| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <bebd47e3-2434-4b0d-953e-166150decdec@linux.intel.com>
Date: Mon, 22 Sep 2025 15:31:35 +0800
From: Binbin Wu <binbin.wu@...ux.intel.com>
To: Sean Christopherson <seanjc@...gle.com>
Cc: Paolo Bonzini <pbonzini@...hat.com>, kvm@...r.kernel.org,
linux-kernel@...r.kernel.org, Tom Lendacky <thomas.lendacky@....com>,
Mathias Krause <minipli@...ecurity.net>, John Allen <john.allen@....com>,
Rick Edgecombe <rick.p.edgecombe@...el.com>, Chao Gao <chao.gao@...el.com>,
Xiaoyao Li <xiaoyao.li@...el.com>, Maxim Levitsky <mlevitsk@...hat.com>,
Zhang Yi Z <yi.z.zhang@...ux.intel.com>, Xin Li <xin@...or.com>
Subject: Re: [PATCH v16 25/51] KVM: x86: Add XSS support for CET_KERNEL and
CET_USER
On 9/20/2025 6:32 AM, Sean Christopherson wrote:
> From: Yang Weijiang <weijiang.yang@...el.com>
>
> Add CET_KERNEL and CET_USER to KVM's set of supported XSS bits when IBT
> *or* SHSTK is supported. Like CR4.CET, XFEATURE support for IBT and SHSTK
> are bundle together under the CET umbrella, and thus prone to
> virtualization holes if KVM or the guest supports only one of IBT or SHSTK,
> but hardware supports both. However, again like CR4.CET, such
> virtualization holes are benign from the host's perspective so long as KVM
> takes care to always honor the "or" logic.
>
> Require CET_KERNEL and CET_USER to come as a pair, and refuse to support
> IBT or SHSTK if one (or both) features is missing, as the (host) kernel
> expects them to come as a pair, i.e. may get confused and corrupt state if
> only one of CET_KERNEL or CET_USER is supported.
>
> Signed-off-by: Yang Weijiang <weijiang.yang@...el.com>
> Signed-off-by: Mathias Krause <minipli@...ecurity.net>
> Tested-by: Mathias Krause <minipli@...ecurity.net>
> Tested-by: John Allen <john.allen@....com>
> Tested-by: Rick Edgecombe <rick.p.edgecombe@...el.com>
> Signed-off-by: Chao Gao <chao.gao@...el.com>
> [sean: split to separate patch, write changelog, add XFEATURE_MASK_CET_ALL]
> Signed-off-by: Sean Christopherson <seanjc@...gle.com>
Reviewed-by: Binbin Wu <binbin.wu@...ux.intel.com>
> ---
> arch/x86/kvm/x86.c | 18 +++++++++++++++---
> 1 file changed, 15 insertions(+), 3 deletions(-)
>
> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> index 40596fc5142e..4a0ff0403bb2 100644
> --- a/arch/x86/kvm/x86.c
> +++ b/arch/x86/kvm/x86.c
> @@ -220,13 +220,14 @@ static struct kvm_user_return_msrs __percpu *user_return_msrs;
> | XFEATURE_MASK_BNDCSR | XFEATURE_MASK_AVX512 \
> | XFEATURE_MASK_PKRU | XFEATURE_MASK_XTILE)
>
> +#define XFEATURE_MASK_CET_ALL (XFEATURE_MASK_CET_USER | XFEATURE_MASK_CET_KERNEL)
> /*
> * Note, KVM supports exposing PT to the guest, but does not support context
> * switching PT via XSTATE (KVM's PT virtualization relies on perf; swapping
> * PT via guest XSTATE would clobber perf state), i.e. KVM doesn't support
> * IA32_XSS[bit 8] (guests can/must use RDMSR/WRMSR to save/restore PT MSRs).
> */
> -#define KVM_SUPPORTED_XSS 0
> +#define KVM_SUPPORTED_XSS (XFEATURE_MASK_CET_ALL)
>
> bool __read_mostly allow_smaller_maxphyaddr = 0;
> EXPORT_SYMBOL_GPL(allow_smaller_maxphyaddr);
> @@ -10104,6 +10105,16 @@ int kvm_x86_vendor_init(struct kvm_x86_init_ops *ops)
> if (!kvm_cpu_cap_has(X86_FEATURE_XSAVES))
> kvm_caps.supported_xss = 0;
>
> + if (!kvm_cpu_cap_has(X86_FEATURE_SHSTK) &&
> + !kvm_cpu_cap_has(X86_FEATURE_IBT))
> + kvm_caps.supported_xss &= ~XFEATURE_MASK_CET_ALL;
> +
> + if ((kvm_caps.supported_xss & XFEATURE_MASK_CET_ALL) != XFEATURE_MASK_CET_ALL) {
> + kvm_cpu_cap_clear(X86_FEATURE_SHSTK);
> + kvm_cpu_cap_clear(X86_FEATURE_IBT);
> + kvm_caps.supported_xss &= ~XFEATURE_MASK_CET_ALL;
> + }
> +
> if (kvm_caps.has_tsc_control) {
> /*
> * Make sure the user can only configure tsc_khz values that
> @@ -12775,10 +12786,11 @@ static void kvm_xstate_reset(struct kvm_vcpu *vcpu, bool init_event)
> /*
> * On INIT, only select XSTATE components are zeroed, most components
> * are unchanged. Currently, the only components that are zeroed and
> - * supported by KVM are MPX related.
> + * supported by KVM are MPX and CET related.
> */
> xfeatures_mask = (kvm_caps.supported_xcr0 | kvm_caps.supported_xss) &
> - (XFEATURE_MASK_BNDREGS | XFEATURE_MASK_BNDCSR);
> + (XFEATURE_MASK_BNDREGS | XFEATURE_MASK_BNDCSR |
> + XFEATURE_MASK_CET_ALL);
> if (!xfeatures_mask)
> return;
>
Powered by blists - more mailing lists