Message-ID: <aNIJawIapU86zXZG@intel.com>
Date: Tue, 23 Sep 2025 10:43:55 +0800
From: Chao Gao <chao.gao@...el.com>
To: Sean Christopherson <seanjc@...gle.com>
CC: Paolo Bonzini <pbonzini@...hat.com>, <kvm@...r.kernel.org>,
	<linux-kernel@...r.kernel.org>, Tom Lendacky <thomas.lendacky@....com>,
	Mathias Krause <minipli@...ecurity.net>, John Allen <john.allen@....com>,
	Rick Edgecombe <rick.p.edgecombe@...el.com>, Binbin Wu
	<binbin.wu@...ux.intel.com>, Xiaoyao Li <xiaoyao.li@...el.com>, "Maxim
 Levitsky" <mlevitsk@...hat.com>, Zhang Yi Z <yi.z.zhang@...ux.intel.com>,
	"Xin Li" <xin@...or.com>
Subject: Re: [PATCH v16 34/51] KVM: nVMX: Advertise new VM-Entry/Exit control
 bits for CET state

>Advertise support if and only if KVM supports at least one of IBT or SHSTK.
>While it's userspace's responsibility to provide a consistent CPU model to
>the guest, that doesn't mean KVM should set userspace up to fail.

Makes sense.

>@@ -7178,13 +7178,17 @@ static void nested_vmx_setup_exit_ctls(struct vmcs_config *vmcs_conf,
> 		VM_EXIT_HOST_ADDR_SPACE_SIZE |
> #endif
> 		VM_EXIT_LOAD_IA32_PAT | VM_EXIT_SAVE_IA32_PAT |
>-		VM_EXIT_CLEAR_BNDCFGS;
>+		VM_EXIT_CLEAR_BNDCFGS | VM_EXIT_LOAD_CET_STATE;
> 	msrs->exit_ctls_high |=
> 		VM_EXIT_ALWAYSON_WITHOUT_TRUE_MSR |
> 		VM_EXIT_LOAD_IA32_EFER | VM_EXIT_SAVE_IA32_EFER |
> 		VM_EXIT_SAVE_VMX_PREEMPTION_TIMER | VM_EXIT_ACK_INTR_ON_EXIT |
> 		VM_EXIT_LOAD_IA32_PERF_GLOBAL_CTRL;
> 
>+	if (!kvm_cpu_cap_has(X86_FEATURE_SHSTK) &&
>+	    !kvm_cpu_cap_has(X86_FEATURE_IBT))
>+		msrs->exit_ctls_high &= ~VM_EXIT_LOAD_CET_STATE;

...

>+
> 	/* We support free control of debug control saving. */
> 	msrs->exit_ctls_low &= ~VM_EXIT_SAVE_DEBUG_CONTROLS;
> }
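
Review bot: The SHSTK/IBT check added ahead of the "free control of debug control saving" comment has no comment of its own, unlike the exit_ctls_low adjustment right after it. A one-line comment saying that VM_EXIT_LOAD_CET_STATE is advertised only when KVM supports at least one of SHSTK or IBT would help, and since the identical condition is needed for the entry controls as well, a small shared helper for the check would keep the two sites from drifting apart.
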
>@@ -7200,11 +7204,16 @@ static void nested_vmx_setup_entry_ctls(struct vmcs_config *vmcs_conf,
> #ifdef CONFIG_X86_64
> 		VM_ENTRY_IA32E_MODE |
> #endif
>-		VM_ENTRY_LOAD_IA32_PAT | VM_ENTRY_LOAD_BNDCFGS;
>+		VM_ENTRY_LOAD_IA32_PAT | VM_ENTRY_LOAD_BNDCFGS |
>+		VM_ENTRY_LOAD_CET_STATE;
> 	msrs->entry_ctls_high |=
> 		(VM_ENTRY_ALWAYSON_WITHOUT_TRUE_MSR | VM_ENTRY_LOAD_IA32_EFER |
> 		 VM_ENTRY_LOAD_IA32_PERF_GLOBAL_CTRL);
> 
>+	if (!kvm_cpu_cap_has(X86_FEATURE_SHSTK) &&
>+	    !kvm_cpu_cap_has(X86_FEATURE_IBT))
>+		msrs->exit_ctls_high &= ~VM_ENTRY_LOAD_CET_STATE;

One copy-paste error here. s/exit_ctls_high/entry_ctls_high/

>+
> 	/* We support free control of debug control loading. */
> 	msrs->entry_ctls_low &= ~VM_ENTRY_LOAD_DEBUG_CONTROLS;
> }
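
Review bot: In nested_vmx_setup_entry_ctls(), the new clearing statement masks the wrong field: `msrs->exit_ctls_high &= ~VM_ENTRY_LOAD_CET_STATE;` applies an entry-control bit to the exit controls. As written, VM_ENTRY_LOAD_CET_STATE stays set in entry_ctls_high even when neither SHSTK nor IBT is supported, and whichever VM-exit control shares that bit position is cleared from exit_ctls_high instead. The statement should read `msrs->entry_ctls_high &= ~VM_ENTRY_LOAD_CET_STATE;`.
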
>-- 
>2.51.0.470.ga7dc726c21-goog
>
