Received: by 2002:a05:7412:b995:b0:f9:9502:5bb8 with SMTP id it21csp8032393rdb;
        Thu, 4 Jan 2024 16:45:40 -0800 (PST)
X-Google-Smtp-Source: AGHT+IG0ZSHDYOdNW5mRArohE2G4IWCmBFYUQL2p9E+chH884tGPJ8jxKsbeJ4v7YaJ5C9zSZMDQ
X-Received: by 2002:a17:90a:ad82:b0:28b:e058:4807 with SMTP id s2-20020a17090aad8200b0028be0584807mr1274477pjq.59.1704415540032;
        Thu, 04 Jan 2024 16:45:40 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1704415540; cv=none;
        d=google.com; s=arc-20160816;
        b=wn5GwU9Xo3WLZO1GI02mMxCtoiHNeTRcIMTpENzig5wOpvuL0ioSWm18EqwmZjWK0A
         5VgyQ6nMwae5ERP0zeh8SjewxsALLGBGrlSKPDFwBfxbqrbjBTrt2F3JQ7dQuEVTgs5H
         ol/hs1TvJ0VQl9hi8smT0YDg42w15HCG8yRGQ4Tu6whVkGk/hZcziu73pg2BedAsOTgJ
         xG76OoHgGk683UU1Qd6fHNujOa3B/vaCevUptKppMfLQtdDrmn7v2vxiT1aIu8vxi9oO
         dKh2vryMyK9vTxwkJbTOsTPqxj2rXvmmaRzDtvbtjX4lhO2327A1rICLkuAVyx5Yqjfw
         9NfQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:list-unsubscribe:list-subscribe
         :list-id:precedence:dkim-signature;
        bh=Wq7vNTMud1h9RSq/r7FFlbSWd3EFsZcYUti+eAsDyuM=;
        fh=4kqdU1XFxi6VeSO2mm5qKiMuDiB/BUYTF0Y6tfHo+OA=;
        b=hyNWVErr3ZOj/1oyyZy68h7B0uEkiH4KBINLLhxyOYpz1kiastfr5RfenTyE4YdSXS
         3cidlKf+Eo9zBN8491CGs+Wjebyu7KWaCyE/WVZHC91aSYqK/lwds9jUA335e5M2ezp/
         Uq9bl6k/mgZOXqllrqtUGOHU0IEv8plRVEGUpHoWx9G+6m/poeoNh/ujacPVj1pYCtnz
         pHwd5+kR5e0vz7TTuVS7KtpJ7ee9HmovglVnXs7SIF6s0vGO5bxFrbbXrwUQYgZ8i7RD
         2w17uEPOhK4wXvTHaKmLjh3hsIV74aL4/+ct6PDqLMvtjO8VwK7PbCs44WlCSSaejMLI
         4O4w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20230601 header.b=kMwET7i9;
       spf=pass (google.com: domain of linux-kernel+bounces-17357-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-17357-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel+bounces-17357-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [147.75.48.161])
        by mx.google.com with ESMTPS id d12-20020a17090ad3cc00b0028c2a41bd4csi3792904pjw.110.2024.01.04.16.45.39
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 04 Jan 2024 16:45:40 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-17357-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) client-ip=147.75.48.161;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20230601 header.b=kMwET7i9;
       spf=pass (google.com: domain of linux-kernel+bounces-17357-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-17357-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sy.mirrors.kernel.org (Postfix) with ESMTPS id 9A69BB23772
	for <linux.lists.archive@gmail.com>; Fri,  5 Jan 2024 00:44:53 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 3F4BE1FCA;
	Fri,  5 Jan 2024 00:44:43 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="kMwET7i9"
X-Original-To: linux-kernel@vger.kernel.org
Received: from mail-ed1-f45.google.com (mail-ed1-f45.google.com [209.85.208.45])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id E921D185B
	for <linux-kernel@vger.kernel.org>; Fri,  5 Jan 2024 00:44:40 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=google.com
Received: by mail-ed1-f45.google.com with SMTP id 4fb4d7f45d1cf-54744e66d27so6134a12.0
        for <linux-kernel@vger.kernel.org>; Thu, 04 Jan 2024 16:44:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20230601; t=1704415479; x=1705020279; darn=vger.kernel.org;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:from:to:cc:subject:date
         :message-id:reply-to;
        bh=Wq7vNTMud1h9RSq/r7FFlbSWd3EFsZcYUti+eAsDyuM=;
        b=kMwET7i9RRTGq3MSZ2Ii45sH7JlIk9tNlMVxKRtYXhyz8ulYeSEn/h8PDuODlRJLa7
         d8mHsPcnPweq6FOS2p+FsvlHrMmOa6CHC3Kx3W3uHuSkUYQDQX+lJUad71eBbLNelcge
         7CiXQj65BHOg0uB3uY03M7GyM2FncM2ntG//aFlBfOFBlGQHb6dg8PgmS2gsjaNCQXtU
         tLNhN7b8Y0e2gNC0YPzjetG3/xPfJr9wjNNgC0kzK6wSR92Kspas7NQ7LcJDGh5EYIWN
         izKpnltWEwHbjdsJZCcAVqWMWDMSoI5fv30ZgK3Qb4So1pq7d/THIOVNZ2qFddKnuHpt
         7ZdA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1704415479; x=1705020279;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=Wq7vNTMud1h9RSq/r7FFlbSWd3EFsZcYUti+eAsDyuM=;
        b=MUlD6wKonfkriCsilb++Z/QQfo24IfGkLOYmaI9xuPcJv7eeJwj/BDr2tXTwx6v/F/
         JU6qwHttVSsEz27W/DNa39aBgmxBxFvw9ZGDaPCQvwBdiDu6mLNLkWr8KCukig2chNcD
         tj1UffnvNRgN2smevMCg0ufIVEy4I8B4Gbv8Ai9chtut+z9wJs3WlYBIciKwg1OB4f4K
         UGtELdLR5AZ7eG42Hv+VLEp2K+JbbGlY4phSkQj3HmlvZNPpSqS8pYljJoZ/gEg1Vn85
         pRKOcV2e99PK8JXXUe3hV9FSWH1A5pMbTZceaVp7UZZpNAh2O09f5tn+OdGm1VuV5zZ9
         lYUw==
X-Gm-Message-State: AOJu0YyivHU/yexR1f5UhAonPepunVpLTwbd042QRfSIkJKbB/hb/Pgl
	0W/LQDIy8idxs/TJfXPuk48Tp1zBJhfjsVaARncizytzhC8+
X-Received: by 2002:a50:d78c:0:b0:553:773b:b7b2 with SMTP id
 w12-20020a50d78c000000b00553773bb7b2mr74526edi.6.1704415479108; Thu, 04 Jan
 2024 16:44:39 -0800 (PST)
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
References: <20231221140239.4349-1-weijiang.yang@intel.com>
 <93f118670137933980e9ed263d01afdb532010ed.camel@intel.com>
 <5f57ce03-9568-4739-b02d-e9fac6ed381a@intel.com> <6179ddcb25c683bd178e74e7e2455cee63ba74de.camel@intel.com>
 <ZZdLG5W5u19PsnTo@google.com> <a2344e2143ef2b9eca0d153c86091e58e596709d.camel@intel.com>
In-Reply-To: <a2344e2143ef2b9eca0d153c86091e58e596709d.camel@intel.com>
From: Jim Mattson <jmattson@google.com>
Date: Thu, 4 Jan 2024 16:44:24 -0800
Message-ID: <CALMp9eRB9JwnB22wLsef6HvDQP35HWvNrf0f44undomjYEX=Qw@mail.gmail.com>
Subject: Re: [PATCH v8 00/26] Enable CET Virtualization
To: "Edgecombe, Rick P" <rick.p.edgecombe@intel.com>
Cc: "seanjc@google.com" <seanjc@google.com>, "Gao, Chao" <chao.gao@intel.com>, 
	"Yang, Weijiang" <weijiang.yang@intel.com>, "Hansen, Dave" <dave.hansen@intel.com>, 
	"peterz@infradead.org" <peterz@infradead.org>, "john.allen@amd.com" <john.allen@amd.com>, 
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>, "pbonzini@redhat.com" <pbonzini@redhat.com>, 
	"kvm@vger.kernel.org" <kvm@vger.kernel.org>, "mlevitsk@redhat.com" <mlevitsk@redhat.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Thu, Jan 4, 2024 at 4:34=E2=80=AFPM Edgecombe, Rick P
<rick.p.edgecombe@intel.com> wrote:
>
> On Thu, 2024-01-04 at 16:22 -0800, Sean Christopherson wrote:
> > No, the days of KVM making shit up from are done.  IIUC, you're
> > advocating that
> > it's ok for KVM to induce a #CP that architecturally should not
> > happen.  That is
> > not acceptable, full stop.
>
> Nope, not advocating that at all. I'm noticing that in this series KVM
> has special emulator behavior that doesn't match the HW when CET is
> enabled. That it *skips* emitting #CPs (and other CET behaviors SW
> depends on), and wondering if it is a problem.
>
> I'm worried that there is some way attackers will induce the host to
> emulate an instruction and skip CET enforcement that the HW would
> normally do.
>
> >
> > Retrying the instruction in the guest, exiting to userspace, and even
> > terminating
> > the VM are all perfectly acceptable behaviors if KVM encounters
> > something it can't
> > *correctly* emulate.  But clobbering the shadow stack or not
> > detecting a CFI
> > violation, even if the guest is misbehaving, is not ok.
> >
> [snip]
> > Yeah, I don't even know what the TRACKER bit does (I don't feel like
> > reading the
> > SDM right now), let alone if what KVM does or doesn't do in response
> > is remotely
> > correct.
> >
> > For CALL/RET (and presumably any branch instructions with IBT?) other
> > instructions
> > that are directly affected by CET, the simplest thing would probably
> > be to disable
> > those in KVM's emulator if shadow stacks and/or IBT are enabled, and
> > let KVM's
> > failure paths take it from there.
>
> Right, that is what I was wondering might be the normal solution for
> situations like this.

On AMD CPUs and on Intel CPUs with "unrestricted guest," I don't think
there is any need to emulate an instruction that doesn't either (a)
cause a VM-exit by opcode (e.g. CPUID) or (b) access memory.  I think
we should probably disable emulation of anything else, for both
security and sanity.

> >
> > Then, *if* a use case comes along where the guest is utilizing CET
> > and "needs"
> > KVM to emulate affected instructions, we can add the necessary
> > support the emulator.
> >
> > Alternatively, if teaching KVM's emulator to play nice with shadow
> > stacks and IBT
> > is easy-ish, just do that.
>
> I think it will not be very easy.