Received: by 2002:a05:7412:b995:b0:f9:9502:5bb8 with SMTP id it21csp8035030rdb; Thu, 4 Jan 2024 16:55:09 -0800 (PST) X-Google-Smtp-Source: AGHT+IH0DZ2J7EQhedt6p1ViUAYy10N9wjJiNJFZD6ZM8S57JsbHaFPRLIYTn4BDDW2XrofFDBBR X-Received: by 2002:a05:6e02:1c43:b0:35f:f8e8:6c11 with SMTP id d3-20020a056e021c4300b0035ff8e86c11mr1469588ilg.85.1704416109345; Thu, 04 Jan 2024 16:55:09 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1704416109; cv=none; d=google.com; s=arc-20160816; b=cGwO783of12CyWIMADAaYbiWXCYgdH7BnAfkxHUHOII6FilXj/RwSja4+DYi/BZbrI bkkcAZo0gu/P0sPyi+KKFR6t10X7lky2vnoY6aI0Ril2o2ZM5Vbwor0ZUYcDYSiEVW4g ExEg8sYBDYbg52JhemcFLhEb+GZMDOtrS5Pd4nCf6XqB/fyWyqk3nUQEaVVX+AnFHwz8 dj4poj/Tv4EquSSqCOTwRl2EWyalUL1x8Fe+1cdhiuKXTVVkhYrxbLbb3P/BrwVTtL1F jOcgdTkfyV7VfOnDtlL3pNuhfFgm7NIoMC34KS5mAB7qDoibk9cFxdDE5uN8ENXJGSd4 Qk1w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:list-unsubscribe:list-subscribe:list-id:precedence :in-reply-to:date:dkim-signature; bh=Ee/8DoVUu/+3ZRM6tajVkLwvVI4m4v9ZGKpZPXTQPEo=; fh=q4WAMf2Ug+1i+PYyvCvM7xux4W1tHdOpjlUKCEORM8c=; b=0K+CxsYzoolmtAQZAeFx1hK9lz6AzSFwLveXvnnai5RBnfTLIm11hbHGvUFy7N5mbk Zctvfg/W0eLVSfFFiU0C/zvS0KKlO9gzHvBLP29FckHWR08RNOd/RNkn7V46fja/itrR uFtEQ7Yi7O+HRb88OqLT9P4k2QO9L1xImPY8S3EaB17HonADHiVHAwoMxEm27NvngReO /r8a9F5tZh5gQ8tlATkVmrlzKXc5Cj8lRDVUdLiy+BB7HNZLZBMrJe0NFIMLeOWTIx37 RAl8vyvnN3Zj9g0JcVKNfjyqMcAbHsHzfxsIqOzJBbB1qwImq2ynySgMb2tbbxsXJDsG xpHw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=AUB3Y+B1; spf=pass (google.com: domain of linux-kernel+bounces-17359-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-17359-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [2604:1380:40f1:3f00::1]) by mx.google.com with ESMTPS id m15-20020a6562cf000000b005cd89d9fae3si404237pgv.634.2024.01.04.16.55.08 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 04 Jan 2024 16:55:09 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-17359-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) client-ip=2604:1380:40f1:3f00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=AUB3Y+B1; spf=pass (google.com: domain of linux-kernel+bounces-17359-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-17359-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id F0E58B22E9A for ; Fri, 5 Jan 2024 00:55:05 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id C17761FB2; Fri, 5 Jan 2024 00:54:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="AUB3Y+B1" X-Original-To: linux-kernel@vger.kernel.org Received: from mail-pg1-f202.google.com (mail-pg1-f202.google.com [209.85.215.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BE2C21854 for ; Fri, 5 Jan 2024 00:54:54 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com Received: by mail-pg1-f202.google.com with SMTP id 41be03b00d2f7-5ce0d2a64edso599801a12.1 for ; Thu, 04 Jan 2024 16:54:54 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1704416094; x=1705020894; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:from:to:cc:subject:date:message-id :reply-to; bh=Ee/8DoVUu/+3ZRM6tajVkLwvVI4m4v9ZGKpZPXTQPEo=; b=AUB3Y+B1u/AgTlK4AZOl0VltHPrfeFkdx5MqSmME4OJ4OBGlEce0BODcj6e3p1VBcX 0AwiDsuLasQPkYrfi5DyabgVfc9KHKuMpOtnnrOi+qXRE+UfcMWsGAIlUZNh1L9Wdo8q y3n90PXhUGS5erqFCkzU9dozEA47CIRswjewkRUhAb3HPAkbV5NzlfxjOdeQGx+AU1MK 2Jv0viALWqSuKi4wZlN42P21sfe0uU6OoDRwitkzeS7qzGoTLy0Nqi5BCgyUvIaboKfJ wLjAfnjEeKJmzxHOTWyrTMYBfYfG91FiX9RP0bBNDnNaQx8WNykUlCjbcyQYi2LaXr3q CeIg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704416094; x=1705020894; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=Ee/8DoVUu/+3ZRM6tajVkLwvVI4m4v9ZGKpZPXTQPEo=; b=Ug5nl6vtOhZ/avBEHZ4le+FBGkXkPpT5yoHAM1SbWVRQ2ncYfDFcUC//4r0iR6T6NA /MXdlOTm/ayUViapUi3yFuuGCzf/08CdXVNPOWV2edrNY4RpogH/5liqIRRq2eNS+qNg QKLT/DIM7g23NyGdsBGT+9tR96vNwj7zct+e/UBd/+nfbJwTx3Nn3jufKVTJtuRU3LXi Z/z+HFZePC9QpzUfwXZqlGcd2De9b7E4oWW4KkIgNxBurj7zOXUe/tm7II8zGX7LdNnD PqthQ0b5xKejGmclczFT0lDICr3QJJkT1AY0m5gDGBVVE1JcSQ8P+bwkgsMtRHIU3PW5 tT2A== X-Gm-Message-State: AOJu0Yz5AVWiq+HYENX8LH55YN7VuxAsWDjP1fmL9k7vkGN34XMAWGRV AyA4hatQbBttjCy1cSEzZlxTnLTpfvJy2+5ksg== X-Received: from zagreus.c.googlers.com ([fda3:e722:ac3:cc00:7f:e700:c0a8:5c37]) (user=seanjc job=sendgmr) by 2002:a17:90a:51e5:b0:28d:2d4:4f89 with SMTP id u92-20020a17090a51e500b0028d02d44f89mr1236pjh.4.1704416092912; Thu, 04 Jan 2024 16:54:52 -0800 (PST) Date: Thu, 4 Jan 2024 16:54:51 -0800 In-Reply-To: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20231221140239.4349-1-weijiang.yang@intel.com> <93f118670137933980e9ed263d01afdb532010ed.camel@intel.com> <5f57ce03-9568-4739-b02d-e9fac6ed381a@intel.com> <6179ddcb25c683bd178e74e7e2455cee63ba74de.camel@intel.com> Message-ID: Subject: Re: [PATCH v8 00/26] Enable CET Virtualization From: Sean Christopherson To: Rick P Edgecombe Cc: Chao Gao , Weijiang Yang , Dave Hansen , "peterz@infradead.org" , "john.allen@amd.com" , "linux-kernel@vger.kernel.org" , "pbonzini@redhat.com" , "kvm@vger.kernel.org" , "mlevitsk@redhat.com" Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable On Fri, Jan 05, 2024, Rick P Edgecombe wrote: > On Thu, 2024-01-04 at 16:22 -0800, Sean Christopherson wrote: > > No, the days of KVM making shit up from are done.=C2=A0 IIUC, you're ad= vocating > > that it's ok for KVM to induce a #CP that architecturally should not > > happen.=C2=A0 That is not acceptable, full stop. >=20 > Nope, not advocating that at all. Heh, wrong "you". That "you" was directed at Weijiang, who I *think* is sa= ying that clobbering the shadow stack by emulating CALL+RET and thus inducing a = bogus #CP in the guest is ok. > I'm noticing that in this series KVM has special emulator behavior that > doesn't match the HW when CET is enabled. That it *skips* emitting #CPs (= and > other CET behaviors SW depends on), and wondering if it is a problem. Yes, it's a problem. But IIUC, as is KVM would also induce bogus #CPs (whi= ch is probably less of a problem in practice, but still not acceptable). > I'm worried that there is some way attackers will induce the host to > emulate an instruction and skip CET enforcement that the HW would > normally do. Yep. The best behavior for this is likely KVM's existing behavior, i.e. re= try the instruction in the guest, and if that doesn't work, kick out to userspa= ce and let userspace try to sort things out. > > For CALL/RET (and presumably any branch instructions with IBT?) other > > instructions that are directly affected by CET, the simplest thing woul= d > > probably be to disable those in KVM's emulator if shadow stacks and/or = IBT > > are enabled, and let KVM's failure paths take it from there. >=20 > Right, that is what I was wondering might be the normal solution for > situations like this. If KVM can't emulate something, it either retries the instruction (with som= e decent logic to guard against infinite retries) or punts to userspace. Or if the platform owner likes to play with fire and doesn't enable KVM_CAP_EXIT_ON_EMULATION_FAILURE, KVM will inject a #UD (and still exit to userspace if the emulation happened at CPL0). And yes, that #UD is 100% KV= M making shit up, and yes, it has caused problems and confusion. :-) =20 > > Then, *if* a use case comes along where the guest is utilizing CET and > > "needs" KVM to emulate affected instructions, we can add the necessary > > support the emulator. > >=20 > > Alternatively, if teaching KVM's emulator to play nice with shadow stac= ks > > and IBT is easy-ish, just do that. >=20 > I think it will not be very easy. Yeah. As Jim alluded to, I think it's probably time to admit that emulatin= g instructions for modern CPUs is a fools errand and KVM should simply stop t= rying.