Received: by 2002:ac0:aed5:0:0:0:0:0 with SMTP id t21csp122452imb; Thu, 28 Feb 2019 18:09:13 -0800 (PST) X-Google-Smtp-Source: AHgI3IYsQkLhY8T+CPOFU/aGJ7ex64wseZIhQXJaMJR8rqgw3WJceHHBO1vnriyX+TKTVjeHfod9 X-Received: by 2002:a62:4117:: with SMTP id o23mr2953385pfa.248.1551406153262; Thu, 28 Feb 2019 18:09:13 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1551406153; cv=none; d=google.com; s=arc-20160816; b=ygtCNy0STM71caQQvrJEVUcz7Lg4/A8Y5FhiCNqWEnDGAGnkKaFnLQxljaiDNRaqlz UcwlZ3jxhxqFgbs9kZm85n9Ppprz7+GTrQ2uGbnhUcbdvsMbn0mBz0wRjqvmEyRLuSzj SISd6T4vSUfJNfrezsx9xHoyFke5MUncHiN0L6FDVwtnCuYWZoAPi8M17VhyBoM9zu5B UskF64MN9+dNh2OkXC/VB/MruBdBL8/28bok5e0TrfD6Q0x7Ia0mIw6IeN1tsdbr7wJD japutgxdMxn+k8rxfV+wasCPb78IARIDJI7Ygs4WdJj0oOJVRcPO131Ul2lzpi0HnMM2 I5Wg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=qNv3GhkYjzgoJOF4CStb5nIwLdBlicRwhK+KLxtPd24=; b=lx8v/OXlR4i9qDHWMt2TymsfnN3G6d6l9o/dAygwGezXElauqIXBIHg73lho9tcKO/ cNF7S8eyqdzvXnWkhcHwauTRvrUTeT3qgY3PTczu8ysqwBVYdRGgrTEu+4LRnMPnJpoW n6TypOuEQjYh9F5Vvo4Gbp3yxgBy6/+SszUVE8qiuJF1WC5LChvx/HqMgSM5nmDROt1W M6NVII+ZAfm75x3AL7mv+DZNgQosKOMDIKWf2/1D05QdI7uoQGOOBY2DTKeOCkQUUzUW 5kg9r8xt0hn4K32Jv/QTlG+elD2VKFLRSY16yHsnwtxgUEffcOAIkd0rykV2MXShaKOK HAww== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y8si18782887pgf.160.2019.02.28.18.08.57; Thu, 28 Feb 2019 18:09:13 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728618AbfCABoJ (ORCPT + 99 others); Thu, 28 Feb 2019 20:44:09 -0500 Received: from mga01.intel.com ([192.55.52.88]:17244 "EHLO mga01.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725967AbfCABoJ (ORCPT ); Thu, 28 Feb 2019 20:44:09 -0500 X-Amp-Result: UNKNOWN X-Amp-Original-Verdict: FILE UNKNOWN X-Amp-File-Uploaded: False Received: from fmsmga007.fm.intel.com ([10.253.24.52]) by fmsmga101.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 28 Feb 2019 17:44:08 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.58,425,1544515200"; d="scan'208";a="127201314" Received: from local-michael-cet-test.sh.intel.com (HELO localhost) ([10.239.159.128]) by fmsmga007.fm.intel.com with ESMTP; 28 Feb 2019 17:44:07 -0800 Date: Thu, 28 Feb 2019 16:38:44 +0800 From: Yang Weijiang To: Sean Christopherson Cc: pbonzini@redhat.com, rkrcmar@redhat.com, jmattson@google.com, linux-kernel@vger.kernel.org, kvm@vger.kernel.org, mst@redhat.com, yu-cheng.yu@intel.com, Zhang Yi Z , weijiang.yang@intel.com Subject: Re: [PATCH v3 6/8] KVM:VMX: Load Guest CET via VMCS when CET is enabled in Guest Message-ID: <20190228083844.GC12006@local-michael-cet-test.sh.intel.com> References: <20190225132716.6982-1-weijiang.yang@intel.com> <20190225132716.6982-7-weijiang.yang@intel.com> <20190228161715.GF6166@linux.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20190228161715.GF6166@linux.intel.com> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Feb 28, 2019 at 08:17:15AM -0800, Sean Christopherson wrote: > On Mon, Feb 25, 2019 at 09:27:14PM +0800, Yang Weijiang wrote: > > "Load Guest CET state" bit controls whether guest CET states > > will be loaded at Guest entry. Before doing that, KVM needs > > to check if CPU CET feature is available. > > > > Signed-off-by: Zhang Yi Z > > Signed-off-by: Yang Weijiang > > --- > > arch/x86/kvm/vmx.c | 32 ++++++++++++++++++++++++++++++++ > > 1 file changed, 32 insertions(+) > > > > diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c > > index 89ee086e1729..d32cee9ee079 100644 > > --- a/arch/x86/kvm/vmx.c > > +++ b/arch/x86/kvm/vmx.c > > @@ -55,6 +55,7 @@ > > #include > > #include > > #include > > +#include > > > > #include "trace.h" > > #include "pmu.h" > > @@ -4065,6 +4066,20 @@ static inline bool vmx_feature_control_msr_valid(struct kvm_vcpu *vcpu, > > return !(val & ~valid_bits); > > } > > > > +static int vmx_guest_cet_cap(struct kvm_vcpu *vcpu) > > +{ > > + u32 eax, ebx, ecx, edx; > > + > > + /* > > + * Guest CET can work as long as HW supports the feature, independent > > + * to Host SW enabling status. > > + */ > > + cpuid_count(7, 0, &eax, &ebx, &ecx, &edx); > > + > > + return ((ecx & bit(X86_FEATURE_SHSTK)) | > > + (edx & bit(X86_FEATURE_IBT))) ? 1 : 0; > > Given the holes in the (current) architecture/spec, I think KVM has to > require both features to be supported in the guest to allow CR4.CET to > be enabled. The reason why I use a "OR" here is to keep CET enabling control the same as that on host, right now on host, users can select to enable SHSTK or IBT feature by disabling the unexpected one. It's free to select SHSTK & IBT or SHSTK | IBT. > > Technically SHSTK and IBT can be enabled independently, but unless I'm > missing something, supporting that in KVM (or any VMM) would be nasty > and would likely degrade guest performance significantly. > > MSRs IA32_U_CET and IA32_S_CET have enable bits for each CET feature. > Presumably the bits for each feature are reserved if the feature is not > supported, e.g. SH_STK_EN is reserved to zero if SHSTK isn't supported. > This wouldn't be a problem except that IA32_U_CET and the shadow stack > MSRs, e.g. IA32_PL*_SSP, can be saved/restored via XSAVES/XRSTORS. The > behavior is restricted by IA32_XSS, but again it's all or nothing, e.g. > if any CET feature is supported then XSS_CET_{S,U} can be set. > > For example, if a guest supported IBT and !SHSTK, and the guest enabled > XSS_CET_{S,I}, KVM would need to trap XSAVES/XRSTORS to enforce that the > SHSTK bits in XSS_CET_U aren't set. And that doesn't even address the > fact that the architecture defines the effects on the size of the XSAVE > state area as being a bundled deal, e.g. IA32_XSS.CET_U=1 increases the > size by 16 bytes (for IA32_U_CET and IA32_PL3_SSP) regardless of whether > or not SHSTK is supported. One would assume that IA32_PL3_SSP doesn't > exist if shadow stacks are not supported by the CPU. > > TL;DR: the architecture enumerates SHSTK and IBT independently, but > the architecture effectively assumes they are bundled together. > > > +} > > + > > static int vmx_get_msr_feature(struct kvm_msr_entry *msr) > > { > > switch (msr->index) { > > @@ -5409,6 +5424,23 @@ static int vmx_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4) > > return 1; > > } > > > > + /* > > + * To enable Guest CET, check whether CPU CET feature is > > + * available, if it's there, set Guest CET state loading bit > > + * per CR4.CET status, otherwise, return a fault to Guest. > > + */ > > + if (vmx_guest_cet_cap(vcpu)) { > > This is wrong, it's checking the host capabilities. Use guest_cpuid_has() > to query the guest capabilities. E.g. CET can be supported in the host > but not exposed to guest, in which case the CPUID bits will not be "set" > for the guest. > you're right, guest_cpuid_has() is enough for CET checking here since now guest CET enabling is independent to host CET state. > > + if (cr4 & X86_CR4_CET) { > > No need for curly braces here, both the 'if' and 'else' contain a single > statement. will remove the braces. > > > + vmcs_set_bits(VM_ENTRY_CONTROLS, > > + VM_ENTRY_LOAD_GUEST_CET_STATE); > > + } else { > > + vmcs_clear_bits(VM_ENTRY_CONTROLS, > > + VM_ENTRY_LOAD_GUEST_CET_STATE); > > + } > > + } else if (cr4 & X86_CR4_CET) { > > + return 1; > > + } > > + > > if (to_vmx(vcpu)->nested.vmxon && !nested_cr4_valid(vcpu, cr4)) > > return 1; > > > > -- > > 2.17.1 > >