On 08/03/19 17:28, Sean Christopherson wrote: > On Mon, Mar 04, 2019 at 08:36:55PM +0800, Yang Weijiang wrote: >> On Mon, Mar 04, 2019 at 07:12:02PM -0800, Sean Christopherson wrote: >>> On Mon, Mar 04, 2019 at 05:56:40PM +0800, Yang Weijiang wrote: >>>> Cannot agree with you more! >>>> This is some design limitation, but from my point of view, once vmm >>>> exposes CET capability to guest via CPUID, it grants the guest kernel freedom to choose >>>> which features to be enabled, we don't need to add extra constraints on >>>> the usage. >>> >>> But if KVM allows SHSTK and IBT to be toggled independently then the VMM >>> has only exposed SHSTK or IBT, not CET as whole. >>> >>> Even if SHSTK and IBT are bundled together the guest still has to opt-in >>> to enabling each feature. I don't see what we gain by pretending that >>> SHSTK/IBT can be individually exposed to the guest, and on the flip side >>> doing so creates a virtualization hole. >> you almost convinced me ;-), maybe I'll make the feature as a bundle in >> next release after check with kernel team. BTW, what do you mean by >> saying "create a virtualization hole"? Is it what you stated in above >> reply? > > By "virtualization hole" I mean the guest would be able to use a feature > that the virtual CPU model says isn't supported. I think it's okay to leave the hole and leave it to userspace to forbid enabling only one of the bits. Paolo > After rereading the XSS architecture, there's a marginally less crappy > option for handling XRSTOR as we could use the XSS_EXIT_BITMAP to > intercept XRSTOR if SHSTK != IBT and the guest is restoring CET state, > e.g. to ensure the guest isn't setting IA32_PL*_SSP if !SHSTK and isn't > setting bits that are effectively reserved in IA32_U_CET. > > But practically speaking that'd be the same as intercepting XRSTORS > unconditionally when the guest is using CET, i.e. it's still going to > tank the performance of a guest that uses CET+XSAVES/XRSTORS. >