| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 6 May 2024 17:19:18 +0800
From: "Yang, Weijiang" <weijiang.yang@...el.com>
To: Sean Christopherson <seanjc@...gle.com>
CC: <pbonzini@...hat.com>, <dave.hansen@...el.com>, <x86@...nel.org>,
<kvm@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
<peterz@...radead.org>, <chao.gao@...el.com>, <rick.p.edgecombe@...el.com>,
<mlevitsk@...hat.com>, <john.allen@....com>
Subject: Re: [PATCH v10 24/27] KVM: x86: Enable CET virtualization for VMX and
advertise to userspace
On 5/2/2024 7:15 AM, Sean Christopherson wrote:
> On Sun, Feb 18, 2024, Yang Weijiang wrote:
>> @@ -696,6 +697,20 @@ void kvm_set_cpu_caps(void)
>> kvm_cpu_cap_set(X86_FEATURE_INTEL_STIBP);
>> if (boot_cpu_has(X86_FEATURE_AMD_SSBD))
>> kvm_cpu_cap_set(X86_FEATURE_SPEC_CTRL_SSBD);
>> + /*
>> + * Don't use boot_cpu_has() to check availability of IBT because the
>> + * feature bit is cleared in boot_cpu_data when ibt=off is applied
>> + * in host cmdline.
> I'm not convinced this is a good reason to diverge from the host kernel. E.g.
> PCID and many other features honor the host setup, I don't see what makes IBT
> special.
This is mostly based on our user experience and the hypothesis for cloud computing:
When we evolve host kernels, we constantly encounter issues when kernel IBT is on,
so we have to disable kernel IBT by adding ibt=off. But we need to test the CET features
in VM, if we just simply refer to host boot cpuid data, then IBT cannot be enabled in
VM which makes CET features incomplete in guest.
I guess in cloud computing, it could run into similar dilemma. In this case, the tenant
cannot benefit the feature just because of host SW problem. I know currently KVM
except LA57 always honors host feature configurations, but in CET case, there could be
divergence wrt honoring host configuration as long as there's no quirk for the feature.
But I think the issue is still open for discussion...
>
> LA57 is special because it's entirely reasonable, likely even, for a host to
> only want to use 48-bit virtual addresses, but still want to let the guest enable
> LA57.
>
>> @@ -4934,6 +4935,14 @@ static void vmx_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event)
>>
>> vmcs_write32(VM_ENTRY_INTR_INFO_FIELD, 0); /* 22.2.1 */
>>
>> + if (kvm_cpu_cap_has(X86_FEATURE_SHSTK)) {
>> + vmcs_writel(GUEST_SSP, 0);
>> + vmcs_writel(GUEST_S_CET, 0);
>> + vmcs_writel(GUEST_INTR_SSP_TABLE, 0);
>> + } else if (kvm_cpu_cap_has(X86_FEATURE_IBT)) {
>> + vmcs_writel(GUEST_S_CET, 0);
>> + }
> Similar to my comments about MSR interception, I think it would be better to
> explicitly handle the "common" field. At first glance, code like the above makes
> it look like IBT is mutually exclusive with SHSTK, e.g. a reader that isn't
> looking closely could easily miss that both paths write GUEST_S_CET.
Sure,thanks!
>
> if (kvm_cpu_cap_has(X86_FEATURE_SHSTK)) {
> vmcs_writel(GUEST_SSP, 0);
> vmcs_writel(GUEST_INTR_SSP_TABLE, 0);
> }
> if (kvm_cpu_cap_has(X86_FEATURE_IBT) ||
> kvm_cpu_cap_has(X86_FEATURE_SHSTK))
> vmcs_writel(GUEST_S_CET, 0);
Powered by blists - more mailing lists