Message-ID: <f98faaa8-8bc5-9ba7-c4e1-33f8a890e1e3@redhat.com>
Date: Wed, 3 Feb 2021 13:40:00 +0100
From: Paolo Bonzini <pbonzini@...hat.com>
To: Yang Weijiang <weijiang.yang@...el.com>, seanjc@...gle.com,
jmattson@...gle.com, kvm@...r.kernel.org,
linux-kernel@...r.kernel.org
Cc: yu.c.zhang@...ux.intel.com
Subject: Re: [PATCH v15 00/14] Introduce support for guest CET feature

On 03/02/21 12:34, Yang Weijiang wrote:
> Control-flow Enforcement Technology (CET) provides protection against
> Return/Jump-Oriented Programming (ROP/JOP) attacks. There are two CET
> subfeatures: Shadow Stack (SHSTK) and Indirect Branch Tracking (IBT).
> SHSTK is to prevent ROP and IBT is to prevent JOP.
>
> Several parts in KVM have been updated to provide guest CET support, including:
> CPUID/XSAVES settings, MSR passthrough, user-space MSR access interface,
> vmentry/vmexit config, nested VM etc. These patches are dependent on CET
> kernel patches for XSAVES support and CET definitions, e.g., MSR and related
> feature flags.
>
> CET kernel patches: refer to [1], [2].
>
> Previous CET KVM patches: refer to [3].
>
> CET QEMU patches: refer to [4].
>
> CET KVM unit-test patch: refer to [5].
>
> [1]: CET Shadow Stack patches v18:
> https://lkml.kernel.org/linux-api/20210127212524.10188-1-yu-cheng.yu@intel.com/
>
> [2]: Indirect Branch Tracking patches v18:
> https://lkml.kernel.org/linux-api/20210127213028.11362-1-yu-cheng.yu@intel.com/
>
> [3]: CET KVM patches v14:
> https://lkml.kernel.org/kvm/20201106011637.14289-1-weijiang.yang@intel.com/
>
> [4]: CET QEMU patches:
> https://patchwork.ozlabs.org/project/qemu-devel/patch/20201013051935.6052-2-weijiang.yang@intel.com/
>
> [5]: CET KVM unit-test patch:
> https://patchwork.kernel.org/project/kvm/patch/20200506082110.25441-12-weijiang.yang@intel.com/
>
> Changes in v15:
> - Changed patches per Paolo's review feedback on v14.
> - Added a new patch for GUEST_SSP save/restore in guest SMM case.
> - Fixed guest call-trace issue due to CET MSR interception.
> - Removed unnecessary guest CET state cleanup in VMCS.
> - Rebased patches to 5.11-rc6.
>
>
> Sean Christopherson (2):
>   KVM: x86: Report XSS as an MSR to be saved if there are supported
>     features
>   KVM: x86: Load guest fpu state when accessing MSRs managed by XSAVES
>
> Yang Weijiang (12):
>   KVM: x86: Refresh CPUID on writes to MSR_IA32_XSS
>   KVM: x86: Add #CP support in guest exception dispatch
>   KVM: VMX: Introduce CET VMCS fields and flags
>   KVM: x86: Add fault checks for CR4.CET
>   KVM: VMX: Emulate reads and writes to CET MSRs
>   KVM: VMX: Add a synthetic MSR to allow userspace VMM to access
>     GUEST_SSP
>   KVM: x86: Report CET MSRs as to-be-saved if CET is supported
>   KVM: x86: Enable CET virtualization for VMX and advertise CET to
>     userspace
>   KVM: VMX: Pass through CET MSRs to the guest when supported
>   KVM: nVMX: Add helper to check the vmcs01 MSR bitmap for MSR
>     pass-through
>   KVM: nVMX: Enable CET support for nested VMX
>   KVM: x86: Save/Restore GUEST_SSP to/from SMRAM
>
>  arch/x86/include/asm/kvm_host.h      |   4 +-
>  arch/x86/include/asm/vmx.h           |   8 ++
>  arch/x86/include/uapi/asm/kvm.h      |   1 +
>  arch/x86/include/uapi/asm/kvm_para.h |   1 +
>  arch/x86/kvm/cpuid.c                 |  26 +++-
>  arch/x86/kvm/emulate.c               |  11 ++
>  arch/x86/kvm/vmx/capabilities.h      |   5 +
>  arch/x86/kvm/vmx/nested.c            |  57 ++++++--
>  arch/x86/kvm/vmx/vmcs12.c            |   6 +
>  arch/x86/kvm/vmx/vmcs12.h            |  14 +-
>  arch/x86/kvm/vmx/vmx.c               | 202 ++++++++++++++++++++++++++-
>  arch/x86/kvm/x86.c                   |  67 ++++++++-
>  arch/x86/kvm/x86.h                   |  10 +-
>  13 files changed, 387 insertions(+), 25 deletions(-)
>

Queued, though not for 5.12 unless the bare metal support is there too.

Paolo