On 8/6/23 10:44, Yang, Weijiang wrote:
>> Similar to my suggestion for XSS, I think we drop the waiver for
>> host_initiated accesses, i.e. require the feature to be enabled and
>> exposed to the guest, even for the host.
> I saw Paolo shares a different opinion on this, so I would hold on for a
> while...
It's not *so* different: the host initiated access should be allowed,
but it should only allow writing zero. So, something like:
+static bool kvm_cet_is_msr_accessible(struct kvm_vcpu *vcpu,
+ struct msr_data *msr)
+{
bool host_msr_reset =
msr->host_initiated && msr->data == 0;
and then below you use host_msr_reset instead of msr->host_initiated.
+ if (msr->index == MSR_KVM_GUEST_SSP)
+ return msr->host_initiated;
+
+ return msr->host_initiated ||
+ guest_cpuid_has(vcpu, X86_FEATURE_SHSTK);
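Review bot: the fallthrough `return msr->host_initiated || guest_cpuid_has(vcpu, X86_FEATURE_SHSTK);` lets userspace load any non-zero value into the shadow-stack MSRs of a vCPU whose CPUID does not advertise SHSTK, so the guest can end up with live SSP state it is not supposed to have. If the host waiver only exists so userspace can reset or zero the state, narrow it to `msr->host_initiated && msr->data == 0` for the non-GUEST_SSP case; the `MSR_KVM_GUEST_SSP` host-only check just above is fine as written, since that MSR is never guest-visible. One caveat if the narrowed waiver is adopted: whether this helper is also called on the read path is not visible here, and if it is, `msr->data` must be initialised on that path for the `== 0` comparison to mean anything.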
This can be unified like this:
return
(host_msr_reset || guest_cpuid_has(vcpu, X86_FEATURE_SHSTK)) &&
(msr->index != MSR_KVM_GUEST_SSP || msr->host_initiated);
+ }
+
+ if (!kvm_cpu_cap_has(X86_FEATURE_SHSTK) &&
+ !kvm_cpu_cap_has(X86_FEATURE_IBT))
+ return false;
+
+ return msr->host_initiated ||
+ guest_cpuid_has(vcpu, X86_FEATURE_IBT) ||
+ guest_cpuid_has(vcpu, X86_FEATURE_SHSTK);
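Review bot: the final `return msr->host_initiated || guest_cpuid_has(vcpu, X86_FEATURE_IBT) || guest_cpuid_has(vcpu, X86_FEATURE_SHSTK);` carries the same unrestricted host waiver as the shadow-stack branch: once `kvm_cpu_cap_has()` passes for either feature, userspace can write arbitrary values to these MSRs even when the guest's CPUID exposes neither IBT nor SHSTK. Restricting the waiver to a zero write (`msr->host_initiated && msr->data == 0`) keeps reset/restore of a CET-less guest working while rejecting non-zero state the guest cannot use. Keep the `kvm_cpu_cap_has()` gate ahead of that return as it is here, so a host without CET support rejects even a host-initiated zero write rather than silently accepting it.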
while this can simply use host_msr_reset.
Paolo
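To make the resulting access rules concrete, here is an added, stand-alone C model of the accessibility check with the host_msr_reset change applied. It is example code written for this page, not the patch or KVM's own code: the kvm_vcpu/msr_data structs, the feature bitmask, the host_caps global standing in for kvm_cpu_cap_has(), the MSR_KVM_GUEST_SSP value, the is_shadow_stack_msr() classification and the kvm_cpu_cap_has(SHSTK) gate in the shadow-stack branch (which the mail does not show) are all assumptions of the model.

```c
/*
 * Added example, not the patch or KVM's code: a user-space model of
 * kvm_cet_is_msr_accessible() with the host_msr_reset change applied.
 * The structs, feature bitmask, host_caps global (stand-in for
 * kvm_cpu_cap_has()), MSR_KVM_GUEST_SSP value, MSR classification and
 * the cap gate in the shadow-stack branch are assumptions of the model.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural CET MSR numbers (Intel SDM). */
#define MSR_IA32_U_CET       0x6a0
#define MSR_IA32_S_CET       0x6a2
#define MSR_IA32_PL0_SSP     0x6a4
#define MSR_IA32_PL3_SSP     0x6a7
#define MSR_IA32_INT_SSP_TAB 0x6a8
/* KVM-synthetic MSR for the current SSP; the value is a placeholder (assumption). */
#define MSR_KVM_GUEST_SSP    0x4b564d00

enum { X86_FEATURE_SHSTK = 1u << 0, X86_FEATURE_IBT = 1u << 1 };

struct kvm_vcpu { unsigned int cpuid_feats; };   /* features exposed to the guest */
struct msr_data { uint32_t index; uint64_t data; bool host_initiated; };

static unsigned int host_caps;                   /* features the host/KVM supports */

static bool kvm_cpu_cap_has(unsigned int f) { return (host_caps & f) != 0; }
static bool guest_cpuid_has(struct kvm_vcpu *v, unsigned int f)
{
	return (v->cpuid_feats & f) != 0;
}

/* Shadow-stack MSRs: PL0..PL3_SSP, INT_SSP_TAB and the synthetic GUEST_SSP. */
static bool is_shadow_stack_msr(uint32_t index)
{
	return (index >= MSR_IA32_PL0_SSP && index <= MSR_IA32_INT_SSP_TAB) ||
	       index == MSR_KVM_GUEST_SSP;
}

static bool kvm_cet_is_msr_accessible(struct kvm_vcpu *vcpu, struct msr_data *msr)
{
	/* Host-initiated accesses stay allowed, but only to write zero (reset). */
	bool host_msr_reset = msr->host_initiated && msr->data == 0;

	if (is_shadow_stack_msr(msr->index)) {
		if (!kvm_cpu_cap_has(X86_FEATURE_SHSTK))  /* assumption: not shown in the mail */
			return false;
		/* GUEST_SSP is never guest-accessible; the rest need SHSTK in CPUID
		 * unless the host is zeroing them. */
		return (host_msr_reset || guest_cpuid_has(vcpu, X86_FEATURE_SHSTK)) &&
		       (msr->index != MSR_KVM_GUEST_SSP || msr->host_initiated);
	}

	/* U_CET / S_CET are shared by IBT and SHSTK, so either feature qualifies. */
	if (!kvm_cpu_cap_has(X86_FEATURE_SHSTK) && !kvm_cpu_cap_has(X86_FEATURE_IBT))
		return false;
	return host_msr_reset ||
	       guest_cpuid_has(vcpu, X86_FEATURE_IBT) ||
	       guest_cpuid_has(vcpu, X86_FEATURE_SHSTK);
}

/* Wrapper: evaluate one access against a given host/guest feature configuration. */
static bool cet_access_allowed(unsigned int host, unsigned int guest,
			       uint32_t index, uint64_t data, bool host_initiated)
{
	struct kvm_vcpu vcpu = { .cpuid_feats = guest };
	struct msr_data msr = { .index = index, .data = data,
				.host_initiated = host_initiated };
	host_caps = host;
	return kvm_cet_is_msr_accessible(&vcpu, &msr);
}

int main(void)
{
	const unsigned int S = X86_FEATURE_SHSTK, I = X86_FEATURE_IBT;
	struct { const char *what; bool allowed; } cases[] = {
	  { "guest rdmsr PL0_SSP, SHSTK not in CPUID",
	    cet_access_allowed(S, 0, MSR_IA32_PL0_SSP, 0, false) },
	  { "host writes non-zero PL0_SSP, SHSTK not in CPUID",
	    cet_access_allowed(S, 0, MSR_IA32_PL0_SSP, 0x1000, true) },
	  { "host writes zero PL0_SSP, SHSTK not in CPUID (reset)",
	    cet_access_allowed(S, 0, MSR_IA32_PL0_SSP, 0, true) },
	  { "guest rdmsr GUEST_SSP, SHSTK in CPUID",
	    cet_access_allowed(S, S, MSR_KVM_GUEST_SSP, 0, false) },
	  { "host restores non-zero GUEST_SSP, SHSTK in CPUID",
	    cet_access_allowed(S, S, MSR_KVM_GUEST_SSP, 0x1000, true) },
	  { "host writes zero U_CET, host lacks CET entirely",
	    cet_access_allowed(0, 0, MSR_IA32_U_CET, 0, true) },
	  { "guest rdmsr U_CET with only IBT in CPUID",
	    cet_access_allowed(I, I, MSR_IA32_U_CET, 0, false) },
	};
	for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
		printf("%-55s -> %s\n", cases[i].what,
		       cases[i].allowed ? "allowed" : "denied");
	return 0;
}
```

The table printed by main() shows the behaviour the reply is after: a guest without SHSTK in CPUID cannot touch the shadow-stack MSRs, userspace can still zero them (reset), but can no longer push non-zero state into such a guest; a non-zero host write of MSR_KVM_GUEST_SSP is accepted only when the guest actually has SHSTK, and a host with no CET support at all refuses even a host-initiated zero write because the kvm_cpu_cap_has() gate runs first.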