From: Chao Gao <chao.gao@intel.com>
To: <kvm@vger.kernel.org>, <linux-kernel@vger.kernel.org>
Cc: <mlevitsk@redhat.com>, <rick.p.edgecombe@intel.com>,
<weijiang.yang@intel.com>, <xin@zytor.com>,
Mathias Krause <minipli@grsecurity.net>,
John Allen <john.allen@amd.com>,
"Sean Christopherson" <seanjc@google.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>, <x86@kernel.org>,
"H. Peter Anvin" <hpa@zytor.com>
Subject: Re: [PATCH v12 22/24] KVM: nVMX: Enable CET support for nested guest
Date: Fri, 15 Aug 2025 22:24:07 +0800 [thread overview]
Message-ID: <aJ9DB12YVJEyDORD@intel.com> (raw)
In-Reply-To: <20250812025606.74625-23-chao.gao@intel.com>
>@@ -4479,6 +4543,9 @@ static bool is_vmcs12_ext_field(unsigned long field)
> case GUEST_IDTR_BASE:
> case GUEST_PENDING_DBG_EXCEPTIONS:
> case GUEST_BNDCFGS:
>+ case GUEST_S_CET:
>+ case GUEST_SSP:
>+ case GUEST_INTR_SSP_TABLE:
> return true;
> default:
> break;
>@@ -4529,6 +4596,10 @@ static void sync_vmcs02_to_vmcs12_rare(struct kvm_vcpu *vcpu,
> vmcs12->guest_pending_dbg_exceptions =
> vmcs_readl(GUEST_PENDING_DBG_EXCEPTIONS);
>
>+ cet_vmcs_fields_get(&vmx->vcpu, &vmcs12->guest_s_cet,
>+ &vmcs12->guest_ssp,
>+ &vmcs12->guest_ssp_tbl);
>+
> vmx->nested.need_sync_vmcs02_to_vmcs12_rare = false;
> }
>
>@@ -4760,6 +4831,10 @@ static void load_vmcs12_host_state(struct kvm_vcpu *vcpu,
> if (vmcs12->vm_exit_controls & VM_EXIT_CLEAR_BNDCFGS)
> vmcs_write64(GUEST_BNDCFGS, 0);
>
>+ if (vmcs12->vm_exit_controls & VM_EXIT_LOAD_CET_STATE)
>+ cet_vmcs_fields_set(vcpu, vmcs12->host_s_cet, vmcs12->host_ssp,
>+ vmcs12->host_ssp_tbl);
>+
Xin wrote a new test [*] and found a bug here. If VM_EXIT_LOAD_CET_STATE is not
set, the guest values should be retained after the nested vm-exit.
so here should be
if (vmcs12->vm_exit_controls & VM_EXIT_LOAD_CET_STATE)
cet_vmcs_fields_set(vcpu, vmcs12->host_s_cet, vmcs12->host_ssp,
vmcs12->host_ssp_tbl);
else
cet_vmcs_fields_set(vcpu, vmcs12->guest_s_cet, vmcs12->guest_ssp,
vmcs12->guest_ssp_tbl);
This creates a dependency that vmcs12->guest_s_cet/ssp/ssp_tbl must be
up-to-date here. So, vmcs12->guest_s_cet/ssp/ssp_tbl should be synced from
vmcs02 on each nested VM-exit rather than lazily in sync_vmcs02_to_vmcs12_rare().
Specifically, the cet_vmcs_fields_get() in sync_vmcs02_to_vmcs12_rare() should
be moved to sync_vmcs02_to_vmcs12(), and is_vmcs12_ext_field() should return
false for CET VMCS fields.
Note that Xin's test differs from the test I wrote [**] in L2 guest behavior.
His test writes to the S_CET MSR, while my test reads the S_CET MSR, which
is why this bug escaped from my CET test.
[*]: https://github.com/xinli-intel/kvm-unit-tests/commit/f1df81c3189a3328adb47c7dd6cd985830fe738f
[**]: https://lore.kernel.org/kvm/20250626073459.12990-9-minipli@grsecurity.net/
below diff can fix this issue:
diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
index 7c88fedc27c7..eadd659ae22f 100644
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -4596,9 +4596,6 @@ static bool is_vmcs12_ext_field(unsigned long field)
case GUEST_IDTR_BASE:
case GUEST_PENDING_DBG_EXCEPTIONS:
case GUEST_BNDCFGS:
- case GUEST_S_CET:
- case GUEST_SSP:
- case GUEST_INTR_SSP_TABLE:
return true;
default:
break;
@@ -4649,10 +4646,6 @@ static void sync_vmcs02_to_vmcs12_rare(struct kvm_vcpu *vcpu,
vmcs12->guest_pending_dbg_exceptions =
vmcs_readl(GUEST_PENDING_DBG_EXCEPTIONS);
- cet_vmcs_fields_get(&vmx->vcpu, &vmcs12->guest_s_cet,
- &vmcs12->guest_ssp,
- &vmcs12->guest_ssp_tbl);
-
vmx->nested.need_sync_vmcs02_to_vmcs12_rare = false;
}
@@ -4759,6 +4752,10 @@ static void sync_vmcs02_to_vmcs12(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
if (vmcs12->vm_exit_controls & VM_EXIT_SAVE_IA32_EFER)
vmcs12->guest_ia32_efer = vcpu->arch.efer;
+
+ cet_vmcs_fields_get(&vmx->vcpu, &vmcs12->guest_s_cet,
+ &vmcs12->guest_ssp,
+ &vmcs12->guest_ssp_tbl);
}
/*
@@ -4884,9 +4881,17 @@ static void load_vmcs12_host_state(struct kvm_vcpu *vcpu,
if (vmcs12->vm_exit_controls & VM_EXIT_CLEAR_BNDCFGS)
vmcs_write64(GUEST_BNDCFGS, 0);
+ /*
+ * Load CET state from host state if VM_EXIT_LOAD_CET_STATE is set.
+ * otherwise CET state should be retained across VM-exit, i.e.,
+ * guest values should be propagated from vmcs12 to vmcs01.
+ */
if (vmcs12->vm_exit_controls & VM_EXIT_LOAD_CET_STATE)
cet_vmcs_fields_set(vcpu, vmcs12->host_s_cet, vmcs12->host_ssp,
vmcs12->host_ssp_tbl);
+ else
+ cet_vmcs_fields_set(vcpu, vmcs12->guest_s_cet, vmcs12->guest_ssp,
+ vmcs12->guest_ssp_tbl);
if (vmcs12->vm_exit_controls & VM_EXIT_LOAD_IA32_PAT) {
vmcs_write64(GUEST_IA32_PAT, vmcs12->host_ia32_pat);
next prev parent reply other threads:[~2025-08-15 14:24 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-12 2:55 [PATCH v12 00/24] Enable CET Virtualization Chao Gao
2025-08-12 2:55 ` [PATCH v12 01/24] KVM: x86: Rename kvm_{g,s}et_msr()* to show that they emulate guest accesses Chao Gao
2025-09-01 7:07 ` Xiaoyao Li
2025-09-02 14:28 ` Sean Christopherson
2025-08-12 2:55 ` [PATCH v12 02/24] KVM: x86: Use double-underscore read/write MSR helpers as appropriate Chao Gao
2025-08-12 2:55 ` [PATCH v12 03/24] KVM: x86: Add kvm_msr_{read,write}() helpers Chao Gao
2025-08-12 2:55 ` [PATCH v12 04/24] KVM: x86: Manually clear MPX state only on INIT Chao Gao
2025-08-12 2:55 ` [PATCH v12 05/24] KVM: x86: Zero XSTATE components on INIT by iterating over supported features Chao Gao
2025-08-12 2:55 ` [PATCH v12 06/24] KVM: x86: Introduce KVM_{G,S}ET_ONE_REG uAPIs support Chao Gao
2025-08-19 17:37 ` Sean Christopherson
2025-08-20 8:28 ` Chao Gao
2025-08-21 13:20 ` Chao Gao
2025-08-12 2:55 ` [PATCH v12 07/24] KVM: x86: Report XSS as to-be-saved if there are supported features Chao Gao
2025-08-12 2:55 ` [PATCH v12 08/24] KVM: x86: Refresh CPUID on write to guest MSR_IA32_XSS Chao Gao
2025-08-12 2:55 ` [PATCH v12 09/24] KVM: x86: Initialize kvm_caps.supported_xss Chao Gao
2025-08-12 2:55 ` [PATCH v12 10/24] KVM: x86: Load guest FPU state when access XSAVE-managed MSRs Chao Gao
2025-08-12 2:55 ` [PATCH v12 11/24] KVM: x86: Add fault checks for guest CR4.CET setting Chao Gao
2025-08-12 2:55 ` [PATCH v12 12/24] KVM: x86: Report KVM supported CET MSRs as to-be-saved Chao Gao
2025-08-12 2:55 ` [PATCH v12 13/24] KVM: VMX: Introduce CET VMCS fields and control bits Chao Gao
2025-08-12 2:55 ` [PATCH v12 14/24] KVM: x86: Enable guest SSP read/write interface with new uAPIs Chao Gao
2025-08-12 2:55 ` [PATCH v12 15/24] KVM: VMX: Emulate read and write to CET MSRs Chao Gao
2025-08-19 16:09 ` Sean Christopherson
2025-08-19 17:19 ` Edgecombe, Rick P
2025-08-19 17:50 ` Sean Christopherson
2025-08-19 17:53 ` Xin Li
2025-08-19 18:35 ` Sean Christopherson
2025-08-20 2:32 ` Chao Gao
2025-08-20 14:12 ` Sean Christopherson
2025-08-12 2:55 ` [PATCH v12 16/24] KVM: x86: Save and reload SSP to/from SMRAM Chao Gao
2025-08-12 2:55 ` [PATCH v12 17/24] KVM: VMX: Set up interception for CET MSRs Chao Gao
2025-08-19 16:11 ` Sean Christopherson
2025-08-19 18:05 ` Xin Li
2025-08-19 18:45 ` Sean Christopherson
2025-08-20 2:10 ` Chao Gao
2025-08-12 2:55 ` [PATCH v12 18/24] KVM: VMX: Set host constant supervisor states to VMCS fields Chao Gao
2025-08-18 7:57 ` Chao Gao
2025-08-12 2:55 ` [PATCH v12 19/24] KVM: x86: Don't emulate instructions guarded by CET Chao Gao
2025-08-12 2:55 ` [PATCH v12 20/24] KVM: x86: Enable CET virtualization for VMX and advertise to userspace Chao Gao
2025-08-19 18:49 ` Sean Christopherson
2025-08-12 2:55 ` [PATCH v12 21/24] KVM: nVMX: Virtualize NO_HW_ERROR_CODE_CC for L1 event injection to L2 Chao Gao
2025-08-12 2:55 ` [PATCH v12 22/24] KVM: nVMX: Enable CET support for nested guest Chao Gao
2025-08-15 14:24 ` Chao Gao [this message]
2025-08-19 17:18 ` Sean Christopherson
2025-08-12 2:55 ` [PATCH v12 23/24] KVM: nVMX: Add consistency checks for CR0.WP and CR4.CET Chao Gao
2025-08-19 17:27 ` Sean Christopherson
2025-08-20 7:29 ` Chao Gao
2025-08-12 2:55 ` [PATCH v12 24/24] KVM: nVMX: Add consistency checks for CET states Chao Gao
2025-08-15 22:57 ` [PATCH v12 00/24] Enable CET Virtualization Edgecombe, Rick P
2025-08-18 7:53 ` Chao Gao
2025-08-18 22:25 ` Xin Li
2025-08-19 23:11 ` Sean Christopherson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aJ9DB12YVJEyDORD@intel.com \
--to=chao.gao@intel.com \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=hpa@zytor.com \
--cc=john.allen@amd.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=minipli@grsecurity.net \
--cc=mlevitsk@redhat.com \
--cc=pbonzini@redhat.com \
--cc=rick.p.edgecombe@intel.com \
--cc=seanjc@google.com \
--cc=tglx@linutronix.de \
--cc=weijiang.yang@intel.com \
--cc=x86@kernel.org \
--cc=xin@zytor.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.