From: Yang Weijiang <weijiang.yang@intel.com>
To: seanjc@google.com, pbonzini@redhat.com, dave.hansen@intel.com,
kvm@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: peterz@infradead.org, chao.gao@intel.com,
rick.p.edgecombe@intel.com, mlevitsk@redhat.com,
john.allen@amd.com, weijiang.yang@intel.com
Subject: [PATCH v8 26/26] KVM: nVMX: Enable CET support for nested guest
Date: Thu, 21 Dec 2023 09:02:39 -0500 [thread overview]
Message-ID: <20231221140239.4349-27-weijiang.yang@intel.com> (raw)
In-Reply-To: <20231221140239.4349-1-weijiang.yang@intel.com>
Set up CET MSRs, related VM_ENTRY/EXIT control bits and fixed CR4 setting
to enable CET for nested VM.
vmcs12 and vmcs02 need to be synced when L2 exits to L1 or when L1 wants
to resume L2, so that each side observes the correct CET state.
Suggested-by: Chao Gao <chao.gao@intel.com>
Signed-off-by: Yang Weijiang <weijiang.yang@intel.com>
---
arch/x86/kvm/vmx/nested.c | 57 +++++++++++++++++++++++++++++++++++++--
arch/x86/kvm/vmx/vmcs12.c | 6 +++++
arch/x86/kvm/vmx/vmcs12.h | 14 +++++++++-
arch/x86/kvm/vmx/vmx.c | 2 ++
4 files changed, 76 insertions(+), 3 deletions(-)
diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
index 468a7cf75035..dee718c65255 100644
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -691,6 +691,28 @@ static inline bool nested_vmx_prepare_msr_bitmap(struct kvm_vcpu *vcpu,
nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0,
MSR_IA32_FLUSH_CMD, MSR_TYPE_W);
+ /* Pass CET MSRs to nested VM if L0 and L1 are set to pass-through. */
+ nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0,
+ MSR_IA32_U_CET, MSR_TYPE_RW);
+
+ nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0,
+ MSR_IA32_S_CET, MSR_TYPE_RW);
+
+ nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0,
+ MSR_IA32_PL0_SSP, MSR_TYPE_RW);
+
+ nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0,
+ MSR_IA32_PL1_SSP, MSR_TYPE_RW);
+
+ nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0,
+ MSR_IA32_PL2_SSP, MSR_TYPE_RW);
+
+ nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0,
+ MSR_IA32_PL3_SSP, MSR_TYPE_RW);
+
+ nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0,
+ MSR_IA32_INT_SSP_TAB, MSR_TYPE_RW);
+
kvm_vcpu_unmap(vcpu, &vmx->nested.msr_bitmap_map, false);
vmx->nested.force_msr_bitmap_recalc = false;
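Review bot: The comment above the seven new `nested_vmx_set_intercept_for_msr()` calls does not say what keeps these MSRs intercepted for a vCPU that has no shadow-stack or IBT support. Nothing in the hunk gates the calls on `guest_can_use()`, so correctness presumably rests on L0's bitmap (`msr_bitmap_l0`) still intercepting any CET MSR the vCPU is not allowed to touch. That logic is outside this hunk and should be named here. I would extend the comment to something like `/* Pass through CET MSRs only where both L0's and L1's bitmaps allow it; L0 keeps intercepting MSRs for CET features the vCPU lacks. */` once that has been confirmed against the vmcs01 bitmap setup. The body of nested_vmx_prepare_msr_bitmap() starts and ends outside the hunk.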
@@ -2506,6 +2528,17 @@ static void prepare_vmcs02_rare(struct vcpu_vmx *vmx, struct vmcs12 *vmcs12)
if (kvm_mpx_supported() && vmx->nested.nested_run_pending &&
(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS))
vmcs_write64(GUEST_BNDCFGS, vmcs12->guest_bndcfgs);
+
+ if (vmcs12->vm_entry_controls & VM_ENTRY_LOAD_CET_STATE) {
+ if (guest_can_use(&vmx->vcpu, X86_FEATURE_SHSTK)) {
+ vmcs_writel(GUEST_SSP, vmcs12->guest_ssp);
+ vmcs_writel(GUEST_INTR_SSP_TABLE,
+ vmcs12->guest_ssp_tbl);
+ }
+ if (guest_can_use(&vmx->vcpu, X86_FEATURE_SHSTK) ||
+ guest_can_use(&vmx->vcpu, X86_FEATURE_IBT))
+ vmcs_writel(GUEST_S_CET, vmcs12->guest_s_cet);
+ }
}
if (nested_cpu_has_xsaves(vmcs12))
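Review bot: The new `if (vmcs12->vm_entry_controls & VM_ENTRY_LOAD_CET_STATE)` test drops the `vmx->nested.nested_run_pending` condition that the BNDCFGS load directly above it uses, and it has no fallback for when L1 leaves the control clear. With the control clear, L2 should continue with the CET state L1 had at VM entry, but nothing in this hunk writes that into vmcs02, so GUEST_S_CET, GUEST_SSP and GUEST_INTR_SSP_TABLE would presumably keep whatever an earlier L2 run left there. I would make the condition `if (vmx->nested.nested_run_pending && (vmcs12->vm_entry_controls & VM_ENTRY_LOAD_CET_STATE)) {` and add an else path that restores values captured from vmcs01 before the nested entry; that needs state saved elsewhere, which this hunk does not show. The three values are L1-controlled and are written as-is, so the series should also have VM-entry consistency checks for them; none are part of this patch. The enclosing block in prepare_vmcs02_rare() begins outside the hunk.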
@@ -4344,6 +4377,15 @@ static void sync_vmcs02_to_vmcs12_rare(struct kvm_vcpu *vcpu,
vmcs12->guest_pending_dbg_exceptions =
vmcs_readl(GUEST_PENDING_DBG_EXCEPTIONS);
+ if (guest_can_use(&vmx->vcpu, X86_FEATURE_SHSTK)) {
+ vmcs12->guest_ssp = vmcs_readl(GUEST_SSP);
+ vmcs12->guest_ssp_tbl = vmcs_readl(GUEST_INTR_SSP_TABLE);
+ }
+ if (guest_can_use(&vmx->vcpu, X86_FEATURE_SHSTK) ||
+ guest_can_use(&vmx->vcpu, X86_FEATURE_IBT)) {
+ vmcs12->guest_s_cet = vmcs_readl(GUEST_S_CET);
+ }
+
vmx->nested.need_sync_vmcs02_to_vmcs12_rare = false;
}
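Review bot: The added checks call `guest_can_use(&vmx->vcpu, ...)` although the function already receives `vcpu` (see the hunk header), and the matching code added to load_vmcs12_host_state() passes `vcpu` directly. The second `if` also braces a single statement, unlike the same test in the prepare_vmcs02_rare() hunk. I would write it as `if (guest_can_use(vcpu, X86_FEATURE_SHSTK) || guest_can_use(vcpu, X86_FEATURE_IBT))` followed by the unbraced assignment. Since the SHSTK-or-IBT test appears three times in this patch, a small static inline helper would keep the copies from drifting apart.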
@@ -4569,6 +4611,16 @@ static void load_vmcs12_host_state(struct kvm_vcpu *vcpu,
if (vmcs12->vm_exit_controls & VM_EXIT_CLEAR_BNDCFGS)
vmcs_write64(GUEST_BNDCFGS, 0);
+ if (vmcs12->vm_exit_controls & VM_EXIT_LOAD_CET_STATE) {
+ if (guest_can_use(vcpu, X86_FEATURE_SHSTK)) {
+ vmcs_writel(HOST_SSP, vmcs12->host_ssp);
+ vmcs_writel(HOST_INTR_SSP_TABLE, vmcs12->host_ssp_tbl);
+ }
+ if (guest_can_use(vcpu, X86_FEATURE_SHSTK) ||
+ guest_can_use(vcpu, X86_FEATURE_IBT))
+ vmcs_writel(HOST_S_CET, vmcs12->host_s_cet);
+ }
+
if (vmcs12->vm_exit_controls & VM_EXIT_LOAD_IA32_PAT) {
vmcs_write64(GUEST_IA32_PAT, vmcs12->host_ia32_pat);
vcpu->arch.pat = vmcs12->host_ia32_pat;
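Review bot: The three added `vmcs_writel()` calls target `HOST_SSP`, `HOST_INTR_SSP_TABLE` and `HOST_S_CET`, but this function emulates a VM exit from L2 to L1, so L1's host state has to become guest state of the VMCS that runs L1. The neighbouring context lines do exactly that (`vmcs_write64(GUEST_BNDCFGS, 0)`, `vmcs_write64(GUEST_IA32_PAT, vmcs12->host_ia32_pat)`). As written, values chosen by L1 land in host-state fields that the CPU loads for L0 on the next VM exit, while L1's own CET state is never restored. The writes should be `vmcs_writel(GUEST_SSP, vmcs12->host_ssp);`, `vmcs_writel(GUEST_INTR_SSP_TABLE, vmcs12->host_ssp_tbl);` and `vmcs_writel(GUEST_S_CET, vmcs12->host_s_cet);`. The vmcs12 host CET fields also need validation on nested VM entry, which is not part of this patch; load_vmcs12_host_state() continues outside the hunk.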
@@ -6840,7 +6892,7 @@ static void nested_vmx_setup_exit_ctls(struct vmcs_config *vmcs_conf,
VM_EXIT_HOST_ADDR_SPACE_SIZE |
#endif
VM_EXIT_LOAD_IA32_PAT | VM_EXIT_SAVE_IA32_PAT |
- VM_EXIT_CLEAR_BNDCFGS;
+ VM_EXIT_CLEAR_BNDCFGS | VM_EXIT_LOAD_CET_STATE;
msrs->exit_ctls_high |=
VM_EXIT_ALWAYSON_WITHOUT_TRUE_MSR |
VM_EXIT_LOAD_IA32_EFER | VM_EXIT_SAVE_IA32_EFER |
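Review bot: `VM_EXIT_LOAD_CET_STATE` is added to the allowed-controls mask unconditionally, so it appears to be advertised to L1 whenever the hardware configuration in `vmcs_conf` has it, independent of whether KVM exposes SHSTK or IBT at all. Unless `vmcs_conf` already drops the bit in that case (not visible here), I would clear it after the mask is applied, e.g. `if (!kvm_cpu_cap_has(X86_FEATURE_SHSTK) && !kvm_cpu_cap_has(X86_FEATURE_IBT)) msrs->exit_ctls_high &= ~VM_EXIT_LOAD_CET_STATE;`. The same applies to `VM_ENTRY_LOAD_CET_STATE` in the nested_vmx_setup_entry_ctls() hunk that follows. Both functions start and end outside their hunks.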
@@ -6862,7 +6914,8 @@ static void nested_vmx_setup_entry_ctls(struct vmcs_config *vmcs_conf,
#ifdef CONFIG_X86_64
VM_ENTRY_IA32E_MODE |
#endif
- VM_ENTRY_LOAD_IA32_PAT | VM_ENTRY_LOAD_BNDCFGS;
+ VM_ENTRY_LOAD_IA32_PAT | VM_ENTRY_LOAD_BNDCFGS |
+ VM_ENTRY_LOAD_CET_STATE;
msrs->entry_ctls_high |=
(VM_ENTRY_ALWAYSON_WITHOUT_TRUE_MSR | VM_ENTRY_LOAD_IA32_EFER |
VM_ENTRY_LOAD_IA32_PERF_GLOBAL_CTRL);
diff --git a/arch/x86/kvm/vmx/vmcs12.c b/arch/x86/kvm/vmx/vmcs12.c
index 106a72c923ca..4233b5ca9461 100644
--- a/arch/x86/kvm/vmx/vmcs12.c
+++ b/arch/x86/kvm/vmx/vmcs12.c
@@ -139,6 +139,9 @@ const unsigned short vmcs12_field_offsets[] = {
FIELD(GUEST_PENDING_DBG_EXCEPTIONS, guest_pending_dbg_exceptions),
FIELD(GUEST_SYSENTER_ESP, guest_sysenter_esp),
FIELD(GUEST_SYSENTER_EIP, guest_sysenter_eip),
+ FIELD(GUEST_S_CET, guest_s_cet),
+ FIELD(GUEST_SSP, guest_ssp),
+ FIELD(GUEST_INTR_SSP_TABLE, guest_ssp_tbl),
FIELD(HOST_CR0, host_cr0),
FIELD(HOST_CR3, host_cr3),
FIELD(HOST_CR4, host_cr4),
@@ -151,5 +154,8 @@ const unsigned short vmcs12_field_offsets[] = {
FIELD(HOST_IA32_SYSENTER_EIP, host_ia32_sysenter_eip),
FIELD(HOST_RSP, host_rsp),
FIELD(HOST_RIP, host_rip),
+ FIELD(HOST_S_CET, host_s_cet),
+ FIELD(HOST_SSP, host_ssp),
+ FIELD(HOST_INTR_SSP_TABLE, host_ssp_tbl),
};
const unsigned int nr_vmcs12_fields = ARRAY_SIZE(vmcs12_field_offsets);
diff --git a/arch/x86/kvm/vmx/vmcs12.h b/arch/x86/kvm/vmx/vmcs12.h
index 01936013428b..3884489e7f7e 100644
--- a/arch/x86/kvm/vmx/vmcs12.h
+++ b/arch/x86/kvm/vmx/vmcs12.h
@@ -117,7 +117,13 @@ struct __packed vmcs12 {
natural_width host_ia32_sysenter_eip;
natural_width host_rsp;
natural_width host_rip;
- natural_width paddingl[8]; /* room for future expansion */
+ natural_width host_s_cet;
+ natural_width host_ssp;
+ natural_width host_ssp_tbl;
+ natural_width guest_s_cet;
+ natural_width guest_ssp;
+ natural_width guest_ssp_tbl;
+ natural_width paddingl[2]; /* room for future expansion */
u32 pin_based_vm_exec_control;
u32 cpu_based_vm_exec_control;
u32 exception_bitmap;
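Review bot: The six new `natural_width` fields are carved out of `paddingl[8]`, which is why `guest_s_cet`, `guest_ssp` and `guest_ssp_tbl` end up after the host-state fields instead of next to the other guest fields, and nothing in the struct says so. The size is unchanged (six fields plus `paddingl[2]`), and the CHECK_OFFSET hunk confirms `pin_based_vm_exec_control` stays at 744. The next reader still has no hint that the ordering is deliberate. I would add a comment above `host_s_cet` such as `/* CET state: occupies former paddingl[] slots, offsets are fixed by CHECK_OFFSET() and must not be reordered */`. struct vmcs12 starts and ends outside the hunk.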
@@ -292,6 +298,12 @@ static inline void vmx_check_vmcs12_offsets(void)
CHECK_OFFSET(host_ia32_sysenter_eip, 656);
CHECK_OFFSET(host_rsp, 664);
CHECK_OFFSET(host_rip, 672);
+ CHECK_OFFSET(host_s_cet, 680);
+ CHECK_OFFSET(host_ssp, 688);
+ CHECK_OFFSET(host_ssp_tbl, 696);
+ CHECK_OFFSET(guest_s_cet, 704);
+ CHECK_OFFSET(guest_ssp, 712);
+ CHECK_OFFSET(guest_ssp_tbl, 720);
CHECK_OFFSET(pin_based_vm_exec_control, 744);
CHECK_OFFSET(cpu_based_vm_exec_control, 748);
CHECK_OFFSET(exception_bitmap, 752);
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index c802e790c0d5..7ddd3f6fe8ab 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -7732,6 +7732,8 @@ static void nested_vmx_cr_fixed1_bits_update(struct kvm_vcpu *vcpu)
cr4_fixed1_update(X86_CR4_PKE, ecx, feature_bit(PKU));
cr4_fixed1_update(X86_CR4_UMIP, ecx, feature_bit(UMIP));
cr4_fixed1_update(X86_CR4_LA57, ecx, feature_bit(LA57));
+ cr4_fixed1_update(X86_CR4_CET, ecx, feature_bit(SHSTK));
+ cr4_fixed1_update(X86_CR4_CET, edx, feature_bit(IBT));
entry = kvm_find_cpuid_entry_index(vcpu, 0x7, 1);
cr4_fixed1_update(X86_CR4_LAM_SUP, eax, feature_bit(LAM));
--
2.39.3