Received: by 2002:a05:7412:31a9:b0:e2:908c:2ebd with SMTP id et41csp4061301rdb;
        Thu, 14 Sep 2023 10:31:02 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IGMML7LmUlT2XbKRZDZ3qdafMN2/VYGSzsQbfl1Eg8tIqy1kr7NgMWZj1iOe+YSYeMAHDX8
X-Received: by 2002:a05:6a20:9384:b0:140:cb66:73aa with SMTP id x4-20020a056a20938400b00140cb6673aamr6597900pzh.3.1694712661733;
        Thu, 14 Sep 2023 10:31:01 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1694712661; cv=none;
        d=google.com; s=arc-20160816;
        b=Co9VTYZEtBmFL7146ocHYgroBFPk+7cFgQAjTUrS5KCmWq1jc08lpMoOwobsI9U1p4
         cBCkeaeSxsJETeCwQVwYSwwqqMs56m9E3Kv1ffjc7xvw/nhc9oyW8wgkI3KnxRwD4vka
         sAooHZyX9cqvshvuqqO5rfOKPVhG7zaw+Gc+dO/4ALXSeYSb7b7jJvQqIlPYJOCopF6L
         RQZG8f6UOKV86PDytYirkNvnuBbvGpi43g0IAgUCj/7vX9QEThTJ6ExiY+T2VBYYc20V
         QOvK1E7EXCa0HvOjU3h6frV+wjbfNW6H3AI/5E49CBLwR88W6k20eZK6Y3/3MbXwSAAP
         uLMA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=TDFZ+L2JYpn9EruLzWPoFIeU1T6VVji5fDIJz1eXau8=;
        fh=6178OKG2HPQ9OtiEe+sL0+amgAIGC3finCMsQ4RI52c=;
        b=ECp/rXCTUoWfRys7kuxv+n6qrM3dSRUTQ4K3/0ZqEK7sxXnEAtRyT5/rCeVoILzUos
         uSJXdzW8EzLl/ZzU8Yse27croM+8cNFJ4v92DejWF7U1m9yI/XZHqTPAC+6EInQxD8Tp
         8BeBX0qiW0iKv5dZ07tlguCqjIPjn2efM6hGzsitbm1yT3UEqWmZunaM/noaIUcP7zHr
         TRJktzFAK91Eu+V6AnFlQR4NZbePhfB742KMTmYWtpbXpBJKtSw8YRfWGSVfoHlQ/YsX
         rWuhxNdOrWYDxoZstb0Gc3J85O/Q6oF/cCyR6FcGBwMg80tgENWWGYqF/nHR5r2K9gZC
         8xIQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@intel.com header.s=Intel header.b=GdteVxjv;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from snail.vger.email (snail.vger.email. [2620:137:e000::3:7])
        by mx.google.com with ESMTPS id r20-20020a6560d4000000b00565dd3fbfdfsi1758488pgv.214.2023.09.14.10.31.01
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 14 Sep 2023 10:31:01 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) client-ip=2620:137:e000::3:7;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@intel.com header.s=Intel header.b=GdteVxjv;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by snail.vger.email (Postfix) with ESMTP id 5FCAD82B487C;
	Thu, 14 Sep 2023 02:39:26 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at snail.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S237770AbjINJjX (ORCPT <rfc822;benbjiang@gmail.com> + 99 others);
        Thu, 14 Sep 2023 05:39:23 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49870 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S237397AbjINJi2 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 14 Sep 2023 05:38:28 -0400
Received: from mgamail.intel.com (mgamail.intel.com [192.55.52.88])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 345EA1FCC;
        Thu, 14 Sep 2023 02:38:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1694684302; x=1726220302;
  h=from:to:cc:subject:date:message-id:in-reply-to:
   references:mime-version:content-transfer-encoding;
  bh=TS/VKDE1O/rn+ikFL14LmVI7YbiOfvQZpzAeNZ2MVYI=;
  b=GdteVxjvqstWaf0NMEnBtwNaZgsI5DHcD6LbIGTz1qCGlT1hzU9KMJb3
   06NcRcUS3RA4U40d+PkWekR9KOR0DoGf6UMnO0cKV1h4eaHwVAAFPwCpz
   1Z7hyfVK+TAnZJKi8vzdAIRFKWuIhnSpK/bhug5q3OD40rV1mZOeiK+hv
   mpBneFdJL74NHE0Sar4lfRAm6qsZdayiJKzZn9rZmfepGM/vfv7OQQebQ
   8ppYq0C15Yj8FwsAejyA82s2bbjSOMhA5UGmyocUdZdqIEQaCyY0ViAoH
   7SAEwu/uC9agCtQGor8E3942CpLaKtQtpQX3gdHdvkoVgWqDxtk/TagL3
   Q==;
X-IronPort-AV: E=McAfee;i="6600,9927,10832"; a="409857398"
X-IronPort-AV: E=Sophos;i="6.02,145,1688454000"; 
   d="scan'208";a="409857398"
Received: from fmsmga007.fm.intel.com ([10.253.24.52])
  by fmsmga101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 14 Sep 2023 02:38:21 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=McAfee;i="6600,9927,10832"; a="747656273"
X-IronPort-AV: E=Sophos;i="6.02,145,1688454000"; 
   d="scan'208";a="747656273"
Received: from embargo.jf.intel.com ([10.165.9.183])
  by fmsmga007-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 14 Sep 2023 02:38:21 -0700
From:   Yang Weijiang <weijiang.yang@intel.com>
To:     seanjc@google.com, pbonzini@redhat.com, kvm@vger.kernel.org,
        linux-kernel@vger.kernel.org
Cc:     dave.hansen@intel.com, peterz@infradead.org, chao.gao@intel.com,
        rick.p.edgecombe@intel.com, weijiang.yang@intel.com,
        john.allen@amd.com, Zhang Yi Z <yi.z.zhang@linux.intel.com>
Subject: [PATCH v6 17/25] KVM: VMX: Introduce CET VMCS fields and control bits
Date:   Thu, 14 Sep 2023 02:33:17 -0400
Message-Id: <20230914063325.85503-18-weijiang.yang@intel.com>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20230914063325.85503-1-weijiang.yang@intel.com>
References: <20230914063325.85503-1-weijiang.yang@intel.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]); Thu, 14 Sep 2023 02:39:26 -0700 (PDT)

Control-flow Enforcement Technology (CET) is a kind of CPU feature used
to prevent Return/CALL/Jump-Oriented Programming (ROP/COP/JOP) attacks.
It provides two sub-features(SHSTK,IBT) to defend against ROP/COP/JOP
style control-flow subversion attacks.

Shadow Stack (SHSTK):
  A shadow stack is a second stack used exclusively for control transfer
  operations. The shadow stack is separate from the data/normal stack and
  can be enabled individually in user and kernel mode. When shadow stack
  is enabled, CALL pushes the return address on both the data and shadow
  stack. RET pops the return address from both stacks and compares them.
  If the return addresses from the two stacks do not match, the processor
  generates a #CP.

Indirect Branch Tracking (IBT):
  IBT introduces instruction(ENDBRANCH)to mark valid target addresses of
  indirect branches (CALL, JMP etc...). If an indirect branch is executed
  and the next instruction is _not_ an ENDBRANCH, the processor generates
  a #CP. These instruction behaves as a NOP on platforms that have no CET.

Several new CET MSRs are defined to support CET:
  MSR_IA32_{U,S}_CET: CET settings for {user,supervisor} CET respectively.

  MSR_IA32_PL{0,1,2,3}_SSP: SHSTK pointer linear address for CPL{0,1,2,3}.

  MSR_IA32_INT_SSP_TAB: Linear address of SHSTK pointer table, whose entry
			is indexed by IST of interrupt gate desc.

Two XSAVES state bits are introduced for CET:
  IA32_XSS:[bit 11]: Control saving/restoring user mode CET states
  IA32_XSS:[bit 12]: Control saving/restoring supervisor mode CET states.

Six VMCS fields are introduced for CET:
  {HOST,GUEST}_S_CET: Stores CET settings for kernel mode.
  {HOST,GUEST}_SSP: Stores current active SSP.
  {HOST,GUEST}_INTR_SSP_TABLE: Stores current active MSR_IA32_INT_SSP_TAB.

On Intel platforms, two additional bits are defined in VM_EXIT and VM_ENTRY
control fields:
If VM_EXIT_LOAD_CET_STATE = 1, host CET states are loaded from following
VMCS fields at VM-Exit:
  HOST_S_CET
  HOST_SSP
  HOST_INTR_SSP_TABLE

If VM_ENTRY_LOAD_CET_STATE = 1, guest CET states are loaded from following
VMCS fields at VM-Entry:
  GUEST_S_CET
  GUEST_SSP
  GUEST_INTR_SSP_TABLE

Reviewed-by: Chao Gao <chao.gao@intel.com>
Co-developed-by: Zhang Yi Z <yi.z.zhang@linux.intel.com>
Signed-off-by: Zhang Yi Z <yi.z.zhang@linux.intel.com>
Signed-off-by: Yang Weijiang <weijiang.yang@intel.com>
---
 arch/x86/include/asm/vmx.h | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/arch/x86/include/asm/vmx.h b/arch/x86/include/asm/vmx.h
index 0e73616b82f3..451fd4f4fedc 100644
--- a/arch/x86/include/asm/vmx.h
+++ b/arch/x86/include/asm/vmx.h
@@ -104,6 +104,7 @@
 #define VM_EXIT_CLEAR_BNDCFGS                   0x00800000
 #define VM_EXIT_PT_CONCEAL_PIP			0x01000000
 #define VM_EXIT_CLEAR_IA32_RTIT_CTL		0x02000000
+#define VM_EXIT_LOAD_CET_STATE                  0x10000000
 
 #define VM_EXIT_ALWAYSON_WITHOUT_TRUE_MSR	0x00036dff
 
@@ -117,6 +118,7 @@
 #define VM_ENTRY_LOAD_BNDCFGS                   0x00010000
 #define VM_ENTRY_PT_CONCEAL_PIP			0x00020000
 #define VM_ENTRY_LOAD_IA32_RTIT_CTL		0x00040000
+#define VM_ENTRY_LOAD_CET_STATE                 0x00100000
 
 #define VM_ENTRY_ALWAYSON_WITHOUT_TRUE_MSR	0x000011ff
 
@@ -345,6 +347,9 @@ enum vmcs_field {
 	GUEST_PENDING_DBG_EXCEPTIONS    = 0x00006822,
 	GUEST_SYSENTER_ESP              = 0x00006824,
 	GUEST_SYSENTER_EIP              = 0x00006826,
+	GUEST_S_CET                     = 0x00006828,
+	GUEST_SSP                       = 0x0000682a,
+	GUEST_INTR_SSP_TABLE            = 0x0000682c,
 	HOST_CR0                        = 0x00006c00,
 	HOST_CR3                        = 0x00006c02,
 	HOST_CR4                        = 0x00006c04,
@@ -357,6 +362,9 @@ enum vmcs_field {
 	HOST_IA32_SYSENTER_EIP          = 0x00006c12,
 	HOST_RSP                        = 0x00006c14,
 	HOST_RIP                        = 0x00006c16,
+	HOST_S_CET                      = 0x00006c18,
+	HOST_SSP                        = 0x00006c1a,
+	HOST_INTR_SSP_TABLE             = 0x00006c1c
 };
 
 /*
-- 
2.27.0