From: Sean Christopherson <seanjc@google.com>
To: Xiaoyao Li <xiaoyao.li@intel.com>
Cc: Chao Gao <chao.gao@intel.com>,
kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
acme@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com,
hpa@zytor.com, john.allen@amd.com, mingo@kernel.org,
mingo@redhat.com, minipli@grsecurity.net, mlevitsk@redhat.com,
namhyung@kernel.org, pbonzini@redhat.com, prsampat@amd.com,
rick.p.edgecombe@intel.com, shuah@kernel.org,
tglx@linutronix.de, weijiang.yang@intel.com, x86@kernel.org,
xin@zytor.com
Subject: Re: [PATCH v14 15/22] KVM: x86: Don't emulate instructions guarded by CET
Date: Fri, 12 Sep 2025 07:37:19 -0700 [thread overview]
Message-ID: <aMQwH8UZQoU90LBr@google.com> (raw)
In-Reply-To: <ac7eb055-a3a2-479c-8d21-4ebc262be93b@intel.com>
On Fri, Sep 12, 2025, Xiaoyao Li wrote:
> On 9/11/2025 6:42 PM, Chao Gao wrote:
> > > > @@ -4941,6 +4947,24 @@ int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len, int
> > > > if (ctxt->d == 0)
> > > > return EMULATION_FAILED;
> > > > + if (ctxt->ops->get_cr(ctxt, 4) & X86_CR4_CET) {
> > > > + u64 u_cet, s_cet;
> > > > + bool stop_em;
> > > > +
> > > > + if (ctxt->ops->get_msr(ctxt, MSR_IA32_U_CET, &u_cet) ||
> > > > + ctxt->ops->get_msr(ctxt, MSR_IA32_S_CET, &s_cet))
> > > > + return EMULATION_FAILED;
> > > > +
> > > > + stop_em = ((u_cet & CET_SHSTK_EN) || (s_cet & CET_SHSTK_EN)) &&
> > > > + (opcode.flags & ShadowStack);
> > > > +
> > > > + stop_em |= ((u_cet & CET_ENDBR_EN) || (s_cet & CET_ENDBR_EN)) &&
> > > > + (opcode.flags & IndirBrnTrk);
> > >
> > > Why don't check CPL here? Just for simplicity?
> >
> > I think so. This is a corner case and we don't want to make it very precise
Checking CPL here would not make the code more complex, e.g. naively it could be
something like:
u64 cet;
int r;
if (ctxt->ops->cpl(ctxt) == 3)
r = ctxt->ops->get_msr(ctxt, MSR_IA32_U_CET, &cet);
else
r = ctxt->ops->get_msr(ctxt, MSR_IA32_S_CET, &cet);
if (r)
return EMULATION_FAILED;
if (cet & CET_SHSTK_EN && opcode.flags & ShadowStack)
return EMULATION_FAILED;
if (cet & CET_ENDBR_EN && opcode.flags & IndirBrnTrk)
return EMULATION_FAILED;
> > (and thus complex). The reason is that no one had a strong opinion on whether
> > to do the CPL check or not. I asked the same question before [*], but I don't
> > have a strong opinion on this either.
>
> I'm OK with it.
I have a strong opinion. :-)
KVM must NOT check CPL, because inter-privilege level transfers could trigger
CET emulation and both levels. E.g. a FAR CALL will be affected by both shadow
stacks and IBT at the target privilege level.
So this need more than just a changelog blurb, it needs a comment. The code
can also be cleaned up and optimized. Reading CR4 and two MSRs (via indirect
calls, i.e. potential retpolines) is wasteful for the vast majority of instructions,
and gathering "stop emulation" into a local variable when a positive test is fatal
is pointless.
/*
* Reject emulation if KVM might need to emulate shadow stack updates
* and/or indirect branch tracking enforcement, which the emulator
* doesn't support. Deliberately don't check CPL as inter-privilege
* level transfers can trigger emulation at both privilege levels, and
* the expectation is that the guest will not require emulation of any
* CET-affected instructions at any privilege level.
*/
if (opcode.flags & (ShadowStack | IndirBrnTrk) &&
ctxt->ops->get_cr(ctxt, 4) & X86_CR4_CET) {
u64 u_cet, s_cet;
if (ctxt->ops->get_msr(ctxt, MSR_IA32_U_CET, &u_cet) ||
ctxt->ops->get_msr(ctxt, MSR_IA32_S_CET, &s_cet))
return EMULATION_FAILED;
if ((u_cet | s_cet) & CET_SHSTK_EN && opcode.flags & ShadowStack)
return EMULATION_FAILED;
if ((u_cet | s_cet) & CET_ENDBR_EN && opcode.flags & IndirBrnTrk)
return EMULATION_FAILED;
}
next prev parent reply other threads:[~2025-09-12 14:37 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-09 9:39 [PATCH v14 00/22] Enable CET Virtualization Chao Gao
2025-09-09 9:39 ` [PATCH v14 01/22] KVM: x86: Introduce KVM_{G,S}ET_ONE_REG uAPIs support Chao Gao
2025-09-10 9:03 ` Xiaoyao Li
2025-09-10 17:17 ` Sean Christopherson
2025-09-10 17:35 ` Sean Christopherson
2025-09-09 9:39 ` [PATCH v14 02/22] KVM: x86: Report XSS as to-be-saved if there are supported features Chao Gao
2025-09-11 6:52 ` Binbin Wu
2025-09-09 9:39 ` [PATCH v14 03/22] KVM: x86: Check XSS validity against guest CPUIDs Chao Gao
2025-09-10 9:22 ` Xiaoyao Li
2025-09-10 11:33 ` Chao Gao
2025-09-10 18:47 ` Sean Christopherson
2025-09-09 9:39 ` [PATCH v14 04/22] KVM: x86: Refresh CPUID on write to guest MSR_IA32_XSS Chao Gao
2025-09-10 9:23 ` Xiaoyao Li
2025-09-11 7:02 ` Binbin Wu
2025-09-09 9:39 ` [PATCH v14 05/22] KVM: x86: Initialize kvm_caps.supported_xss Chao Gao
2025-09-10 9:36 ` Xiaoyao Li
2025-09-09 9:39 ` [PATCH v14 06/22] KVM: x86: Load guest FPU state when access XSAVE-managed MSRs Chao Gao
2025-09-10 9:37 ` Xiaoyao Li
2025-09-10 11:18 ` Chao Gao
2025-09-10 13:46 ` Xiaoyao Li
2025-09-10 15:24 ` Chao Gao
2025-09-10 17:50 ` Sean Christopherson
2025-09-09 9:39 ` [PATCH v14 07/22] KVM: x86: Add fault checks for guest CR4.CET setting Chao Gao
2025-09-10 9:38 ` Xiaoyao Li
2025-09-09 9:39 ` [PATCH v14 08/22] KVM: x86: Report KVM supported CET MSRs as to-be-saved Chao Gao
2025-09-09 9:39 ` [PATCH v14 09/22] KVM: VMX: Introduce CET VMCS fields and control bits Chao Gao
2025-09-09 9:39 ` [PATCH v14 10/22] KVM: x86: Enable guest SSP read/write interface with new uAPIs Chao Gao
2025-09-09 9:39 ` [PATCH v14 11/22] KVM: VMX: Emulate read and write to CET MSRs Chao Gao
2025-09-11 8:05 ` Xiaoyao Li
2025-09-11 9:02 ` Chao Gao
2025-09-11 20:24 ` Sean Christopherson
2025-09-09 9:39 ` [PATCH v14 12/22] KVM: x86: Save and reload SSP to/from SMRAM Chao Gao
2025-09-09 9:39 ` [PATCH v14 13/22] KVM: VMX: Set up interception for CET MSRs Chao Gao
2025-09-09 9:39 ` [PATCH v14 14/22] KVM: VMX: Set host constant supervisor states to VMCS fields Chao Gao
2025-09-12 22:04 ` Sean Christopherson
2025-09-09 9:39 ` [PATCH v14 15/22] KVM: x86: Don't emulate instructions guarded by CET Chao Gao
2025-09-11 9:18 ` Xiaoyao Li
2025-09-11 10:42 ` Chao Gao
2025-09-12 6:23 ` Xiaoyao Li
2025-09-12 14:37 ` Sean Christopherson [this message]
2025-09-12 15:11 ` Sean Christopherson
2025-09-16 14:42 ` Chao Gao
2025-09-12 14:42 ` Sean Christopherson
2025-09-09 9:39 ` [PATCH v14 16/22] KVM: x86: Enable CET virtualization for VMX and advertise to userspace Chao Gao
2025-09-09 9:39 ` [PATCH v14 17/22] KVM: nVMX: Virtualize NO_HW_ERROR_CODE_CC for L1 event injection to L2 Chao Gao
2025-09-09 9:39 ` [PATCH v14 18/22] KVM: nVMX: Prepare for enabling CET support for nested guest Chao Gao
2025-09-09 9:39 ` [PATCH v14 19/22] KVM: nVMX: Add consistency checks for CR0.WP and CR4.CET Chao Gao
2025-09-09 9:39 ` [PATCH v14 20/22] KVM: nVMX: Add consistency checks for CET states Chao Gao
2025-09-09 9:39 ` [PATCH v14 21/22] KVM: nVMX: Advertise new VM-Entry/Exit control bits for CET state Chao Gao
2025-09-09 9:39 ` [PATCH v14 22/22] KVM: selftest: Add tests for KVM_{GET,SET}_ONE_REG Chao Gao
2025-09-10 18:06 ` Sean Christopherson
2025-09-09 9:52 ` [PATCH v14 00/22] Enable CET Virtualization Chao Gao
2025-09-10 18:29 ` Sean Christopherson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aMQwH8UZQoU90LBr@google.com \
--to=seanjc@google.com \
--cc=acme@redhat.com \
--cc=bp@alien8.de \
--cc=chao.gao@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=hpa@zytor.com \
--cc=john.allen@amd.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=mingo@redhat.com \
--cc=minipli@grsecurity.net \
--cc=mlevitsk@redhat.com \
--cc=namhyung@kernel.org \
--cc=pbonzini@redhat.com \
--cc=prsampat@amd.com \
--cc=rick.p.edgecombe@intel.com \
--cc=shuah@kernel.org \
--cc=tglx@linutronix.de \
--cc=weijiang.yang@intel.com \
--cc=x86@kernel.org \
--cc=xiaoyao.li@intel.com \
--cc=xin@zytor.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox