On Mon, Mar 18, 2019 at 11:03:43PM +0800, Yang Weijiang wrote: > Control-flow Enforcement Technology (CET) provides protection against > return/jump-oriented programming (ROP) attacks. To make kvm Guest OS own > the capability, this patch-set is required. It enables CET related CPUID > report, xsaves/xrstors, vmx entry configuration etc. for Guest OS. > > PATCH 1 : Define CET VMCS fields and bits. > PATCH 2/3 : Report CET feature support in CPUID. > PATCH 4 : Fix xsaves size calculation issue. > PATCH 5 : Pass through CET MSRs to Guest. > PATCH 6 : Set Guest CET state auto loading bit. > PATCH 7 : Load Guest fpu state when accessing CET XSAVES managed MSRs. > PATCH 8 : Add CET MSR user space access interface. > > Changelog: > > v4: > - Add Sean's patch for loading Guest fpu state before access XSAVES > managed CET MSRs. > - Melt down CET bits setting into CPUID configuration patch. > - Add VMX interface to query Host XSS. > - Check Host and Guest XSS support bits before set Guest XSS. > - Make Guest SHSTK and IBT feature enabling independent. > - Do not report CET support to Guest when Host CET feature is > Disabled. > > v3: > - Modified patches to make Guest CET independent to Host enabling. > - Added patch 8 to add user space access for Guest CET MSR access. > - Modified code comments and patch description to reflect changes. > > v2: > - Re-ordered patch sequence, combined one patch. > - Added more description for CET related VMCS fields. > - Added Host CET capability check while enabling Guest CET loading bit. > - Added Host CET capability check while reporting Guest CPUID(EAX=7, > EXC=0). > - Modified code in reporting Guest CPUID(EAX=D,ECX>=1), make it clearer. > - Added Host and Guest XSS mask check while setting bits for Guest XSS. > > > Sean Christopherson (1): > KVM:x86: load guest fpu state when accessing MSRs managed by XSAVES > > Yang Weijiang (7): > KVM:VMX: Define CET VMCS fields and bits > KVM:CPUID: Add CET CPUID support for Guest > KVM:CPUID: Fix xsaves area size calculation for CPUID.(EAX=0xD,ECX=1). > KVM:VMX: Pass through host CET related MSRs to Guest. > KVM:VMX: Load Guest CET via VMCS when CET is enabled in Guest > KVM:x86: Allow Guest to set supported bits in XSS > KVM:x86: Add user-space read/write interface for CET MSRs > > arch/x86/include/asm/kvm_host.h | 5 +- > arch/x86/include/asm/msr-index.h | 2 + > arch/x86/include/asm/vmx.h | 8 +++ > arch/x86/kvm/cpuid.c | 53 ++++++++++++++------ > arch/x86/kvm/vmx.c | 86 ++++++++++++++++++++++++++++++-- > arch/x86/kvm/x86.c | 32 +++++++++++- > arch/x86/kvm/x86.h | 4 ++ > 7 files changed, 167 insertions(+), 23 deletions(-) > > -- > 2.17.1 Hi, Paolo and Sean, Do you have any comments on v4 patches?
