public inbox for kvm@vger.kernel.org
From: Yang Weijiang <weijiang.yang@intel.com>
To: pbonzini@redhat.com, sean.j.christopherson@intel.com,
	mst@redhat.com, rkrcmar@redhat.com, jmattson@google.com,
	linux-kernel@vger.kernel.org, kvm@vger.kernel.org,
	yu-cheng.yu@intel.com
Cc: weijiang.yang@intel.com
Subject: [PATCH v5 0/8] Introduce support for Guest CET feature
Date: Wed, 22 May 2019 15:00:53 +0800
Message-ID: <20190522070101.7636-1-weijiang.yang@intel.com>

Control-flow Enforcement Technology (CET) provides protection against
Return/Jump-Oriented Programming (ROP/JOP) attacks. It includes two
sub-features: shadow stack (SHSTK) and indirect branch tracking (IBT).

KVM modification is required to support the Guest CET feature.
This patch series implements CET-related CPUID/XSAVES enumeration, MSRs,
and VMEntry configuration, etc., so that the Guest kernel can set up CET
runtime infrastructure based on them. Some MSRs and related feature
flags used in the patches reference the definitions in the kernel patch.

CET kernel patch is here:
https://lkml.org/lkml/2018/11/20/225.

PATCH 1    : Define CET VMCS fields and bits.
PATCH 2/3  : Enumerate CET features/XSAVES in CPUID.
PATCH 4    : Fix xsaves size calculation issue.
PATCH 5    : Pass through CET MSRs to Guest.
PATCH 6    : Set Guest auto loading bit for CET.
PATCH 7    : Load Guest FPU states for XSAVES managed MSRs.
PATCH 8    : Add user-space access interface for CET states.


 v4 -> v5:
 - Rebase patch to kernel v5.1.
 - Wrap CPUID(0xD, n>=1) code to a helper function.
 - Pass through MSR_IA32_PL1_SSP and MSR_IA32_PL2_SSP to Guest.
 - Add Co-developed-by expression in patch description.
 - Refine patch description.

 v3 -> v4:
 - Add Sean's patch for loading Guest fpu state before access XSAVES
   managed CET MSRs.
 - Melt down CET bits setting into CPUID configuration patch.
 - Add VMX interface to query Host XSS.
 - Check Host and Guest XSS support bits before set Guest XSS.
 - Make Guest SHSTK and IBT feature enabling independent.
 - Do not report CET support to Guest when Host CET feature is Disabled.

 v2 -> v3:
 - Modified patches to make Guest CET independent to Host enabling.
 - Added patch 8 to add user space access for Guest CET MSR access.
 - Modified code comments and patch description to reflect changes.

 v1 -> v2:
 - Re-ordered patch sequence, combined one patch.
 - Added more description for CET related VMCS fields.
 - Added Host CET capability check while enabling Guest CET loading bit.
 - Added Host CET capability check while reporting Guest CPUID(EAX=7, ECX=0).
 - Modified code in reporting Guest CPUID(EAX=D,ECX>=1), make it clearer.
 - Added Host and Guest XSS mask check while
   setting bits for Guest XSS.

Sean Christopherson (1):
  KVM: x86: Load Guest fpu state when accessing MSRs managed by XSAVES

Yang Weijiang (7):
  KVM: VMX: Define CET VMCS fields and control bits
  KVM: x86: Implement CET CPUID support for Guest
  KVM: x86: Fix XSAVE size calculation issue
  KVM: VMX: Pass through CET related MSRs to Guest
  KVM: VMX: Load Guest CET via VMCS when CET is enabled in Guest
  KVM: x86: Allow Guest to set supported bits in XSS
  KVM: x86: Add user-space access interface for CET MSRs

 arch/x86/include/asm/kvm_host.h  |   5 +-
 arch/x86/include/asm/msr-index.h |   2 +
 arch/x86/include/asm/vmx.h       |   8 +++
 arch/x86/kvm/cpuid.c             | 109 +++++++++++++++++++++----------
 arch/x86/kvm/vmx/vmx.c           |  83 +++++++++++++++++++++--
 arch/x86/kvm/x86.c               |  29 +++++++-
 arch/x86/kvm/x86.h               |   4 ++
 7 files changed, 197 insertions(+), 43 deletions(-)

-- 
2.17.2


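The cover letter above describes two checks that the series has KVM perform before exposing CET to a guest: enumerating SHSTK/IBT and the XSAVES-managed CET state via CPUID(EAX=7, ECX=0) and CPUID(EAX=0xD, ECX>=1), and refusing guest XSS bits that neither the Host nor the Guest's CPUID supports. The following is an added, stand-alone illustration of that logic and is not code from the patch series or from KVM. It decodes constructed CPUID register snapshots (no `cpuid` instruction is executed, so it runs on any host) and validates a requested IA32_XSS value against the permitted mask. The bit positions (CPUID.7.0:ECX[7] = SHSTK, CPUID.7.0:EDX[20] = IBT, XSS components 11 = CET_U and 12 = CET_S) come from the Intel SDM, not from the cover letter; the struct and function names are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* CPUID.(EAX=7,ECX=0) CET feature bits (Intel SDM definitions). */
#define CPUID7_ECX_SHSTK (1u << 7)   /* shadow stack supported */
#define CPUID7_EDX_IBT   (1u << 20)  /* indirect branch tracking supported */

/* XSAVE state components for CET, managed through IA32_XSS (supervisor). */
#define XFEATURE_CET_USER   11       /* IA32_U_CET, IA32_PL3_SSP */
#define XFEATURE_CET_KERNEL 12       /* IA32_PL0/1/2_SSP */
#define XSS_CET_U (1ull << XFEATURE_CET_USER)
#define XSS_CET_S (1ull << XFEATURE_CET_KERNEL)

/* Register snapshot of one CPUID sub-leaf (constructed in this example). */
struct cpuid_regs { uint32_t eax, ebx, ecx, edx; };

struct cet_caps {
    bool shstk;            /* SHSTK advertised in leaf 7 */
    bool ibt;              /* IBT advertised in leaf 7 */
    uint32_t cet_u_size;   /* byte size of component 11, 0 if absent */
    uint32_t cet_s_size;   /* byte size of component 12, 0 if absent */
    uint64_t xss_mask;     /* XSS bits that may be offered for CET */
};

/*
 * Decode CET capability from CPUID leaf 7 and leaf 0xD sub-leaves 11 and 12.
 * CPUID.(0xD,n).ECX[0] set means component n lives in IA32_XSS rather than XCR0,
 * and EAX gives its size.  If leaf 7 advertises neither SHSTK nor IBT, no XSS
 * bit is offered even when the XSAVE sub-leaves look populated.
 */
struct cet_caps decode_cet(const struct cpuid_regs *leaf7,
                           const struct cpuid_regs *xd11,
                           const struct cpuid_regs *xd12)
{
    struct cet_caps c = {0};

    c.shstk = (leaf7->ecx & CPUID7_ECX_SHSTK) != 0;
    c.ibt   = (leaf7->edx & CPUID7_EDX_IBT) != 0;

    if ((xd11->ecx & 1u) && xd11->eax) {
        c.cet_u_size = xd11->eax;
        c.xss_mask  |= XSS_CET_U;
    }
    if ((xd12->ecx & 1u) && xd12->eax) {
        c.cet_s_size = xd12->eax;
        c.xss_mask  |= XSS_CET_S;
    }
    if (!c.shstk && !c.ibt)
        c.xss_mask = 0;   /* do not report CET state when the feature is absent */

    return c;
}

/*
 * Model of the WRMSR(IA32_XSS) check: every bit the guest asks for must be
 * supported by the Host's XSS and advertised to the Guest in its CPUID.
 */
bool guest_xss_allowed(uint64_t requested, uint64_t host_xss,
                       uint64_t guest_cpuid_xss)
{
    uint64_t permitted = host_xss & guest_cpuid_xss;
    return (requested & ~permitted) == 0;
}

int main(void)
{
    /* Constructed snapshots of a CPU that supports SHSTK + IBT. */
    struct cpuid_regs leaf7 = { 0, 0, CPUID7_ECX_SHSTK, CPUID7_EDX_IBT };
    struct cpuid_regs xd11  = { 16, 0, 1, 0 };  /* CET_U: 16 bytes, in XSS */
    struct cpuid_regs xd12  = { 24, 0, 1, 0 };  /* CET_S: 24 bytes, in XSS */

    struct cet_caps c = decode_cet(&leaf7, &xd11, &xd12);
    printf("shstk=%d ibt=%d cet_u=%u cet_s=%u xss_mask=0x%llx\n",
           c.shstk, c.ibt, c.cet_u_size, c.cet_s_size,
           (unsigned long long)c.xss_mask);
    printf("guest XSS 0x1800 with host XSS 0x800 allowed: %d\n",
           guest_xss_allowed(0x1800, 0x800, c.xss_mask));
    return 0;
}
```

The second check is the interesting one for a hypervisor: a guest that can set an XSS bit the Host does not support would cause XSAVES/XRSTORS to fault or silently drop state on the next context switch, so the permitted mask is the intersection of Host support and what was advertised to the Guest, never either one alone.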
Thread overview: 16+ messages
2019-05-22  7:00 Yang Weijiang [this message]
2019-05-22  7:00 ` [PATCH v5 1/8] KVM: VMX: Define CET VMCS fields and control bits Yang Weijiang
2019-06-04 14:46   ` Sean Christopherson
2019-06-05  2:30     ` Yang Weijiang
2019-05-22  7:00 ` [PATCH v5 2/8] KVM: x86: Implement CET CPUID support for Guest Yang Weijiang
2019-06-04 19:58   ` Sean Christopherson
2019-06-05  2:51     ` Yang Weijiang
2019-05-22  7:00 ` [PATCH v5 3/8] KVM: x86: Fix XSAVE size calculation issue Yang Weijiang
2019-05-22  7:00 ` [PATCH v5 4/8] KVM: VMX: Pass through CET related MSRs to Guest Yang Weijiang
2019-06-04 19:59   ` Sean Christopherson
2019-05-22  7:00 ` [PATCH v5 5/8] KVM: VMX: Load Guest CET via VMCS when CET is enabled in Guest Yang Weijiang
2019-06-04 20:03   ` Sean Christopherson
2019-06-05  1:49     ` Yang Weijiang
2019-05-22  7:00 ` [PATCH v5 6/8] KVM: x86: Allow Guest to set supported bits in XSS Yang Weijiang
2019-05-22  7:01 ` [PATCH v5 7/8] KVM: x86: Load Guest fpu state when accessing MSRs managed by XSAVES Yang Weijiang
2019-05-22  7:01 ` [PATCH v5 8/8] KVM: x86: Add user-space access interface for CET MSRs Yang Weijiang
