| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aMl3bAHObST4b1S/@intel.com>
Date: Tue, 16 Sep 2025 22:42:52 +0800
From: Chao Gao <chao.gao@...el.com>
To: Sean Christopherson <seanjc@...gle.com>
CC: Xiaoyao Li <xiaoyao.li@...el.com>, <kvm@...r.kernel.org>,
<linux-kernel@...r.kernel.org>, <acme@...hat.com>, <bp@...en8.de>,
<dave.hansen@...ux.intel.com>, <hpa@...or.com>, <john.allen@....com>,
<mingo@...nel.org>, <mingo@...hat.com>, <minipli@...ecurity.net>,
<mlevitsk@...hat.com>, <namhyung@...nel.org>, <pbonzini@...hat.com>,
<prsampat@....com>, <rick.p.edgecombe@...el.com>, <shuah@...nel.org>,
<tglx@...utronix.de>, <weijiang.yang@...el.com>, <x86@...nel.org>,
<xin@...or.com>
Subject: Re: [PATCH v14 15/22] KVM: x86: Don't emulate instructions guarded
by CET
>On second thought, I think it's worth doing the CPL checks. Explaining why KVM
>doesn't bother with checking privilege level is more work than just writing the
>code.
>
> /*
> * Reject emulation if KVM might need to emulate shadow stack updates
> * and/or indirect branch tracking enforcement, which the emulator
> * doesn't support.
> */
> if (opcode.flags & (ShadowStack | IndirBrnTrk) &&
> ctxt->ops->get_cr(ctxt, 4) & X86_CR4_CET) {
> u64 u_cet = 0, s_cet = 0;
>
> /*
> * Check both User and Supervisor on far transfers as inter-
> * privilege level transfers are impacted by CET at the target
> * privilege levels, and that is not known at this time. The
> * the expectation is that the guest will not require emulation
> * of any CET-affected instructions at any privilege level.
> */
> if (!(opcode.flags & NearBranch)) {
> u_cet = s_cet = CET_SHSTK_EN | CET_ENDBR_EN;
> } else if (ctxt->ops->cpl(ctxt) == 3) {
> u_cet = CET_SHSTK_EN | CET_ENDBR_EN;
> } else {
> s_cet = CET_SHSTK_EN | CET_ENDBR_EN;
> }
>
> if ((u_cet && ctxt->ops->get_msr(ctxt, MSR_IA32_U_CET, &u_cet)) ||
> (s_cet && ctxt->ops->get_msr(ctxt, MSR_IA32_S_CET, &s_cet)))
> return EMULATION_FAILED;
>
> if ((u_cet | s_cet) & CET_SHSTK_EN && opcode.flags & ShadowStack)
> return EMULATION_FAILED;
>
> if ((u_cet | s_cet) & CET_ENDBR_EN && opcode.flags & IndirBrnTrk)
> return EMULATION_FAILED;
> }
>
>Side topic, has anyone actually tested that this works? I.e. that attempts to
>emulate CET-affected instructions result in emulation failure?
I haven't. :(
>I'd love to have
>a selftest for this (hint, hint), but presumably writing one is non-trivial due
>to the need to get the selftest compiled with the necessary annotations, setup,
>and whatnot.
Sure. I'll try to write a selftest for this, but I'm unsure about its
complexity. Can you clarify what you mean by "necessary annotations,
setup..."? It seems to me that some simple assembly code, like
test_em_rdmsr(), should work.
For now, I plan to do a quick test by tweaking KUT's cet.c to force
emulation of CET-affected instructions.
Powered by blists - more mailing lists