lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ZvQaNRhrsSJTYji3@google.com>
Date: Wed, 25 Sep 2024 07:12:05 -0700
From: Sean Christopherson <seanjc@...gle.com>
To: Xin Li <xin@...or.com>
Cc: Chao Gao <chao.gao@...el.com>, Xin Li <xin3.li@...el.com>, linux-kernel@...r.kernel.org, 
	kvm@...r.kernel.org, linux-doc@...r.kernel.org, 
	linux-kselftest@...r.kernel.org, pbonzini@...hat.com, corbet@....net, 
	tglx@...utronix.de, mingo@...hat.com, bp@...en8.de, 
	dave.hansen@...ux.intel.com, x86@...nel.org, hpa@...or.com, shuah@...nel.org, 
	vkuznets@...hat.com, peterz@...radead.org, ravi.v.shankar@...el.com
Subject: Re: [PATCH v2 07/25] KVM: VMX: Set intercept for FRED MSRs

On Wed, Sep 18, 2024, Xin Li wrote:
> > > MSR_IA32_FRED_SSP0 is an alias of the CET MSR_IA32_PL0_SSP and likely to
> > > be used in the same way as FRED RSP0, i.e., host FRED SSP0 _should_ be
> > > restored in arch_exit_to_user_mode_prepare().  However as of today Linux
> > > has no plan to utilize kernel shadow stack thus no one cares host FRED
> > > SSP0 (no?).  But lets say anyway it is host's responsibility to manage
> > > host FRED SSP0, then KVM only needs to take care of guest FRED SSP0
> > > (just like how KVM should handle guest FRED RSP0) even before the
> > > supervisor shadow stack feature is advertised to guest.
> > 
> > Heh, I'm not sure what your question is, or if there even is a question.  KVM
> > needs to context switch FRED SSP0 if FRED is exposed to the guest, but presumably
> > that will be done through XSAVE state?  If that's the long term plan, I would
> > prefer to focus on merging CET virtualization first, and then land FRED virtualization
> > on top so that KVM doesn't have to carry intermediate code to deal with the aliased
> > MSR.
> 
> You mean the following patch set, right?

Yep, and presumably the KVM support as well:

https://lore.kernel.org/all/20240219074733.122080-1-weijiang.yang@intel.com

> https://lore.kernel.org/kvm/20240531090331.13713-1-weijiang.yang@intel.com/

...

> > Ugh, but what happens if a CPU (or the host kernel) supports FRED but not CET SS?
> > Or is that effectively an illegal combination?
> 
> The FRED Spec says:
> 
> IA32_FRED_SSP1, IA32_FRED_SSP2, and IA32_FRED_SSP3 (MSR indices 1D1H–
> 1D3H). Together with the existing MSR IA32_PL0_SSP (MSR index 6A4H), these
> are the FRED SSP MSRs.
> 
> The FRED SSP MSRs are supported by any processor that enumerates
> CPUID.(EAX=7,ECX=1):EAX.FRED[bit 17] as 1. If such a processor does not
> support CET, FRED transitions will not use the MSRs (because shadow stacks
> are not enabled), but the MSRs would still be accessible using RDMSR and
> WRMSR.
> 
> 
> So they are independent, just that FRED SSP MSRs are NOT used if
> supervisor shadow stacks are not enabled (obviously Qemu can be
> configured to not advertise CET but FRED).
> 
> When FRED is advertised to a guest, KVM should allow FRED SSP MSRs
> accesses through disabling FRED SSP MSRs interception no matter whether
> supervisor shadow stacks are enabled or not.

KVM doesn't necessarily need to disabling MSR interception, e.g. if the expectation
is that the guest will rarely/never access the MSRs when CET is unsupported, then
we're likely better off going with a trap-and-emulate model.  KVM needs to emulate
RDMSR and WRMSR no matter what, e.g. in case the guest triggers a WRMSR when KVM
is emulating, and so that userspace can get/set MSR values.

And this means that yes, FRED virtualization needs to land after CET virtualization,
otherwise managing the conflicts/dependencies will be a nightmare.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ