From: Sean Christopherson <seanjc@google.com>
To: John Allen <john.allen@amd.com>, g@google.com
Cc: Weijiang Yang <weijiang.yang@intel.com>,
"thomas.lendacky@amd.com" <thomas.lendacky@amd.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"kvm@vger.kernel.org" <kvm@vger.kernel.org>,
"pbonzini@redhat.com" <pbonzini@redhat.com>,
"x86@kernel.org" <x86@kernel.org>, Borislav Petkov <bp@alien8.de>,
Rick Edgecombe <rick.p.edgecombe@intel.com>
Subject: Re: [RFC PATCH 0/7] SVM guest shadow stack support
Date: Thu, 30 Mar 2023 13:05:27 -0700
Message-ID: <ZCXotrLbDl6JJaVj@google.com>
In-Reply-To: <ZCXnYj3GsoB1Kipo@johallen-workstation.lan>

On Thu, Mar 30, 2023, John Allen wrote:
> On Thu, Mar 30, 2023 at 01:37:38PM +0800, Yang, Weijiang wrote:
> >
> > On 3/29/2023 8:16 AM, Yang, Weijiang wrote:
> > > > Now that the baremetal series has been accepted, how do we want to
> > > > proceed? I think I'd like to send a refreshed version based on the
> > > > version that was accepted, but I'd want to wait to base it on a new
> > > > version of Weijiang's kvm/vmx series (if one is planned).
> >
> > Patch 1/7 did what I wanted to implement to support AMD SHSTK, my next
> > version will continue refactoring them in vmx scope, then your series may
> > pick up the helper and modify accordingly.
> >
> > Please note, in my series, I removed check for MSR_IA32_PL{0,1,2}_SSP since
> > they're not supported right now, but your series supports the MSRs, so
> > you have to change the helper a bit to adapt to your patches.
>
> The reason we decided to include the PL{0,1,2}_SSP MSRs is that even
> though linux doesn't support supervisor shadow stack, a non-linux guest
> OS might support it and could make use of the MSRs. It could be
> something the vmx patches might want to account for as well

And emulating/virtualizing those MSRs is mandatory unless KVM can hide those MSRs
without violating the architecture (been a while since I looked at CET). If the
architecture does allow enumerating support for userspace but not supervisor, then
ideally the two would be enabled separately in KVM, e.g. so that if one is
completely busted, we might be able to precisely revert only the broken code.