| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <e86e000a-ccf6-8a66-a7e3-01d1c6f12857@intel.com>
Date: Wed, 24 May 2023 16:07:13 +0800
From: "Yang, Weijiang" <weijiang.yang@...el.com>
To: Chenyi Qiang <chenyi.qiang@...el.com>
CC: <seanjc@...gle.com>, <pbonzini@...hat.com>,
<linux-kernel@...r.kernel.org>, <kvm@...r.kernel.org>,
<peterz@...radead.org>, <rppt@...nel.org>,
<binbin.wu@...ux.intel.com>, <rick.p.edgecombe@...el.com>,
<john.allen@....com>
Subject: Re: [PATCH v3 18/21] KVM:x86: Enable CET virtualization for VMX and
advertise to userspace
On 5/24/2023 2:35 PM, Chenyi Qiang wrote:
>
> On 5/11/2023 12:08 PM, Yang Weijiang wrote:
[...]
>> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
>> index 50026557fb2a..858cb68e781a 100644
>> --- a/arch/x86/kvm/x86.c
>> +++ b/arch/x86/kvm/x86.c
>> @@ -226,7 +226,7 @@ static struct kvm_user_return_msrs __percpu *user_return_msrs;
>> | XFEATURE_MASK_BNDCSR | XFEATURE_MASK_AVX512 \
>> | XFEATURE_MASK_PKRU | XFEATURE_MASK_XTILE)
>>
>> -#define KVM_SUPPORTED_XSS 0
>> +#define KVM_SUPPORTED_XSS (XFEATURE_MASK_CET_USER)
>>
>> u64 __read_mostly host_efer;
>> EXPORT_SYMBOL_GPL(host_efer);
>> @@ -9525,6 +9525,25 @@ static int __kvm_x86_vendor_init(struct kvm_x86_init_ops *ops)
>>
>> kvm_ops_update(ops);
>>
>> + /*
>> + * Check CET user bit is still set in kvm_caps.supported_xss,
>> + * if not, clear the cap bits as the user parts depends on
>> + * XSAVES support.
>> + */
>> + if (!kvm_cet_user_supported()) {
>> + kvm_cpu_cap_clear(X86_FEATURE_SHSTK);
>> + kvm_cpu_cap_clear(X86_FEATURE_IBT);
>> + }
>> +
>> + /*
>> + * If SHSTK and IBT are available in KVM, clear CET user bit in
> Should it be "If SHSTK and IBT are *not* available ..."?
Good catch, thanks! I'll change it in next version!
>
>> + * kvm_caps.supported_xss so that kvm_cet_user_supported() returns
>> + * false when called.
>> + */
>> + if (!kvm_cpu_cap_has(X86_FEATURE_SHSTK) &&
>> + !kvm_cpu_cap_has(X86_FEATURE_IBT))
>> + kvm_caps.supported_xss &= ~XFEATURE_MASK_CET_USER;
>> +
>> for_each_online_cpu(cpu) {
>> smp_call_function_single(cpu, kvm_x86_check_cpu_compat, &r, 1);
>> if (r < 0)
Powered by blists - more mailing lists