Received: by 2002:a05:7412:f589:b0:e2:908c:2ebd with SMTP id eh9csp412659rdb; Tue, 31 Oct 2023 10:46:02 -0700 (PDT) X-Google-Smtp-Source: AGHT+IF9cDoXbg3OGEA2kwAcw6DSXvjw1y8ya/1zoxC03pgGZbv7FiFCOAcZdsutI6J5NWFFQyNv X-Received: by 2002:a05:6a20:938c:b0:17b:40:ccd6 with SMTP id x12-20020a056a20938c00b0017b0040ccd6mr18468788pzh.2.1698774361763; Tue, 31 Oct 2023 10:46:01 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1698774361; cv=none; d=google.com; s=arc-20160816; b=O06CWID1ddzLxTiEWfouYs7pOj9iOdh7STR+bcXoOw40UVQ4t3C41W3UpGJGG7azBb EsCkiBP3MuCYJjsJ/f3vqFCDzPbfO4s/XlvtDyPkOc4GmRBX2FTngGbvie1A7dhGDx5e slhHKVWccGd/oAvBA1jcev70aOSX7ADSBgBE0PbRGBDOHOKDDdesKt1DsAgHVagtop+j JPZdGa+b36HnbbutUPQKjttvCCLInkL/FORUkS9MSmej0R1+60qj+JxGM4++cH0Rhuen l7wVdscpooAPBV/L2FY3an/IWjL7lmts2xgLeW0Sq2SdWS6vk93pB83hm8j4QCxMwZCG JPgQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:date:cc:to:from:subject :message-id:dkim-signature; bh=++yDpu2AH/a5plJrgjGi13e3Lbz8agKll4JzdkwLo3c=; fh=dtrqXlmdW2pp+l2CpWShG6zD+/fqsERpCoLg3WvVy+I=; b=TQ67RGUGZQPLfoilYUBUKbFZ2m0Nf+OeQcmnkK/IGgA7k6dn5Xsy9+45yiad4SxXek ptRaxUG0np/7HgpNx+9fFXshVzcMSZndtC6CXDVnSbnA1inabbMC8nvP8gSeHiM4c3gD kHwDu1LTGkz0/v4xxvAP8EITFq1eUiqBldLBTBkZe+2Ka2Un21IML17kEw1LBlsgkYr9 ila8ZHI5YycHpYw8HWhSaM0MX1LMt0GsLsuxD7pqDIG7XbpV6kiTPEEZHK4gY7mbwcmu QBWZZn93LnXQrwTjhsRr33Lh935/C+NdhcHobj6NguwocoPVh1lbmMjOD2L9ZinyAPD6 +7jw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b="b/rQTOmb"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.38 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from fry.vger.email (fry.vger.email. [23.128.96.38]) by mx.google.com with ESMTPS id z13-20020aa7948d000000b006c12323c3desi1224554pfk.350.2023.10.31.10.46.00 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 31 Oct 2023 10:46:01 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.38 as permitted sender) client-ip=23.128.96.38; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b="b/rQTOmb"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.38 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by fry.vger.email (Postfix) with ESMTP id 3CDE480613B8; Tue, 31 Oct 2023 10:45:15 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at fry.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1346973AbjJaRpE (ORCPT + 99 others); Tue, 31 Oct 2023 13:45:04 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37614 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1346975AbjJaRpC (ORCPT ); Tue, 31 Oct 2023 13:45:02 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B3C6BC2 for ; Tue, 31 Oct 2023 10:44:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1698774254; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=++yDpu2AH/a5plJrgjGi13e3Lbz8agKll4JzdkwLo3c=; b=b/rQTOmb4xF6CupIXNNZIjGwxpAzQH8a4r5q+NVirlWOhgY0Qe/90/qt5biM3WHqVZ5BOX QJrY8ZiMq69pS3H+zZ1Iz2R3nrYVoXTJ9fPW/6HDJ+XUEt64NiT3cNV8Y1mK17fHfO8Udr G0qaaheLR4FDqvdJ7UvmfS2cMXnKQaE= Received: from mail-wm1-f71.google.com (mail-wm1-f71.google.com [209.85.128.71]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-501-_n9wCwdSMZCIZXrkEpegBw-1; Tue, 31 Oct 2023 13:44:13 -0400 X-MC-Unique: _n9wCwdSMZCIZXrkEpegBw-1 Received: by mail-wm1-f71.google.com with SMTP id 5b1f17b1804b1-4084e263ec4so42080535e9.2 for ; Tue, 31 Oct 2023 10:44:13 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1698774252; x=1699379052; h=content-transfer-encoding:mime-version:user-agent:references :in-reply-to:date:cc:to:from:subject:message-id:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=++yDpu2AH/a5plJrgjGi13e3Lbz8agKll4JzdkwLo3c=; b=mASJn7Tsn6q7raRsiPbObGKVIAef0V09XNObg6M+zG5Bd8s/HGkkXTOqi+TZjNHu9J oYTuMwS8e0/7mCaoN4SLvjRFQZzfNsiHdFPaU1nI4kOqrJVymqzdLF/tsrtCLMdVQT1C S21KUl+tv8etzclsmpYrFBZfle0SkCHmruSJ+ARS51k2kmj3vonosoTuNJW3ozxRAj48 M491PvlNOLw83X4b0wmNgOQlCMgy5IaVB6Zxuovy5A6DMSupIrtubFnDjTHsv/8KS55i xS5ewjR1dXgOzwQ+6CZ4Lb1x3EO0dktQgH8VLs4O09OmGUDqeOsqI/KhW13D3QK4329n FOnA== X-Gm-Message-State: AOJu0YzsnRbNil+ZxW4lpmlbdSceWA1K7Lt8IXaGGYfooISujfXXJIGb ZAs3rmhMhO5Xqle4m+NrThFEjOtQedJg65j1ZTcJCAFRWfPHg9U0Tn4/SAoKYEhwVs/XuhN1T/f CbfHGEW60oMUZCevfDuQY6HAN X-Received: by 2002:a05:600c:4748:b0:3fb:feb0:6f40 with SMTP id w8-20020a05600c474800b003fbfeb06f40mr11485647wmo.11.1698774252075; Tue, 31 Oct 2023 10:44:12 -0700 (PDT) X-Received: by 2002:a05:600c:4748:b0:3fb:feb0:6f40 with SMTP id w8-20020a05600c474800b003fbfeb06f40mr11485630wmo.11.1698774251754; Tue, 31 Oct 2023 10:44:11 -0700 (PDT) Received: from starship ([89.237.100.246]) by smtp.gmail.com with ESMTPSA id z18-20020a05600c079200b0040772934b12sm2296222wmo.7.2023.10.31.10.44.09 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 31 Oct 2023 10:44:10 -0700 (PDT) Message-ID: Subject: Re: [PATCH v6 03/25] x86/fpu/xstate: Add CET supervisor mode state support From: Maxim Levitsky To: "Yang, Weijiang" , "Edgecombe, Rick P" , "kvm@vger.kernel.org" , "pbonzini@redhat.com" , "Christopherson,, Sean" , "linux-kernel@vger.kernel.org" Cc: "peterz@infradead.org" , "Hansen, Dave" , "Gao, Chao" , "john.allen@amd.com" Date: Tue, 31 Oct 2023 19:44:08 +0200 In-Reply-To: References: <20230914063325.85503-1-weijiang.yang@intel.com> <20230914063325.85503-4-weijiang.yang@intel.com> <35393ed30962125fd6ce1f91f71595d1111413ec.camel@intel.com> Content-Type: text/plain; charset="UTF-8" User-Agent: Evolution 3.36.5 (3.36.5-2.fc32) MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-1.3 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on fry.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (fry.vger.email [0.0.0.0]); Tue, 31 Oct 2023 10:45:15 -0700 (PDT) On Fri, 2023-09-15 at 14:30 +0800, Yang, Weijiang wrote: > On 9/15/2023 8:06 AM, Edgecombe, Rick P wrote: > > On Thu, 2023-09-14 at 02:33 -0400, Yang Weijiang wrote: > > > Add supervisor mode state support within FPU xstate management > > > framework. > > > Although supervisor shadow stack is not enabled/used today in > > > kernel,KVM > > ^ Nit: needs a space > > > requires the support because when KVM advertises shadow stack feature > > > to > > > guest, architechturally it claims the support for both user and > > ^ Spelling: "architecturally" > > Thank you!! > > > > supervisor > > > modes for Linux and non-Linux guest OSes. > > > > > > With the xstate support, guest supervisor mode shadow stack state can > > > be > > > properly saved/restored when 1) guest/host FPU context is swapped > > > 2) vCPU > > > thread is sched out/in. > > (2) is a little bit confusing, because the lazy FPU stuff won't always > > save/restore while scheduling. > > It's true for normal thread, but for vCPU thread, it's a bit different, on the path to > vm-entry, after host/guest fpu states swapped, preemption is not disabled and > vCPU thread could be sched out/in, in this case, guest FPU states will be saved/ > restored because TIF_NEED_FPU_LOAD is always cleared after swap. > > > But trying to explain the details in > > this commit log is probably unnecessary. Maybe something like? > > > > 2) At the proper times while other tasks are scheduled > > I just want to justify that enabling of supervisor xstate is necessary for guest. > Maybe I need to reword a bit :-) > > > I think also a key part of this is that XFEATURE_CET_KERNEL is not > > *all* of the "guest supervisor mode shadow stack state", at least with > > respect to the MSRs. It might be worth calling that out a little more > > loudly. > > OK, I will call it out that supervisor mode shadow stack state also includes IA32_S_CET msr. > > > > The alternative is to enable it in KVM domain, but KVM maintainers > > > NAKed > > > the solution. The external discussion can be found at [*], it ended > > > up > > > with adding the support in kernel instead of KVM domain. > > > > > > Note, in KVM case, guest CET supervisor state i.e., > > > IA32_PL{0,1,2}_MSRs, > > > are preserved after VM-Exit until host/guest fpstates are swapped, > > > but > > > since host supervisor shadow stack is disabled, the preserved MSRs > > > won't > > > hurt host. > > It might beg the question of if this solution will need to be redone by > > some future Linux supervisor shadow stack effort. I *think* the answer > > is no. > > AFAICT KVM needs to be modified if host shadow stack is implemented, at least > guest/host CET supervisor MSRs should be swapped at the earliest time after > vm-exit so that host won't misbehavior on *guest* MSR contents. I agree. > > > Most of the xsave managed features are restored before returning to > > userspace because they would have userspace effect. But > > XFEATURE_CET_KERNEL is different. It only effects the kernel. But the > > IA32_PL{0,1,2}_MSRs are used when transitioning to those rings. So for > > Linux they would get used when transitioning back from userspace. In > > order for it to be used when control transfers back *from* userspace, > > it needs to be restored before returning *to* userspace. So despite > > being needed only for the kernel, and having no effect on userspace, it > > might need to be swapped/restored at the same time as the rest of the > > FPU state that only affects userspace. > > You're right, for enabling of supervisor mode shadow stack, we need to take > it carefully whenever ring/stack is switching. But we still have time to figure out > the points. > > Thanks a lot for bring up such kind of thinking! > > > Probably supervisor shadow stack for Linux needs much more analysis, > > but trying to leave some breadcrumbs on the thinking from internal > > reviews. I don't know if it might be good to include some of this > > reasoning in the commit log. It's a bit hand wavy. > > IMO, we have put much assumption on the fact that CET supervisor shadow stack is not > enabled in kernel and this patch itself is straightforward and simple, it's just a small > brick for enabling supervisor shadow stack, we would revisit whether something is an > issue based on how SSS is implemented in kernel. So let's not add such kind of reasoning :-) Overall the patch looks OK to me. Reviewed-by: Maxim Levitsky Best regards, Maxim Levitsky > > Thank you for the enlightenment! > > > [*]: > > > https://lore.kernel.org/all/806e26c2-8d21-9cc9-a0b7-7787dd231729@intel.com/ > > > > > > Signed-off-by: Yang Weijiang > > Otherwise, the code looked good to me.