| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aHisz7hU0VGsf78Z@intel.com> Date: Thu, 17 Jul 2025 15:57:03 +0800 From: Chao Gao <chao.gao@...el.com> To: Mathias Krause <minipli@...ecurity.net> CC: John Allen <john.allen@....com>, Xiaoyao Li <xiaoyao.li@...el.com>, <kvm@...r.kernel.org>, <linux-kernel@...r.kernel.org>, <x86@...nel.org>, <seanjc@...gle.com>, <pbonzini@...hat.com>, <dave.hansen@...el.com>, <rick.p.edgecombe@...el.com>, <mlevitsk@...hat.com>, <weijiang.yang@...el.com>, <xin@...or.com>, Borislav Petkov <bp@...en8.de>, Dave Hansen <dave.hansen@...ux.intel.com>, "H. Peter Anvin" <hpa@...or.com>, Ingo Molnar <mingo@...hat.com>, Thomas Gleixner <tglx@...utronix.de> Subject: Re: [PATCH v11 00/23] Enable CET Virtualization On Thu, Jul 17, 2025 at 09:00:04AM +0200, Mathias Krause wrote: >On 16.07.25 22:36, John Allen wrote: >> On Mon, Jul 07, 2025 at 09:32:37AM +0800, Chao Gao wrote: >>> On Mon, Jul 07, 2025 at 12:51:14AM +0800, Xiaoyao Li wrote: >>>> Hi Chao, >>>> >>>> On 7/4/2025 4:49 PM, Chao Gao wrote: >>>>> Tests: >>>>> ====================== >>>>> This series passed basic CET user shadow stack test and kernel IBT test in L1 >>>>> and L2 guest. >>>>> The patch series_has_ impact to existing vmx test cases in KVM-unit-tests,the >>>>> failures have been fixed here[1]. >>>>> One new selftest app[2] is introduced for testing CET MSRs accessibilities. >>>>> >>>>> Note, this series hasn't been tested on AMD platform yet. >>>>> >>>>> To run user SHSTK test and kernel IBT test in guest, an CET capable platform >>>>> is required, e.g., Sapphire Rapids server, and follow below steps to build >>>>> the binaries: >>>>> >>>>> 1. Host kernel: Apply this series to mainline kernel (>= v6.6) and build. >>>>> >>>>> 2. Guest kernel: Pull kernel (>= v6.6), opt-in CONFIG_X86_KERNEL_IBT >>>>> and CONFIG_X86_USER_SHADOW_STACK options. Build with CET enabled gcc versions >>>>> (>= 8.5.0). >>>>> >>>>> 3. Apply CET QEMU patches[3] before build mainline QEMU. >>>> >>>> You forgot to provide the links of [1][2][3]. >>> >>> Oops, thanks for catching this. >>> >>> Here are the links: >>> >>> [1]: KVM-unit-tests fixup: >>> https://lore.kernel.org/all/20230913235006.74172-1-weijiang.yang@intel.com/ >>> [2]: Selftest for CET MSRs: >>> https://lore.kernel.org/all/20230914064201.85605-1-weijiang.yang@intel.com/ >>> [3]: QEMU patch: >>> https://lore.kernel.org/all/20230720111445.99509-1-weijiang.yang@intel.com/ >>> >>> Please note that [1] has already been merged. And [3] is an older version of >>> CET for QEMU; I plan to post a new version for QEMU after the KVM series is >>> merged. >> >> Do you happen to have a branch with the in-progress qemu patches you are >> testing with? I'm working on testing on AMD and I'm having issues >> getting this old version of the series to work properly. Hi John, Try this branch: https://github.com/gaochaointel/qemu-dev qemu-cet Disclaimer: I haven't cleaned up the QEMU patches yet, so they are not of upstream quality. > >For me the old patches worked by changing the #define of >MSR_KVM_GUEST_SSP from 0x4b564d09 to 0x4b564dff -- on top of QEMU 9.0.1, >that is. Please note that aliasing guest SSP to the virtual MSR indexed by 0x4b564dff is not part of KVM uAPI in the v11 series. This means the index 0x4b564dff isn't stable; userspace should read/write guest SSP via KVM_GET/SET_ONE_REG ioctls.
Powered by blists - more mailing lists