From: Sean Christopherson <seanjc@google.com>
To: Paolo Bonzini <pbonzini@redhat.com>,
Sean Christopherson <seanjc@google.com>
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
Tom Lendacky <thomas.lendacky@amd.com>,
Mathias Krause <minipli@grsecurity.net>,
John Allen <john.allen@amd.com>,
Rick Edgecombe <rick.p.edgecombe@intel.com>,
Chao Gao <chao.gao@intel.com>,
Binbin Wu <binbin.wu@linux.intel.com>,
Xiaoyao Li <xiaoyao.li@intel.com>,
Maxim Levitsky <mlevitsk@redhat.com>,
Zhang Yi Z <yi.z.zhang@linux.intel.com>, Xin Li <xin@zytor.com>
Subject: [PATCH v16 51/51] KVM: VMX: Make CR4.CET a guest owned bit
Date: Fri, 19 Sep 2025 15:32:58 -0700 [thread overview]
Message-ID: <20250919223258.1604852-52-seanjc@google.com> (raw)
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
From: Mathias Krause <minipli@grsecurity.net>
Make CR4.CET a guest-owned bit under VMX by extending
KVM_POSSIBLE_CR4_GUEST_BITS accordingly.
There's no need to intercept changes to CR4.CET, as it's neither
included in KVM's MMU role bits, nor does KVM specifically care about
the actual value of a (nested) guest's CR4.CET value, beside for
enforcing architectural constraints, i.e. make sure that CR0.WP=1 if
CR4.CET=1.
Intercepting writes to CR4.CET is particularly bad for grsecurity
kernels with KERNEXEC or, even worse, KERNSEAL enabled. These features
heavily make use of read-only kernel objects and use a cpu-local CR0.WP
toggle to override it, when needed. Under a CET-enabled kernel, this
also requires toggling CR4.CET, hence the motivation to make it
guest-owned.
Using the old test from [1] gives the following runtime numbers (perf
stat -r 5 ssdd 10 50000):
* grsec guest on linux-6.16-rc5 + cet patches:
2.4647 +- 0.0706 seconds time elapsed ( +- 2.86% )
* grsec guest on linux-6.16-rc5 + cet patches + CR4.CET guest-owned:
1.5648 +- 0.0240 seconds time elapsed ( +- 1.53% )
Not only does not intercepting CR4.CET make the test run ~35% faster,
it's also more stable with less fluctuation due to fewer VMEXITs.
Therefore, make CR4.CET a guest-owned bit where possible.
This change is VMX-specific, as SVM has no such fine-grained control
register intercept control.
If KVM's assumptions regarding MMU role handling wrt. a guest's CR4.CET
value ever change, the BUILD_BUG_ON()s related to KVM_MMU_CR4_ROLE_BITS
and KVM_POSSIBLE_CR4_GUEST_BITS will catch that early.
Link: https://lore.kernel.org/kvm/20230322013731.102955-1-minipli@grsecurity.net/ [1]
Reviewed-by: Chao Gao <chao.gao@intel.com>
Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Signed-off-by: Sean Christopherson <seanjc@google.com>
---
arch/x86/kvm/kvm_cache_regs.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kvm/kvm_cache_regs.h b/arch/x86/kvm/kvm_cache_regs.h
index 36a8786db291..8ddb01191d6f 100644
--- a/arch/x86/kvm/kvm_cache_regs.h
+++ b/arch/x86/kvm/kvm_cache_regs.h
@@ -7,7 +7,8 @@
#define KVM_POSSIBLE_CR0_GUEST_BITS (X86_CR0_TS | X86_CR0_WP)
#define KVM_POSSIBLE_CR4_GUEST_BITS \
(X86_CR4_PVI | X86_CR4_DE | X86_CR4_PCE | X86_CR4_OSFXSR \
- | X86_CR4_OSXMMEXCPT | X86_CR4_PGE | X86_CR4_TSD | X86_CR4_FSGSBASE)
+ | X86_CR4_OSXMMEXCPT | X86_CR4_PGE | X86_CR4_TSD | X86_CR4_FSGSBASE \
+ | X86_CR4_CET)
#define X86_CR0_PDPTR_BITS (X86_CR0_CD | X86_CR0_NW | X86_CR0_PG)
#define X86_CR4_TLBFLUSH_BITS (X86_CR4_PGE | X86_CR4_PCIDE | X86_CR4_PAE | X86_CR4_SMEP)
--
2.51.0.470.ga7dc726c21-goog
next prev parent reply other threads:[~2025-09-19 22:34 UTC|newest]
Thread overview: 114+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-19 22:32 [PATCH v16 00/51] KVM: x86: Super Mega CET Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 01/51] KVM: SEV: Rename kvm_ghcb_get_sw_exit_code() to kvm_get_cached_sw_exit_code() Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 02/51] KVM: SEV: Read save fields from GHCB exactly once Sean Christopherson
2025-09-22 21:39 ` Tom Lendacky
2025-09-19 22:32 ` [PATCH v16 03/51] KVM: SEV: Validate XCR0 provided by guest in GHCB Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 04/51] KVM: x86: Introduce KVM_{G,S}ET_ONE_REG uAPIs support Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 05/51] KVM: x86: Report XSS as to-be-saved if there are supported features Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 06/51] KVM: x86: Check XSS validity against guest CPUIDs Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 07/51] KVM: x86: Refresh CPUID on write to guest MSR_IA32_XSS Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 08/51] KVM: x86: Initialize kvm_caps.supported_xss Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 09/51] KVM: x86: Load guest FPU state when access XSAVE-managed MSRs Sean Christopherson
2025-09-22 2:10 ` Binbin Wu
2025-09-22 16:41 ` Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 10/51] KVM: x86: Add fault checks for guest CR4.CET setting Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 11/51] KVM: x86: Report KVM supported CET MSRs as to-be-saved Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 12/51] KVM: VMX: Introduce CET VMCS fields and control bits Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 13/51] KVM: x86: Enable guest SSP read/write interface with new uAPIs Sean Christopherson
2025-09-22 2:58 ` Binbin Wu
2025-09-23 9:06 ` Xiaoyao Li
2025-09-19 22:32 ` [PATCH v16 14/51] KVM: VMX: Emulate read and write to CET MSRs Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 15/51] KVM: x86: Save and reload SSP to/from SMRAM Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 16/51] KVM: VMX: Set up interception for CET MSRs Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 17/51] KVM: VMX: Set host constant supervisor states to VMCS fields Sean Christopherson
2025-09-22 3:03 ` Binbin Wu
2025-09-19 22:32 ` [PATCH v16 18/51] KVM: x86: Don't emulate instructions affected by CET features Sean Christopherson
2025-09-22 5:39 ` Binbin Wu
2025-09-22 16:47 ` Sean Christopherson
2025-09-22 10:27 ` Chao Gao
2025-09-22 20:04 ` Sean Christopherson
2025-09-23 14:12 ` Xiaoyao Li
2025-09-23 16:15 ` Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 19/51] KVM: x86: Don't emulate task switches when IBT or SHSTK is enabled Sean Christopherson
2025-09-22 6:41 ` Binbin Wu
2025-09-22 17:23 ` Sean Christopherson
2025-09-23 14:16 ` Xiaoyao Li
2025-09-22 11:27 ` Chao Gao
2025-09-19 22:32 ` [PATCH v16 20/51] KVM: x86: Emulate SSP[63:32]!=0 #GP(0) for FAR JMP to 32-bit mode Sean Christopherson
2025-09-22 7:15 ` Binbin Wu
2025-09-23 14:29 ` Xiaoyao Li
2025-09-19 22:32 ` [PATCH v16 21/51] KVM: x86/mmu: WARN on attempt to check permissions for Shadow Stack #PF Sean Christopherson
2025-09-22 7:17 ` Binbin Wu
2025-09-22 7:46 ` Binbin Wu
2025-09-23 14:33 ` Xiaoyao Li
2025-09-19 22:32 ` [PATCH v16 22/51] KVM: x86/mmu: Pretty print PK, SS, and SGX flags in MMU tracepoints Sean Christopherson
2025-09-22 7:18 ` Binbin Wu
2025-09-22 16:18 ` Sean Christopherson
2025-09-23 14:46 ` Xiaoyao Li
2025-09-19 22:32 ` [PATCH v16 23/51] KVM: x86: Allow setting CR4.CET if IBT or SHSTK is supported Sean Christopherson
2025-09-22 7:25 ` Binbin Wu
2025-09-23 14:46 ` Xiaoyao Li
2025-09-19 22:32 ` [PATCH v16 24/51] KVM: nVMX: Always forward XSAVES/XRSTORS exits from L2 to L1 Sean Christopherson
2025-09-23 8:15 ` Chao Gao
2025-09-23 14:49 ` Xiaoyao Li
2025-09-19 22:32 ` [PATCH v16 25/51] KVM: x86: Add XSS support for CET_KERNEL and CET_USER Sean Christopherson
2025-09-22 7:31 ` Binbin Wu
2025-09-23 14:55 ` Xiaoyao Li
2025-09-19 22:32 ` [PATCH v16 26/51] KVM: x86: Disable support for Shadow Stacks if TDP is disabled Sean Christopherson
2025-09-22 7:45 ` Binbin Wu
2025-09-23 14:56 ` Xiaoyao Li
2025-09-19 22:32 ` [PATCH v16 27/51] KVM: x86: Disable support for IBT and SHSTK if allow_smaller_maxphyaddr is true Sean Christopherson
2025-09-22 8:00 ` Binbin Wu
2025-09-22 18:40 ` Sean Christopherson
2025-09-23 14:44 ` Xiaoyao Li
2025-09-23 15:04 ` Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 28/51] KVM: x86: Enable CET virtualization for VMX and advertise to userspace Sean Christopherson
2025-09-22 8:06 ` Binbin Wu
2025-09-23 14:57 ` Xiaoyao Li
2025-09-19 22:32 ` [PATCH v16 29/51] KVM: VMX: Configure nested capabilities after CPU capabilities Sean Christopherson
2025-09-23 2:37 ` Chao Gao
2025-09-23 16:24 ` Sean Christopherson
2025-09-23 16:49 ` Xin Li
2025-09-19 22:32 ` [PATCH v16 30/51] KVM: nVMX: Virtualize NO_HW_ERROR_CODE_CC for L1 event injection to L2 Sean Christopherson
2025-09-22 8:37 ` Binbin Wu
2025-09-19 22:32 ` [PATCH v16 31/51] KVM: nVMX: Prepare for enabling CET support for nested guest Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 32/51] KVM: nVMX: Add consistency checks for CR0.WP and CR4.CET Sean Christopherson
2025-09-22 8:47 ` Binbin Wu
2025-09-19 22:32 ` [PATCH v16 33/51] KVM: nVMX: Add consistency checks for CET states Sean Christopherson
2025-09-22 9:23 ` Binbin Wu
2025-09-22 16:35 ` Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 34/51] KVM: nVMX: Advertise new VM-Entry/Exit control bits for CET state Sean Christopherson
2025-09-23 2:43 ` Chao Gao
2025-09-23 16:28 ` Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 35/51] KVM: SVM: Emulate reads and writes to shadow stack MSRs Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 36/51] KVM: nSVM: Save/load CET Shadow Stack state to/from vmcb12/vmcb02 Sean Christopherson
2025-10-28 22:23 ` Yosry Ahmed
2025-12-09 0:48 ` Yosry Ahmed
2025-09-19 22:32 ` [PATCH v16 37/51] KVM: SVM: Update dump_vmcb with shadow stack save area additions Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 38/51] KVM: SVM: Pass through shadow stack MSRs as appropriate Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 39/51] KVM: SEV: Synchronize MSR_IA32_XSS from the GHCB when it's valid Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 40/51] KVM: SVM: Enable shadow stack virtualization for SVM Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 41/51] KVM: x86: Add human friendly formatting for #XM, and #VE Sean Christopherson
2025-09-22 8:29 ` Binbin Wu
2025-09-19 22:32 ` [PATCH v16 42/51] KVM: x86: Define Control Protection Exception (#CP) vector Sean Christopherson
2025-09-22 8:29 ` Binbin Wu
2025-09-19 22:32 ` [PATCH v16 43/51] KVM: x86: Define AMD's #HV, #VC, and #SX exception vectors Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 44/51] KVM: selftests: Add ex_str() to print human friendly name of " Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 45/51] KVM: selftests: Add an MSR test to exercise guest/host and read/write Sean Christopherson
2025-09-23 8:03 ` Chao Gao
2025-09-23 16:51 ` Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 46/51] KVM: selftests: Add support for MSR_IA32_{S,U}_CET to MSRs test Sean Christopherson
2025-09-23 7:12 ` Chao Gao
2025-09-19 22:32 ` [PATCH v16 47/51] KVM: selftests: Extend MSRs test to validate vCPUs without supported features Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 48/51] KVM: selftests: Add KVM_{G,S}ET_ONE_REG coverage to MSRs test Sean Christopherson
2025-09-23 6:52 ` Chao Gao
2025-09-19 22:32 ` [PATCH v16 49/51] KVM: selftests: Add coverate for KVM-defined registers in " Sean Christopherson
2025-09-23 6:31 ` Chao Gao
2025-09-23 16:59 ` Sean Christopherson
2025-09-19 22:32 ` [PATCH v16 50/51] KVM: selftests: Verify MSRs are (not) in save/restore list when (un)supported Sean Christopherson
2025-09-23 6:46 ` Chao Gao
2025-09-23 17:02 ` Sean Christopherson
2025-09-19 22:32 ` Sean Christopherson [this message]
2025-09-22 8:34 ` [PATCH v16 51/51] KVM: VMX: Make CR4.CET a guest owned bit Binbin Wu
2025-09-24 14:32 ` [PATCH v16 00/51] KVM: x86: Super Mega CET Chao Gao
2025-09-24 18:07 ` Sean Christopherson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250919223258.1604852-52-seanjc@google.com \
--to=seanjc@google.com \
--cc=binbin.wu@linux.intel.com \
--cc=chao.gao@intel.com \
--cc=john.allen@amd.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=minipli@grsecurity.net \
--cc=mlevitsk@redhat.com \
--cc=pbonzini@redhat.com \
--cc=rick.p.edgecombe@intel.com \
--cc=thomas.lendacky@amd.com \
--cc=xiaoyao.li@intel.com \
--cc=xin@zytor.com \
--cc=yi.z.zhang@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox