On 1/5/2024 5:10 AM, Edgecombe, Rick P wrote:
On Thu, 2024-01-04 at 15:11 +0800, Yang, Weijiang wrote:
[...]
My understanding is that the KVM emulator kind of does what it has to
keep things running, and isn't expected to emulate every possible
instruction. With CET though, it is changing the behavior of existing
supported instructions. I could imagine a guest could skip over CET
enforcement by causing an MMIO exit and racing to overwrite the
exit-causing instruction from a different vcpu to be an indirect
CALL/RET, etc.
Can you elaborate on the case? I cannot figure out how it works.
The point is that it should be possible for KVM to emulate call/ret with
CET enabled. Not saying the specific case is critical, but the one I
used as an example was that the KVM emulator can (or at least in the
not too distant past could) be forced to emulate arbitrary instructions if
the guest overwrites the instruction between the exit and the SW fetch
from the host.
The steps are:

vcpu 1                                  vcpu 2
------------------------------------------------------------------------
mov to mmio addr
vm exit ept_misconfig
                                        overwrite mov instruction to call %rax
host emulator fetches
host emulates call instruction
So then the guest call operation will skip the endbranch check. But I'm
not sure that there are not less exotic cases that would run across it.
I see a bunch of cases where write-protected memory kicks to the
emulator as well. Not sure of the exact scenarios and whether this could
happen naturally in races during live migration, dirty tracking, etc.
Again, I'm more just asking about the exposure and thinking on it.
Now I get your points. I didn't think of exposure from the guest and just thought of the
normal execution flow in the guest, so I said let the guest handle #CP directly.
Yes, I think we need to take these cases into account. As Sean suggested in the following
replies, stopping emulation of JMP/CALL/RET etc. instructions when guest CET is enabled
is effective and simple; I'll investigate the emulator code.
Thanks for raising the concerns!
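The mitigation discussed above (refuse to emulate control-transfer instructions while guest CET is active, so a racing rewrite of the exit-causing instruction cannot turn an MMIO exit into an emulated CALL that skips the shadow-stack and ENDBR checks) can be modelled as a small decode-time gate. The code below is an added illustration, not KVM's emulator code or anything from this thread: the `cet_state` struct, the `cet_emulation_gate()` function and the `emu_verdict` values are assumptions chosen for the example. The bit names mirror the architectural CR4.CET and SH_STK_EN/ENDBR_EN controls, and the opcode table covers the common legacy encodings of CALL, RET and indirect JMP (with an optional REX prefix). It refines "JMP/CALL/RET" slightly: direct near JMPs are left emulatable because neither the shadow stack nor IBT tracks them, whereas every CALL/RET touches the shadow stack and every indirect JMP/CALL is subject to IBT.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical snapshot of the guest's CET enables (assumption, not a KVM type).
 * cr4_cet   : CR4.CET
 * shstk_en  : SH_STK_EN in the IA32_S_CET / IA32_U_CET MSR for the current CPL
 * endbr_en  : ENDBR_EN (indirect branch tracking) in the same MSR */
struct cet_state {
    bool cr4_cet;
    bool shstk_en;
    bool endbr_en;
};

enum emu_verdict {
    EMU_OK,                 /* safe to hand to the instruction emulator */
    EMU_REFUSE_CET_BRANCH,  /* control transfer while CET is active: do not emulate */
    EMU_BAD_LEN,            /* instruction bytes truncated */
};

static bool cet_active(const struct cet_state *s)
{
    return s->cr4_cet && (s->shstk_en || s->endbr_en);
}

/* Decide whether the fetched instruction bytes may be emulated.
 * Only the opcode is inspected; operands are irrelevant to the decision. */
enum emu_verdict cet_emulation_gate(const struct cet_state *s,
                                    const uint8_t *insn, size_t len)
{
    size_t i = 0;
    bool cet_branch = false;

    if (len == 0)
        return EMU_BAD_LEN;

    /* Optional REX prefix (0x40..0x4F) in 64-bit mode. */
    if ((insn[i] & 0xF0) == 0x40) {
        i++;
        if (i >= len)
            return EMU_BAD_LEN;
    }

    switch (insn[i]) {
    case 0xE8:  /* CALL rel32: pushes a return address onto the shadow stack */
    case 0xC3:  /* RET */
    case 0xC2:  /* RET imm16 */
    case 0xCB:  /* RET far */
    case 0xCA:  /* RET far imm16 */
    case 0x9A:  /* CALL far ptr16:32 */
    case 0xEA:  /* JMP far ptr16:32 (far transfers are tracked by IBT) */
        cet_branch = true;
        break;
    case 0xFF: {
        /* Group 5: /2 CALL r/m, /3 CALL m16:32, /4 JMP r/m, /5 JMP m16:32.
         * All four are indirect and therefore subject to ENDBR tracking;
         * the CALL forms also touch the shadow stack. */
        uint8_t reg;
        if (i + 1 >= len)
            return EMU_BAD_LEN;
        reg = (insn[i + 1] >> 3) & 7;
        cet_branch = (reg >= 2 && reg <= 5);
        break;
    }
    default:
        /* Direct JMP (E9/EB), MOV, and everything else: no CET state involved. */
        break;
    }

    return (cet_branch && cet_active(s)) ? EMU_REFUSE_CET_BRANCH : EMU_OK;
}

int main(void)
{
    /* Constructed replay of the race in the thread: the guest's
     * "mov %eax,(%rbx)" (89 03) hits MMIO, and by the time the host fetches
     * the bytes vcpu 2 has rewritten them to "call *%rax" (FF D0). */
    const struct cet_state guest = { .cr4_cet = true, .shstk_en = true, .endbr_en = true };
    const uint8_t at_exit[]  = { 0x89, 0x03 };
    const uint8_t at_fetch[] = { 0xFF, 0xD0 };

    printf("bytes at exit  -> verdict %d\n", cet_emulation_gate(&guest, at_exit, sizeof at_exit));
    printf("bytes at fetch -> verdict %d\n", cet_emulation_gate(&guest, at_fetch, sizeof at_fetch));
    return 0;
}
```

In the scenario from the table, the bytes the emulator actually fetches decode to `call *%rax`, so with CET enabled the gate returns `EMU_REFUSE_CET_BRANCH` and the emulator bails out (in KVM terms, the caller would fall back to whatever failure path the exit handler uses) instead of performing a CALL that bypasses both ENDBR and shadow-stack accounting. With CET disabled the same bytes return `EMU_OK`, so existing guests are unaffected.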