On Wed, Oct 02, 2019 at 11:04:07AM -0700, Jim Mattson wrote: > On Thu, Sep 26, 2019 at 7:17 PM Yang Weijiang <weijiang.yang@xxxxxxxxx> wrote: > > > > CET(Control-flow Enforcement Technology) is an upcoming Intel(R) > > processor feature that blocks Return/Jump-Oriented Programming(ROP) > > attacks. It provides the following capabilities to defend > > against ROP/JOP style control-flow subversion attacks: > > /* > > diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c > > index 9d282fec0a62..1aa86b87b6ab 100644 > > --- a/arch/x86/kvm/cpuid.c > > +++ b/arch/x86/kvm/cpuid.c > > @@ -365,13 +365,13 @@ static inline void do_cpuid_7_mask(struct kvm_cpuid_entry2 *entry, int index) > > F(AVX512VBMI) | F(LA57) | F(PKU) | 0 /*OSPKE*/ | > > F(AVX512_VPOPCNTDQ) | F(UMIP) | F(AVX512_VBMI2) | F(GFNI) | > > F(VAES) | F(VPCLMULQDQ) | F(AVX512_VNNI) | F(AVX512_BITALG) | > > - F(CLDEMOTE) | F(MOVDIRI) | F(MOVDIR64B); > > + F(CLDEMOTE) | F(MOVDIRI) | F(MOVDIR64B) | F(SHSTK); > > > > /* cpuid 7.0.edx*/ > > const u32 kvm_cpuid_7_0_edx_x86_features = > > F(AVX512_4VNNIW) | F(AVX512_4FMAPS) | F(SPEC_CTRL) | > > F(SPEC_CTRL_SSBD) | F(ARCH_CAPABILITIES) | F(INTEL_STIBP) | > > - F(MD_CLEAR); > > + F(MD_CLEAR) | F(IBT); > > Claiming that SHSTK and IBT are supported in the guest seems premature > as of this change, since you haven't actually done anything to > virtualize the features yet. > OK, will put the flags in other patch. > > /* cpuid 7.1.eax */ > > const u32 kvm_cpuid_7_1_eax_x86_features = > > diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h > > index fbffabad0370..a85800b23e6e 100644 > > --- a/arch/x86/kvm/x86.h > > +++ b/arch/x86/kvm/x86.h > > @@ -298,7 +298,8 @@ int x86_emulate_instruction(struct kvm_vcpu *vcpu, unsigned long cr2, > > * Right now, no XSS states are used on x86 platform, > > * expand the macro for new features. > > */ > > -#define KVM_SUPPORTED_XSS (0) > > +#define KVM_SUPPORTED_XSS (XFEATURE_MASK_CET_USER \ > > + | XFEATURE_MASK_CET_KERNEL) > > If IA32_XSS can dynamically change within the guest, it will have to > be enumerated by KVM_GET_MSR_INDEX_LIST. thanks for pointing it out, need to add IA32_XSS to msrs_to_save list. >(Note that Aaron Lewis is > working on a series which will include that enumeration, if you'd like > to wait.) I'm also not convinced that there is sufficient > virtualization of these features to allow these bits to be set in the > guest IA32_XSS at this point. > It's true CET is working in guest after I added XSS/XSAVES support in KVM and QEMU, but I'd like to look at Aaron's new patch... > > extern u64 host_xcr0; > > > > -- > > 2.17.2 > >
