From: Sean Christopherson <seanjc@google.com>
To: Weijiang Yang <weijiang.yang@intel.com>
Cc: pbonzini@redhat.com, kvm@vger.kernel.org,
linux-kernel@vger.kernel.org, peterz@infradead.org,
rppt@kernel.org, binbin.wu@linux.intel.com,
rick.p.edgecombe@intel.com, john.allen@amd.com,
Chao Gao <chao.gao@intel.com>
Subject: Re: [PATCH v3 00/21] Enable CET Virtualization
Date: Wed, 19 Jul 2023 12:41:47 -0700 [thread overview]
Message-ID: <ZLg8ezG/XrZH+KGD@google.com> (raw)
In-Reply-To: <e44a9a1a-0826-dfa7-4bd9-a11e5790d162@intel.com>
On Mon, Jul 17, 2023, Weijiang Yang wrote:
>
> On 6/24/2023 4:51 AM, Sean Christopherson wrote:
> > > 1) Add Supervisor Shadow Stack state support (i.e., XSS.bit12(CET_S)) into
> > > kernel so that host can support guest Supervisor Shadow Stack MSRs in g/h FPU
> > > context switch.
> > If that's necessary for correct functionality, yes.
...
> the Pros:
>  - Super easy to implement for KVM.
>  - Automatically avoids saving and restoring this data when the vmexit
>    is handled within KVM.
>
> the Cons:
>  - Unnecessarily restores XFEATURE_CET_KERNEL when switching to
>    non-KVM task's userspace.
>  - Forces allocating space for this state on all tasks, whether or not
>    they use KVM, and with likely zero users today and the near future.
>  - Complicates the FPU optimization thinking by including things that
>    can have no effect on userspace in the FPU
>
> Given above reasons, I implemented guest CET supervisor states management
> in KVM instead of adding a kernel patch for it.
>
> Below are 3 KVM patches to support it:
>
> Patch 1: Save/reload guest CET supervisor states when necessary:
>
> =======================================================================
>
> commit 16147ede75dee29583b7d42a6621d10d55b63595
> Author: Yang Weijiang <weijiang.yang@intel.com>
> Date:   Tue Jul 11 02:26:17 2023 -0400
>
>     KVM:x86: Make guest supervisor states as non-XSAVE managed
>
>     Save and reload guest CET supervisor states, i.e., PL{0,1,2}_SSP,
>     when vCPU context is being swapped before and after userspace
>     <->kernel entry, also do the same operation when vCPU is sched-in
>     or sched-out.
...
> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> index e2c549f147a5..7d9cfb7e2fe8 100644
> --- a/arch/x86/kvm/x86.c
> +++ b/arch/x86/kvm/x86.c
> @@ -11212,6 +11212,31 @@ static void kvm_put_guest_fpu(struct kvm_vcpu
> *vcpu)
> ������� trace_kvm_fpu(0);
> �}
>
> +static void kvm_save_cet_supervisor_ssp(struct kvm_vcpu *vcpu)
> +{
> +������ preempt_disable();
> +������ if (unlikely(guest_can_use(vcpu, X86_FEATURE_SHSTK))) {
> +�������������� rdmsrl(MSR_IA32_PL0_SSP, vcpu->arch.cet_s_ssp[0]);
> +�������������� rdmsrl(MSR_IA32_PL1_SSP, vcpu->arch.cet_s_ssp[1]);
> +�������������� rdmsrl(MSR_IA32_PL2_SSP, vcpu->arch.cet_s_ssp[2]);
> +�������������� wrmsrl(MSR_IA32_PL0_SSP, 0);
> +�������������� wrmsrl(MSR_IA32_PL1_SSP, 0);
> +�������������� wrmsrl(MSR_IA32_PL2_SSP, 0);
> +������ }
> +������ preempt_enable();
> +}
> +
> +static void kvm_reload_cet_supervisor_ssp(struct kvm_vcpu *vcpu)
> +{
> +������ preempt_disable();
> +������ if (unlikely(guest_can_use(vcpu, X86_FEATURE_SHSTK))) {
> +�������������� wrmsrl(MSR_IA32_PL0_SSP, vcpu->arch.cet_s_ssp[0]);
> +�������������� wrmsrl(MSR_IA32_PL1_SSP, vcpu->arch.cet_s_ssp[1]);
> +�������������� wrmsrl(MSR_IA32_PL2_SSP, vcpu->arch.cet_s_ssp[2]);
> +������ }
> +������ preempt_enable();
> +}
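Review bot: both helpers touch all three of MSR_IA32_PL0_SSP, PL1_SSP and PL2_SSP on every save and reload (three RDMSRs plus three zeroing WRMSRs in kvm_save_cet_supervisor_ssp(), three WRMSRs in kvm_reload_cet_supervisor_ssp()), which is a lot of serializing MSR traffic per context switch for state the host never consumes at CPL1/CPL2; restricting the eager path to PL0_SSP, or deferring it through the user-return-MSR machinery, would cut that down. The `unlikely(guest_can_use(vcpu, X86_FEATURE_SHSTK))` hint is also backwards on a host that actually exposes SHSTK, where that branch is the common case. Separately, neither the commit message nor the hunk says why the MSRs are cleared to 0 after being saved, and the hunk shows only the two static helpers while the commit message promises save/reload around userspace<->kernel entry and sched-in/sched-out; the call sites that make that true are not visible here, so a reviewer cannot confirm from this hunk alone when the guest values are live on the host.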
My understanding is that PL[0-2]_SSP are used only on transitions to the
corresponding privilege level from a *different* privilege level. That means
KVM should be able to utilize the user_return_msr framework to load the host
values. Though if Linux ever supports SSS, I'm guessing the core kernel will
have some sort of mechanism to defer loading MSR_IA32_PL0_SSP until an exit to
userspace, e.g. to avoid having to write PL0_SSP, which will presumably be
per-task, on every context switch.

But note my original wording: **If that's necessary**

If nothing in the host ever consumes those MSRs, i.e. if SSS is NOT enabled in
IA32_S_CET, then running host stuff with guest values should be ok. KVM only
needs to guarantee that it doesn't leak values between guests. But that should
Just Work, e.g. KVM should load the new vCPU's values if SHSTK is exposed to the
guest, and intercept (to inject #GP) if SHSTK is not exposed to the guest.

And regardless of what mechanism ends up managing the SSP MSRs, it should only
ever touch PL0_SSP, because Linux never runs anything at CPL1 or CPL2, i.e. will
never consume PL{1,2}_SSP.

Am I missing something?
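As an added example that is not part of the thread or of the patch: a user-space C model of the user_return_msr-style handling of PL0_SSP that the reply argues for, showing a vCPU's value loaded only when SHSTK is exposed to it, the host value captured once and restored lazily on return to userspace, and a guest without SHSTK fenced off by interception rather than by whatever the MSR happens to hold. The MSR is a plain variable, and every name here (struct vcpu, pl0_slot, the functions) is hypothetical; kvm_set_user_return_msr() and kvm_on_user_return() are named in comments only as the real KVM counterparts being imitated.

```c
#include <stdbool.h>
#include <stdint.h>

/* MSR_IA32_PL0_SSP modelled as a plain variable (per-CPU on real hardware). */
static uint64_t msr_pl0_ssp;

struct vcpu {
    bool shstk_exposed;      /* SHSTK advertised in the guest's CPUID */
    uint64_t guest_pl0_ssp;  /* the vCPU's own PL0_SSP, kept in vcpu state */
};

/* user_return_msr-style slot: host value captured once, restored lazily. */
static struct { uint64_t host; bool guest_live; } pl0_slot;

static uint64_t read_pl0_ssp(void) { return msr_pl0_ssp; }
static void host_write_pl0_ssp(uint64_t v) { msr_pl0_ssp = v; }

/* Before VM-entry: load this vCPU's value, as kvm_set_user_return_msr() would. */
static void vcpu_load_pl0_ssp(const struct vcpu *v)
{
    if (!v->shstk_exposed)
        return;                          /* nothing loaded; MSR stays intercepted */
    if (!pl0_slot.guest_live) {
        pl0_slot.host = msr_pl0_ssp;     /* remember the host value exactly once */
        pl0_slot.guest_live = true;
    }
    if (msr_pl0_ssp != v->guest_pl0_ssp)
        msr_pl0_ssp = v->guest_pl0_ssp;  /* skip the WRMSR when unchanged */
}

/* On return to userspace (cf. kvm_on_user_return()): put the host value back. */
static void on_user_return(void)
{
    if (pl0_slot.guest_live) {
        msr_pl0_ssp = pl0_slot.host;
        pl0_slot.guest_live = false;
    }
}

/* Guest RDMSR of PL0_SSP: 0 on success, -1 when KVM intercepts and injects #GP
 * because SHSTK is not exposed; that interception is what prevents a leak. */
static int guest_rdmsr_pl0_ssp(const struct vcpu *v, uint64_t *out)
{
    if (!v->shstk_exposed)
        return -1;
    *out = read_pl0_ssp();
    return 0;
}
```

Switching from one SHSTK-enabled vCPU to another overwrites the MSR with the new vCPU's value, so the previous guest's value is never observable, and a vCPU without SHSTK never gets a successful RDMSR at all.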