}
+static void vmx_get_xsave_msr(struct msr_data *msr_info)
+{
+ local_irq_disable();
+ if (test_thread_flag(TIF_NEED_FPU_LOAD))
+ switch_fpu_return();
+ rdmsrl(msr_info->index, msr_info->data);
+ local_irq_enable();
+}
+
+static void vmx_set_xsave_msr(struct msr_data *msr_info)
+{
+ local_irq_disable();
+ if (test_thread_flag(TIF_NEED_FPU_LOAD))
+ switch_fpu_return();
+ wrmsrl(msr_info->index, msr_info->data);
+ local_irq_enable();
+}
+
+#define CET_MSR_RSVD_BITS_1 GENMASK(2, 0)
+#define CET_MSR_RSVD_BITS_2 GENMASK(9, 6)
+
+static bool cet_check_msr_valid(struct kvm_vcpu *vcpu,
+ struct msr_data *msr, u64 rsvd_bits)
+{
+ u64 data = msr->data;
+ u32 index = msr->index;
+
+ if ((index == MSR_IA32_PL0_SSP || index == MSR_IA32_PL1_SSP ||
+ index == MSR_IA32_PL2_SSP || index == MSR_IA32_PL3_SSP ||
+ index == MSR_IA32_INT_SSP_TAB || index == MSR_KVM_GUEST_SSP) &&
+ is_noncanonical_address(data, vcpu))
+ return false;
+
+ if ((index == MSR_IA32_S_CET || index == MSR_IA32_U_CET) &&
+ data & MSR_IA32_CET_ENDBR_EN) {
+ u64 bitmap_base = data >> 12;
+
+ if (is_noncanonical_address(bitmap_base, vcpu))
+ return false;
+ }
+
+ return !(data & rsvd_bits);
+}
+
+static bool cet_check_ssp_msr_accessible(struct kvm_vcpu *vcpu,
+ struct msr_data *msr)
+{
+ u32 index = msr->index;
+
+ if (!boot_cpu_has(X86_FEATURE_SHSTK))
+ return false;
+
+ if (!msr->host_initiated &&
+ !guest_cpuid_has(vcpu, X86_FEATURE_SHSTK))
+ return false;
+
+ if (index == MSR_KVM_GUEST_SSP)
+ return msr->host_initiated &&
+ guest_cpuid_has(vcpu, X86_FEATURE_SHSTK);
+
+ if (index == MSR_IA32_INT_SSP_TAB)
+ return true;
+
+ if (index == MSR_IA32_PL3_SSP)
+ return supported_xss & XFEATURE_MASK_CET_USER;
+
+ return supported_xss & XFEATURE_MASK_CET_KERNEL;
+}
+
+static bool cet_check_ctl_msr_accessible(struct kvm_vcpu *vcpu,
+ struct msr_data *msr)
+{
+ u32 index = msr->index;
+
+ if (!boot_cpu_has(X86_FEATURE_SHSTK) &&
+ !boot_cpu_has(X86_FEATURE_IBT))
+ return false;
+
+ if (!msr->host_initiated &&
+ !guest_cpuid_has(vcpu, X86_FEATURE_SHSTK) &&
+ !guest_cpuid_has(vcpu, X86_FEATURE_IBT))
+ return false;
+
+ if (index == MSR_IA32_U_CET)
+ return supported_xss & XFEATURE_MASK_CET_USER;
+
+ return supported_xss & XFEATURE_MASK_CET_KERNEL;
+}
/*
* Reads an msr value (of 'msr_index') into 'pdata'.
* Returns 0 on success, non-0 otherwise.
@@ -1909,6 +1997,31 @@ static int vmx_get_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
else
msr_info->data = vmx->pt_desc.guest.addr_a[index / 2];
break;
+ case MSR_KVM_GUEST_SSP:
+ if (!cet_check_ssp_msr_accessible(vcpu, msr_info))
+ return 1;
+ msr_info->data = vmcs_readl(GUEST_SSP);
+ break;
+ case MSR_IA32_S_CET:
+ if (!cet_check_ctl_msr_accessible(vcpu, msr_info))
+ return 1;
+ msr_info->data = vmcs_readl(GUEST_S_CET);
+ break;
+ case MSR_IA32_INT_SSP_TAB:
+ if (!cet_check_ssp_msr_accessible(vcpu, msr_info))
+ return 1;
+ msr_info->data = vmcs_readl(GUEST_INTR_SSP_TABLE);
+ break;
+ case MSR_IA32_U_CET:
+ if (!cet_check_ctl_msr_accessible(vcpu, msr_info))
+ return 1;
+ vmx_get_xsave_msr(msr_info);
+ break;
+ case MSR_IA32_PL0_SSP ... MSR_IA32_PL3_SSP:
+ if (!cet_check_ssp_msr_accessible(vcpu, msr_info))
+ return 1;
+ vmx_get_xsave_msr(msr_info);
+ break;
case MSR_TSC_AUX:
if (!msr_info->host_initiated &&
!guest_cpuid_has(vcpu, X86_FEATURE_RDTSCP))
@@ -2165,6 +2278,41 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
else
vmx->pt_desc.guest.addr_a[index / 2] = data;
break;
+ case MSR_KVM_GUEST_SSP:
+ if (!cet_check_ssp_msr_accessible(vcpu, msr_info))
+ return 1;
+ if (!cet_check_msr_valid(vcpu, msr_info, CET_MSR_RSVD_BITS_1))
+ return 1;
+ vmcs_writel(GUEST_SSP, data);
+ break;
+ case MSR_IA32_S_CET:
+ if (!cet_check_ctl_msr_accessible(vcpu, msr_info))
+ return 1;
+ if (!cet_check_msr_valid(vcpu, msr_info, CET_MSR_RSVD_BITS_2))
+ return 1;
+ vmcs_writel(GUEST_S_CET, data);
+ break;
+ case MSR_IA32_INT_SSP_TAB:
+ if (!cet_check_ctl_msr_accessible(vcpu, msr_info))
+ return 1;
+ if (!cet_check_msr_valid(vcpu, msr_info, 0))
+ return 1;
+ vmcs_writel(GUEST_INTR_SSP_TABLE, data);
+ break;
+ case MSR_IA32_U_CET:
+ if (!cet_check_ctl_msr_accessible(vcpu, msr_info))
+ return 1;
+ if (!cet_check_msr_valid(vcpu, msr_info, CET_MSR_RSVD_BITS_2))
+ return 1;
+ vmx_set_xsave_msr(msr_info);
+ break;
+ case MSR_IA32_PL0_SSP ... MSR_IA32_PL3_SSP:
+ if (!cet_check_ssp_msr_accessible(vcpu, msr_info))
+ return 1;
+ if (!cet_check_msr_valid(vcpu, msr_info, CET_MSR_RSVD_BITS_1))
+ return 1;
+ vmx_set_xsave_msr(msr_info);
+ break;
case MSR_TSC_AUX:
if (!msr_info->host_initiated &&
!guest_cpuid_has(vcpu, X86_FEATURE_RDTSCP))
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 50f80dcab3a9..1ba91101e6e6 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -1228,6 +1228,10 @@ static const u32 msrs_to_save_all[] = {
MSR_ARCH_PERFMON_EVENTSEL0 + 12, MSR_ARCH_PERFMON_EVENTSEL0 + 13,
MSR_ARCH_PERFMON_EVENTSEL0 + 14, MSR_ARCH_PERFMON_EVENTSEL0 + 15,
MSR_ARCH_PERFMON_EVENTSEL0 + 16, MSR_ARCH_PERFMON_EVENTSEL0 + 17,
+
+ MSR_IA32_XSS, MSR_IA32_U_CET, MSR_IA32_S_CET,
+ MSR_IA32_PL0_SSP, MSR_IA32_PL1_SSP, MSR_IA32_PL2_SSP,
+ MSR_IA32_PL3_SSP, MSR_IA32_INT_SSP_TAB,
};
static u32 msrs_to_save[ARRAY_SIZE(msrs_to_save_all)];
--
2.17.2
CPUID(0xd, 1) reports the current required storage size of XCR0 | XSS,
when guest updates the XSS, it's necessary to update the CPUID leaf, otherwise
guest will fetch old state size, and results to some WARN traces during guest
running.
supported_xss is initialized to host_xss & KVM_SUPPORTED_XSS to indicate current
MSR_IA32_XSS bits supported in KVM, but actual XSS bits seen in guest depends
on the setting of CPUID(0xd,1).{ECX, EDX} for guest.
Co-developed-by: Zhang Yi Z <[email protected]>
Signed-off-by: Zhang Yi Z <[email protected]>
Signed-off-by: Yang Weijiang <[email protected]>
---
arch/x86/include/asm/kvm_host.h | 1 +
arch/x86/kvm/cpuid.c | 23 +++++++++++++++++++----
arch/x86/kvm/x86.c | 12 ++++++++----
3 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index 42a2d0d3984a..f68c825e94ad 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -649,6 +649,7 @@ struct kvm_vcpu_arch {
u64 xcr0;
u64 guest_supported_xcr0;
+ u64 guest_supported_xss;
u32 guest_xstate_size;
struct kvm_pio_request pio;
diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
index 901cd1fdecd9..984ab2b395b3 100644
--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -89,15 +89,30 @@ int kvm_update_cpuid(struct kvm_vcpu *vcpu)
vcpu->arch.guest_xstate_size = XSAVE_HDR_SIZE + XSAVE_HDR_OFFSET;
} else {
vcpu->arch.guest_supported_xcr0 =
- (best->eax | ((u64)best->edx << 32)) & supported_xcr0;
+ (((u64)best->edx << 32) | best->eax) & supported_xcr0;
vcpu->arch.guest_xstate_size = best->ebx =
xstate_required_size(vcpu->arch.xcr0, false);
}
best = kvm_find_cpuid_entry(vcpu, 0xD, 1);
- if (best && (cpuid_entry_has(best, X86_FEATURE_XSAVES) ||
- cpuid_entry_has(best, X86_FEATURE_XSAVEC)))
- best->ebx = xstate_required_size(vcpu->arch.xcr0, true);
+ if (best) {
+ if (cpuid_entry_has(best, X86_FEATURE_XSAVES) ||
+ cpuid_entry_has(best, X86_FEATURE_XSAVEC)) {
+ u64 xstate = vcpu->arch.xcr0 | vcpu->arch.ia32_xss;
+
+ best->ebx = xstate_required_size(xstate, true);
+ }
+
+ if (!cpuid_entry_has(best, X86_FEATURE_XSAVES)) {
+ best->ecx = 0;
+ best->edx = 0;
+ }
+ vcpu->arch.guest_supported_xss =
+ (((u64)best->edx << 32) | best->ecx) & supported_xss;
+
+ } else {
+ vcpu->arch.guest_supported_xss = 0;
+ }
/*
* The existing code assumes virtual address is 48-bit or 57-bit in the
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index b63727318da1..c866087ed0ef 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -2843,9 +2843,12 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
* IA32_XSS[bit 8]. Guests have to use RDMSR/WRMSR rather than
* XSAVES/XRSTORS to save/restore PT MSRs.
*/
- if (data & ~supported_xss)
+ if (data & ~vcpu->arch.guest_supported_xss)
return 1;
- vcpu->arch.ia32_xss = data;
+ if (vcpu->arch.ia32_xss != data) {
+ vcpu->arch.ia32_xss = data;
+ kvm_update_cpuid(vcpu);
+ }
break;
case MSR_SMI_COUNT:
if (!msr_info->host_initiated)
@@ -9678,8 +9681,9 @@ int kvm_arch_hardware_setup(void *opaque)
memcpy(&kvm_x86_ops, ops->runtime_ops, sizeof(kvm_x86_ops));
- if (!kvm_cpu_cap_has(X86_FEATURE_XSAVES))
- supported_xss = 0;
+ supported_xss = 0;
+ if (kvm_cpu_cap_has(X86_FEATURE_XSAVES))
+ supported_xss = host_xss & KVM_SUPPORTED_XSS;
cr4_reserved_bits = kvm_host_cr4_reserved_bits(&boot_cpu_data);
--
2.17.2
CET MSRs pass through guest directly to enhance performance. CET runtime
control settings are stored in MSR_IA32_{U,S}_CET, Shadow Stack Pointer(SSP)
are stored in MSR_IA32_PL{0,1,2,3}_SSP, SSP table base address is stored in
MSR_IA32_INT_SSP_TAB, these MSRs are defined in kernel and re-used here.
MSR_IA32_U_CET and MSR_IA32_PL3_SSP are used for user-mode protection,the MSR
contents are switched between threads during scheduling, it makes sense to pass
through them so that the guest kernel can use xsaves/xrstors to operate them
efficiently. Other MSRs are used for non-user mode protection. See SDM for detailed
info.
The difference between CET VMCS fields and CET MSRs is that,the former are used
during VMEnter/VMExit, whereas the latter are used for CET state storage between
task/thread scheduling.
Co-developed-by: Zhang Yi Z <[email protected]>
Signed-off-by: Zhang Yi Z <[email protected]>
Signed-off-by: Yang Weijiang <[email protected]>
---
arch/x86/kvm/vmx/vmx.c | 46 ++++++++++++++++++++++++++++++++++++++++++
arch/x86/kvm/x86.c | 3 +++
2 files changed, 49 insertions(+)
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index d52d470e36b1..97e766875a7e 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -3020,6 +3020,13 @@ void vmx_load_mmu_pgd(struct kvm_vcpu *vcpu, unsigned long cr3)
vmcs_writel(GUEST_CR3, guest_cr3);
}
+static bool is_cet_state_supported(struct kvm_vcpu *vcpu, u32 xss_states)
+{
+ return ((supported_xss & xss_states) &&
+ (guest_cpuid_has(vcpu, X86_FEATURE_SHSTK) ||
+ guest_cpuid_has(vcpu, X86_FEATURE_IBT)));
+}
+
int vmx_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
{
struct vcpu_vmx *vmx = to_vmx(vcpu);
@@ -7098,6 +7105,42 @@ static void update_intel_pt_cfg(struct kvm_vcpu *vcpu)
vmx->pt_desc.ctl_bitmask &= ~(0xfULL << (32 + i * 4));
}
+static void vmx_update_intercept_for_cet_msr(struct kvm_vcpu *vcpu)
+{
+ struct vcpu_vmx *vmx = to_vmx(vcpu);
+ unsigned long *msr_bitmap = vmx->vmcs01.msr_bitmap;
+ bool incpt;
+
+ incpt = !is_cet_state_supported(vcpu, XFEATURE_MASK_CET_USER);
+ /*
+ * U_CET is required for USER CET, and U_CET, PL3_SPP are bound as
+ * one component and controlled by IA32_XSS[bit 11].
+ */
+ vmx_set_intercept_for_msr(msr_bitmap, MSR_IA32_U_CET, MSR_TYPE_RW,
+ incpt);
+ vmx_set_intercept_for_msr(msr_bitmap, MSR_IA32_PL3_SSP, MSR_TYPE_RW,
+ incpt);
+
+ incpt = !is_cet_state_supported(vcpu, XFEATURE_MASK_CET_KERNEL);
+ /*
+ * S_CET is required for KERNEL CET, and PL0_SSP ... PL2_SSP are
+ * bound as one component and controlled by IA32_XSS[bit 12].
+ */
+ vmx_set_intercept_for_msr(msr_bitmap, MSR_IA32_S_CET, MSR_TYPE_RW,
+ incpt);
+ vmx_set_intercept_for_msr(msr_bitmap, MSR_IA32_PL0_SSP, MSR_TYPE_RW,
+ incpt);
+ vmx_set_intercept_for_msr(msr_bitmap, MSR_IA32_PL1_SSP, MSR_TYPE_RW,
+ incpt);
+ vmx_set_intercept_for_msr(msr_bitmap, MSR_IA32_PL2_SSP, MSR_TYPE_RW,
+ incpt);
+
+ incpt |= !guest_cpuid_has(vcpu, X86_FEATURE_SHSTK);
+ /* SSP_TAB is only available for KERNEL SHSTK.*/
+ vmx_set_intercept_for_msr(msr_bitmap, MSR_IA32_INT_SSP_TAB, MSR_TYPE_RW,
+ incpt);
+}
+
static void vmx_cpuid_update(struct kvm_vcpu *vcpu)
{
struct vcpu_vmx *vmx = to_vmx(vcpu);
@@ -7136,6 +7179,9 @@ static void vmx_cpuid_update(struct kvm_vcpu *vcpu)
vmx_set_guest_msr(vmx, msr, enabled ? 0 : TSX_CTRL_RTM_DISABLE);
}
}
+
+ if (supported_xss & (XFEATURE_MASK_CET_KERNEL | XFEATURE_MASK_CET_USER))
+ vmx_update_intercept_for_cet_msr(vcpu);
}
static __init void vmx_set_cpu_caps(void)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index c5835f9cb9ad..6390b62c12ed 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -186,6 +186,9 @@ static struct kvm_shared_msrs __percpu *shared_msrs;
| XFEATURE_MASK_BNDCSR | XFEATURE_MASK_AVX512 \
| XFEATURE_MASK_PKRU)
+#define KVM_SUPPORTED_XSS (XFEATURE_MASK_CET_USER | \
+ XFEATURE_MASK_CET_KERNEL)
+
u64 __read_mostly host_efer;
EXPORT_SYMBOL_GPL(host_efer);
--
2.17.2
Hi Yang,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on vhost/linux-next]
[also build test ERROR on tip/auto-latest linus/master v5.7-rc4 next-20200505]
[cannot apply to kvm/linux-next linux/master]
[if your patch is applied to the wrong git tree, please drop us a note to help
improve the system. BTW, we also suggest to use '--base' option to specify the
base tree in git format-patch, please see https://stackoverflow.com/a/37406982]
url: https://github.com/0day-ci/linux/commits/Yang-Weijiang/Introduce-support-for-guest-CET-feature/20200507-021021
base: https://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost.git linux-next
config: x86_64-rhel (attached as .config)
compiler: gcc-7 (Ubuntu 7.5.0-6ubuntu2) 7.5.0
reproduce:
# save the attached .config to linux build tree
make ARCH=x86_64
If you fix the issue, kindly add following tag as appropriate
Reported-by: kbuild test robot <[email protected]>
All errors (new ones prefixed by >>):
arch/x86/kvm/x86.c: In function 'kvm_set_cr0':
arch/x86/kvm/x86.c:808:53: error: 'X86_CR4_CET' undeclared (first use in this function); did you mean 'X86_CR0_ET'?
if (!(cr0 & X86_CR0_WP) && kvm_read_cr4_bits(vcpu, X86_CR4_CET))
^~~~~~~~~~~
X86_CR0_ET
arch/x86/kvm/x86.c:808:53: note: each undeclared identifier is reported only once for each function it appears in
arch/x86/kvm/x86.c: At top level:
arch/x86/kvm/x86.c:1232:16: error: 'MSR_IA32_U_CET' undeclared here (not in a function); did you mean 'MSR_IA32_TSC'?
MSR_IA32_XSS, MSR_IA32_U_CET, MSR_IA32_S_CET,
^~~~~~~~~~~~~~
MSR_IA32_TSC
arch/x86/kvm/x86.c:1232:32: error: 'MSR_IA32_S_CET' undeclared here (not in a function); did you mean 'MSR_IA32_U_CET'?
MSR_IA32_XSS, MSR_IA32_U_CET, MSR_IA32_S_CET,
^~~~~~~~~~~~~~
MSR_IA32_U_CET
arch/x86/kvm/x86.c:1233:2: error: 'MSR_IA32_PL0_SSP' undeclared here (not in a function); did you mean 'MSR_IA32_MCG_ESP'?
MSR_IA32_PL0_SSP, MSR_IA32_PL1_SSP, MSR_IA32_PL2_SSP,
^~~~~~~~~~~~~~~~
MSR_IA32_MCG_ESP
arch/x86/kvm/x86.c:1233:20: error: 'MSR_IA32_PL1_SSP' undeclared here (not in a function); did you mean 'MSR_IA32_PL0_SSP'?
MSR_IA32_PL0_SSP, MSR_IA32_PL1_SSP, MSR_IA32_PL2_SSP,
^~~~~~~~~~~~~~~~
MSR_IA32_PL0_SSP
arch/x86/kvm/x86.c:1233:38: error: 'MSR_IA32_PL2_SSP' undeclared here (not in a function); did you mean 'MSR_IA32_PL1_SSP'?
MSR_IA32_PL0_SSP, MSR_IA32_PL1_SSP, MSR_IA32_PL2_SSP,
^~~~~~~~~~~~~~~~
MSR_IA32_PL1_SSP
arch/x86/kvm/x86.c:1234:2: error: 'MSR_IA32_PL3_SSP' undeclared here (not in a function); did you mean 'MSR_IA32_PL2_SSP'?
MSR_IA32_PL3_SSP, MSR_IA32_INT_SSP_TAB,
^~~~~~~~~~~~~~~~
MSR_IA32_PL2_SSP
arch/x86/kvm/x86.c:1234:20: error: 'MSR_IA32_INT_SSP_TAB' undeclared here (not in a function); did you mean 'MSR_IA32_PL3_SSP'?
MSR_IA32_PL3_SSP, MSR_IA32_INT_SSP_TAB,
^~~~~~~~~~~~~~~~~~~~
MSR_IA32_PL3_SSP
arch/x86/kvm/x86.c: In function 'is_xsaves_msr':
arch/x86/kvm/x86.c:3278:15: error: comparison between pointer and integer [-Werror]
return index == MSR_IA32_U_CET ||
^~
arch/x86/kvm/x86.c:3279:16: error: comparison between pointer and integer [-Werror]
(index >= MSR_IA32_PL0_SSP && index <= MSR_IA32_PL3_SSP);
^~
arch/x86/kvm/x86.c:3279:45: error: comparison between pointer and integer [-Werror]
(index >= MSR_IA32_PL0_SSP && index <= MSR_IA32_PL3_SSP);
^~
arch/x86/kvm/x86.c: In function 'kvm_arch_hardware_setup':
arch/x86/kvm/x86.c:191:34: error: 'XFEATURE_MASK_CET_USER' undeclared (first use in this function); did you mean 'XFEATURE_MASK_BNDCSR'?
#define KVM_SUPPORTED_XSS (XFEATURE_MASK_CET_USER | \
^
arch/x86/kvm/x86.c:9707:30: note: in expansion of macro 'KVM_SUPPORTED_XSS'
supported_xss = host_xss & KVM_SUPPORTED_XSS;
^~~~~~~~~~~~~~~~~
arch/x86/kvm/x86.c:192:6: error: 'XFEATURE_MASK_CET_KERNEL' undeclared (first use in this function); did you mean 'XFEATURE_MASK_CET_USER'?
XFEATURE_MASK_CET_KERNEL)
^
arch/x86/kvm/x86.c:9707:30: note: in expansion of macro 'KVM_SUPPORTED_XSS'
supported_xss = host_xss & KVM_SUPPORTED_XSS;
^~~~~~~~~~~~~~~~~
arch/x86/kvm/x86.c:191:57: error: invalid operands to binary | (have 'const u32 * {aka const unsigned int *}' and 'const u32 * {aka const unsigned int *}')
#define KVM_SUPPORTED_XSS (XFEATURE_MASK_CET_USER | \
~ ^
arch/x86/kvm/x86.c:9707:30: note: in expansion of macro 'KVM_SUPPORTED_XSS'
supported_xss = host_xss & KVM_SUPPORTED_XSS;
^~~~~~~~~~~~~~~~~
arch/x86/kvm/x86.c:9707:28: error: invalid operands to binary & (have 'u64 {aka long long unsigned int}' and 'const u32 * {aka const unsigned int *}')
supported_xss = host_xss & KVM_SUPPORTED_XSS;
^
>> arch/x86/kvm/x86.c:9707:17: error: assignment makes integer from pointer without a cast [-Werror=int-conversion]
supported_xss = host_xss & KVM_SUPPORTED_XSS;
^
cc1: all warnings being treated as errors
vim +9707 arch/x86/kvm/x86.c
e9b11c17552afe drivers/kvm/x86.c Zhang Xiantao 2007-11-14 9688
b990408537388e arch/x86/kvm/x86.c Sean Christopherson 2020-03-21 9689 int kvm_arch_hardware_setup(void *opaque)
e9b11c17552afe drivers/kvm/x86.c Zhang Xiantao 2007-11-14 9690 {
d008dfdb0e7012 arch/x86/kvm/x86.c Sean Christopherson 2020-03-21 9691 struct kvm_x86_init_ops *ops = opaque;
9e9c3fe40bcd28 arch/x86/kvm/x86.c Nadav Amit 2015-04-12 9692 int r;
9e9c3fe40bcd28 arch/x86/kvm/x86.c Nadav Amit 2015-04-12 9693
91661989d17cce arch/x86/kvm/x86.c Sean Christopherson 2020-03-02 9694 rdmsrl_safe(MSR_EFER, &host_efer);
91661989d17cce arch/x86/kvm/x86.c Sean Christopherson 2020-03-02 9695
408e9a318f57ba arch/x86/kvm/x86.c Paolo Bonzini 2020-03-05 9696 if (boot_cpu_has(X86_FEATURE_XSAVES))
408e9a318f57ba arch/x86/kvm/x86.c Paolo Bonzini 2020-03-05 9697 rdmsrl(MSR_IA32_XSS, host_xss);
408e9a318f57ba arch/x86/kvm/x86.c Paolo Bonzini 2020-03-05 9698
d008dfdb0e7012 arch/x86/kvm/x86.c Sean Christopherson 2020-03-21 9699 r = ops->hardware_setup();
9e9c3fe40bcd28 arch/x86/kvm/x86.c Nadav Amit 2015-04-12 9700 if (r != 0)
9e9c3fe40bcd28 arch/x86/kvm/x86.c Nadav Amit 2015-04-12 9701 return r;
9e9c3fe40bcd28 arch/x86/kvm/x86.c Nadav Amit 2015-04-12 9702
afaf0b2f9b801c arch/x86/kvm/x86.c Sean Christopherson 2020-03-21 9703 memcpy(&kvm_x86_ops, ops->runtime_ops, sizeof(kvm_x86_ops));
69c6f69aa3064a arch/x86/kvm/x86.c Sean Christopherson 2020-03-21 9704
408e9a318f57ba arch/x86/kvm/x86.c Paolo Bonzini 2020-03-05 9705 supported_xss = 0;
c76aeac0801da1 arch/x86/kvm/x86.c Yang Weijiang 2020-05-06 9706 if (kvm_cpu_cap_has(X86_FEATURE_XSAVES))
c76aeac0801da1 arch/x86/kvm/x86.c Yang Weijiang 2020-05-06 @9707 supported_xss = host_xss & KVM_SUPPORTED_XSS;
408e9a318f57ba arch/x86/kvm/x86.c Paolo Bonzini 2020-03-05 9708
b11306b53b2540 arch/x86/kvm/x86.c Sean Christopherson 2019-12-10 9709 cr4_reserved_bits = kvm_host_cr4_reserved_bits(&boot_cpu_data);
b11306b53b2540 arch/x86/kvm/x86.c Sean Christopherson 2019-12-10 9710
35181e86df97e4 arch/x86/kvm/x86.c Haozhong Zhang 2015-10-20 9711 if (kvm_has_tsc_control) {
35181e86df97e4 arch/x86/kvm/x86.c Haozhong Zhang 2015-10-20 9712 /*
35181e86df97e4 arch/x86/kvm/x86.c Haozhong Zhang 2015-10-20 9713 * Make sure the user can only configure tsc_khz values that
35181e86df97e4 arch/x86/kvm/x86.c Haozhong Zhang 2015-10-20 9714 * fit into a signed integer.
273ba45796c14b arch/x86/kvm/x86.c Marcelo Tosatti 2018-06-11 9715 * A min value is not calculated because it will always
35181e86df97e4 arch/x86/kvm/x86.c Haozhong Zhang 2015-10-20 9716 * be 1 on all machines.
35181e86df97e4 arch/x86/kvm/x86.c Haozhong Zhang 2015-10-20 9717 */
35181e86df97e4 arch/x86/kvm/x86.c Haozhong Zhang 2015-10-20 9718 u64 max = min(0x7fffffffULL,
35181e86df97e4 arch/x86/kvm/x86.c Haozhong Zhang 2015-10-20 9719 __scale_tsc(kvm_max_tsc_scaling_ratio, tsc_khz));
35181e86df97e4 arch/x86/kvm/x86.c Haozhong Zhang 2015-10-20 9720 kvm_max_guest_tsc_khz = max;
35181e86df97e4 arch/x86/kvm/x86.c Haozhong Zhang 2015-10-20 9721
ad721883e9c5f4 arch/x86/kvm/x86.c Haozhong Zhang 2015-10-20 9722 kvm_default_tsc_scaling_ratio = 1ULL << kvm_tsc_scaling_ratio_frac_bits;
35181e86df97e4 arch/x86/kvm/x86.c Haozhong Zhang 2015-10-20 9723 }
ad721883e9c5f4 arch/x86/kvm/x86.c Haozhong Zhang 2015-10-20 9724
9e9c3fe40bcd28 arch/x86/kvm/x86.c Nadav Amit 2015-04-12 9725 kvm_init_msr_list();
9e9c3fe40bcd28 arch/x86/kvm/x86.c Nadav Amit 2015-04-12 9726 return 0;
e9b11c17552afe drivers/kvm/x86.c Zhang Xiantao 2007-11-14 9727 }
e9b11c17552afe drivers/kvm/x86.c Zhang Xiantao 2007-11-14 9728
:::::: The code at line 9707 was first introduced by commit
:::::: c76aeac0801da1991ca230714e41d1ce71555219 KVM: x86: Refresh CPUID once guest changes XSS bits
:::::: TO: Yang Weijiang <[email protected]>
:::::: CC: 0day robot <[email protected]>
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/[email protected]
Hi Yang,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on vhost/linux-next]
[also build test ERROR on tip/auto-latest linus/master v5.7-rc4 next-20200505]
[cannot apply to kvm/linux-next linux/master]
[if your patch is applied to the wrong git tree, please drop us a note to help
improve the system. BTW, we also suggest to use '--base' option to specify the
base tree in git format-patch, please see https://stackoverflow.com/a/37406982]
url: https://github.com/0day-ci/linux/commits/Yang-Weijiang/Introduce-support-for-guest-CET-feature/20200507-021021
base: https://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost.git linux-next
config: x86_64-allyesconfig (attached as .config)
compiler: clang version 11.0.0 (https://github.com/llvm/llvm-project 54b35c066417d4856e9d53313f7e98b354274584)
reproduce:
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# install x86_64 cross compiling tool for clang build
# apt-get install binutils-x86-64-linux-gnu
# save the attached .config to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=x86_64
If you fix the issue, kindly add following tag as appropriate
Reported-by: kbuild test robot <[email protected]>
All errors (new ones prefixed by >>):
>> arch/x86/kvm/vmx/vmx.c:3026:26: error: use of undeclared identifier 'X86_FEATURE_SHSTK'; did you mean 'XFEATURE_SSE'?
(guest_cpuid_has(vcpu, X86_FEATURE_SHSTK) ||
^~~~~~~~~~~~~~~~~
XFEATURE_SSE
arch/x86/include/asm/fpu/types.h:104:2: note: 'XFEATURE_SSE' declared here
XFEATURE_SSE,
^
arch/x86/kvm/vmx/vmx.c:3027:25: error: use of undeclared identifier 'X86_FEATURE_IBT'
guest_cpuid_has(vcpu, X86_FEATURE_IBT)));
^
arch/x86/kvm/vmx/vmx.c:7114:40: error: use of undeclared identifier 'XFEATURE_MASK_CET_USER'
incpt = !is_cet_state_supported(vcpu, XFEATURE_MASK_CET_USER);
^
>> arch/x86/kvm/vmx/vmx.c:7119:40: error: use of undeclared identifier 'MSR_IA32_U_CET'
vmx_set_intercept_for_msr(msr_bitmap, MSR_IA32_U_CET, MSR_TYPE_RW,
^
>> arch/x86/kvm/vmx/vmx.c:7121:40: error: use of undeclared identifier 'MSR_IA32_PL3_SSP'
vmx_set_intercept_for_msr(msr_bitmap, MSR_IA32_PL3_SSP, MSR_TYPE_RW,
^
arch/x86/kvm/vmx/vmx.c:7124:40: error: use of undeclared identifier 'XFEATURE_MASK_CET_KERNEL'
incpt = !is_cet_state_supported(vcpu, XFEATURE_MASK_CET_KERNEL);
^
>> arch/x86/kvm/vmx/vmx.c:7129:40: error: use of undeclared identifier 'MSR_IA32_S_CET'
vmx_set_intercept_for_msr(msr_bitmap, MSR_IA32_S_CET, MSR_TYPE_RW,
^
>> arch/x86/kvm/vmx/vmx.c:7131:40: error: use of undeclared identifier 'MSR_IA32_PL0_SSP'
vmx_set_intercept_for_msr(msr_bitmap, MSR_IA32_PL0_SSP, MSR_TYPE_RW,
^
>> arch/x86/kvm/vmx/vmx.c:7133:40: error: use of undeclared identifier 'MSR_IA32_PL1_SSP'
vmx_set_intercept_for_msr(msr_bitmap, MSR_IA32_PL1_SSP, MSR_TYPE_RW,
^
>> arch/x86/kvm/vmx/vmx.c:7135:40: error: use of undeclared identifier 'MSR_IA32_PL2_SSP'
vmx_set_intercept_for_msr(msr_bitmap, MSR_IA32_PL2_SSP, MSR_TYPE_RW,
^
arch/x86/kvm/vmx/vmx.c:7138:34: error: use of undeclared identifier 'X86_FEATURE_SHSTK'; did you mean 'XFEATURE_SSE'?
incpt |= !guest_cpuid_has(vcpu, X86_FEATURE_SHSTK);
^~~~~~~~~~~~~~~~~
XFEATURE_SSE
arch/x86/include/asm/fpu/types.h:104:2: note: 'XFEATURE_SSE' declared here
XFEATURE_SSE,
^
>> arch/x86/kvm/vmx/vmx.c:7140:40: error: use of undeclared identifier 'MSR_IA32_INT_SSP_TAB'
vmx_set_intercept_for_msr(msr_bitmap, MSR_IA32_INT_SSP_TAB, MSR_TYPE_RW,
^
arch/x86/kvm/vmx/vmx.c:7183:23: error: use of undeclared identifier 'XFEATURE_MASK_CET_KERNEL'
if (supported_xss & (XFEATURE_MASK_CET_KERNEL | XFEATURE_MASK_CET_USER))
^
arch/x86/kvm/vmx/vmx.c:7183:50: error: use of undeclared identifier 'XFEATURE_MASK_CET_USER'
if (supported_xss & (XFEATURE_MASK_CET_KERNEL | XFEATURE_MASK_CET_USER))
^
14 errors generated.
vim +3026 arch/x86/kvm/vmx/vmx.c
3022
3023 static bool is_cet_state_supported(struct kvm_vcpu *vcpu, u32 xss_states)
3024 {
3025 return ((supported_xss & xss_states) &&
> 3026 (guest_cpuid_has(vcpu, X86_FEATURE_SHSTK) ||
3027 guest_cpuid_has(vcpu, X86_FEATURE_IBT)));
3028 }
3029
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/[email protected]
On Wed, May 06, 2020 at 04:20:59PM +0800, Yang Weijiang wrote:
> Control-flow Enforcement Technology (CET) provides protection against
> Return/Jump-Oriented Programming (ROP/JOP) attack. There're two CET
> sub-features: Shadow Stack (SHSTK) and Indirect Branch Tracking (IBT).
> SHSTK is to prevent ROP programming and IBT is to prevent JOP programming.
>
> Several parts in KVM have been updated to provide VM CET support, including:
> CPUID/XSAVES config, MSR pass-through, user space MSR access interface,
> vmentry/vmexit config, nested VM etc. These patches have dependency on CET
> kernel patches for xsaves support and CET definitions, e.g., MSR and related
> feature flags.
>
> CET kernel patches are here:
> https://lkml.kernel.org/r/[email protected]
>
> v12:
> - Fixed a few issues per Sean and Paolo's review feeback.
> - Refactored patches to make them properly arranged.
> - Removed unnecessary hard-coded CET states for host/guest.
> - Added compile-time assertions for vmcs_field_to_offset_table to detect
> mismatch of the field type and field encoding number.
> - Added a custom MSR MSR_KVM_GUEST_SSP for guest active SSP save/restore.
> - Rebased patches to 5.7-rc3.
>
ping...
Sean and Paolo,
Could you review v12 at your convenience? Thank you!
On Mon, May 18, 2020 at 04:42:32PM +0800, Yang Weijiang wrote:
> On Wed, May 06, 2020 at 04:20:59PM +0800, Yang Weijiang wrote:
> > Control-flow Enforcement Technology (CET) provides protection against
> > Return/Jump-Oriented Programming (ROP/JOP) attack. There're two CET
> > sub-features: Shadow Stack (SHSTK) and Indirect Branch Tracking (IBT).
> > SHSTK is to prevent ROP programming and IBT is to prevent JOP programming.
> >
> > Several parts in KVM have been updated to provide VM CET support, including:
> > CPUID/XSAVES config, MSR pass-through, user space MSR access interface,
> > vmentry/vmexit config, nested VM etc. These patches have dependency on CET
> > kernel patches for xsaves support and CET definitions, e.g., MSR and related
> > feature flags.
> >
> > CET kernel patches are here:
> > https://lkml.kernel.org/r/[email protected]
> >
> > v12:
> > - Fixed a few issues per Sean and Paolo's review feeback.
> > - Refactored patches to make them properly arranged.
> > - Removed unnecessary hard-coded CET states for host/guest.
> > - Added compile-time assertions for vmcs_field_to_offset_table to detect
> > mismatch of the field type and field encoding number.
> > - Added a custom MSR MSR_KVM_GUEST_SSP for guest active SSP save/restore.
> > - Rebased patches to 5.7-rc3.
> >
> ping...
>
> Sean and Paolo,
> Could you review v12 at your convenience? Thank you!
Through no fault of your own, it'll probably be a few weeks before I get back
to your CET series. The kernel enabling doesn't seem like it's going to be
merged anytime soon, certainly not for 5.8, so unfortunately your series got
put on the backburner. Sorry :-(.
On Wed, May 06, 2020 at 04:20:59PM +0800, Yang Weijiang wrote:
> Several parts in KVM have been updated to provide VM CET support, including:
> CPUID/XSAVES config, MSR pass-through, user space MSR access interface,
> vmentry/vmexit config, nested VM etc. These patches have dependency on CET
> kernel patches for xsaves support and CET definitions, e.g., MSR and related
> feature flags.
Other than the MSR and cpufeatures flags definitions, is there any direct
dependency on kernel CET support? I.e. if/when XSAVES support is merged,
is there anything beyond the architectural definitions that are required to
merge KVM CET virtualization?
On Wed, Jun 10, 2020 at 09:56:36AM -0700, Sean Christopherson wrote:
> On Wed, May 06, 2020 at 04:20:59PM +0800, Yang Weijiang wrote:
> > Several parts in KVM have been updated to provide VM CET support, including:
> > CPUID/XSAVES config, MSR pass-through, user space MSR access interface,
> > vmentry/vmexit config, nested VM etc. These patches have dependency on CET
> > kernel patches for xsaves support and CET definitions, e.g., MSR and related
> > feature flags.
>
> Other than the MSR and cpufeatures flags definitions, is there any direct
> dependency on kernel CET support? I.e. if/when XSAVES support is merged,
> is there anything beyond the architectural definitions that are required to
> merge KVM CET virtualization?
No, KVM CET patches only depend on kernel CET related definitions and XSAVES
support now. But to make guest CET work, we need CET patches for QEMU.
On Thu, Jun 11, 2020 at 09:29:13AM +0800, Yang Weijiang wrote:
> On Wed, Jun 10, 2020 at 09:56:36AM -0700, Sean Christopherson wrote:
> > On Wed, May 06, 2020 at 04:20:59PM +0800, Yang Weijiang wrote:
> > > Several parts in KVM have been updated to provide VM CET support, including:
> > > CPUID/XSAVES config, MSR pass-through, user space MSR access interface,
> > > vmentry/vmexit config, nested VM etc. These patches have dependency on CET
> > > kernel patches for xsaves support and CET definitions, e.g., MSR and related
> > > feature flags.
> >
> > Other than the MSR and cpufeatures flags definitions, is there any direct
> > dependency on kernel CET support? I.e. if/when XSAVES support is merged,
> > is there anything beyond the architectural definitions that are required to
> > merge KVM CET virtualization?
> No, KVM CET patches only depend on kernel CET related definitions and XSAVES
> support now.
Neato.
> But to make guest CET work, we need CET patches for QEMU.
Ya, but we don't need to wait for host kernel support, which was the crux of
my question.
Can you please respin this series with the CET definition patches included?
The XSAVES support has been queued to tip/x86/fpu. Assuming that lands in
kernel 5.9, I _think_ KVM support for CET can land in 5.10.
Base your series on kvm/queue, i.e. don't worry about the XSAVES patches,
I'll merge them in from tip/x86/fpu for testing.
Thanks!
On Tue, Jun 23, 2020 at 11:39:19AM -0700, Sean Christopherson wrote:
> On Thu, Jun 11, 2020 at 09:29:13AM +0800, Yang Weijiang wrote:
> > On Wed, Jun 10, 2020 at 09:56:36AM -0700, Sean Christopherson wrote:
> > > On Wed, May 06, 2020 at 04:20:59PM +0800, Yang Weijiang wrote:
> > > > Several parts in KVM have been updated to provide VM CET support, including:
> > > > CPUID/XSAVES config, MSR pass-through, user space MSR access interface,
> > > > vmentry/vmexit config, nested VM etc. These patches have dependency on CET
> > > > kernel patches for xsaves support and CET definitions, e.g., MSR and related
> > > > feature flags.
> > >
> > > Other than the MSR and cpufeatures flags definitions, is there any direct
> > > dependency on kernel CET support? I.e. if/when XSAVES support is merged,
> > > is there anything beyond the architectural definitions that are required to
> > > merge KVM CET virtualization?
> > No, KVM CET patches only depend on kernel CET related definitions and XSAVES
> > support now.
>
> Neato.
>
> > But to make guest CET work, we need CET patches for QEMU.
>
> Ya, but we don't need to wait for host kernel support, which was the crux of
> my question.
>
>
> Can you please respin this series with the CET definition patches included?
> The XSAVES support has been queued to tip/x86/fpu. Assuming that lands in
> kernel 5.9, I _think_ KVM support for CET can land in 5.10.
Sure. Besides this change and the unrestricted guest case change, any
other changes I should do to v12 patch?
Thanks for review!
>
> Base your series on kvm/queue, i.e. don't worry about the XSAVES patches,
> I'll merge them in from tip/x86/fpu for testing.
>
> Thanks!