From nobody Sun Oct  5 00:09:20 2025
Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.19])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5C6282E9EC0;
	Tue, 12 Aug 2025 02:56:42 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=198.175.65.19
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1754967403; cv=none;
 b=NwOcYawEBa8I8MYGj8vj1i/rDbR3tn6ccuLm2zbiYOR7iQwFyj33qnwa168RwRpfJMETBR5hy7LYIevUH/h83FudlC8aum5IeioUUpP2lzo6nhCntGkOcXM5ijPv5I+dk5uJES8GvdslNjEjyBsU1liBacWU7B5JGEty2DUNbhY=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1754967403; c=relaxed/simple;
	bh=28wdc2OVznvO/ghyvXwa1i1yEnJdtEDjNmhzmOLkpaY=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=H0yQGWFnGnNq7IQ72hYjXGFvFHmKVe0btK69dd0h1QAeyerqSabyMbGqIHYqVJmo5dH3YX89/fkIxc3QqRboyCKV1XUvjvIhLg5otVsKYMJnyYWwDfnC8HHZroLLhaE8XlrISjyFPl3sFDG9s8hxgLrF7E08VTMaxWPpsuE63ug=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com;
 spf=pass smtp.mailfrom=intel.com;
 dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b=VdJCfvs1; arc=none smtp.client-ip=198.175.65.19
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=intel.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=intel.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
 header.b="VdJCfvs1"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1754967402; x=1786503402;
  h=from:to:cc:subject:date:message-id:in-reply-to:
   references:mime-version:content-transfer-encoding;
  bh=28wdc2OVznvO/ghyvXwa1i1yEnJdtEDjNmhzmOLkpaY=;
  b=VdJCfvs1yTWXPOWgQgQb38DXnVcDXLYvuZB7iHxIxFVVH2GBZVER8mfL
   ENB1LEATYVPnfNNHDlMK4N7CPKf73FhsTpTuZaNUNx+Ai0GycT4WKh6HT
   yRZJ2hvZLfaUIu9fU2bPCQCSTZ0C//FBFYAAyU6Tkd460lFX6RVn9/wyK
   aMnBN4fwYI2oEYha6yW6rHTFYYxiVbHGd8CBVu5OIyVG756xXs3opp00z
   ijP7/xVWakIOqV8Tm63YGLomeivXtg92jtfN106GLFYn+RrkVAHXbWl7i
   elnE+nx2r0PzWAlIq+212pSHUsGhiQ/36Xhh15KCQ70ym3ZBg4qdRPp58
   g==;
X-CSE-ConnectionGUID: lTEIpHgJRrWo0t3+vuO6qw==
X-CSE-MsgGUID: poO5P4eQS4GypyX9WMln9A==
X-IronPort-AV: E=McAfee;i="6800,10657,11518"; a="57100659"
X-IronPort-AV: E=Sophos;i="6.17,284,1747724400";
   d="scan'208";a="57100659"
Received: from fmviesa004.fm.intel.com ([10.60.135.144])
  by orvoesa111.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 11 Aug 2025 19:56:42 -0700
X-CSE-ConnectionGUID: ycQCYsuXQYeAPPPCZ2/kqQ==
X-CSE-MsgGUID: JDI38Bv3QGyiyZ9o448JYg==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="6.17,284,1747724400";
   d="scan'208";a="171321373"
Received: from 984fee019967.jf.intel.com ([10.165.54.94])
  by fmviesa004-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 11 Aug 2025 19:56:42 -0700
From: Chao Gao <chao.gao@intel.com>
To: kvm@vger.kernel.org,
	linux-kernel@vger.kernel.org
Cc: mlevitsk@redhat.com,
	rick.p.edgecombe@intel.com,
	weijiang.yang@intel.com,
	xin@zytor.com,
	Chao Gao <chao.gao@intel.com>,
	Mathias Krause <minipli@grsecurity.net>,
	John Allen <john.allen@amd.com>,
	Sean Christopherson <seanjc@google.com>,
	Paolo Bonzini <pbonzini@redhat.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>,
	Borislav Petkov <bp@alien8.de>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	x86@kernel.org,
	"H. Peter Anvin" <hpa@zytor.com>
Subject: [PATCH v12 23/24] KVM: nVMX: Add consistency checks for CR0.WP and
 CR4.CET
Date: Mon, 11 Aug 2025 19:55:31 -0700
Message-ID: <20250812025606.74625-24-chao.gao@intel.com>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250812025606.74625-1-chao.gao@intel.com>
References: <20250812025606.74625-1-chao.gao@intel.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Add consistency checks for CR4.CET and CR0.WP in guest-state or host-state
area in the VMCS12. This ensures that configurations with CR4.CET set and
CR0.WP not set result in VM-entry failure, aligning with architectural
behavior.

Tested-by: Mathias Krause <minipli@grsecurity.net>
Tested-by: John Allen <john.allen@amd.com>
Signed-off-by: Chao Gao <chao.gao@intel.com>
---
 arch/x86/kvm/vmx/nested.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
index f20f205c6560..47e413e56764 100644
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -3114,6 +3114,9 @@ static int nested_vmx_check_host_state(struct kvm_vcp=
u *vcpu,
 	    CC(!kvm_vcpu_is_legal_cr3(vcpu, vmcs12->host_cr3)))
 		return -EINVAL;
=20
+	if (CC(vmcs12->host_cr4 & X86_CR4_CET && !(vmcs12->host_cr0 & X86_CR0_WP)=
))
+		return -EINVAL;
+
 	if (CC(is_noncanonical_msr_address(vmcs12->host_ia32_sysenter_esp, vcpu))=
 ||
 	    CC(is_noncanonical_msr_address(vmcs12->host_ia32_sysenter_eip, vcpu)))
 		return -EINVAL;
@@ -3228,6 +3231,9 @@ static int nested_vmx_check_guest_state(struct kvm_vc=
pu *vcpu,
 	    CC(!nested_guest_cr4_valid(vcpu, vmcs12->guest_cr4)))
 		return -EINVAL;
=20
+	if (CC(vmcs12->guest_cr4 & X86_CR4_CET && !(vmcs12->guest_cr0 & X86_CR0_W=
P)))
+		return -EINVAL;
+
 	if ((vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS) &&
 	    (CC(!kvm_dr7_valid(vmcs12->guest_dr7)) ||
 	     CC(!vmx_is_valid_debugctl(vcpu, vmcs12->guest_ia32_debugctl, false))=
))
--=20
2.47.1