On Wed, Jul 22, 2020 at 12:48:05PM -0700, Sean Christopherson wrote:
> On Thu, Jul 16, 2020 at 11:16:16AM +0800, Yang Weijiang wrote:
> > Control-flow Enforcement Technology (CET) provides protection against
> > Return/Jump-Oriented Programming (ROP/JOP) attacks. There're two CET
> > sub-features: Shadow Stack (SHSTK) and Indirect Branch Tracking (IBT).
> > SHSTK is to prevent ROP programming and IBT is to prevent JOP programming.
> >
> > Several parts in KVM have been updated to provide VM CET support, including:
> > CPUID/XSAVES config, MSR pass-through, user space MSR access interface,
> > vmentry/vmexit config, nested VM etc. These patches have dependency on CET
> > kernel patches for xsaves support and CET definitions, e.g., MSR and related
> > feature flags.
> >
> > CET kernel patches are here:
> > https://lkml.kernel.org/r/20200429220732.31602-1-yu-cheng.yu@xxxxxxxxx
> >
> > v13:
> > - Added CET definitions as a separate patch to facilitate KVM test.
>
> What I actually want to do is pull in actual kernel patches themselves so
> that we can upstream KVM support without having to wait for the kernel to
> sort out the ABI, which seems like it's going to drag on.

That's an innovative idea and beyond my imagination, great! :-)

> I was thinking that we'd only need the MSR/CR4/CPUID definitions, but forgot
> that KVM also needs XSAVES context switching, so it's not as simple as I was
> thinking. It's still relatively simple, but it means there would be
> functional changes in the kernel.
>
> I'll respond to the main SSP series to pose the question of taking the two
> small-ish kernel patches through the KVM tree.
>
> > arch/x86/include/asm/kvm_host.h      |   4 +-
> > arch/x86/include/asm/vmx.h           |   8 +
> > arch/x86/include/uapi/asm/kvm.h      |   1 +
> > arch/x86/include/uapi/asm/kvm_para.h |   7 +-
> > arch/x86/kvm/cpuid.c                 |  28 ++-
> > arch/x86/kvm/vmx/capabilities.h      |   5 +
> > arch/x86/kvm/vmx/nested.c            |  34 ++++
> > arch/x86/kvm/vmx/vmcs12.c            | 267 ++++++++++++++++-----------
> > arch/x86/kvm/vmx/vmcs12.h            |  14 +-
> > arch/x86/kvm/vmx/vmx.c               | 262 +++++++++++++++++++++++++-
> > arch/x86/kvm/x86.c                   |  53 +++++-
> > arch/x86/kvm/x86.h                   |   2 +-
> > include/linux/kvm_host.h             |  32 ++++
> > 13 files changed, 590 insertions(+), 127 deletions(-)
>
> I have quite a few comments/changes (will respond to individual patches),
> but have done all the updates/rework and, assuming I haven't broken things,
> we're nearing the point where I can carry this and push it past the finish
> line, e.g. get acks from tip/x86 maintainers for the kernel patches and
> send a pull request to Paolo.
>
> I pushed the result to:
>
> https://github.com/sean-jc/linux/releases/tag/kvm-cet-v14-rc1
>
> can you please review and test? If everything looks good, I'll post v14.
> If not, I'll work offline with you to get it into shape.
>

Thanks a lot for the efforts! I'll review and test the new patches and let
you know the status.

> Thanks!