Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp201789pxb; Wed, 3 Feb 2021 03:29:24 -0800 (PST) X-Google-Smtp-Source: ABdhPJyBRkk6rC5/hFZdXL41ISz0ZXNpC7kw8l7zYb09Vd/7QODBo6FuPL0erhkv3UdfsfA3/YKC X-Received: by 2002:aa7:d401:: with SMTP id z1mr2429022edq.213.1612351764662; Wed, 03 Feb 2021 03:29:24 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1612351764; cv=none; d=google.com; s=arc-20160816; b=gA5LCfuj4Ux/cNv6Waa+gjC3nxkuAT0JofS9WW8V06lsAoc/N8Gt5sijJl4QXOyifQ a3De+COyYrpT1xcdBZyNQ8Bt/cRfORSileeqigMxXAuEKC8o9QhA0Y2KA1dG3/tKaCJh 3/jMxJTt+M0R3dyvgFR9Z6FWqsrZrbXJMeAL0tUN353lIrLb/lgddLWDhqmqo7+1yDsV 4WqaxrvTCzRP1L5UTU9Vd+emFyxcOiG+kJ95gvd0IqBGoNzu+A3JotiVuIINul+iFw2l SXuIpUnjxoX5WrGjsnlD4HleqF5TSbvZCIqv1AXzEDFMxc1lf1Lo+LVZfzVdQA7zmI18 THWw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:references:in-reply-to:message-id:date:subject :cc:to:from:ironport-sdr:ironport-sdr; bh=Sx8pKyIa7fLWx/mXOEhIPnf3FOek6L+Y2JmNS/O+PAk=; b=U83ZrYMLt/zEko8LuC018KWAa+bNtMU2vVlyOw9KAD6y28UiDQxKPNGNnjMEVBEiVc pBxunMDdeStrhM18CHjFyY+HYHQ3avZeKjOsPsn0RvZOLcW1H5o31W9jxmkAvHF2Qk8o 48Fo0LUZYYOGfclBSMEn6SaQ5c/VTJfbNjak17XirZQW7teWGHoZzWRg+HAHeb7FeOGQ VIvvqdmid1BPnJLAjeE8G9vYQ+aQsBcs9zW4WRup4Vd7wLxGb2ccSAXG/7DBeMp1UNK1 DKs2kwt9TSpb74jzEM68umy6fiRw2XrTFinLzxVMid9AobktvJPjTD66W64mX1SLce9F r1Kg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id m13si934179edb.227.2021.02.03.03.28.52; Wed, 03 Feb 2021 03:29:24 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234184AbhBCLZh (ORCPT + 99 others); Wed, 3 Feb 2021 06:25:37 -0500 Received: from mga01.intel.com ([192.55.52.88]:28346 "EHLO mga01.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234205AbhBCLXR (ORCPT ); Wed, 3 Feb 2021 06:23:17 -0500 IronPort-SDR: Ixw6DqWgbdIVO/7wp7AFLQeM6991ML9R9Ltiu7XKGxjWedZks4YV6gDQjzgY93K2f0By4v4N6w 3L0dcYjX7ACQ== X-IronPort-AV: E=McAfee;i="6000,8403,9883"; a="199981277" X-IronPort-AV: E=Sophos;i="5.79,398,1602572400"; d="scan'208";a="199981277" Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 03 Feb 2021 03:22:16 -0800 IronPort-SDR: KOQY9JYvgiZv69alcPixoThA64HgyfX1opZK2uSRR8//Mf7roe73oEsfMdTO0OLUVWyuuTDS39 A5vE6NLACoOw== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.79,398,1602572400"; d="scan'208";a="480311126" Received: from unknown (HELO local-michael-cet-test.sh.intel.com) ([10.239.159.166]) by fmsmga001.fm.intel.com with ESMTP; 03 Feb 2021 03:22:14 -0800 From: Yang Weijiang To: pbonzini@redhat.com, seanjc@google.com, jmattson@google.com, kvm@vger.kernel.org, linux-kernel@vger.kernel.org Cc: yu.c.zhang@linux.intel.com, Yang Weijiang Subject: [PATCH v15 05/14] KVM: VMX: Introduce CET VMCS fields and flags Date: Wed, 3 Feb 2021 19:34:12 +0800 Message-Id: <20210203113421.5759-6-weijiang.yang@intel.com> X-Mailer: git-send-email 2.17.2 In-Reply-To: <20210203113421.5759-1-weijiang.yang@intel.com> References: <20210203113421.5759-1-weijiang.yang@intel.com> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org CET (Control-flow Enforcement Technology) is a CPU feature used to prevent Return/Jump-Oriented Programming (ROP/JOP) attacks. CET introduces a new exception type, Control Protection (#CP), and two sub-features to defend against ROP/JOP style control-flow subversion attacks: Shadow Stack (SHSTK): A shadow stack is a second stack used exclusively for control transfer operations. The shadow stack is separate from the data/normal stack and can be enabled individually in user and kernel mode. When shadow stacks are enabled, CALL pushes the return address on both the data and shadow stack. RET pops the return address from both stacks and compares them. If the return addresses from the two stacks do not match, the processor signals a #CP. Indirect Branch Tracking (IBT): IBT adds a new instrution, ENDBRANCH, that is used to mark valid target addresses of indirect branches (CALL, JMP, ENCLU[EEXIT], etc...). If an indirect branch is executed and the next instruction is _not_ an ENDBRANCH, the processor signals a #CP. Several new CET MSRs are defined to support CET: MSR_IA32_{U,S}_CET: Controls the CET settings for user mode and kernel mode respectively. MSR_IA32_PL{0,1,2,3}_SSP: Stores shadow stack pointers for CPL-0,1,2,3 protection respectively. MSR_IA32_INT_SSP_TAB: Stores base address of shadow stack pointer table. Two XSAVES state bits are introduced for CET: IA32_XSS:[bit 11]: Control saving/restoring user mode CET states IA32_XSS:[bit 12]: Control saving/restoring kernel mode CET states. Six VMCS fields are introduced for CET: {HOST,GUEST}_S_CET: Stores CET settings for kernel mode. {HOST,GUEST}_SSP: Stores shadow stack pointer of current task/thread. {HOST,GUEST}_INTR_SSP_TABLE: Stores base address of shadow stack pointer table. If VM_EXIT_LOAD_HOST_CET_STATE = 1, the host CET states are restored from the following VMCS fields at VM-Exit: HOST_S_CET HOST_SSP HOST_INTR_SSP_TABLE If VM_ENTRY_LOAD_GUEST_CET_STATE = 1, the guest CET states are loaded from the following VMCS fields at VM-Entry: GUEST_S_CET GUEST_SSP GUEST_INTR_SSP_TABLE Co-developed-by: Zhang Yi Z Signed-off-by: Zhang Yi Z Signed-off-by: Yang Weijiang --- arch/x86/include/asm/vmx.h | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/arch/x86/include/asm/vmx.h b/arch/x86/include/asm/vmx.h index 38ca445a8429..54e996527a3a 100644 --- a/arch/x86/include/asm/vmx.h +++ b/arch/x86/include/asm/vmx.h @@ -94,6 +94,7 @@ #define VM_EXIT_CLEAR_BNDCFGS 0x00800000 #define VM_EXIT_PT_CONCEAL_PIP 0x01000000 #define VM_EXIT_CLEAR_IA32_RTIT_CTL 0x02000000 +#define VM_EXIT_LOAD_CET_STATE 0x10000000 #define VM_EXIT_ALWAYSON_WITHOUT_TRUE_MSR 0x00036dff @@ -107,6 +108,7 @@ #define VM_ENTRY_LOAD_BNDCFGS 0x00010000 #define VM_ENTRY_PT_CONCEAL_PIP 0x00020000 #define VM_ENTRY_LOAD_IA32_RTIT_CTL 0x00040000 +#define VM_ENTRY_LOAD_CET_STATE 0x00100000 #define VM_ENTRY_ALWAYSON_WITHOUT_TRUE_MSR 0x000011ff @@ -329,6 +331,9 @@ enum vmcs_field { GUEST_PENDING_DBG_EXCEPTIONS = 0x00006822, GUEST_SYSENTER_ESP = 0x00006824, GUEST_SYSENTER_EIP = 0x00006826, + GUEST_S_CET = 0x00006828, + GUEST_SSP = 0x0000682a, + GUEST_INTR_SSP_TABLE = 0x0000682c, HOST_CR0 = 0x00006c00, HOST_CR3 = 0x00006c02, HOST_CR4 = 0x00006c04, @@ -341,6 +346,9 @@ enum vmcs_field { HOST_IA32_SYSENTER_EIP = 0x00006c12, HOST_RSP = 0x00006c14, HOST_RIP = 0x00006c16, + HOST_S_CET = 0x00006c18, + HOST_SSP = 0x00006c1a, + HOST_INTR_SSP_TABLE = 0x00006c1c }; /* -- 2.26.2