Control-flow Enforcement Technology (CET) provides protection against return/jump-oriented programming (ROP) attacks. To make kvm Guest OS own the capability, this patch-set is required. It enables CET related CPUID report, xsaves/xrstors, vmx entry configuration etc. for Guest OS. PATCH 1 : Define CET VMCS fields and bits. PATCH 2/3 : Report CET feature support in CPUID. PATCH 4 : Fix xsaves size calculation issue. PATCH 5 : Pass through CET MSRs to Guest. PATCH 6 : Set Guest CET state auto loading bit. PATCH 7 : Enable CET xsaves bits support in XSS. PATCH 8 : Add CET MSR user space access interface. Changelog: v3: - Modified patches to make Guest CET independent to Host enabling. - Added patch 8 to add user space access for Guest CET MSR access. - Modified code comments and patch description to reflect changes. v2: - Re-ordered patch sequence, combined one patch. - Added more description for CET related VMCS fields. - Added Host CET capability check while enabling Guest CET loading bit. - Added Host CET capability check while reporting Guest CPUID(EAX=7, EXC=0). - Modified code in reporting Guest CPUID(EAX=D,ECX>=1), make it clearer. - Added Host and Guest XSS mask check while setting bits for Guest XSS. Yang Weijiang (8): KVM:VMX: Define CET VMCS fields and bits KVM:CPUID: Define CET CPUID bits and CR4.CET master enable bit. KVM:CPUID: Add CPUID support for Guest CET KVM:CPUID: Fix xsaves area size calculation for CPUID.(EAX=0xD,ECX=1). KVM:VMX: Pass through host CET related MSRs to Guest. KVM:VMX: Load Guest CET via VMCS when CET is enabled in Guest KVM:X86: Add XSS bit 11 and 12 support for CET xsaves/xrstors. KVM:X86: Add user-space read/write interface for CET MSRs. arch/x86/include/asm/kvm_host.h | 3 +- arch/x86/include/asm/vmx.h | 8 ++++ arch/x86/kvm/cpuid.c | 67 ++++++++++++++++++++++++--------- arch/x86/kvm/vmx.c | 53 ++++++++++++++++++++++++-- arch/x86/kvm/x86.c | 46 ++++++++++++++++++++-- arch/x86/kvm/x86.h | 4 ++ 6 files changed, 157 insertions(+), 24 deletions(-) -- 2.17.1
