| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <36e0a671-6463-4bab-b5f1-63499838358d@citrix.com>
Date: Tue, 26 Aug 2025 19:50:41 +0100
From: Andrew Cooper <andrew.cooper3@...rix.com>
To: Xin Li <xin@...or.com>, linux-kernel@...r.kernel.org,
kvm@...r.kernel.org, linux-doc@...r.kernel.org
Cc: pbonzini@...hat.com, seanjc@...gle.com, corbet@....net,
tglx@...utronix.de, mingo@...hat.com, bp@...en8.de,
dave.hansen@...ux.intel.com, x86@...nel.org, hpa@...or.com, luto@...nel.org,
peterz@...radead.org, chao.gao@...el.com, hch@...radead.org
Subject: Re: [PATCH v6 06/20] KVM: VMX: Set FRED MSR intercepts
On 25/08/2025 3:51 am, Xin Li wrote:
> On 8/21/2025 3:36 PM, Xin Li (Intel) wrote:
>> + /*
>> + * MSR_IA32_FRED_RSP0 and MSR_IA32_PL0_SSP (aka
>> MSR_IA32_FRED_SSP0) are
>> + * designated for event delivery while executing in userspace.
>> Since
>> + * KVM operates exclusively in kernel mode (the CPL is always 0
>> after
>> + * any VM exit), KVM can safely retain and operate with the
>> guest-defined
>> + * values for MSR_IA32_FRED_RSP0 and MSR_IA32_PL0_SSP.
>> + *
>> + * Therefore, interception of MSR_IA32_FRED_RSP0 and
>> MSR_IA32_PL0_SSP
>> + * is not required.
>> + *
>> + * Note, save and restore of MSR_IA32_PL0_SSP belong to CET
>> supervisor
>> + * context management. However the FRED SSP MSRs, including
>> + * MSR_IA32_PL0_SSP, are supported by any processor that
>> enumerates FRED.
>> + * If such a processor does not support CET, FRED transitions
>> will not
>> + * use the MSRs, but the MSRs would still be accessible using
>> MSR-access
>> + * instructions (e.g., RDMSR, WRMSR).
>> + */
>> + vmx_set_intercept_for_msr(vcpu, MSR_IA32_FRED_RSP0, MSR_TYPE_RW,
>> intercept);
>> + vmx_set_intercept_for_msr(vcpu, MSR_IA32_PL0_SSP, MSR_TYPE_RW,
>> intercept);
>
> Hi Sean,
>
> I'd like to bring up an issue concerning MSR_IA32_PL0_SSP.
>
> The FRED spec claims:
>
> The FRED SSP MSRs are supported by any processor that enumerates
> CPUID.(EAX=7,ECX=1):EAX.FRED[bit 17] as 1. If such a processor does not
> support CET, FRED transitions will not use the MSRs (because shadow
> stacks
> are not enabled), but the MSRs would still be accessible using MSR-access
> instructions (e.g., RDMSR, WRMSR).
This is silly. AIUI, all CPUs that have FRED also have CET-SS, so in
practice they all have these MSRs.
But from an architectural point of view, if CET-SS isn't available,
these MSRs shouldn't be either. A guest which can't use CET-SS has no
reason to touch these MSRs at all.
MSR_PL0_SSP (== MSR_FRED_SSP_SL0) is gated on CET-SS alone (it already
exists in CPUs), while MSR_FRED_SSP_SL{1..3} should be gated on CET-SS
&& FRED, and should be reserved[1] otherwise.
This distinction only matters for guests, and adding the CET-SS
precondition makes things simpler overall for both VMMs and guests. So
can't this just be fixed up before being integrated into the SDM?
~Andrew
[1] I have a sneaking suspicion there's a SKU reason why the spec is
written that way, and "Reserved" is still the right behaviour to have
for !CET-SS || !FRED.
Powered by blists - more mailing lists