From: Yang Weijiang
To: seanjc@google.com, pbonzini@redhat.com, kvm@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: peterz@infradead.org, rppt@kernel.org, binbin.wu@linux.intel.com, rick.p.edgecombe@intel.com, weijiang.yang@intel.com, john.allen@amd.com, Zhang Yi Z
Subject: [PATCH v3 11/21] KVM:VMX: Introduce CET VMCS fields and control bits
Date: Thu, 11 May 2023 00:08:47 -0400
Message-Id: <20230511040857.6094-12-weijiang.yang@intel.com>
In-Reply-To: <20230511040857.6094-1-weijiang.yang@intel.com>
References: <20230511040857.6094-1-weijiang.yang@intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Control-flow Enforcement Technology (CET) is a CPU feature used to prevent Return/Jump-Oriented Programming (ROP/JOP) attacks. CET introduces a new exception type, Control Protection (#CP), and two sub-features (SHSTK, IBT) to defend against ROP/JOP style control-flow subversion attacks.

Shadow Stack (SHSTK): A shadow stack is a second stack used exclusively for control transfer operations. The shadow stack is separate from the data/normal stack and can be enabled individually in user and kernel mode. When shadow stack is enabled, CALL pushes the return address on both the data and shadow stack. RET pops the return address from both stacks and compares them. If the return addresses from the two stacks do not match, the processor generates a #CP.

Indirect Branch Tracking (IBT): IBT adds a new instruction, ENDBRANCH, that is used to mark valid target addresses of indirect branches (CALL, JMP, ENCLU[EEXIT], etc...). If an indirect branch is executed and the next instruction is _not_ an ENDBRANCH, the processor generates a #CP.

Several new CET MSRs are defined to support CET:

MSR_IA32_{U,S}_CET: Controls the CET settings for user mode and kernel mode respectively.
MSR_IA32_PL{0,1,2,3}_SSP: Stores shadow stack pointers for CPL-0,1,2,3 protection respectively.
MSR_IA32_INT_SSP_TAB: Linear address of shadow stack pointer table; the entry is indexed by IST of interrupt gate desc.

Two XSAVES state bits are introduced for CET:

IA32_XSS:[bit 11]: Control saving/restoring user mode CET states
IA32_XSS:[bit 12]: Control saving/restoring kernel mode CET states.

Six VMCS fields are introduced for CET:

{HOST,GUEST}_S_CET: Stores CET settings for kernel mode.
{HOST,GUEST}_SSP: Stores shadow stack pointer of current active task/thread.
{HOST,GUEST}_INTR_SSP_TABLE: Stores current active MSR_IA32_INT_SSP_TAB.

If VM_EXIT_LOAD_HOST_CET_STATE = 1, the host CET states are restored from the following VMCS fields at VM-Exit:

HOST_S_CET
HOST_SSP
HOST_INTR_SSP_TABLE

If VM_ENTRY_LOAD_GUEST_CET_STATE = 1, the guest CET states are loaded from the following VMCS fields at VM-Entry:

GUEST_S_CET
GUEST_SSP
GUEST_INTR_SSP_TABLE

Co-developed-by: Zhang Yi Z
Signed-off-by: Zhang Yi Z
Signed-off-by: Yang Weijiang
---
 arch/x86/include/asm/vmx.h | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/arch/x86/include/asm/vmx.h b/arch/x86/include/asm/vmx.h
index 498dc600bd5c..fe2aff27df8c 100644
--- a/arch/x86/include/asm/vmx.h
+++ b/arch/x86/include/asm/vmx.h
@@ -102,6 +102,7 @@ #define VM_EXIT_CLEAR_BNDCFGS 0x00800000 #define VM_EXIT_PT_CONCEAL_PIP 0x01000000 #define VM_EXIT_CLEAR_IA32_RTIT_CTL 0x02000000 +#define VM_EXIT_LOAD_CET_STATE 0x10000000 #define VM_EXIT_ALWAYSON_WITHOUT_TRUE_MSR 0x00036dff
@@ -115,6 +116,7 @@ #define VM_ENTRY_LOAD_BNDCFGS 0x00010000 #define VM_ENTRY_PT_CONCEAL_PIP 0x00020000 #define VM_ENTRY_LOAD_IA32_RTIT_CTL 0x00040000 +#define VM_ENTRY_LOAD_CET_STATE 0x00100000 #define VM_ENTRY_ALWAYSON_WITHOUT_TRUE_MSR 0x000011ff @@ -343,6 +345,9 @@ enum vmcs_field { GUEST_PENDING_DBG_EXCEPTIONS = 0x00006822, GUEST_SYSENTER_ESP = 0x00006824, GUEST_SYSENTER_EIP = 0x00006826, + GUEST_S_CET = 0x00006828, + GUEST_SSP = 0x0000682a, + GUEST_INTR_SSP_TABLE = 0x0000682c, HOST_CR0 = 0x00006c00, HOST_CR3 = 0x00006c02, HOST_CR4 = 0x00006c04, @@ -355,6 +360,9 @@ enum vmcs_field { HOST_IA32_SYSENTER_EIP = 0x00006c12, HOST_RSP = 0x00006c14, HOST_RIP = 0x00006c16, + HOST_S_CET = 0x00006c18, + HOST_SSP = 0x00006c1a, + HOST_INTR_SSP_TABLE = 0x00006c1c }; /* -- 2.27.0
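Review bot: the macro names added in the first two hunks, `VM_EXIT_LOAD_CET_STATE` and `VM_ENTRY_LOAD_CET_STATE`, do not match the names the commit message uses for the same controls, `VM_EXIT_LOAD_HOST_CET_STATE` and `VM_ENTRY_LOAD_GUEST_CET_STATE`; pick one spelling and use it in both the code and the message so that a later search of the log for the macro finds this change.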
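Review bot: in the last hunk `HOST_INTR_SSP_TABLE = 0x00006c1c` is added as the final enumerator without a trailing comma directly before `};`, while every other entry in `enum vmcs_field` carries one; writing it as `HOST_INTR_SSP_TABLE = 0x00006c1c,` keeps the style consistent and means the next host field appended here will not need to touch this line.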
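The review check below is an added example written for this page; it is not part of the patch or of the kernel's vmx.h. It decodes the six new VMCS field encodings from the hunks above using the field-encoding layout documented in the Intel SDM (bit 0 access type, bits 9:1 index, bits 11:10 type, bit 12 reserved, bits 14:13 width) and confirms that each run of new fields is natural-width, of the right type (guest or host state), and continues the index sequence of the existing field it was appended after; it also confirms the two new control bits are single bits that do not overlap the always-on masks shown beside them. The macro values are copied from the diff; the check functions and their names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * VMCS field encoding layout (Intel SDM Vol. 3, "VMCS field encoding"):
 *   bit  0      access type: 0 = full field, 1 = high half of a 64-bit field
 *   bits 9:1    index within the (type, width) group
 *   bits 11:10  type: 0 control, 1 VM-exit information, 2 guest state, 3 host state
 *   bit  12     reserved, must be zero
 *   bits 14:13  width: 0 16-bit, 1 64-bit, 2 32-bit, 3 natural-width
 */
enum vmcs_type  { VMCS_TYPE_CONTROL, VMCS_TYPE_EXIT_INFO, VMCS_TYPE_GUEST, VMCS_TYPE_HOST };
enum vmcs_width { VMCS_WIDTH_16, VMCS_WIDTH_64, VMCS_WIDTH_32, VMCS_WIDTH_NATURAL };

struct vmcs_encoding {
	unsigned int access_type;
	unsigned int index;
	enum vmcs_type type;
	unsigned int reserved;
	enum vmcs_width width;
};

static struct vmcs_encoding vmcs_decode(uint32_t field)
{
	struct vmcs_encoding e;

	e.access_type = field & 1;
	e.index = (field >> 1) & 0x1ff;
	e.type = (enum vmcs_type)((field >> 10) & 3);
	e.reserved = (field >> 12) & 1;
	e.width = (enum vmcs_width)((field >> 13) & 3);
	return e;
}

/* Values copied from the patch: the six new fields plus the existing
 * neighbour each run of new fields is appended after. */
#define GUEST_SYSENTER_EIP	0x00006826
#define GUEST_S_CET		0x00006828
#define GUEST_SSP		0x0000682a
#define GUEST_INTR_SSP_TABLE	0x0000682c
#define HOST_RIP		0x00006c16
#define HOST_S_CET		0x00006c18
#define HOST_SSP		0x00006c1a
#define HOST_INTR_SSP_TABLE	0x00006c1c

/* The two new control bits and the always-on masks beside them in the diff. */
#define VM_EXIT_LOAD_CET_STATE			0x10000000
#define VM_EXIT_ALWAYSON_WITHOUT_TRUE_MSR	0x00036dff
#define VM_ENTRY_LOAD_CET_STATE			0x00100000
#define VM_ENTRY_ALWAYSON_WITHOUT_TRUE_MSR	0x000011ff

/* A run of new fields is consistent if each is a full-access, natural-width
 * field of the expected type with the reserved bit clear, and the indices
 * continue without a gap from the field they were appended after. */
static bool vmcs_fields_consistent(const uint32_t *fields, size_t n,
				   uint32_t prev_field, enum vmcs_type expected_type)
{
	unsigned int next_index = vmcs_decode(prev_field).index + 1;
	size_t i;

	for (i = 0; i < n; i++, next_index++) {
		struct vmcs_encoding e = vmcs_decode(fields[i]);

		if (e.access_type != 0 || e.reserved != 0)
			return false;
		if (e.type != expected_type || e.width != VMCS_WIDTH_NATURAL)
			return false;
		if (e.index != next_index)
			return false;
	}
	return true;
}

/* A new VM-exit/VM-entry control must be exactly one bit and must not land
 * on a bit the always-on mask already claims. */
static bool ctrl_bit_ok(uint32_t bit, uint32_t alwayson_mask)
{
	return bit != 0 && (bit & (bit - 1)) == 0 && (bit & alwayson_mask) == 0;
}

static bool check_cet_guest_fields(void)
{
	const uint32_t guest[] = { GUEST_S_CET, GUEST_SSP, GUEST_INTR_SSP_TABLE };

	return vmcs_fields_consistent(guest, 3, GUEST_SYSENTER_EIP, VMCS_TYPE_GUEST);
}

static bool check_cet_host_fields(void)
{
	const uint32_t host[] = { HOST_S_CET, HOST_SSP, HOST_INTR_SSP_TABLE };

	return vmcs_fields_consistent(host, 3, HOST_RIP, VMCS_TYPE_HOST);
}

static bool check_cet_ctrl_bits(void)
{
	return ctrl_bit_ok(VM_EXIT_LOAD_CET_STATE, VM_EXIT_ALWAYSON_WITHOUT_TRUE_MSR) &&
	       ctrl_bit_ok(VM_ENTRY_LOAD_CET_STATE, VM_ENTRY_ALWAYSON_WITHOUT_TRUE_MSR);
}

int main(void)
{
	struct vmcs_encoding e = vmcs_decode(GUEST_SSP);

	printf("GUEST_SSP: type=%d width=%d index=%u\n", (int)e.type, (int)e.width, e.index);
	printf("guest fields: %s, host fields: %s, control bits: %s\n",
	       check_cet_guest_fields() ? "ok" : "BAD",
	       check_cet_host_fields() ? "ok" : "BAD",
	       check_cet_ctrl_bits() ? "ok" : "BAD");
	return 0;
}
```

Run it as a plain user-space program; it needs no kernel headers. The same decoder can be pointed at any future vmcs_field addition to catch a copy-paste slip (wrong type bits, odd encoding, skipped index) before the patch is posted.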