| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Yqs7qjjbqxpw62B/@hirez.programming.kicks-ass.net>
Date: Thu, 16 Jun 2022 16:18:18 +0200
From: Peter Zijlstra <peterz@...radead.org>
To: Paolo Bonzini <pbonzini@...hat.com>
Cc: Yang Weijiang <weijiang.yang@...el.com>, seanjc@...gle.com,
x86@...nel.org, kvm@...r.kernel.org, linux-kernel@...r.kernel.org,
rick.p.edgecombe@...el.com
Subject: Re: [PATCH 00/19] Refresh queued CET virtualization series
On Thu, Jun 16, 2022 at 12:21:20PM +0200, Paolo Bonzini wrote:
> On 6/16/22 12:12, Peter Zijlstra wrote:
> > Do I understand this right in that a host without X86_KERNEL_IBT cannot
> > run a guest with X86_KERNEL_IBT on? That seems unfortunate, since that
> > was exactly what I did while developing the X86_KERNEL_IBT patches.
> >
> > I'm thinking that if the hardware supports it, KVM should expose it,
> > irrespective of the host kernel using it.
>
> For IBT in particular, I think all processor state is only loaded and stored
> at vmentry/vmexit (does not need XSAVES), so it should be feasible.
That would be the S_CET stuff, yeah, that's VMCS managed. The U_CET
stuff is all XSAVE though.
But funny thing, CPUID doesn't enumerate {U,S}_CET separately. It *does*
enumerate IBT and SS separately, but for each IBT/SS you have to
implement both U and S.
That was a problem with the first series, which only implemented support
for U_CET while advertising IBT and SS (very much including S_CET), and
still is a problem with this series because S_SS is missing while
advertised.
Powered by blists - more mailing lists