From nobody Thu Oct 2 18:06:25 2025 Received: from mail-pl1-f202.google.com (mail-pl1-f202.google.com [209.85.214.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7BA4D2848A4 for ; Fri, 12 Sep 2025 23:23:27 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.202 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757719410; cv=none; b=oumWMwtImMxfQWjPzxONQNco6g39IVkAC49G191pDLrpI33VfmJn3qREBimEnsuC7AIpdN3fjD1ek20P+BJxhqxeRuLhIz6y0CsVFGrJGk/3jrEoz5Ap3iJunE1Y+Kn8ASwjf4WTW1i6AOc7ywmb1WMvo+2b3E2P4oRi5+iqtI4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757719410; c=relaxed/simple; bh=r7keHhPSl/ZsINgiku4qxCsoIZDRWPCly3Ia9CUnCtM=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=hUIeLTCpn2EwMcH9hHMKqu2s3FvGOrgxcraSjMMQBBSp6PEe2gfHtd8jyo1xIGVOrkQQz/qC7VjrAb+w4hF3J2pVll7MMon3ZmMNZNm0GQQSEqU5FWsUwRjMOKjiXjFRTyY6FOBaGpl1UobpktC0c5CbYV8PLqjJktM9PGpXYfc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=g2Hq5nYv; arc=none smtp.client-ip=209.85.214.202 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="g2Hq5nYv" Received: by mail-pl1-f202.google.com with SMTP id d9443c01a7336-25d449089e8so22390895ad.1 for ; Fri, 12 Sep 2025 16:23:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1757719407; x=1758324207; 
darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:reply-to:from:to:cc:subject:date:message-id:reply-to; bh=2aufua2/8jN63zHyNl5OPd1VmsqwIgjY1xs28jVoYjg=; b=g2Hq5nYvywDPeEOIn39Iar5Z3v5QwMY2Gl+ZWnQUgvyk/JS2udb+Zywb/oWL1O5iN3 cyOQQ9ylLUW/UYgok63vrra0JpDSmF35Tsq4YoNe2Hg16gU76DjxB4VYBPfIoMoFBwTJ 8MKMCDMfQhnkV2pwNwTTR/AUPERDdvvfPvpJXynMAzAQK9o1eejWS75f66rdOz5SJbKA 86OagnMcMJt4L8mMNG676gK5RLPCJ/9DPzxJOevxL5fViwbkZJ2qVN60Oy4hJZk3J/sq MvnCk3VWFW+hfhTfDtgWMBQKER/iPZClH2JYRxnYgERtx4qkYqlzFHuyun6lr8Xgkx69 XLdQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1757719407; x=1758324207; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:reply-to:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=2aufua2/8jN63zHyNl5OPd1VmsqwIgjY1xs28jVoYjg=; b=j5KR+TkAFP8sIvMpvD+0oi9hClF15oL9GXpxzSbzVl82YMXeEgiApmoV6O8LW3LGGQ uxy20jjtyFz42vgKgV4QsiCkfrNp3nwQ963HyzAzvkqbkbS9I6UMmBfnQB7zO/wvTJyj zsOcnNIGQH8AyXw1rjYHFWisDJTBe27XL8KRO9WCg9cT7L5Ym3UpyPvD6baoZe0XIPbv 3bLrReXwTjA/uUwN7JAomep5WaV3TzT5EYjlR2PpPZG8RSPR/5VWqw4nCUTy74bZg3Zh n3hCek3LODSaW0SJj9RntKv7ndMU/Y6C9y0QLAX75PyvOJchx9NRJBRmG2sTsV8/mX77 dgxA== X-Forwarded-Encrypted: i=1; AJvYcCXfNDt54WQ+R4mjZ4aZrlYDEtTnSa671ED+x2CEh8lpwH6O6WFbGOlTLdJZNZV40Qsuox3t4MJMzrIiAZs=@vger.kernel.org X-Gm-Message-State: AOJu0YzZWpR/08yhgU2RFRVWqOq8Z92nr1w603df8C8XlNg3WsEi1e+A bGOHyu7mg6iwDfjQfbsHASl5XzCaYM+p5Xtn7K94YCjv0jVfz85tbHeOuraoUZb3tdpZFO/E21x gZZC5Hw== X-Google-Smtp-Source: AGHT+IHHzgbw/XBQzAtCVBlNqG134UP+Hxy4J40on9uJ3r+AzCZzk5i/NZAmxAjojr+hxUYoGtUH6MD3BAA= X-Received: from plbmu15.prod.google.com ([2002:a17:903:b4f:b0:25c:9927:b204]) (user=seanjc job=prod-delivery.src-stubby-dispatcher) by 2002:a17:902:fc47:b0:246:570:2d9a with SMTP id d9443c01a7336-25d286014e7mr57345885ad.59.1757719406796; Fri, 12 Sep 2025 16:23:26 -0700 (PDT) Reply-To: Sean Christopherson Date: Fri, 12 Sep 2025 16:22:39 -0700 In-Reply-To: 
<20250912232319.429659-1-seanjc@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20250912232319.429659-1-seanjc@google.com> X-Mailer: git-send-email 2.51.0.384.g4c02a37b29-goog Message-ID: <20250912232319.429659-2-seanjc@google.com> Subject: [PATCH v15 01/41] KVM: SEV: Rename kvm_ghcb_get_sw_exit_code() to kvm_get_cached_sw_exit_code() From: Sean Christopherson To: Paolo Bonzini , Sean Christopherson Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky , Mathias Krause , John Allen , Rick Edgecombe , Chao Gao , Maxim Levitsky , Xiaoyao Li , Zhang Yi Z Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Rename kvm_ghcb_get_sw_exit_code() to kvm_get_cached_sw_exit_code() to make it clear that KVM is getting the cached value, not reading directly from the guest-controlled GHCB. More importantly, vacating kvm_ghcb_get_sw_exit_code() will allow adding a KVM-specific macro-built kvm_ghcb_get_##field() helper to read values from the GHCB. No functional change intended. Signed-off-by: Sean Christopherson Reviewed-by: Tom Lendacky --- arch/x86/kvm/svm/sev.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 2fdd2e478a97..fe8d148b76c0 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -3216,7 +3216,7 @@ void sev_free_vcpu(struct kvm_vcpu *vcpu) kvfree(svm->sev_es.ghcb_sa); } =20 -static u64 kvm_ghcb_get_sw_exit_code(struct vmcb_control_area *control) +static u64 kvm_get_cached_sw_exit_code(struct vmcb_control_area *control) { return (((u64)control->exit_code_hi) << 32) | control->exit_code; } 
@@ -3242,7 +3242,7 @@ static void dump_ghcb(struct vcpu_svm *svm) */ pr_err("GHCB (GPA=3D%016llx) snapshot:\n", svm->vmcb->control.ghcb_gpa); pr_err("%-20s%016llx is_valid: %u\n", "sw_exit_code", - kvm_ghcb_get_sw_exit_code(control), kvm_ghcb_sw_exit_code_is_valid= (svm)); + kvm_get_cached_sw_exit_code(control), kvm_ghcb_sw_exit_code_is_val= id(svm)); pr_err("%-20s%016llx is_valid: %u\n", "sw_exit_info_1", control->exit_info_1, kvm_ghcb_sw_exit_info_1_is_valid(svm)); pr_err("%-20s%016llx is_valid: %u\n", "sw_exit_info_2", @@ -3331,7 +3331,7 @@ static int sev_es_validate_vmgexit(struct vcpu_svm *s= vm) * Retrieve the exit code now even though it may not be marked valid * as it could help with debugging. */ - exit_code =3D kvm_ghcb_get_sw_exit_code(control); + exit_code =3D kvm_get_cached_sw_exit_code(control); =20 /* Only GHCB Usage code 0 is supported */ if (svm->sev_es.ghcb->ghcb_usage) { 
@@ -4336,7 +4336,7 @@ int sev_handle_vmgexit(struct kvm_vcpu *vcpu) =20 svm_vmgexit_success(svm, 0); =20 - exit_code =3D kvm_ghcb_get_sw_exit_code(control); + exit_code =3D kvm_get_cached_sw_exit_code(control); switch (exit_code) { case SVM_VMGEXIT_MMIO_READ: ret =3D setup_vmgexit_scratch(svm, true, control->exit_info_2); --=20 2.51.0.384.g4c02a37b29-goog From nobody Thu Oct 2 18:06:25 2025 Received: from mail-pj1-f74.google.com (mail-pj1-f74.google.com [209.85.216.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 120E0285073 for ; Fri, 12 Sep 2025 23:23:28 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.74 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757719410; cv=none; b=ntSTaYOsnDvIESKFLEp1KzF7whO4RKA9s1OjDFmQuvnZDEaChZzJUnn7UrDKOQH+nqv4w+pGF24VdEq0TylBuVyVNrSr2TMbHB4tY3RbHApf1JyIJJA4BOR3z6JDMHRaFEkLAOPV15knA5MnD4jNyiPKn6DXiLVTEGFjIGijVfY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757719410; c=relaxed/simple; bh=RfnrgBKDc/OWIfYX9gHpCwT3SRJavCRaCXwq1r24noI=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=gtI+0LvDfzHGnUYmUpYfedfLSGeO2snGokrX7jrqZnaVXobA1wSFe2hHzHAm9s5vMezFBvLSVFwZLw1XMv2tR/q5X7VhWWJNLDOTvnXVnXk/YKlKsrwMrhQVbaPjKbozLsgCsCXQMvk4rBI9SpQ+VTkKVKHP4NjXo76SQTyTCGM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=kGFKMnVB; arc=none smtp.client-ip=209.85.216.74 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com Authentication-Results: 
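Review bot: the -3216 hunk renames the helper but still leaves it without a comment, so the property the rename is meant to convey (it reads the copy KVM made in vmcb control, not the guest-writable GHCB) lives only in the changelog; a one-line comment above `static u64 kvm_get_cached_sw_exit_code(struct vmcb_control_area *control)` saying that the value is the exit code cached from the GHCB by sev_es_sync_from_ghcb() would make that distinction survive for the next reader who is tempted to reach for the GHCB directly.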

pjh11.prod.google.com ([2002:a17:90b:3f8b:b0:327:dcfb:4ee1]) (user=seanjc job=prod-delivery.src-stubby-dispatcher) by 2002:a17:903:1986:b0:249:1234:9f7c with SMTP id d9443c01a7336-25d2772a4damr41539885ad.60.1757719408305; Fri, 12 Sep 2025 16:23:28 -0700 (PDT) Reply-To: Sean Christopherson Date: Fri, 12 Sep 2025 16:22:40 -0700 In-Reply-To: <20250912232319.429659-1-seanjc@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20250912232319.429659-1-seanjc@google.com> X-Mailer: git-send-email 2.51.0.384.g4c02a37b29-goog Message-ID: <20250912232319.429659-3-seanjc@google.com> Subject: [PATCH v15 02/41] KVM: SEV: Read save fields from GHCB exactly once From: Sean Christopherson To: Paolo Bonzini , Sean Christopherson Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky , Mathias Krause , John Allen , Rick Edgecombe , Chao Gao , Maxim Levitsky , Xiaoyao Li , Zhang Yi Z Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Wrap all reads of GHCB save fields with READ_ONCE() via a KVM-specific GHCB get() utility to help guard against TOCTOU bugs. Using READ_ONCE() doesn't completely prevent such bugs, e.g. doesn't prevent KVM from redoing get() after checking the initial value, but at least addresses all potential TOCTOU issues in the current KVM code base. Opportunistically reduce the indentation of the macro-defined helpers and clean up the alignment. Fixes: 4e15a0ddc3ff ("KVM: SEV: snapshot the GHCB before accessing it") Signed-off-by: Sean Christopherson Reviewed-by: Tom Lendacky --- arch/x86/kvm/svm/sev.c | 8 ++++---- arch/x86/kvm/svm/svm.h | 26 ++++++++++++++++---------- 2 files changed, 20 insertions(+), 14 deletions(-) diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index fe8d148b76c0..37abbda28685 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c 
@@ -3304,16 +3304,16 @@ static void sev_es_sync_from_ghcb(struct vcpu_svm *= svm) svm->vmcb->save.cpl =3D kvm_ghcb_get_cpl_if_valid(svm, ghcb); =20 if (kvm_ghcb_xcr0_is_valid(svm)) { - vcpu->arch.xcr0 =3D ghcb_get_xcr0(ghcb); + vcpu->arch.xcr0 =3D kvm_ghcb_get_xcr0(ghcb); vcpu->arch.cpuid_dynamic_bits_dirty =3D true; } =20 /* Copy the GHCB exit information into the VMCB fields */ - exit_code =3D ghcb_get_sw_exit_code(ghcb); + exit_code =3D kvm_ghcb_get_sw_exit_code(ghcb); control->exit_code =3D lower_32_bits(exit_code); control->exit_code_hi =3D upper_32_bits(exit_code); - control->exit_info_1 =3D ghcb_get_sw_exit_info_1(ghcb); - control->exit_info_2 =3D ghcb_get_sw_exit_info_2(ghcb); + control->exit_info_1 =3D kvm_ghcb_get_sw_exit_info_1(ghcb); + control->exit_info_2 =3D kvm_ghcb_get_sw_exit_info_2(ghcb); svm->sev_es.sw_scratch =3D kvm_ghcb_get_sw_scratch_if_valid(svm, ghcb); =20 /* Clear the valid entries fields */ diff --git a/arch/x86/kvm/svm/svm.h b/arch/x86/kvm/svm/svm.h index 5d39c0b17988..c2316adde3cc 100644 --- a/arch/x86/kvm/svm/svm.h +++ b/arch/x86/kvm/svm/svm.h 
@@ -913,16 +913,22 @@ void __svm_sev_es_vcpu_run(struct vcpu_svm *svm, bool= spec_ctrl_intercepted, void __svm_vcpu_run(struct vcpu_svm *svm, bool spec_ctrl_intercepted); =20 #define DEFINE_KVM_GHCB_ACCESSORS(field) \ - static __always_inline bool kvm_ghcb_##field##_is_valid(const struct vcpu= _svm *svm) \ - { \ - return test_bit(GHCB_BITMAP_IDX(field), \ - (unsigned long *)&svm->sev_es.valid_bitmap); \ - } \ - \ - static __always_inline u64 kvm_ghcb_get_##field##_if_valid(struct vcpu_sv= m *svm, struct ghcb *ghcb) \ - { \ - return kvm_ghcb_##field##_is_valid(svm) ? ghcb->save.field : 0; \ - } \ +static __always_inline u64 kvm_ghcb_get_##field(struct ghcb *ghcb) \ +{ \ + return READ_ONCE(ghcb->save.field); \ +} \ + \ +static __always_inline bool kvm_ghcb_##field##_is_valid(const struct vcpu_= svm *svm) \ +{ \ + return test_bit(GHCB_BITMAP_IDX(field), \ + (unsigned long *)&svm->sev_es.valid_bitmap); \ +} \ + \ +static __always_inline u64 kvm_ghcb_get_##field##_if_valid(struct vcpu_svm= *svm, \ + struct ghcb *ghcb) \ +{ \ + return kvm_ghcb_##field##_is_valid(svm) ? 
kvm_ghcb_get_##field(ghcb) : 0;= \ +} =20 DEFINE_KVM_GHCB_ACCESSORS(cpl) DEFINE_KVM_GHCB_ACCESSORS(rax) --=20 2.51.0.384.g4c02a37b29-goog From nobody Thu Oct 2 18:06:25 2025 Received: from mail-pj1-f73.google.com (mail-pj1-f73.google.com [209.85.216.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DD6E8287514 for ; Fri, 12 Sep 2025 23:23:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.73 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757719412; cv=none; b=KBHTL4yXd8L4J1MCR1jTfVUhjEWM7gwkDGNXIZTCKXCOH4oDCYS8F1EABW/zmVQ7hTWRkQKDJPp9cOtP9TWVaOZj+zbPkqPZRapcP5OWOYTeuZQZH15XXNRKdvH544W/tw9iFR9433DaCcg6WC+jGjJebke7i830o5l6XWar1Ps= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757719412; c=relaxed/simple; bh=JgMtGiipAvsajCHzQDSZlw/ojgwsGzJlvzMoyoDNyyg=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=TplPEEDFmyJK/dgB4pyWi10f+PB+DkfhOFchMtHoUoGcKIsA82dxz+r8Ck5hTEE6sdTw+hr4PNl8BpghkLLcnrj8laWxh19Ejnks91Ffz2S/mCAvatK6+3xn3kN5vby8/ar0y0Q4OAQjfdc3yWzqWQfa2zU4UQB1Bu5+JyxIDWs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=NCh65ll4; arc=none smtp.client-ip=209.85.216.73 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="NCh65ll4" Received: by mail-pj1-f73.google.com with SMTP id 98e67ed59e1d1-32e0b00138cso179213a91.3 for ; Fri, 12 Sep 2025 
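Review bot: in the -3304 hunk the read-once discipline is followed correctly (`exit_code = kvm_ghcb_get_sw_exit_code(ghcb)` goes into a local that is then split with lower_32_bits()/upper_32_bits(), and exit_info_1/exit_info_2 are each read once), but nothing at the call site says this is a requirement; since READ_ONCE() inside the accessor cannot stop a future caller from invoking the getter twice, the existing comment `/* Copy the GHCB exit information into the VMCB fields */` is the natural place to add that each GHCB save field must be read exactly once and only the cached copy used afterwards. The `vcpu->arch.xcr0 = kvm_ghcb_get_xcr0(ghcb)` line still stores an unvalidated guest-supplied value; that is addressed by the next patch in the series.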
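Review bot: in the -913 hunk `kvm_ghcb_get_##field(struct ghcb *ghcb)` only reads, so the parameter can be `const struct ghcb *ghcb`; likewise `kvm_ghcb_get_##field##_if_valid(struct vcpu_svm *svm, struct ghcb *ghcb)` should take `const struct vcpu_svm *svm` for consistency with `kvm_ghcb_##field##_is_valid(const struct vcpu_svm *svm)`, which it calls. A brief comment on the macro explaining why the getter wraps READ_ONCE() (the GHCB is shared with, and writable by, the guest, so the value must be loaded once rather than re-read by the compiler after a validity check) would put the changelog's rationale next to the code.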
2025 16:23:30 -0700 (PDT) Reply-To: Sean Christopherson Date: Fri, 12 Sep 2025 16:22:41 -0700 In-Reply-To: <20250912232319.429659-1-seanjc@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20250912232319.429659-1-seanjc@google.com> X-Mailer: git-send-email 2.51.0.384.g4c02a37b29-goog Message-ID: <20250912232319.429659-4-seanjc@google.com> Subject: [PATCH v15 03/41] KVM: SEV: Validate XCR0 provided by guest in GHCB From: Sean Christopherson To: Paolo Bonzini , Sean Christopherson Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky , Mathias Krause , John Allen , Rick Edgecombe , Chao Gao , Maxim Levitsky , Xiaoyao Li , Zhang Yi Z Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Use __kvm_set_xcr() to propagate XCR0 changes from the GHCB to KVM's software model in order to validate the new XCR0 against KVM's view of the supported XCR0. Allowing garbage is thankfully mostly benign, as kvm_load_{guest,host}_xsave_state() bail early for vCPUs with protected state, xstate_required_size() will simply provide garbage back to the guest, and attempting to save/restore the bad value via KVM_{G,S}ET_XCRS will only harm the guest (setting XCR0 will fail). However, allowing the guest to put junk into a field that KVM assumes is valid is a CVE waiting to happen. And as a bonus, using the proper API eliminates the ugly open coding of setting arch.cpuid_dynamic_bits_dirty. Simply ignore bad values, as either the guest managed to get an unsupported value into hardware, or the guest is misbehaving and providing pure garbage. In either case, KVM can't fix the broken guest. Note, using __kvm_set_xcr() also avoids recomputing dynamic CPUID bits if XCR0 isn't actually changing (relatively to KVM's previous snapshot). Cc: Tom Lendacky Fixes: 291bd20d5d88 ("KVM: SVM: Add initial support for a VMGEXIT VMEXIT") 
Signed-off-by: Sean Christopherson Reviewed-by: Tom Lendacky --- arch/x86/include/asm/kvm_host.h | 1 + arch/x86/kvm/svm/sev.c | 6 ++---- arch/x86/kvm/x86.c | 3 ++- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_hos= t.h index cb86f3cca3e9..2762554cbb7b 100644 --- a/arch/x86/include/asm/kvm_host.h +++ b/arch/x86/include/asm/kvm_host.h @@ -2209,6 +2209,7 @@ int kvm_set_dr(struct kvm_vcpu *vcpu, int dr, unsigne= d long val); unsigned long kvm_get_dr(struct kvm_vcpu *vcpu, int dr); unsigned long kvm_get_cr8(struct kvm_vcpu *vcpu); void kvm_lmsw(struct kvm_vcpu *vcpu, unsigned long msw); +int __kvm_set_xcr(struct kvm_vcpu *vcpu, u32 index, u64 xcr); int kvm_emulate_xsetbv(struct kvm_vcpu *vcpu); =20 int kvm_get_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr); diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 37abbda28685..0cd77a87dd84 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -3303,10 +3303,8 @@ static void sev_es_sync_from_ghcb(struct vcpu_svm *s= vm) =20 svm->vmcb->save.cpl =3D kvm_ghcb_get_cpl_if_valid(svm, ghcb); =20 - if (kvm_ghcb_xcr0_is_valid(svm)) { - vcpu->arch.xcr0 =3D kvm_ghcb_get_xcr0(ghcb); - vcpu->arch.cpuid_dynamic_bits_dirty =3D true; - } + if (kvm_ghcb_xcr0_is_valid(svm)) + __kvm_set_xcr(vcpu, 0, kvm_ghcb_get_xcr0(ghcb)); =20 /* Copy the GHCB exit information into the VMCB fields */ exit_code =3D kvm_ghcb_get_sw_exit_code(ghcb); diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 6d85fbafc679..ba4915456615 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -1235,7 +1235,7 @@ static inline u64 kvm_guest_supported_xfd(struct kvm_= vcpu *vcpu) } #endif =20 -static int __kvm_set_xcr(struct kvm_vcpu *vcpu, u32 index, u64 xcr) +int __kvm_set_xcr(struct kvm_vcpu *vcpu, u32 index, u64 xcr) { u64 xcr0 =3D xcr; u64 old_xcr0 =3D vcpu->arch.xcr0; 
@@ -1279,6 +1279,7 @@ static int __kvm_set_xcr(struct kvm_vcpu *vcpu, u32 i= ndex, u64 xcr) vcpu->arch.cpuid_dynamic_bits_dirty =3D true; return 0; } +EXPORT_SYMBOL_GPL(__kvm_set_xcr); =20 int kvm_emulate_xsetbv(struct kvm_vcpu *vcpu) { --=20 2.51.0.384.g4c02a37b29-goog From nobody Thu Oct 2 18:06:25 2025 Received: from mail-pf1-f202.google.com (mail-pf1-f202.google.com [209.85.210.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A52A028D8DA for ; Fri, 12 Sep 2025 23:23:32 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.202 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757719415; cv=none; b=RBePLx16DARHolu0EkV5j0wOGB9qYer3cM8mWW0T3RoTAXQizu4/3OzMu9T/J4iX+o/44dGkmRIMCYeS4Ws5TfkInAXWAzC4r9DN34aRB6IYfDUP7bV4i4g7cYJxQuvgIE2f2yQRpFB2avQsjvwUBT2SdcHIyvKU77aJ3nw7OjU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757719415; c=relaxed/simple; bh=8KNeILVVZZ/zvV4DMFO7xi28VxqUJj5VlyYtdmaDBg8=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=n6oTIYCB/YSOlk4Y+7c6U1u1vNrYymsfSN7G00PqB1f+OJntTIpGu0bqja7Jj9vmklQywC4qw2eW6xzCCJleCH/OnDFAvmly1wpQuuqKMXY2O06r7PpP4RufiintkUlFymFeuICCpawDGQXc1IXaPtb0NdBMyRo4RXAzQje0iJk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=fKXjEO1I; arc=none smtp.client-ip=209.85.210.202 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com 
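Review bot: in the -3303 hunk the return value of `__kvm_set_xcr(vcpu, 0, kvm_ghcb_get_xcr0(ghcb))` is discarded without comment; the reasoning that a rejected XCR0 means the guest is already broken and that KVM keeps its previous snapshot is only in the changelog, so a short comment at the call site (for example `/* Ignore failure: KVM can't fix a guest that provides an unsupported XCR0. */`) would stop a later reader from treating the missing check as a bug, and would make it obvious that the GHCB value is now validated against KVM's supported XCR0 before it can reach vcpu->arch.xcr0.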
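Review bot: the -1235 hunk turns `__kvm_set_xcr()` into a cross-module interface (the -1279 hunk exports it) but it still carries no comment describing its contract; since the new SEV caller relies on the function rejecting bad values purely by return code, document the return convention (0 on success, as the `return 0;` at the end shows, non-zero when the value is rejected and KVM's state is left as it was) and how the double-underscore variant differs from the `kvm_emulate_xsetbv()` declared right below it in kvm_host.h, so that the next caller knows which one to use.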
job=prod-delivery.src-stubby-dispatcher) by 2002:a05:6a20:7351:b0:243:d1bd:fbc9 with SMTP id adf61e73a8af0-2602cd278e0mr6341625637.56.1757719412051; Fri, 12 Sep 2025 16:23:32 -0700 (PDT) Reply-To: Sean Christopherson Date: Fri, 12 Sep 2025 16:22:42 -0700 In-Reply-To: <20250912232319.429659-1-seanjc@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20250912232319.429659-1-seanjc@google.com> X-Mailer: git-send-email 2.51.0.384.g4c02a37b29-goog Message-ID: <20250912232319.429659-5-seanjc@google.com> Subject: [PATCH v15 04/41] KVM: x86: Introduce KVM_{G,S}ET_ONE_REG uAPIs support From: Sean Christopherson To: Paolo Bonzini , Sean Christopherson Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky , Mathias Krause , John Allen , Rick Edgecombe , Chao Gao , Maxim Levitsky , Xiaoyao Li , Zhang Yi Z Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" 
From: Yang Weijiang Enable KVM_{G,S}ET_ONE_REG uAPIs so that userspace can access MSRs and other non-MSR registers through them, along with support for KVM_GET_REG_LIST to enumerate support for KVM-defined registers. This is in preparation for allowing userspace to read/write the guest SSP register, which is needed for the upcoming CET virtualization support. Currently, two types of registers are supported: KVM_X86_REG_TYPE_MSR and KVM_X86_REG_TYPE_KVM. All MSRs are in the former type; the latter type is added for registers that lack existing KVM uAPIs to access them. The "KVM" in the name is intended to be vague to give KVM flexibility to include other potential registers. More precise names like "SYNTHETIC" and "SYNTHETIC_MSR" were considered, but were deemed too confusing (e.g. can be conflated with synthetic guest-visible MSRs) and may put KVM into a corner (e.g. if KVM wants to change how a KVM-defined register is modeled internally). Enumerate only KVM-defined registers in KVM_GET_REG_LIST to avoid duplicating KVM_GET_MSR_INDEX_LIST, and so that KVM can return _only_ registers that are fully supported (KVM_GET_REG_LIST is vCPU-scoped, i.e. can be precise, whereas KVM_GET_MSR_INDEX_LIST is system-scoped). Suggested-by: Sean Christopherson Signed-off-by: Yang Weijiang Link: https://lore.kernel.org/all/20240219074733.122080-18-weijiang.yang@in= tel.com [1] Tested-by: Mathias Krause Tested-by: John Allen Tested-by: Rick Edgecombe Signed-off-by: Chao Gao Co-developed-by: Sean Christopherson Signed-off-by: Sean Christopherson Reviewed-by: Binbin Wu Reviewed-by: Xiaoyao Li --- Documentation/virt/kvm/api.rst | 6 +- arch/x86/include/uapi/asm/kvm.h | 26 +++++++++ arch/x86/kvm/x86.c | 100 ++++++++++++++++++++++++++++++++ 3 files changed, 131 insertions(+), 1 deletion(-) diff --git a/Documentation/virt/kvm/api.rst b/Documentation/virt/kvm/api.rst index ffc350b649ad..abd02675a24d 100644 --- a/Documentation/virt/kvm/api.rst +++ b/Documentation/virt/kvm/api.rst 
@@ -2908,6 +2908,8 @@ such as set vcpu counter or reset vcpu, and they have= the following id bit patte =20 0x9030 0000 0002 =20 +x86 MSR registers have the following id bit patterns:: + 0x2030 0002 =20 4.69 KVM_GET_ONE_REG -------------------- @@ -3588,7 +3590,7 @@ VCPU matching underlying host. --------------------- =20 :Capability: basic -:Architectures: arm64, mips, riscv +:Architectures: arm64, mips, riscv, x86 (if KVM_CAP_ONE_REG) :Type: vcpu ioctl :Parameters: struct kvm_reg_list (in/out) :Returns: 0 on success; -1 on error @@ -3631,6 +3633,8 @@ Note that s390 does not support KVM_GET_REG_LIST for = historical reasons =20 - KVM_REG_S390_GBEA =20 +Note, for x86, all MSRs enumerated by KVM_GET_MSR_INDEX_LIST are supported= as +type KVM_X86_REG_TYPE_MSR, but are NOT enumerated via KVM_GET_REG_LIST. =20 4.85 KVM_ARM_SET_DEVICE_ADDR (deprecated) ----------------------------------------- diff --git a/arch/x86/include/uapi/asm/kvm.h b/arch/x86/include/uapi/asm/kv= m.h index 0f15d683817d..508b713ca52e 100644 --- a/arch/x86/include/uapi/asm/kvm.h +++ b/arch/x86/include/uapi/asm/kvm.h @@ -411,6 +411,32 @@ struct kvm_xcrs { __u64 padding[16]; }; =20 +#define KVM_X86_REG_TYPE_MSR 2 +#define KVM_X86_REG_TYPE_KVM 3 + +#define KVM_X86_KVM_REG_SIZE(reg) \ +({ \ + reg =3D=3D KVM_REG_GUEST_SSP ? KVM_REG_SIZE_U64 : 0; \ +}) + +#define KVM_X86_REG_TYPE_SIZE(type, reg) \ +({ \ + __u64 type_size =3D (__u64)type << 32; \ + \ + type_size |=3D type =3D=3D KVM_X86_REG_TYPE_MSR ? KVM_REG_SIZE_U64 : \ + type =3D=3D KVM_X86_REG_TYPE_KVM ? KVM_X86_KVM_REG_SIZE(reg) : \ + 0; \ + type_size; \ +}) + +#define KVM_X86_REG_ENCODE(type, index) \ + (KVM_REG_X86 | KVM_X86_REG_TYPE_SIZE(type, index) | index) + +#define KVM_X86_REG_MSR(index) \ + KVM_X86_REG_ENCODE(KVM_X86_REG_TYPE_MSR, index) +#define KVM_X86_REG_KVM(index) \ + KVM_X86_REG_ENCODE(KVM_X86_REG_TYPE_KVM, index) + #define KVM_SYNC_X86_REGS (1UL << 0) #define KVM_SYNC_X86_SREGS (1UL << 1) #define KVM_SYNC_X86_EVENTS (1UL << 2) 
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index ba4915456615..771b7c883c66 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -4735,6 +4735,7 @@ int kvm_vm_ioctl_check_extension(struct kvm *kvm, lon= g ext) case KVM_CAP_IRQFD_RESAMPLE: case KVM_CAP_MEMORY_FAULT_INFO: case KVM_CAP_X86_GUEST_MODE: + case KVM_CAP_ONE_REG: r =3D 1; break; case KVM_CAP_PRE_FAULT_MEMORY: 
@@ -5913,6 +5914,98 @@ static int kvm_vcpu_ioctl_enable_cap(struct kvm_vcpu= *vcpu, } } =20 +struct kvm_x86_reg_id { + __u32 index; + __u8 type; + __u8 rsvd1; + __u8 rsvd2:4; + __u8 size:4; + __u8 x86; +}; + +static int kvm_translate_kvm_reg(struct kvm_x86_reg_id *reg) +{ + return -EINVAL; +} + +static int kvm_get_one_msr(struct kvm_vcpu *vcpu, u32 msr, u64 __user *use= r_val) +{ + u64 val; + + if (do_get_msr(vcpu, msr, &val)) + return -EINVAL; + + if (put_user(val, user_val)) + return -EFAULT; + + return 0; +} + +static int kvm_set_one_msr(struct kvm_vcpu *vcpu, u32 msr, u64 __user *use= r_val) +{ + u64 val; + + if (get_user(val, user_val)) + return -EFAULT; + + if (do_set_msr(vcpu, msr, &val)) + return -EINVAL; + + return 0; +} + +static int kvm_get_set_one_reg(struct kvm_vcpu *vcpu, unsigned int ioctl, + void __user *argp) +{ + struct kvm_one_reg one_reg; + struct kvm_x86_reg_id *reg; + u64 __user *user_val; + int r; + + if (copy_from_user(&one_reg, argp, sizeof(one_reg))) + return -EFAULT; + + if ((one_reg.id & KVM_REG_ARCH_MASK) !=3D KVM_REG_X86) + return -EINVAL; + + reg =3D (struct kvm_x86_reg_id *)&one_reg.id; + if (reg->rsvd1 || reg->rsvd2) + return -EINVAL; + + if (reg->type =3D=3D KVM_X86_REG_TYPE_KVM) { + r =3D kvm_translate_kvm_reg(reg); + if (r) + return r; + } + + if (reg->type !=3D KVM_X86_REG_TYPE_MSR) + return -EINVAL; + + if ((one_reg.id & KVM_REG_SIZE_MASK) !=3D KVM_REG_SIZE_U64) + return -EINVAL; + + guard(srcu)(&vcpu->kvm->srcu); + + user_val =3D u64_to_user_ptr(one_reg.addr); + if (ioctl =3D=3D KVM_GET_ONE_REG) + r =3D kvm_get_one_msr(vcpu, reg->index, user_val); + else + r =3D kvm_set_one_msr(vcpu, reg->index, user_val); + + return r; +} + +static int kvm_get_reg_list(struct kvm_vcpu *vcpu, + struct kvm_reg_list __user *user_list) +{ + u64 nr_regs =3D 0; + + if (put_user(nr_regs, &user_list->n)) + return -EFAULT; + + return 0; +} + long kvm_arch_vcpu_ioctl(struct file *filp, unsigned int ioctl, unsigned long arg) { 
@@ -6029,6 +6122,13 @@ long kvm_arch_vcpu_ioctl(struct file *filp, srcu_read_unlock(&vcpu->kvm->srcu, idx); break; } + case KVM_GET_ONE_REG: + case KVM_SET_ONE_REG: + r =3D kvm_get_set_one_reg(vcpu, ioctl, argp); + break; + case KVM_GET_REG_LIST: + r =3D kvm_get_reg_list(vcpu, argp); + break; case KVM_TPR_ACCESS_REPORTING: { struct kvm_tpr_access_ctl tac; =20 --=20 2.51.0.384.g4c02a37b29-goog
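Review bot: in kvm_get_set_one_reg(), the `size:4` member of struct kvm_x86_reg_id is never read; the size is validated on the raw id (`if ((one_reg.id & KVM_REG_SIZE_MASK) != KVM_REG_SIZE_U64)`) while rsvd1/rsvd2 are validated through the struct overlay, so either drop `size` or check it the same way as the reserved bits. The cast `reg = (struct kvm_x86_reg_id *)&one_reg.id;` also assumes the struct is exactly 8 bytes with bit-fields allocated from the least significant bit; a `BUILD_BUG_ON(sizeof(struct kvm_x86_reg_id) != sizeof(u64))` next to the cast would pin the first assumption down. Ordering nit: the size check runs after kvm_translate_kvm_reg(), so a KVM_X86_REG_TYPE_KVM id with a bad size is translated before it is rejected; hoisting the size check above the type dispatch keeps validation in one place. In kvm_get_one_msr()/kvm_set_one_msr(), every do_get_msr()/do_set_msr() failure is collapsed to -EINVAL, so userspace cannot tell an unknown MSR from a rejected value; that fits the ONE_REG contract but deserves a sentence in the commit message. Finally, kvm_get_reg_list() writes n = 0 without looking at the caller's n, which is only correct while nothing is enumerated, so a comment to that effect would help whoever adds the first entry.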
Date: Fri, 12 Sep 2025 16:22:43 -0700
In-Reply-To: <20250912232319.429659-1-seanjc@google.com>
Message-ID: <20250912232319.429659-6-seanjc@google.com>
Subject: [PATCH v15 05/41] KVM: x86: Report XSS as to-be-saved if there are supported features
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Maxim Levitsky, Xiaoyao Li, Zhang Yi Z

Add MSR_IA32_XSS to the list of MSRs reported to userspace if supported_xss is non-zero, i.e. KVM supports at least one XSS-based feature.

Before enabling the CET virtualization series, guest IA32_MSR_XSS is guaranteed to be 0, i.e. XSAVES/XRSTORS is executed in non-root mode with XSS == 0, which is equivalent to XSAVE/XRSTOR.

Signed-off-by: Yang Weijiang
Reviewed-by: Maxim Levitsky
Reviewed-by: Chao Gao
Tested-by: Mathias Krause
Tested-by: John Allen
Tested-by: Rick Edgecombe
Reviewed-by: Xiaoyao Li
Signed-off-by: Chao Gao
Signed-off-by: Sean Christopherson
Reviewed-by: Binbin Wu
---
 arch/x86/kvm/x86.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 771b7c883c66..3b4258b38ad8 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c @@ -332,7 +332,7 @@ static const u32 msrs_to_save_base[] =3D { MSR_IA32_RTIT_ADDR3_A, MSR_IA32_RTIT_ADDR3_B, MSR_IA32_UMWAIT_CONTROL, =20 - MSR_IA32_XFD, MSR_IA32_XFD_ERR, + MSR_IA32_XFD, MSR_IA32_XFD_ERR, MSR_IA32_XSS, }; =20 static const u32 msrs_to_save_pmu[] =3D { 
@@ -7499,6 +7499,10 @@ static void kvm_probe_msr_to_save(u32 msr_index) if (!(kvm_get_arch_capabilities() & ARCH_CAP_TSX_CTRL_MSR)) return; break; + case MSR_IA32_XSS: + if (!kvm_caps.supported_xss) + return; + break; default: break; } --=20 2.51.0.384.g4c02a37b29-goog
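Review bot: adding MSR_IA32_XSS to msrs_to_save_base means KVM_GET_MSR_INDEX_LIST advertises it as soon as kvm_caps.supported_xss is non-zero, and save/restore tooling will then read and write it with host-initiated accesses on every vCPU, including vCPUs whose CPUID does not enumerate XSAVES. The next patch in this series makes the write path return KVM_MSR_RET_UNSUPPORTED for such vCPUs and relies on that value being tolerated for host-initiated accesses, so either this commit message or that one should spell out that a host-initiated write of a zero XSS to a non-XSAVES vCPU succeeds, since that is exactly what a migration of a mixed-CPUID configuration will do.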
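Review bot: the `case MSR_IA32_XSS:` in kvm_probe_msr_to_save() gates only on kvm_caps.supported_xss, not on host XSAVES support, so it relies on supported_xss being zero whenever XSAVES is absent. That invariant is only established by patch 08's kvm_x86_vendor_init() change (supported_xss is computed inside `if (boot_cpu_has(X86_FEATURE_XSAVES))`), so within this patch it is an unstated dependency; a short comment, or an additional boot_cpu_has(X86_FEATURE_XSAVES) check, would make the case self-contained.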
Date: Fri, 12 Sep 2025 16:22:44 -0700
In-Reply-To: <20250912232319.429659-1-seanjc@google.com>
Message-ID: <20250912232319.429659-7-seanjc@google.com>
Subject: [PATCH v15 06/41] KVM: x86: Check XSS validity against guest CPUIDs
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Maxim Levitsky, Xiaoyao Li, Zhang Yi Z

From: Chao Gao

Maintain per-guest valid XSS bits and check XSS validity against them rather than against KVM capabilities. This is to prevent bits that are supported by KVM but not supported for a guest from being set.

Opportunistically return KVM_MSR_RET_UNSUPPORTED on IA32_XSS MSR accesses if guest CPUID doesn't enumerate X86_FEATURE_XSAVES. Since KVM_MSR_RET_UNSUPPORTED takes care of host_initiated cases, drop the host_initiated check.

Signed-off-by: Chao Gao
Reviewed-by: Xiaoyao Li
Signed-off-by: Sean Christopherson
Reviewed-by: Binbin Wu
---
 arch/x86/include/asm/kvm_host.h |  3 ++-
 arch/x86/kvm/cpuid.c            | 12 ++++++++++++
 arch/x86/kvm/x86.c              |  7 +++----
 3 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index 2762554cbb7b..d931d72d23c9 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -815,7 +815,6 @@ struct kvm_vcpu_arch { bool at_instruction_boundary; bool tpr_access_reporting; bool xfd_no_write_intercept; - u64 ia32_xss; u64 microcode_version; u64 arch_capabilities; u64 perf_capabilities; @@ -876,6 +875,8 @@ struct kvm_vcpu_arch { =20 u64 xcr0; u64 guest_supported_xcr0; + u64 ia32_xss; + u64 guest_supported_xss; =20 struct kvm_pio_request pio; void *pio_data; diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c index ad6cadf09930..46cf616663e6 100644 --- a/arch/x86/kvm/cpuid.c +++ b/arch/x86/kvm/cpuid.c @@ -263,6 +263,17 @@ static u64 cpuid_get_supported_xcr0(struct kvm_vcpu *v= cpu) return (best->eax | ((u64)best->edx << 32)) & kvm_caps.supported_xcr0; } =20 +static u64 cpuid_get_supported_xss(struct kvm_vcpu *vcpu) +{ + struct kvm_cpuid_entry2 *best; + + best =3D kvm_find_cpuid_entry_index(vcpu, 0xd, 1); + if (!best) + return 0; + + return (best->ecx | ((u64)best->edx << 32)) & kvm_caps.supported_xss; +} + static __always_inline void kvm_update_feature_runtime(struct kvm_vcpu *vc= pu, struct kvm_cpuid_entry2 *entry, unsigned int x86_feature, @@ -424,6 +435,7 @@ void kvm_vcpu_after_set_cpuid(struct kvm_vcpu *vcpu) } =20 vcpu->arch.guest_supported_xcr0 =3D cpuid_get_supported_xcr0(vcpu); + vcpu->arch.guest_supported_xss =3D cpuid_get_supported_xss(vcpu); =20 vcpu->arch.pv_cpuid.features =3D kvm_apply_cpuid_pv_features_quirk(vcpu); =20 diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 3b4258b38ad8..5a5af40c06a9 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c 
@@ -3984,15 +3984,14 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struc= t msr_data *msr_info) } break; case MSR_IA32_XSS: - if (!msr_info->host_initiated && - !guest_cpuid_has(vcpu, X86_FEATURE_XSAVES)) - return 1; + if (!guest_cpuid_has(vcpu, X86_FEATURE_XSAVES)) + return KVM_MSR_RET_UNSUPPORTED; /* * KVM supports exposing PT to the guest, but does not support * IA32_XSS[bit 8]. Guests have to use RDMSR/WRMSR rather than * XSAVES/XRSTORS to save/restore PT MSRs. */ - if (data & ~kvm_caps.supported_xss) + if (data & ~vcpu->arch.guest_supported_xss) return 1; vcpu->arch.ia32_xss =3D data; vcpu->arch.cpuid_dynamic_bits_dirty =3D true; --=20 2.51.0.384.g4c02a37b29-goog
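Review bot: in the cpuid.c hunk, guest_supported_xss is recomputed from CPUID.(0xD,1).ECX:EDX in kvm_vcpu_after_set_cpuid(), but a vcpu->arch.ia32_xss that was already set through a host-initiated write before KVM_SET_CPUID2 (an ordering patch 09's message says userspace is allowed to use) is not re-checked against the new, possibly smaller, mask. The adjacent `vcpu->arch.guest_supported_xcr0 = cpuid_get_supported_xcr0(vcpu);` has the same shape, so this is presumably intentional, but the asymmetry (writes validated, later CPUID changes not) deserves a comment next to the new `vcpu->arch.guest_supported_xss = cpuid_get_supported_xss(vcpu);` line.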
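Review bot: the commit message says KVM_MSR_RET_UNSUPPORTED is returned on IA32_XSS MSR accesses, but the diffstat (`arch/x86/kvm/x86.c | 7 +++----`) and the single x86.c hunk cover only kvm_set_msr_common(); the read path is untouched, so reads of MSR_IA32_XSS by a guest without XSAVES keep their old behaviour while writes take the new one. Either change the get side to match or narrow the message to writes. Dropping the `!msr_info->host_initiated &&` term is fine given the note that KVM_MSR_RET_UNSUPPORTED handles host-initiated accesses, but the comment block about PT and IA32_XSS[bit 8] now sits between the XSAVES check and a guest_supported_xss check it no longer describes; patch 08 deletes it anyway, so deleting it here would leave the intermediate state cleaner.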
Date: Fri, 12 Sep 2025 16:22:45 -0700
In-Reply-To: <20250912232319.429659-1-seanjc@google.com>
Message-ID: <20250912232319.429659-8-seanjc@google.com>
Subject: [PATCH v15 07/41] KVM: x86: Refresh CPUID on write to guest MSR_IA32_XSS
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Maxim Levitsky, Xiaoyao Li, Zhang Yi Z
From: Yang Weijiang

Update CPUID.(EAX=0DH,ECX=1).EBX to reflect the current required xstate size after an XSS MSR modification.

CPUID.(EAX=0DH,ECX=1).EBX reports the required storage size of all enabled xstate features in (XCR0 | IA32_XSS). The CPUID value can be used by the guest before allocating a sufficiently large xsave buffer.

Note, KVM does not yet support any XSS-based features, i.e. supported_xss is guaranteed to be zero at this time.

Opportunistically skip CPUID updates if the XSS value doesn't change.

Suggested-by: Sean Christopherson
Co-developed-by: Zhang Yi Z
Signed-off-by: Zhang Yi Z
Signed-off-by: Yang Weijiang
Reviewed-by: Maxim Levitsky
Reviewed-by: Chao Gao
Reviewed-by: Xiaoyao Li
Tested-by: Mathias Krause
Tested-by: John Allen
Tested-by: Rick Edgecombe
Signed-off-by: Chao Gao
Signed-off-by: Sean Christopherson
Reviewed-by: Binbin Wu
---
 arch/x86/kvm/cpuid.c | 3 ++-
 arch/x86/kvm/x86.c   | 2 ++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c index 46cf616663e6..b5f87254ced7 100644 --- a/arch/x86/kvm/cpuid.c +++ b/arch/x86/kvm/cpuid.c @@ -316,7 +316,8 @@ static void kvm_update_cpuid_runtime(struct kvm_vcpu *v= cpu) best =3D kvm_find_cpuid_entry_index(vcpu, 0xD, 1); if (best && (cpuid_entry_has(best, X86_FEATURE_XSAVES) || cpuid_entry_has(best, X86_FEATURE_XSAVEC))) - best->ebx =3D xstate_required_size(vcpu->arch.xcr0, true); + best->ebx =3D xstate_required_size(vcpu->arch.xcr0 | + vcpu->arch.ia32_xss, true); } =20 static bool kvm_cpuid_has_hyperv(struct kvm_vcpu *vcpu) diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 5a5af40c06a9..519d58b82f7f 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c
@@ -3993,6 +3993,8 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct = msr_data *msr_info) */ if (data & ~vcpu->arch.guest_supported_xss) return 1; + if (vcpu->arch.ia32_xss =3D=3D data) + break; vcpu->arch.ia32_xss =3D data; vcpu->arch.cpuid_dynamic_bits_dirty =3D true; break; --=20 2.51.0.384.g4c02a37b29-goog
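Review bot: in the cpuid.c hunk, the updated `best->ebx = xstate_required_size(vcpu->arch.xcr0 | vcpu->arch.ia32_xss, true);` is only reached when XSAVES or XSAVEC is enumerated, and ia32_xss can only become non-zero once patch 06's XSAVES check has passed, so the two are consistent, but the coupling is implicit. A comment stating that CPUID.(0xD,1).EBX is the compacted size of XCR0 | IA32_XSS (which is why both masks are OR'ed here, unlike the XCR0-only size in CPUID.(0xD,0).EBX) would save the next reader a trip to the SDM.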
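Review bot: the new `if (vcpu->arch.ia32_xss == data) break;` in kvm_set_msr_common() sits after the `data & ~vcpu->arch.guest_supported_xss` check, which is the right order: rewriting a value that has since become invalid (because a later CPUID update shrank guest_supported_xss) is still rejected rather than short-circuited. It does mean cpuid_dynamic_bits_dirty is no longer set on every accepted write, only on an actual change; a one-line comment saying the CPUID.(0xD,1).EBX refresh is only needed when XSS changes would stop a future reader from "fixing" it.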
Date: Fri, 12 Sep 2025 16:22:46 -0700
In-Reply-To: <20250912232319.429659-1-seanjc@google.com>
Message-ID: <20250912232319.429659-9-seanjc@google.com>
Subject: [PATCH v15 08/41] KVM: x86: Initialize kvm_caps.supported_xss
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Maxim Levitsky, Xiaoyao Li, Zhang Yi Z

From: Yang Weijiang

Set the initial kvm_caps.supported_xss to (host_xss & KVM_SUPPORTED_XSS) if XSAVES is supported. host_xss contains the host-supported xstate feature bits for thread FPU context switching, and KVM_SUPPORTED_XSS includes all KVM-enabled XSS feature bits; the resulting value represents the supervisor xstates that are available to the guest and are backed by the host FPU framework for swapping {guest,host} XSAVE-managed registers/MSRs.

Signed-off-by: Yang Weijiang
Reviewed-by: Maxim Levitsky
Reviewed-by: Chao Gao
Tested-by: Mathias Krause
Tested-by: John Allen
Tested-by: Rick Edgecombe
Reviewed-by: Xiaoyao Li
Signed-off-by: Chao Gao
[sean: relocate and enhance comment about PT / XSS[8] ]
Signed-off-by: Sean Christopherson
Reviewed-by: Binbin Wu
---
 arch/x86/kvm/x86.c | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 519d58b82f7f..c5e38d6943fe 100644
--- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -217,6 +217,14 @@ static struct kvm_user_return_msrs __percpu *user_retu= rn_msrs; | XFEATURE_MASK_BNDCSR | XFEATURE_MASK_AVX512 \ | XFEATURE_MASK_PKRU | XFEATURE_MASK_XTILE) =20 +/* + * Note, KVM supports exposing PT to the guest, but does not support conte= xt + * switching PT via XSTATE (KVM's PT virtualization relies on perf; swappi= ng + * PT via guest XSTATE would clobber perf state), i.e. KVM doesn't support + * IA32_XSS[bit 8] (guests can/must use RDMSR/WRMSR to save/restore PT MSR= s). + */ +#define KVM_SUPPORTED_XSS 0 + bool __read_mostly allow_smaller_maxphyaddr =3D 0; EXPORT_SYMBOL_GPL(allow_smaller_maxphyaddr); =20 @@ -3986,11 +3994,7 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct= msr_data *msr_info) case MSR_IA32_XSS: if (!guest_cpuid_has(vcpu, X86_FEATURE_XSAVES)) return KVM_MSR_RET_UNSUPPORTED; - /* - * KVM supports exposing PT to the guest, but does not support - * IA32_XSS[bit 8]. Guests have to use RDMSR/WRMSR rather than - * XSAVES/XRSTORS to save/restore PT MSRs. - */ + if (data & ~vcpu->arch.guest_supported_xss) return 1; if (vcpu->arch.ia32_xss =3D=3D data) 
@@ -9818,14 +9822,17 @@ int kvm_x86_vendor_init(struct kvm_x86_init_ops *op= s) kvm_host.xcr0 =3D xgetbv(XCR_XFEATURE_ENABLED_MASK); kvm_caps.supported_xcr0 =3D kvm_host.xcr0 & KVM_SUPPORTED_XCR0; } + + if (boot_cpu_has(X86_FEATURE_XSAVES)) { + rdmsrq(MSR_IA32_XSS, kvm_host.xss); + kvm_caps.supported_xss =3D kvm_host.xss & KVM_SUPPORTED_XSS; + } + kvm_caps.supported_quirks =3D KVM_X86_VALID_QUIRKS; kvm_caps.inapplicable_quirks =3D KVM_X86_CONDITIONAL_QUIRKS; =20 rdmsrq_safe(MSR_EFER, &kvm_host.efer); =20 - if (boot_cpu_has(X86_FEATURE_XSAVES)) - rdmsrq(MSR_IA32_XSS, kvm_host.xss); - kvm_init_pmu_capability(ops->pmu_ops); =20 if (boot_cpu_has(X86_FEATURE_ARCH_CAPABILITIES)) --=20 2.51.0.384.g4c02a37b29-goog
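Review bot: the comment above `#define KVM_SUPPORTED_XSS 0` explains why IA32_XSS[bit 8] (PT) is excluded, but not why the result is further masked with the host's own IA32_XSS value in `kvm_caps.supported_xss = kvm_host.xss & KVM_SUPPORTED_XSS;`. The commit message has that reasoning (only supervisor states the host FPU framework already context-switches can be offered to guests), and it belongs in the code comment too, since KVM_SUPPORTED_XSS is where the next person adding a bit will look.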
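Review bot: in the kvm_x86_vendor_init() hunk, moving the MSR_IA32_XSS read from after rdmsrq_safe(MSR_EFER, ...) up next to the supported_xcr0 block is fine, and keeping rdmsrq() rather than rdmsrq_safe() is fine because X86_FEATURE_XSAVES guarantees the MSR exists. Worth noting in the commit message: because the whole block is under boot_cpu_has(X86_FEATURE_XSAVES), kvm_caps.supported_xss stays zero on hosts without XSAVES, which is the invariant patch 05's kvm_probe_msr_to_save() case silently depends on.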
AJvYcCWdPSR8WLkIy4T2/VaELAae9pyieUkw1Wbbs1ETc9tUFqDV1/zwTYm/qPONhCkB3+1NmhqGShnO7GkyTWI=@vger.kernel.org X-Gm-Message-State: AOJu0Yzt0SEYXMio8SuZICVuwv52ddX0XUivtzuJQ2D54Eva0vHoGt39 pIqSN0xHzkNWlz0Fj8RDldMpeMC0jPuJr44JG2LdRsaCRjkcGSRVPUaUxz/iMyxYSzGm0A7utqT Z0vSqNg== X-Google-Smtp-Source: AGHT+IFGRdeIU34eluX7zZwNW8zkRo9xwQ8fp81G0HUaPPTK777520E0YhVr9W2GJDoawOPN3rWjDXwweog= X-Received: from pjee6.prod.google.com ([2002:a17:90b:5786:b0:32d:e264:a78e]) (user=seanjc job=prod-delivery.src-stubby-dispatcher) by 2002:a17:90b:3c88:b0:327:ced1:26e2 with SMTP id 98e67ed59e1d1-32de4f85704mr4726196a91.18.1757719420434; Fri, 12 Sep 2025 16:23:40 -0700 (PDT) Reply-To: Sean Christopherson Date: Fri, 12 Sep 2025 16:22:47 -0700 In-Reply-To: <20250912232319.429659-1-seanjc@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20250912232319.429659-1-seanjc@google.com> X-Mailer: git-send-email 2.51.0.384.g4c02a37b29-goog Message-ID: <20250912232319.429659-10-seanjc@google.com> Subject: [PATCH v15 09/41] KVM: x86: Load guest FPU state when access XSAVE-managed MSRs 
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Maxim Levitsky, Xiaoyao Li, Zhang Yi Z

Load the guest's FPU state if userspace is accessing MSRs whose values are
managed by XSAVES. Introduce two helpers, kvm_{get,set}_xstate_msr(), to
facilitate access to such MSRs.

If MSRs supported in kvm_caps.supported_xss are passed through to the guest,
the guest MSRs are swapped with the host's before the vCPU exits to userspace
and after it reenters the kernel before the next VM-entry.

Because the modified code is also used for the KVM_GET_MSRS device ioctl(),
explicitly check @vcpu is non-null before attempting to load guest state.
The XSAVE-managed MSRs cannot be retrieved via the device ioctl() without
loading guest FPU state (which doesn't exist).

Note that guest_cpuid_has() is not queried as host userspace is allowed to
access MSRs that have not been exposed to the guest, e.g. it might do
KVM_SET_MSRS prior to KVM_SET_CPUID2.

The two helpers are put here to make explicit that accessing xsave-managed
MSRs requires special checks and handling to guarantee the correctness of
reads/writes to the MSRs.

Co-developed-by: Yang Weijiang
Signed-off-by: Yang Weijiang
Reviewed-by: Maxim Levitsky
Tested-by: Mathias Krause
Tested-by: John Allen
Tested-by: Rick Edgecombe
Signed-off-by: Chao Gao
[sean: drop S_CET, add big comment, move accessors to x86.c]
Signed-off-by: Sean Christopherson
Reviewed-by: Binbin Wu
Reviewed-by: Xiaoyao Li
Reviewed-by: Xin Li (Intel)
---
 arch/x86/kvm/x86.c | 86 +++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 85 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index c5e38d6943fe..a95ca2fbd3a9 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -136,6 +136,9 @@ static int __set_sregs2(struct kvm_vcpu *vcpu, struct k= vm_sregs2 *sregs2); static void __get_sregs2(struct kvm_vcpu *vcpu, struct kvm_sregs2 *sregs2); =20 static DEFINE_MUTEX(vendor_module_lock); +static void kvm_load_guest_fpu(struct kvm_vcpu *vcpu); +static void kvm_put_guest_fpu(struct kvm_vcpu *vcpu); + struct kvm_x86_ops kvm_x86_ops __read_mostly; =20 #define KVM_X86_OP(func) \ 
@@ -3801,6 +3804,66 @@ static void record_steal_time(struct kvm_vcpu *vcpu) mark_page_dirty_in_slot(vcpu->kvm, ghc->memslot, gpa_to_gfn(ghc->gpa)); } =20 +/* + * Returns true if the MSR in question is managed via XSTATE, i.e. is cont= ext + * switched with the rest of guest FPU state. Note! S_CET is _not_ conte= xt + * switched via XSTATE even though it _is_ saved/restored via XSAVES/XRSTO= RS. + * Because S_CET is loaded on VM-Enter and VM-Exit via dedicated VMCS fiel= ds, + * the value saved/restored via XSTATE is always the host's value. That d= etail + * is _extremely_ important, as the guest's S_CET must _never_ be resident= in + * hardware while executing in the host. Loading guest values for U_CET a= nd + * PL[0-3]_SSP while executing in the kernel is safe, as U_CET is specific= to + * userspace, and PL[0-3]_SSP are only consumed when transitioning to lower + * privilegel levels, i.e. are effectively only consumed by userspace as w= ell. + */ +static bool is_xstate_managed_msr(struct kvm_vcpu *vcpu, u32 msr) +{ + if (!vcpu) + return false; + + switch (msr) { + case MSR_IA32_U_CET: + return guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK) || + guest_cpu_cap_has(vcpu, X86_FEATURE_IBT); + case MSR_IA32_PL0_SSP ... MSR_IA32_PL3_SSP: + return guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK); + default: + return false; + } +} + +/* + * Lock and/or reload guest FPU and access xstate MSRs. For accesses initi= ated + * by host, guest FPU is loaded in __msr_io(). For accesses initiated by g= uest, + * guest FPU should have been loaded already. 
+ */ +static __always_inline void kvm_access_xstate_msr(struct kvm_vcpu *vcpu, + struct msr_data *msr_info, + int access) +{ + BUILD_BUG_ON(access !=3D MSR_TYPE_R && access !=3D MSR_TYPE_W); + + KVM_BUG_ON(!is_xstate_managed_msr(vcpu, msr_info->index), vcpu->kvm); + KVM_BUG_ON(!vcpu->arch.guest_fpu.fpstate->in_use, vcpu->kvm); + + kvm_fpu_get(); + if (access =3D=3D MSR_TYPE_R) + rdmsrq(msr_info->index, msr_info->data); + else + wrmsrq(msr_info->index, msr_info->data); + kvm_fpu_put(); +} + +static __maybe_unused void kvm_set_xstate_msr(struct kvm_vcpu *vcpu, struc= t msr_data *msr_info) +{ + kvm_access_xstate_msr(vcpu, msr_info, MSR_TYPE_W); +} + +static __maybe_unused void kvm_get_xstate_msr(struct kvm_vcpu *vcpu, struc= t msr_data *msr_info) +{ + kvm_access_xstate_msr(vcpu, msr_info, MSR_TYPE_R); +} + int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info) { u32 msr =3D msr_info->index; @@ -4551,11 +4614,25 @@ static int __msr_io(struct kvm_vcpu *vcpu, struct k= vm_msrs *msrs, int (*do_msr)(struct kvm_vcpu *vcpu, unsigned index, u64 *data)) { + bool fpu_loaded =3D false; int i; =20 - for (i =3D 0; i < msrs->nmsrs; ++i) + for (i =3D 0; i < msrs->nmsrs; ++i) { + /* + * If userspace is accessing one or more XSTATE-managed MSRs, + * temporarily load the guest's FPU state so that the guest's + * MSR value(s) is resident in hardware, i.e. so that KVM can + * get/set the MSR via RDMSR/WRMSR. + */ + if (!fpu_loaded && is_xstate_managed_msr(vcpu, entries[i].index)) { + kvm_load_guest_fpu(vcpu); + fpu_loaded =3D true; + } if (do_msr(vcpu, entries[i].index, &entries[i].data)) break; + } + if (fpu_loaded) + kvm_put_guest_fpu(vcpu); =20 return i; } @@ -5965,6 +6042,7 @@ static int kvm_get_set_one_reg(struct kvm_vcpu *vcpu,= unsigned int ioctl, struct kvm_one_reg one_reg; struct kvm_x86_reg_id *reg; u64 __user *user_val; + bool load_fpu; int r; =20 if (copy_from_user(&one_reg, argp, sizeof(one_reg))) 
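Review bot: the comment above kvm_access_xstate_msr() says host-initiated accesses get the guest FPU loaded in __msr_io(), but kvm_get_set_one_reg() in the last hunk of this patch loads it as well; naming both callers keeps the KVM_BUG_ON(!vcpu->arch.guest_fpu.fpstate->in_use) contract discoverable. Separately, kvm_{get,set}_xstate_msr() are marked __maybe_unused with no caller in this patch; the changelog should say which later patch wires them up and drops the attribute.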
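Review bot: the __msr_io() loop calls kvm_load_guest_fpu(vcpu) with no NULL check of its own and relies on is_xstate_managed_msr() returning false for a NULL @vcpu to keep the KVM_GET_MSRS device ioctl() path out of it; a one-line comment at `if (!fpu_loaded && is_xstate_managed_msr(vcpu, entries[i].index))` stating that guard would save the next reader from re-deriving it. The `break` on do_msr() failure still reaches the `if (fpu_loaded) kvm_put_guest_fpu(vcpu)` after the loop, so the load/put pairing is correct on the error path.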
@@ -5991,12 +6069,18 @@ static int kvm_get_set_one_reg(struct kvm_vcpu *vcp= u, unsigned int ioctl, =20 guard(srcu)(&vcpu->kvm->srcu); =20 + load_fpu =3D is_xstate_managed_msr(vcpu, reg->index); + if (load_fpu) + kvm_load_guest_fpu(vcpu); + user_val =3D u64_to_user_ptr(one_reg.addr); if (ioctl =3D=3D KVM_GET_ONE_REG) r =3D kvm_get_one_msr(vcpu, reg->index, user_val); else r =3D kvm_set_one_msr(vcpu, reg->index, user_val); =20 + if (load_fpu) + kvm_put_guest_fpu(vcpu); return r; } =20 --=20 2.51.0.384.g4c02a37b29-goog
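Review bot: the kvm_load_guest_fpu()/kvm_put_guest_fpu() pair in kvm_get_set_one_reg() is balanced only because nothing between them returns early; a short comment at `if (load_fpu) kvm_put_guest_fpu(vcpu);` noting that any future failure path between the load and the get/set must also go through the put would protect that invariant, or a scoped cleanup guard (the function already uses `guard(srcu)`) would remove the hazard entirely.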
Date: Fri, 12 Sep 2025 16:22:48 -0700
In-Reply-To: <20250912232319.429659-1-seanjc@google.com>
Message-ID: <20250912232319.429659-11-seanjc@google.com>
Subject: [PATCH v15 10/41] KVM: x86: Add fault checks for guest CR4.CET setting
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Maxim Levitsky, Xiaoyao Li, Zhang Yi Z

From: Yang Weijiang

Check potential faults for CR4.CET setting per Intel SDM requirements.
CET can be enabled if and only if CR0.WP == 1, i.e. setting CR4.CET == 1
faults if CR0.WP == 0 and setting CR0.WP == 0 fails if CR4.CET == 1.

Signed-off-by: Yang Weijiang
Reviewed-by: Chao Gao
Reviewed-by: Maxim Levitsky
Reviewed-by: Xiaoyao Li
Tested-by: Mathias Krause
Tested-by: John Allen
Tested-by: Rick Edgecombe
Signed-off-by: Chao Gao
Co-developed-by: Sean Christopherson
Signed-off-by: Sean Christopherson
Reviewed-by: Binbin Wu
---
 arch/x86/kvm/x86.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index a95ca2fbd3a9..5653ddfe124e 100644
--- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -1176,6 +1176,9 @@ int kvm_set_cr0(struct kvm_vcpu *vcpu, unsigned long = cr0) (is_64_bit_mode(vcpu) || kvm_is_cr4_bit_set(vcpu, X86_CR4_PCIDE))) return 1; =20 + if (!(cr0 & X86_CR0_WP) && kvm_is_cr4_bit_set(vcpu, X86_CR4_CET)) + return 1; + kvm_x86_call(set_cr0)(vcpu, cr0); =20 kvm_post_set_cr0(vcpu, old_cr0, cr0); 
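Review bot: the new `if (!(cr0 & X86_CR0_WP) && kvm_is_cr4_bit_set(vcpu, X86_CR4_CET))` in kvm_set_cr0() rejects every CR0 write that clears WP while CR4.CET is set, which is the SDM rule the changelog states, but it also means userspace state restore must write CR0 (with WP set) before CR4 (with CET set) or the CR4 write in the next hunk will fail; that ordering requirement on the set-sregs paths deserves a sentence in the changelog.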
@@ -1376,6 +1379,9 @@ int kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long = cr4) return 1; } =20 + if ((cr4 & X86_CR4_CET) && !kvm_is_cr0_bit_set(vcpu, X86_CR0_WP)) + return 1; + kvm_x86_call(set_cr4)(vcpu, cr4); =20 kvm_post_set_cr4(vcpu, old_cr4, cr4); --=20 2.51.0.384.g4c02a37b29-goog
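Review bot: the kvm_set_cr4() check reads the cached CR0.WP via kvm_is_cr0_bit_set() but does not itself confirm that the guest may set CR4.CET at all (SHSTK or IBT exposed); if that is caught by the reserved-bit check whose `return 1` sits just above this hunk, a comment at `if ((cr4 & X86_CR4_CET) && !kvm_is_cr0_bit_set(vcpu, X86_CR0_WP))` noting that the reserved-bit check runs first would make the dependency explicit.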
Date: Fri, 12 Sep 2025 16:22:49 -0700
In-Reply-To: <20250912232319.429659-1-seanjc@google.com>
Message-ID: <20250912232319.429659-12-seanjc@google.com>
Subject: [PATCH v15 11/41] KVM: x86: Report KVM supported CET MSRs as to-be-saved
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Maxim Levitsky, Xiaoyao Li, Zhang Yi Z

From: Yang Weijiang

Add CET MSRs to the list of MSRs reported to userspace if the feature,
i.e. IBT or SHSTK, associated with the MSRs is supported by KVM.

Suggested-by: Chao Gao
Signed-off-by: Yang Weijiang
Tested-by: Mathias Krause
Tested-by: John Allen
Tested-by: Rick Edgecombe
Signed-off-by: Chao Gao
Signed-off-by: Sean Christopherson
Reviewed-by: Binbin Wu
Reviewed-by: Xiaoyao Li
---
 arch/x86/kvm/x86.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 5653ddfe124e..2c9908bc8b32 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -344,6 +344,10 @@ static const u32 msrs_to_save_base[] =3D { MSR_IA32_UMWAIT_CONTROL, =20 MSR_IA32_XFD, MSR_IA32_XFD_ERR, MSR_IA32_XSS, + + MSR_IA32_U_CET, MSR_IA32_S_CET, + MSR_IA32_PL0_SSP, MSR_IA32_PL1_SSP, MSR_IA32_PL2_SSP, + MSR_IA32_PL3_SSP, MSR_IA32_INT_SSP_TAB, }; =20 static const u32 msrs_to_save_pmu[] =3D {
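Review bot: msrs_to_save_base now lists MSR_IA32_S_CET and MSR_IA32_INT_SSP_TAB next to the U_CET and PL[0-3]_SSP MSRs even though is_xstate_managed_msr() in patch 09 deliberately excludes S_CET because it is loaded via dedicated VMCS fields rather than guest FPU state; a brief comment at the new entries saying that the save/restore path differs between the two groups would stop a reader from assuming the whole block is XSTATE-backed.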
@@ -7598,6 +7602,20 @@ static void kvm_probe_msr_to_save(u32 msr_index) if (!kvm_caps.supported_xss) return; break; + case MSR_IA32_U_CET: + case MSR_IA32_S_CET: + if (!kvm_cpu_cap_has(X86_FEATURE_SHSTK) && + !kvm_cpu_cap_has(X86_FEATURE_IBT)) + return; + break; + case MSR_IA32_INT_SSP_TAB: + if (!kvm_cpu_cap_has(X86_FEATURE_LM)) + return; + fallthrough; + case MSR_IA32_PL0_SSP ... MSR_IA32_PL3_SSP: + if (!kvm_cpu_cap_has(X86_FEATURE_SHSTK)) + return; + break; default: break; } --=20 2.51.0.384.g4c02a37b29-goog
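Review bot: the `fallthrough` after the X86_FEATURE_LM check means MSR_IA32_INT_SSP_TAB is reported only when both LM and SHSTK are supported; that is presumably intended (the interrupt SSP table is a 64-bit-mode construct), but the combined condition is hidden by the fall-through, so spell it out in a comment on the `case MSR_IA32_INT_SSP_TAB:` label rather than leaving the reader to join the two checks.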
Date: Fri, 12 Sep 2025 16:22:50 -0700
In-Reply-To: <20250912232319.429659-1-seanjc@google.com>
Message-ID: <20250912232319.429659-13-seanjc@google.com>
Subject: [PATCH v15 12/41] KVM: VMX: Introduce CET VMCS fields and control bits
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Maxim Levitsky, Xiaoyao Li, Zhang Yi Z
From: Yang Weijiang

Control-flow Enforcement Technology (CET) is a kind of CPU feature used to
prevent Return/CALL/Jump-Oriented Programming (ROP/COP/JOP) attacks. It
provides two sub-features (SHSTK, IBT) to defend against ROP/COP/JOP style
control-flow subversion attacks.

Shadow Stack (SHSTK):
  A shadow stack is a second stack used exclusively for control transfer
  operations. The shadow stack is separate from the data/normal stack and
  can be enabled individually in user and kernel mode. When shadow stack
  is enabled, CALL pushes the return address on both the data and shadow
  stack. RET pops the return address from both stacks and compares them.
  If the return addresses from the two stacks do not match, the processor
  generates a #CP.

Indirect Branch Tracking (IBT):
  IBT introduces an instruction (ENDBRANCH) to mark valid target addresses
  of indirect branches (CALL, JMP etc...). If an indirect branch is
  executed and the next instruction is _not_ an ENDBRANCH, the processor
  generates a #CP. These instructions behave as a NOP on platforms that
  have no CET.

Several new CET MSRs are defined to support CET:
  MSR_IA32_{U,S}_CET: CET settings for {user,supervisor} CET respectively.
  MSR_IA32_PL{0,1,2,3}_SSP: SHSTK pointer linear address for CPL{0,1,2,3}.
  MSR_IA32_INT_SSP_TAB: Linear address of SHSTK pointer table, whose entry
                        is indexed by IST of interrupt gate desc.

Two XSAVES state bits are introduced for CET:
  IA32_XSS:[bit 11]: Control saving/restoring user mode CET states
  IA32_XSS:[bit 12]: Control saving/restoring supervisor mode CET states.

Six VMCS fields are introduced for CET:
  {HOST,GUEST}_S_CET: Stores CET settings for kernel mode.
  {HOST,GUEST}_SSP: Stores current active SSP.
  {HOST,GUEST}_INTR_SSP_TABLE: Stores current active MSR_IA32_INT_SSP_TAB.
On Intel platforms, two additional bits are defined in VM_EXIT and VM_ENTRY
control fields:

If VM_EXIT_LOAD_CET_STATE = 1, host CET states are loaded from the following
VMCS fields at VM-Exit:
  HOST_S_CET
  HOST_SSP
  HOST_INTR_SSP_TABLE

If VM_ENTRY_LOAD_CET_STATE = 1, guest CET states are loaded from the following
VMCS fields at VM-Entry:
  GUEST_S_CET
  GUEST_SSP
  GUEST_INTR_SSP_TABLE

Co-developed-by: Zhang Yi Z
Signed-off-by: Zhang Yi Z
Signed-off-by: Yang Weijiang
Reviewed-by: Chao Gao
Reviewed-by: Maxim Levitsky
Tested-by: Mathias Krause
Tested-by: John Allen
Tested-by: Rick Edgecombe
Signed-off-by: Chao Gao
Signed-off-by: Sean Christopherson
Reviewed-by: Binbin Wu
Reviewed-by: Xiaoyao Li
---
 arch/x86/include/asm/vmx.h | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/arch/x86/include/asm/vmx.h b/arch/x86/include/asm/vmx.h
index cca7d6641287..ce10a7e2d3d9 100644
--- a/arch/x86/include/asm/vmx.h
+++ b/arch/x86/include/asm/vmx.h
@@ -106,6 +106,7 @@ #define VM_EXIT_CLEAR_BNDCFGS 0x00800000 #define VM_EXIT_PT_CONCEAL_PIP 0x01000000 #define VM_EXIT_CLEAR_IA32_RTIT_CTL 0x02000000 +#define VM_EXIT_LOAD_CET_STATE 0x10000000 =20 #define VM_EXIT_ALWAYSON_WITHOUT_TRUE_MSR 0x00036dff =20 @@ -119,6 +120,7 @@ #define VM_ENTRY_LOAD_BNDCFGS 0x00010000 #define VM_ENTRY_PT_CONCEAL_PIP 0x00020000 #define VM_ENTRY_LOAD_IA32_RTIT_CTL 0x00040000 +#define VM_ENTRY_LOAD_CET_STATE 0x00100000 =20 #define VM_ENTRY_ALWAYSON_WITHOUT_TRUE_MSR 0x000011ff =20 @@ -369,6 +371,9 @@ enum vmcs_field { GUEST_PENDING_DBG_EXCEPTIONS =3D 0x00006822, GUEST_SYSENTER_ESP =3D 0x00006824, GUEST_SYSENTER_EIP =3D 0x00006826, + GUEST_S_CET =3D 0x00006828, + GUEST_SSP =3D 0x0000682a, + GUEST_INTR_SSP_TABLE =3D 0x0000682c, HOST_CR0 =3D 0x00006c00, HOST_CR3 =3D 0x00006c02, HOST_CR4 =3D 0x00006c04,
@@ -381,6 +386,9 @@ enum vmcs_field { HOST_IA32_SYSENTER_EIP =3D 0x00006c12, HOST_RSP =3D 0x00006c14, HOST_RIP =3D 0x00006c16, + HOST_S_CET =3D 0x00006c18, + HOST_SSP =3D 0x00006c1a, + HOST_INTR_SSP_TABLE =3D 0x00006c1c }; =20 /* --=20 2.51.0.384.g4c02a37b29-goog
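Review bot: VM_EXIT_LOAD_CET_STATE (0x10000000, bit 28) and VM_ENTRY_LOAD_CET_STATE (0x00100000, bit 20) are added without a pointer to the SDM table they come from, and the VM_{EXIT,ENTRY}_ALWAYSON_WITHOUT_TRUE_MSR masks directly below each new define are left untouched; cite the SDM section in the changelog so reviewers can check both the bit positions and that the new bits are correctly absent from the always-on masks.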
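Review bot: `HOST_INTR_SSP_TABLE = 0x00006c1c` closes enum vmcs_field without a trailing comma while the matching `GUEST_INTR_SSP_TABLE = 0x0000682c,` keeps one; add the comma so the next field appended to the enum does not have to modify this line.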
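As an added illustration of the two checks the changelog describes (not code from the kernel or this series), the following C model runs CALL/RET against a data stack and a shadow stack and checks indirect-branch targets for an ENDBRANCH marker. The struct, function names and the cp_fault codes are constructed for this example; what it shows beyond the prose is which value each check compares and why a return address overwritten only on the data stack is caught by SHSTK, while a branch to an unmarked target is caught by IBT independently of the stacks.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed software model of the SHSTK and IBT checks; not KVM code. */
#define STACK_DEPTH 16
#define TEXT_SIZE   64   /* toy code segment, one slot per instruction */

enum cp_fault {
	CP_NONE = 0,
	CP_SHSTK_MISMATCH,    /* RET: data-stack and shadow-stack return addresses differ */
	CP_IBT_MISSING_ENDBR, /* indirect branch did not land on an ENDBRANCH */
};

struct cet_cpu {
	uint64_t data_stack[STACK_DEPTH];   /* normal stack, writable by ordinary stores */
	uint64_t shadow_stack[STACK_DEPTH]; /* shadow stack, written only by CALL */
	size_t sp, ssp;
	bool shstk_enabled;                 /* models the shadow-stack enable bit in MSR_IA32_{U,S}_CET */
	bool ibt_enabled;                   /* models the IBT enable bit in MSR_IA32_{U,S}_CET */
	bool endbranch_at[TEXT_SIZE];       /* true where the toy text holds an ENDBRANCH */
};

/* CALL: push the return address on the data stack and, with SHSTK on, the shadow stack. */
static void cet_call(struct cet_cpu *cpu, uint64_t return_addr)
{
	cpu->data_stack[cpu->sp++] = return_addr;
	if (cpu->shstk_enabled)
		cpu->shadow_stack[cpu->ssp++] = return_addr;
}

/* RET: pop both stacks and compare; a mismatch is a control-protection fault (#CP). */
static enum cp_fault cet_ret(struct cet_cpu *cpu, uint64_t *target)
{
	uint64_t from_data = cpu->data_stack[--cpu->sp];

	if (cpu->shstk_enabled) {
		uint64_t from_shadow = cpu->shadow_stack[--cpu->ssp];
		if (from_data != from_shadow)
			return CP_SHSTK_MISMATCH;
	}
	*target = from_data;
	return CP_NONE;
}

/* Indirect CALL/JMP: with IBT on, the target instruction must be an ENDBRANCH. */
static enum cp_fault cet_indirect_branch(const struct cet_cpu *cpu, uint64_t target)
{
	if (cpu->ibt_enabled && (target >= TEXT_SIZE || !cpu->endbranch_at[target]))
		return CP_IBT_MISSING_ENDBR;
	return CP_NONE;
}

/* Scenario 1: the return address on the data stack is overwritten (as a stack
 * buffer overflow would do); only the data stack is reachable by stores. */
static enum cp_fault demo_corrupted_return(bool shstk_enabled)
{
	struct cet_cpu cpu = { .shstk_enabled = shstk_enabled };
	uint64_t target;

	cet_call(&cpu, 0x1000);              /* legitimate call, return address 0x1000 */
	cpu.data_stack[cpu.sp - 1] = 0x2000; /* constructed corruption of the data stack only */
	return cet_ret(&cpu, &target);       /* SHSTK on: CP_SHSTK_MISMATCH; off: CP_NONE */
}

/* Scenario 2: indirect branch to a marked vs. an unmarked target. */
static enum cp_fault demo_indirect_branch(bool ibt_enabled, uint64_t target)
{
	struct cet_cpu cpu = { .ibt_enabled = ibt_enabled };

	cpu.endbranch_at[8] = true; /* constructed: function entry at slot 8 starts with ENDBRANCH */
	return cet_indirect_branch(&cpu, target);
}

int main(void)
{
	printf("corrupted return, SHSTK on : fault %d\n", demo_corrupted_return(true));
	printf("corrupted return, SHSTK off: fault %d\n", demo_corrupted_return(false));
	printf("branch to ENDBRANCH, IBT on : fault %d\n", demo_indirect_branch(true, 8));
	printf("branch mid-function, IBT on : fault %d\n", demo_indirect_branch(true, 9));
	return 0;
}
```

The model also makes the S_CET remark in patch 09 easier to place: the enable bits live in the CET MSRs, so which MSR value is resident in hardware decides whether these checks run at all.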
Date: Fri, 12 Sep 2025 16:22:51 -0700
In-Reply-To: <20250912232319.429659-1-seanjc@google.com>
Message-ID: <20250912232319.429659-14-seanjc@google.com>
Subject: [PATCH v15 13/41] KVM: x86: Enable guest SSP read/write interface with new uAPIs
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Maxim Levitsky, Xiaoyao Li, Zhang Yi Z

From: Yang Weijiang

Enable guest shadow stack pointer (SSP) access interface with new uAPIs.

CET guest SSP is a HW register which has a corresponding VMCS field to save
and restore guest values when VM-{Exit,Entry} happens. KVM handles SSP as a
fake/synthetic MSR for userspace access.

Use a translation helper to set up the mapping between the SSP synthetic
index and the KVM-internal MSR index so that userspace doesn't need to take
care of KVM's management for synthetic MSRs, and to avoid conflicts.

Suggested-by: Sean Christopherson
Signed-off-by: Yang Weijiang
Tested-by: Mathias Krause
Tested-by: John Allen
Tested-by: Rick Edgecombe
Signed-off-by: Chao Gao
Co-developed-by: Sean Christopherson
Signed-off-by: Sean Christopherson
---
 Documentation/virt/kvm/api.rst  |  8 ++++++++
 arch/x86/include/uapi/asm/kvm.h |  3 +++
 arch/x86/kvm/x86.c              | 23 +++++++++++++++++++++--
 arch/x86/kvm/x86.h              | 10 ++++++++++
 4 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/Documentation/virt/kvm/api.rst b/Documentation/virt/kvm/api.rst index abd02675a24d..6ae24c5ca559 100644 --- a/Documentation/virt/kvm/api.rst +++ b/Documentation/virt/kvm/api.rst @@ -2911,6 +2911,14 @@ such as set vcpu counter or reset vcpu, and they hav= e the following id bit patte x86 MSR registers have the following id bit patterns:: 0x2030 0002 =20 +Following are the KVM-defined registers for x86: + +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D= =3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D + Encoding Register Description +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D= =3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D + 0x2030 0003 0000 0000 SSP Shadow Stack Pointer +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D= =3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D + 4.69 KVM_GET_ONE_REG -------------------- =20 diff --git a/arch/x86/include/uapi/asm/kvm.h b/arch/x86/include/uapi/asm/kv= m.h index 508b713ca52e..8cc79eca34b2 100644 --- a/arch/x86/include/uapi/asm/kvm.h +++ b/arch/x86/include/uapi/asm/kvm.h @@ -437,6 +437,9 @@ struct kvm_xcrs { #define KVM_X86_REG_KVM(index) \ KVM_X86_REG_ENCODE(KVM_X86_REG_TYPE_KVM, index) =20 +/* KVM-defined registers starting from 0 */ +#define KVM_REG_GUEST_SSP 0 + #define KVM_SYNC_X86_REGS (1UL << 0) #define KVM_SYNC_X86_SREGS (1UL << 1) #define KVM_SYNC_X86_EVENTS (1UL << 2) diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 2c9908bc8b32..460ceae11495 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c 
@@ -6017,7 +6017,15 @@ struct kvm_x86_reg_id { =20 static int kvm_translate_kvm_reg(struct kvm_x86_reg_id *reg) { - return -EINVAL; + switch (reg->index) { + case KVM_REG_GUEST_SSP: + reg->type =3D KVM_X86_REG_TYPE_MSR; + reg->index =3D MSR_KVM_INTERNAL_GUEST_SSP; + break; + default: + return -EINVAL; + } + return 0; } =20 static int kvm_get_one_msr(struct kvm_vcpu *vcpu, u32 msr, u64 __user *use= r_val) @@ -6097,11 +6105,22 @@ static int kvm_get_set_one_reg(struct kvm_vcpu *vcp= u, unsigned int ioctl, static int kvm_get_reg_list(struct kvm_vcpu *vcpu, struct kvm_reg_list __user *user_list) { - u64 nr_regs =3D 0; + u64 nr_regs =3D guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK) ? 1 : 0; + u64 user_nr_regs; + + if (get_user(user_nr_regs, &user_list->n)) + return -EFAULT; =20 if (put_user(nr_regs, &user_list->n)) return -EFAULT; =20 + if (user_nr_regs < nr_regs) + return -E2BIG; + + if (nr_regs && + put_user(KVM_X86_REG_KVM(KVM_REG_GUEST_SSP), &user_list->reg[0])) + return -EFAULT; + return 0; } =20 diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h index 786e36fcd0fb..a7c9c72fca93 100644 --- a/arch/x86/kvm/x86.h +++ b/arch/x86/kvm/x86.h 
@@ -101,6 +101,16 @@ do { \ #define KVM_SVM_DEFAULT_PLE_WINDOW_MAX USHRT_MAX #define KVM_SVM_DEFAULT_PLE_WINDOW 3000 =20 +/* + * KVM's internal, non-ABI indices for synthetic MSRs. The values themselv= es + * are arbitrary and have no meaning, the only requirement is that they do= n't + * conflict with "real" MSRs that KVM supports. Use values at the upper end + * of KVM's reserved paravirtual MSR range to minimize churn, i.e. these v= alues + * will be usable until KVM exhausts its supply of paravirtual MSR indices. + */ + +#define MSR_KVM_INTERNAL_GUEST_SSP 0x4b564dff + static inline unsigned int __grow_ple_window(unsigned int val, unsigned int base, unsigned int modifier, unsigned int max) {
-- 
2.51.0.384.g4c02a37b29-goog
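Review bot: the api.rst hunk adds the SSP row without saying when the register exists; per the kvm_get_reg_list() hunk it is enumerated only while X86_FEATURE_SHSTK is set in the vCPU's CPUID, so add a sentence under the table stating that KVM_GET_REG_LIST reports it only for vCPUs with SHSTK enabled and that the list must be re-read after KVM_SET_CPUID2.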
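Review bot: in the uapi kvm.h hunk, the comment above `#define KVM_REG_GUEST_SSP 0` should say that these are indices for KVM_X86_REG_KVM() ids and that they are ABI (existing values must never be renumbered, new ones are appended); "/* KVM-defined registers starting from 0 */" conveys neither.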
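Review bot: in the kvm_get_reg_list() hunk, put_user(nr_regs, &user_list->n) deliberately precedes `if (user_nr_regs < nr_regs) return -E2BIG;` so that userspace learns the required count from the failed call; add a comment saying so, because that ordering is easy to "fix" in a later cleanup. Since nr_regs is derived from guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK), the same comment should note that the list changes after KVM_SET_CPUID2.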
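Review bot: in the x86.h hunk, drop the empty `+` line between the closing `*/` and `#define MSR_KVM_INTERNAL_GUEST_SSP 0x4b564dff` so the comment stays attached to the definition it describes.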
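The userspace side of the SSP register interface this patch adds (KVM_GET_REG_LIST enumerating the KVM-defined SSP register, plus the id encoding from the api.rst table), as an added C example that is not part of the patch series or of KVM's own code. It assumes the id layout shown in the documentation row (KVM_REG_X86 | KVM_REG_SIZE_U64 in the top bits, type 3 for KVM-defined registers, type 2 for MSRs, index 0 for SSP). The ioctl number and struct layout in the Linux backend mirror linux/kvm.h and are assumptions of this example, the fake backend is constructed so the protocol can be run offline, and the names kvm_fetch_reg_list, reg_list_fn and fake_vcpu are the example's own.

```c
/* Added example, not code from the patch series or from KVM. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Id layout assumed from the api.rst row "0x2030 0003 0000 0000  SSP". */
#define KVM_X86_REG_BASE     0x2030000000000000ULL /* KVM_REG_X86 | KVM_REG_SIZE_U64 */
#define KVM_X86_REG_TYPE_MSR 2ULL                  /* bits 35:32 */
#define KVM_X86_REG_TYPE_KVM 3ULL
#define KVM_REG_GUEST_SSP    0U                    /* index, bits 31:0 */

static uint64_t kvm_x86_reg_encode(uint64_t type, uint32_t index)
{
	return KVM_X86_REG_BASE | (type << 32) | index;
}

static unsigned int kvm_x86_reg_type(uint64_t id)
{
	return (unsigned int)((id >> 32) & 0xf);
}

static uint32_t kvm_x86_reg_index(uint64_t id)
{
	return (uint32_t)id;
}

/*
 * One KVM_GET_REG_LIST call: *n is the caller's capacity on entry and KVM's
 * count on return; returns 0 or -errno, where -E2BIG means "capacity too
 * small, n now holds the real count", matching kvm_get_reg_list() above.
 */
typedef int (*reg_list_fn)(void *ctx, uint64_t *n, uint64_t *regs);

/* Two-call protocol: probe with n = 0, size the buffer from the reply, call again. */
static int kvm_fetch_reg_list(reg_list_fn call, void *ctx,
			      uint64_t **regs_out, uint64_t *n_out)
{
	uint64_t n = 0, *regs = NULL;
	int r = call(ctx, &n, NULL);

	if (r && r != -E2BIG)
		return r;
	if (n) {
		regs = calloc(n, sizeof(*regs));
		if (!regs)
			return -ENOMEM;
		r = call(ctx, &n, regs); /* can fail again if CPUID changed in between */
		if (r) {
			free(regs);
			return r;
		}
	}
	*regs_out = regs;
	*n_out = n;
	return 0;
}

static int kvm_reg_list_has_ssp(const uint64_t *regs, uint64_t n)
{
	uint64_t ssp = kvm_x86_reg_encode(KVM_X86_REG_TYPE_KVM, KVM_REG_GUEST_SSP);

	for (uint64_t i = 0; i < n; i++)
		if (regs[i] == ssp)
			return 1;
	return 0;
}

/* Constructed offline backend modelling the hunk: one entry iff SHSTK is enabled. */
struct fake_vcpu { int shstk; };

static int fake_reg_list(void *ctx, uint64_t *n, uint64_t *regs)
{
	const struct fake_vcpu *v = ctx;
	uint64_t nr_regs = v->shstk ? 1 : 0, user_n = *n;

	*n = nr_regs;                 /* reported before the size check, as in the hunk */
	if (user_n < nr_regs)
		return -E2BIG;
	if (nr_regs)
		regs[0] = kvm_x86_reg_encode(KVM_X86_REG_TYPE_KVM, KVM_REG_GUEST_SSP);
	return 0;
}

#ifdef __linux__
#include <sys/ioctl.h>
/* Assumed to match struct kvm_reg_list / KVM_GET_REG_LIST in linux/kvm.h. */
struct x86_reg_list { uint64_t n; uint64_t reg[]; };
#define X86_KVM_GET_REG_LIST _IOWR(0xAE, 0xb0, struct x86_reg_list)

int linux_reg_list(void *ctx, uint64_t *n, uint64_t *regs)
{
	int vcpu_fd = *(const int *)ctx, r;
	struct x86_reg_list *l = malloc(sizeof(*l) + *n * sizeof(uint64_t));

	if (!l)
		return -ENOMEM;
	l->n = *n;
	r = ioctl(vcpu_fd, X86_KVM_GET_REG_LIST, l) ? -errno : 0;
	*n = l->n;                    /* kernel updates n even on -E2BIG */
	if (!r && regs)
		memcpy(regs, l->reg, (size_t)l->n * sizeof(uint64_t));
	free(l);
	return r;
}
#endif

int main(void)
{
	struct fake_vcpu v = { .shstk = 1 };
	uint64_t *regs, n;

	if (kvm_fetch_reg_list(fake_reg_list, &v, &regs, &n))
		return 1;
	printf("%llu reg(s), SSP present: %d, id 0x%016llx\n",
	       (unsigned long long)n, kvm_reg_list_has_ssp(regs, n),
	       (unsigned long long)kvm_x86_reg_encode(KVM_X86_REG_TYPE_KVM, KVM_REG_GUEST_SSP));
	free(regs);
	return 0;
}
```

Against a real vCPU, pass linux_reg_list and a pointer to the vCPU fd in place of fake_reg_list and the fake vCPU; the probe-then-resize loop is the same protocol the hunk implements by writing nr_regs to user_list->n before returning -E2BIG. The resulting id is what KVM_GET_ONE_REG/KVM_SET_ONE_REG expect for SSP.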

Date: Fri, 12 Sep 2025 16:22:52 -0700
Message-ID: <20250912232319.429659-15-seanjc@google.com>
In-Reply-To: <20250912232319.429659-1-seanjc@google.com>
Subject: [PATCH v15 14/41] KVM: VMX: Emulate read and write to CET MSRs
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Maxim Levitsky, Xiaoyao Li, Zhang Yi Z
From: Yang Weijiang

Add an emulation interface for CET MSR access. The emulation code is split into a common part and a vendor-specific part. The former does common checks for MSRs, e.g., accessibility, data validity, etc., then passes the operation to either the XSAVE-managed MSRs via the helpers or the CET VMCS fields.

SSP can only be read via RDSSP. Writing even requires destructive and potentially faulting operations such as SAVEPREVSSP/RSTORSSP or SETSSBSY/CLRSSBSY. Let the host use a pseudo-MSR that is just a wrapper for the GUEST_SSP field of the VMCS.

Suggested-by: Sean Christopherson
Signed-off-by: Yang Weijiang
Tested-by: Mathias Krause
Tested-by: John Allen
Tested-by: Rick Edgecombe
Signed-off-by: Chao Gao
[sean: drop call to kvm_set_xstate_msr() for S_CET, consolidate code]
Signed-off-by: Sean Christopherson
Reviewed-by: Binbin Wu
Reviewed-by: Xiaoyao Li
---
 arch/x86/kvm/vmx/vmx.c | 18 ++++++++++++
 arch/x86/kvm/x86.c     | 64 ++++++++++++++++++++++++++++++++++++++++--
 arch/x86/kvm/x86.h     | 23 +++++++++++++++
 3 files changed, 103 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index 227b45430ad8..4fc1dbba2eb0 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -2106,6 +2106,15 @@ int vmx_get_msr(struct kvm_vcpu *vcpu, struct msr_da= ta *msr_info) else msr_info->data =3D vmx->pt_desc.guest.addr_a[index / 2]; break; + case MSR_IA32_S_CET: + msr_info->data =3D vmcs_readl(GUEST_S_CET); + break; + case MSR_KVM_INTERNAL_GUEST_SSP: + msr_info->data =3D vmcs_readl(GUEST_SSP); + break; + case MSR_IA32_INT_SSP_TAB: + msr_info->data =3D vmcs_readl(GUEST_INTR_SSP_TABLE); + break; case MSR_IA32_DEBUGCTLMSR: msr_info->data =3D vmx_guest_debugctl_read(); break; 
@@ -2424,6 +2433,15 @@ int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_da= ta *msr_info) else vmx->pt_desc.guest.addr_a[index / 2] =3D data; break; + case MSR_IA32_S_CET: + vmcs_writel(GUEST_S_CET, data); + break; + case MSR_KVM_INTERNAL_GUEST_SSP: + vmcs_writel(GUEST_SSP, data); + break; + case MSR_IA32_INT_SSP_TAB: + vmcs_writel(GUEST_INTR_SSP_TABLE, data); + break; case MSR_IA32_PERF_CAPABILITIES: if (data & PMU_CAP_LBR_FMT) { if ((data & PMU_CAP_LBR_FMT) !=3D diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 460ceae11495..0b67b1b0e361 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c 
@@ -1890,6 +1890,44 @@ static int __kvm_set_msr(struct kvm_vcpu *vcpu, u32 = index, u64 data, =20 data =3D (u32)data; break; + case MSR_IA32_U_CET: + case MSR_IA32_S_CET: + if (!guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK) && + !guest_cpu_cap_has(vcpu, X86_FEATURE_IBT)) + return KVM_MSR_RET_UNSUPPORTED; + if (!kvm_is_valid_u_s_cet(vcpu, data)) + return 1; + break; + case MSR_KVM_INTERNAL_GUEST_SSP: + if (!host_initiated) + return 1; + fallthrough; + /* + * Note that the MSR emulation here is flawed when a vCPU + * doesn't support the Intel 64 architecture. The expected + * architectural behavior in this case is that the upper 32 + * bits do not exist and should always read '0'. However, + * because the actual hardware on which the virtual CPU is + * running does support Intel 64, XRSTORS/XSAVES in the + * guest could observe behavior that violates the + * architecture. Intercepting XRSTORS/XSAVES for this + * special case isn't deemed worthwhile. + */ + case MSR_IA32_PL0_SSP ... MSR_IA32_INT_SSP_TAB: + if (!guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK)) + return KVM_MSR_RET_UNSUPPORTED; + /* + * MSR_IA32_INT_SSP_TAB is not present on processors that do + * not support Intel 64 architecture. + */ + if (index =3D=3D MSR_IA32_INT_SSP_TAB && !guest_cpu_cap_has(vcpu, X86_FE= ATURE_LM)) + return KVM_MSR_RET_UNSUPPORTED; + if (is_noncanonical_msr_address(data, vcpu)) + return 1; + /* All SSP MSRs except MSR_IA32_INT_SSP_TAB must be 4-byte aligned */ + if (index !=3D MSR_IA32_INT_SSP_TAB && !IS_ALIGNED(data, 4)) + return 1; + break; } =20 msr.data =3D data; 
@@ -1934,6 +1972,20 @@ static int __kvm_get_msr(struct kvm_vcpu *vcpu, u32 = index, u64 *data, !guest_cpu_cap_has(vcpu, X86_FEATURE_RDPID)) return 1; break; + case MSR_IA32_U_CET: + case MSR_IA32_S_CET: + if (!guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK) && + !guest_cpu_cap_has(vcpu, X86_FEATURE_IBT)) + return KVM_MSR_RET_UNSUPPORTED; + break; + case MSR_KVM_INTERNAL_GUEST_SSP: + if (!host_initiated) + return 1; + fallthrough; + case MSR_IA32_PL0_SSP ... MSR_IA32_INT_SSP_TAB: + if (!guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK)) + return KVM_MSR_RET_UNSUPPORTED; + break; } =20 msr.index =3D index; @@ -3864,12 +3916,12 @@ static __always_inline void kvm_access_xstate_msr(s= truct kvm_vcpu *vcpu, kvm_fpu_put(); } =20 -static __maybe_unused void kvm_set_xstate_msr(struct kvm_vcpu *vcpu, struc= t msr_data *msr_info) +static void kvm_set_xstate_msr(struct kvm_vcpu *vcpu, struct msr_data *msr= _info) { kvm_access_xstate_msr(vcpu, msr_info, MSR_TYPE_W); } =20 -static __maybe_unused void kvm_get_xstate_msr(struct kvm_vcpu *vcpu, struc= t msr_data *msr_info) +static void kvm_get_xstate_msr(struct kvm_vcpu *vcpu, struct msr_data *msr= _info) { kvm_access_xstate_msr(vcpu, msr_info, MSR_TYPE_R); } @@ -4255,6 +4307,10 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct= msr_data *msr_info) vcpu->arch.guest_fpu.xfd_err =3D data; break; #endif + case MSR_IA32_U_CET: + case MSR_IA32_PL0_SSP ... MSR_IA32_PL3_SSP: + kvm_set_xstate_msr(vcpu, msr_info); + break; default: if (kvm_pmu_is_valid_msr(vcpu, msr)) return kvm_pmu_set_msr(vcpu, msr_info); @@ -4604,6 +4660,10 @@ int kvm_get_msr_common(struct kvm_vcpu *vcpu, struct= msr_data *msr_info) msr_info->data =3D vcpu->arch.guest_fpu.xfd_err; break; #endif + case MSR_IA32_U_CET: + case MSR_IA32_PL0_SSP ... MSR_IA32_PL3_SSP: + kvm_get_xstate_msr(vcpu, msr_info); + break; default: if (kvm_pmu_is_valid_msr(vcpu, msr_info->index)) return kvm_pmu_get_msr(vcpu, msr_info); 
diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h index a7c9c72fca93..076eccba0f7e 100644 --- a/arch/x86/kvm/x86.h +++ b/arch/x86/kvm/x86.h 
@@ -710,4 +710,27 @@ int ____kvm_emulate_hypercall(struct kvm_vcpu *vcpu, i= nt cpl, =20 int kvm_emulate_hypercall(struct kvm_vcpu *vcpu); =20 +#define CET_US_RESERVED_BITS GENMASK(9, 6) +#define CET_US_SHSTK_MASK_BITS GENMASK(1, 0) +#define CET_US_IBT_MASK_BITS (GENMASK_ULL(5, 2) | GENMASK_ULL(63, 10)) +#define CET_US_LEGACY_BITMAP_BASE(data) ((data) >> 12) + +static inline bool kvm_is_valid_u_s_cet(struct kvm_vcpu *vcpu, u64 data) +{ + if (data & CET_US_RESERVED_BITS) + return false; + if (!guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK) && + (data & CET_US_SHSTK_MASK_BITS)) + return false; + if (!guest_cpu_cap_has(vcpu, X86_FEATURE_IBT) && + (data & CET_US_IBT_MASK_BITS)) + return false; + if (!IS_ALIGNED(CET_US_LEGACY_BITMAP_BASE(data), 4)) + return false; + /* IBT can be suppressed iff the TRACKER isn't WAIT_ENDBR. */ + if ((data & CET_SUPPRESS) && (data & CET_WAIT_ENDBR)) + return false; + + return true; +} #endif
-- 
2.51.0.384.g4c02a37b29-goog
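Review bot: in the __kvm_set_msr() hunk, the block comment about XSAVES/XRSTORS exposing the upper 32 bits of the SSP MSRs to a vCPU without Intel 64 sits between `fallthrough;` and the `case MSR_IA32_PL0_SSP ... MSR_IA32_INT_SSP_TAB:` label, where it reads as if it explains the fallthrough from MSR_KVM_INTERNAL_GUEST_SSP; move it below the case label, next to the SHSTK/LM checks it actually qualifies. A one-liner is also warranted on the fallthrough itself: because the synthetic SSP shares the case, a host-initiated write is subject to the same is_noncanonical_msr_address() and IS_ALIGNED(data, 4) checks as the architectural SSP MSRs, which is what later callers (the SMRAM reload in 15/41) rely on instead of a raw VMCS write.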
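Review bot: in the kvm_set_msr_common() hunk (and its kvm_get_msr_common() twin), only MSR_IA32_U_CET and MSR_IA32_PL0_SSP..PL3_SSP are routed to the xstate helpers, while MSR_IA32_S_CET, MSR_IA32_INT_SSP_TAB and MSR_KVM_INTERNAL_GUEST_SSP are left to the vendor callbacks because they live in the VMCS. State that split in a comment next to the case labels so the VMCS-backed MSRs don't get added here by mistake.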
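Review bot: in the x86.h hunk, CET_US_RESERVED_BITS and CET_US_SHSTK_MASK_BITS use GENMASK() while CET_US_IBT_MASK_BITS uses GENMASK_ULL(); all three are applied to a u64, so use GENMASK_ULL() throughout. Also, IS_ALIGNED(CET_US_LEGACY_BITMAP_BASE(data), 4) tests bits 13:12 of the MSR, i.e. it requires the legacy code page bitmap base to be 16 KiB aligned rather than just the page alignment the 63:12 field already implies; nothing here says where that requirement comes from, so cite the SDM wording in a comment or, if it isn't architectural, drop the check.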

Date: Fri, 12 Sep 2025 16:22:53 -0700
Message-ID: <20250912232319.429659-16-seanjc@google.com>
In-Reply-To: <20250912232319.429659-1-seanjc@google.com>
Subject: [PATCH v15 15/41] KVM: x86: Save and reload SSP to/from SMRAM
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Maxim Levitsky, Xiaoyao Li, Zhang Yi Z
From: Yang Weijiang

Save CET SSP to SMRAM on SMI and reload it on RSM.

KVM emulates HW arch behavior when the guest enters/leaves SMM mode, i.e., saves registers to SMRAM at the entry to SMM and reloads them at the exit from SMM. Per the SDM, SSP is one such register on 64-bit arch, so add support for SSP.

Suggested-by: Sean Christopherson
Signed-off-by: Yang Weijiang
Tested-by: Mathias Krause
Tested-by: John Allen
Tested-by: Rick Edgecombe
Signed-off-by: Chao Gao
Signed-off-by: Sean Christopherson
Reviewed-by: Binbin Wu
Reviewed-by: Xiaoyao Li
---
 arch/x86/kvm/smm.c | 8 ++++++++
 arch/x86/kvm/smm.h | 2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kvm/smm.c b/arch/x86/kvm/smm.c index 5dd8a1646800..b0b14ba37f9a 100644 --- a/arch/x86/kvm/smm.c +++ b/arch/x86/kvm/smm.c @@ -269,6 +269,10 @@ static void enter_smm_save_state_64(struct kvm_vcpu *v= cpu, enter_smm_save_seg_64(vcpu, &smram->gs, VCPU_SREG_GS); =20 smram->int_shadow =3D kvm_x86_call(get_interrupt_shadow)(vcpu); + + if (guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK) && + kvm_msr_read(vcpu, MSR_KVM_INTERNAL_GUEST_SSP, &smram->ssp)) + kvm_make_request(KVM_REQ_TRIPLE_FAULT, vcpu); } #endif =20 @@ -558,6 +562,10 @@ static int rsm_load_state_64(struct x86_emulate_ctxt *= ctxt, kvm_x86_call(set_interrupt_shadow)(vcpu, 0); ctxt->interruptibility =3D (u8)smstate->int_shadow; =20 + if (guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK) && + kvm_msr_write(vcpu, MSR_KVM_INTERNAL_GUEST_SSP, smstate->ssp)) + return X86EMUL_UNHANDLEABLE; + return X86EMUL_CONTINUE; } #endif diff --git a/arch/x86/kvm/smm.h b/arch/x86/kvm/smm.h index 551703fbe200..db3c88f16138 100644 --- a/arch/x86/kvm/smm.h +++ b/arch/x86/kvm/smm.h 
@@ -116,8 +116,8 @@ struct kvm_smram_state_64 { u32 smbase; u32 reserved4[5]; =20 - /* ssp and svm_* fields below are not implemented by KVM */ u64 ssp; + /* svm_* fields below are not implemented by KVM */ u64 svm_guest_pat; u64 svm_host_efer; u64 svm_host_cr4;
-- 
2.51.0.384.g4c02a37b29-goog
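Review bot: in the enter_smm_save_state_64() hunk, a failed kvm_msr_read() of MSR_KVM_INTERNAL_GUEST_SSP requests KVM_REQ_TRIPLE_FAULT. The read is host-initiated, gated on guest SHSTK and backed by a plain vmcs_readl() in vmx_get_msr(), so it cannot fail on guest input; say in a comment that this is a should-never-happen path (a WARN_ON_ONCE fits, since the guest cannot trigger it). Only the 64-bit save map is touched; if the 32-bit SMRAM layout has no SSP slot per the SDM, one sentence in the changelog saying so would pre-empt the question.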
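Review bot: in the rsm_load_state_64() hunk, kvm_msr_write() routes through __kvm_set_msr(), so an SSP value in SMRAM that is non-canonical or not 4-byte aligned (SMRAM is writable by the SMM handler) is rejected and RSM ends in X86EMUL_UNHANDLEABLE, i.e. shutdown, which is the architectural outcome for invalid state on RSM; add a comment saying the validation is intentional so it isn't later "optimised" into a direct VMCS write.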

Date: Fri, 12 Sep 2025 16:22:54 -0700
Message-ID: <20250912232319.429659-17-seanjc@google.com>
In-Reply-To: <20250912232319.429659-1-seanjc@google.com>
Subject: [PATCH v15 16/41] KVM: VMX: Set up interception for CET MSRs
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Maxim Levitsky, Xiaoyao Li, Zhang Yi Z

From: Yang Weijiang

Enable/disable interception of the CET MSRs per the associated feature configuration.

Pass through CET MSRs that are managed by XSAVE, as they cannot be intercepted without also intercepting XSAVE. However, intercepting XSAVE would likely cause unacceptable performance overhead. MSR_IA32_INT_SSP_TAB is not managed by XSAVE, so it is intercepted.

Note, this MSR design introduces an architectural limitation on SHSTK and IBT control for the guest, i.e., when SHSTK is exposed, IBT is also available to the guest from an architectural perspective, since IBT relies on a subset of the SHSTK-relevant MSRs.

Suggested-by: Sean Christopherson
Signed-off-by: Yang Weijiang
Tested-by: Mathias Krause
Tested-by: John Allen
Tested-by: Rick Edgecombe
Signed-off-by: Chao Gao
Signed-off-by: Sean Christopherson
Reviewed-by: Binbin Wu
Reviewed-by: Xiaoyao Li
Reviewed-by: Xin Li (Intel)
---
 arch/x86/kvm/vmx/vmx.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index 4fc1dbba2eb0..adf5af30e537 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -4101,6 +4101,8 @@ void pt_update_intercept_for_msr(struct kvm_vcpu *vcp= u) =20 void vmx_recalc_msr_intercepts(struct kvm_vcpu *vcpu) { + bool intercept; + if (!cpu_has_vmx_msr_bitmap()) return; =20 
@@ -4146,6 +4148,23 @@ void vmx_recalc_msr_intercepts(struct kvm_vcpu *vcpu) vmx_set_intercept_for_msr(vcpu, MSR_IA32_FLUSH_CMD, MSR_TYPE_W, !guest_cpu_cap_has(vcpu, X86_FEATURE_FLUSH_L1D)); =20 + if (kvm_cpu_cap_has(X86_FEATURE_SHSTK)) { + intercept =3D !guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK); + + vmx_set_intercept_for_msr(vcpu, MSR_IA32_PL0_SSP, MSR_TYPE_RW, intercept= ); + vmx_set_intercept_for_msr(vcpu, MSR_IA32_PL1_SSP, MSR_TYPE_RW, intercept= ); + vmx_set_intercept_for_msr(vcpu, MSR_IA32_PL2_SSP, MSR_TYPE_RW, intercept= ); + vmx_set_intercept_for_msr(vcpu, MSR_IA32_PL3_SSP, MSR_TYPE_RW, intercept= ); + } + + if (kvm_cpu_cap_has(X86_FEATURE_SHSTK) || kvm_cpu_cap_has(X86_FEATURE_IBT= )) { + intercept =3D !guest_cpu_cap_has(vcpu, X86_FEATURE_IBT) && + !guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK); + + vmx_set_intercept_for_msr(vcpu, MSR_IA32_U_CET, MSR_TYPE_RW, intercept); + vmx_set_intercept_for_msr(vcpu, MSR_IA32_S_CET, MSR_TYPE_RW, intercept); + } + /* * x2APIC and LBR MSR intercepts are modified on-demand and cannot be * filtered by userspace. 
-- 
2.51.0.384.g4c02a37b29-goog
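Review bot: in the vmx_recalc_msr_intercepts() hunk, MSR_IA32_U_CET and MSR_IA32_S_CET are passed through whenever the guest has IBT *or* SHSTK, so a vCPU with IBT but without SHSTK can set the SH_STK_EN/WR_SHSTK_EN bits (bits 1:0) directly in hardware, bypassing the kvm_is_valid_u_s_cet() check that host-initiated writes go through in __kvm_set_msr(). The changelog only states the opposite direction ("when SHSTK is exposed, IBT is also available"); document both, and note that MSR_IA32_PL0_SSP..PL3_SSP stay intercepted in that configuration, so WRMSR to them is still rejected as unsupported for a SHSTK-less guest.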

Date: Fri, 12 Sep 2025 16:22:55 -0700
Message-ID: <20250912232319.429659-18-seanjc@google.com>
In-Reply-To: <20250912232319.429659-1-seanjc@google.com>
Subject: [PATCH v15 17/41] KVM: VMX: Set host constant supervisor states to VMCS fields
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Maxim Levitsky, Xiaoyao Li, Zhang Yi Z

From: Yang Weijiang

Save constant values to the HOST_{S_CET,SSP,INTR_SSP_TABLE} fields explicitly.

Kernel IBT is supported and the setting in MSR_IA32_S_CET is static after boot (the exception is the BIOS call case, but the vCPU thread never crosses it), so KVM doesn't need to refresh the HOST_S_CET field before every VM-Enter/VM-Exit sequence.

Host supervisor shadow stack is not enabled now, and SSP is not accessible in kernel mode, thus it's safe to set the host IA32_INT_SSP_TAB/SSP VMCS fields to 0. When shadow stack is enabled for CPL3, SSP is reloaded from PL3_SSP before it exits to userspace. Check SDM Vol 2A/B Chapter 3/4 for SYSCALL/SYSRET/SYSENTER/SYSEXIT/RDSSP/CALL etc.

Prevent KVM module loading if the host supervisor shadow stack SHSTK_EN is set in MSR_IA32_S_CET, as KVM cannot co-exist with it correctly.

Suggested-by: Sean Christopherson
Suggested-by: Chao Gao
Signed-off-by: Yang Weijiang
Reviewed-by: Maxim Levitsky
Reviewed-by: Chao Gao
Tested-by: Mathias Krause
Tested-by: John Allen
Tested-by: Rick Edgecombe
Signed-off-by: Chao Gao
[sean: snapshot host S_CET if SHSTK *or* IBT is supported]
Signed-off-by: Sean Christopherson Reviewed-by: Xiaoyao Li --- arch/x86/kvm/vmx/capabilities.h | 4 ++++ arch/x86/kvm/vmx/vmx.c | 15 +++++++++++++++ arch/x86/kvm/x86.c | 12 ++++++++++++ arch/x86/kvm/x86.h | 1 + 4 files changed, 32 insertions(+) diff --git a/arch/x86/kvm/vmx/capabilities.h b/arch/x86/kvm/vmx/capabilitie= s.h index 5316c27f6099..7d290b2cb0f4 100644 --- a/arch/x86/kvm/vmx/capabilities.h +++ b/arch/x86/kvm/vmx/capabilities.h @@ -103,6 +103,10 @@ static inline bool cpu_has_load_perf_global_ctrl(void) return vmcs_config.vmentry_ctrl & VM_ENTRY_LOAD_IA32_PERF_GLOBAL_CTRL; } =20 +static inline bool cpu_has_load_cet_ctrl(void) +{ + return (vmcs_config.vmentry_ctrl & VM_ENTRY_LOAD_CET_STATE); +} static inline bool cpu_has_vmx_mpx(void) { return vmcs_config.vmentry_ctrl & VM_ENTRY_LOAD_BNDCFGS; diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index adf5af30e537..e8155635cb42 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -4320,6 +4320,21 @@ void vmx_set_constant_host_state(struct vcpu_vmx *vm= x) =20 if (cpu_has_load_ia32_efer()) vmcs_write64(HOST_IA32_EFER, kvm_host.efer); + + /* + * Supervisor shadow stack is not enabled on host side, i.e., + * host IA32_S_CET.SHSTK_EN bit is guaranteed to 0 now, per SDM + * description(RDSSP instruction), SSP is not readable in CPL0, + * so resetting the two registers to 0s at VM-Exit does no harm + * to kernel execution. When execution flow exits to userspace, + * SSP is reloaded from IA32_PL3_SSP. Check SDM Vol.2A/B Chapter + * 3 and 4 for details. + */ + if (cpu_has_load_cet_ctrl()) { + vmcs_writel(HOST_S_CET, kvm_host.s_cet); + vmcs_writel(HOST_SSP, 0); + vmcs_writel(HOST_INTR_SSP_TABLE, 0); + } } =20 void set_cr4_guest_host_mask(struct vcpu_vmx *vmx) diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 0b67b1b0e361..15f208c44cbd 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c 
@@ -9982,6 +9982,18 @@ int kvm_x86_vendor_init(struct kvm_x86_init_ops *ops) return -EIO; } =20 + if (boot_cpu_has(X86_FEATURE_SHSTK) || boot_cpu_has(X86_FEATURE_IBT)) { + rdmsrq(MSR_IA32_S_CET, kvm_host.s_cet); + /* + * Linux doesn't yet support supervisor shadow stacks (SSS), so + * KVM doesn't save/restore the associated MSRs, i.e. KVM may + * clobber the host values. Yell and refuse to load if SSS is + * unexpectedly enabled, e.g. to avoid crashing the host. + */ + if (WARN_ON_ONCE(kvm_host.s_cet & CET_SHSTK_EN)) + return -EIO; + } + memset(&kvm_caps, 0, sizeof(kvm_caps)); =20 x86_emulator_cache =3D kvm_alloc_emulator_cache(); diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h index 076eccba0f7e..65cbd454c4f1 100644 --- a/arch/x86/kvm/x86.h +++ b/arch/x86/kvm/x86.h 
@@ -50,6 +50,7 @@ struct kvm_host_values { u64 efer; u64 xcr0; u64 xss; + u64 s_cet; u64 arch_capabilities; }; =20 --=20 2.51.0.384.g4c02a37b29-goog
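Review bot: in the capabilities.h hunk, cpu_has_load_cet_ctrl() is added with no blank line between its closing brace and `static inline bool cpu_has_vmx_mpx(void)` (the hunk grows by exactly the four lines of the function), and its return expression is parenthesized unlike every neighbouring helper; add the separating blank line and write it as `return vmcs_config.vmentry_ctrl & VM_ENTRY_LOAD_CET_STATE;` to match the file's style.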
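Review bot: the comment in the vmx_set_constant_host_state() hunk says host IA32_S_CET.SHSTK_EN "is guaranteed to 0 now" without saying what guarantees it; the guarantee is the CET_SHSTK_EN refusal in kvm_x86_vendor_init() in this same patch, so point at it ("KVM refuses to load if SHSTK_EN is set, see kvm_x86_vendor_init()") and fix the grammar while there ("is guaranteed to be 0", "per the SDM description (RDSSP instruction)"). Writing the once-snapshotted kvm_host.s_cet into HOST_S_CET is also exactly the "S_CET is static post-boot" argument from the changelog, and the comment is the right place to state that assumption next to the write.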
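Review bot: in the kvm_x86_vendor_init() hunk, `WARN_ON_ONCE(kvm_host.s_cet & CET_SHSTK_EN)` followed by `return -EIO` leaves an administrator with a stack trace and a bare EIO from modprobe; a pr_err() naming the cause (supervisor shadow stack enabled in MSR_IA32_S_CET, which KVM does not yet save/restore) before returning would make the refusal diagnosable. The rdmsrq() also samples S_CET on whichever CPU happens to run the init path; the changelog argues the value is static post-boot on every CPU, and that assumption is worth one sentence in the comment next to the read.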
Reply-To: Sean Christopherson
Date: Fri, 12 Sep 2025 16:22:56 -0700
In-Reply-To: <20250912232319.429659-1-seanjc@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
References: <20250912232319.429659-1-seanjc@google.com>
Message-ID: <20250912232319.429659-19-seanjc@google.com>
Subject: [PATCH v15 18/41] KVM: x86: Don't emulate instructions affected by CET features
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Maxim Levitsky, Xiaoyao Li, Zhang Yi Z

From: Yang Weijiang

Don't emulate branch instructions, e.g. CALL/RET/JMP etc., that are affected
by Shadow Stacks and/or Indirect Branch Tracking when said features are
enabled in the guest, as fully emulating CET would require significant
complexity for no practical benefit (KVM shouldn't need to emulate branch
instructions on modern hosts). Simply doing nothing isn't an option as that
would allow a malicious entity to subvert CET protections via the emulator.

Note! On far transfers, do NOT consult the current privilege level and
instead treat SHSTK/IBT as being enabled if they're enabled for User *or*
Supervisor mode. On inter-privilege level far transfers, SHSTK and IBT can
be in play for the target privilege level, i.e. checking the current
privilege could get a false negative, and KVM doesn't know the target
privilege level until emulation gets under way.

Suggested-by: Chao Gao
Signed-off-by: Yang Weijiang
Cc: Mathias Krause
Cc: John Allen
Cc: Rick Edgecombe
Signed-off-by: Chao Gao
Co-developed-by: Sean Christopherson
Signed-off-by: Sean Christopherson Reviewed-by: Xiaoyao Li --- arch/x86/kvm/emulate.c | 58 ++++++++++++++++++++++++++++++++++-------- 1 file changed, 47 insertions(+), 11 deletions(-) diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c index 542d3664afa3..e4be54a677b0 100644 --- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c @@ -178,6 +178,8 @@ #define IncSP ((u64)1 << 54) /* SP is incremented before ModRM calc= */ #define TwoMemOp ((u64)1 << 55) /* Instruction has two memory operand = */ #define IsBranch ((u64)1 << 56) /* Instruction is considered a branch.= */ +#define ShadowStack ((u64)1 << 57) /* Instruction protected by Shadow Sta= ck. */ +#define IndirBrnTrk ((u64)1 << 58) /* Instruction protected by IBT. */ =20 #define DstXacc (DstAccLo | SrcAccHi | SrcWrite) =20 @@ -4068,9 +4070,9 @@ static const struct opcode group4[] =3D { static const struct opcode group5[] =3D { F(DstMem | SrcNone | Lock, em_inc), F(DstMem | SrcNone | Lock, em_dec), - I(SrcMem | NearBranch | IsBranch, em_call_near_abs), - I(SrcMemFAddr | ImplicitOps | IsBranch, em_call_far), - I(SrcMem | NearBranch | IsBranch, em_jmp_abs), + I(SrcMem | NearBranch | IsBranch | ShadowStack | IndirBrnTrk, em_call_nea= r_abs), + I(SrcMemFAddr | ImplicitOps | IsBranch | ShadowStack | IndirBrnTrk, em_ca= ll_far), + I(SrcMem | NearBranch | IsBranch | IndirBrnTrk, em_jmp_abs), I(SrcMemFAddr | ImplicitOps | IsBranch, em_jmp_far), I(SrcMem | Stack | TwoMemOp, em_push), D(Undefined), }; 
@@ -4332,11 +4334,11 @@ static const struct opcode opcode_table[256] =3D { /* 0xC8 - 0xCF */ I(Stack | SrcImmU16 | Src2ImmByte | IsBranch, em_enter), I(Stack | IsBranch, em_leave), - I(ImplicitOps | SrcImmU16 | IsBranch, em_ret_far_imm), - I(ImplicitOps | IsBranch, em_ret_far), - D(ImplicitOps | IsBranch), DI(SrcImmByte | IsBranch, intn), + I(ImplicitOps | SrcImmU16 | IsBranch | ShadowStack, em_ret_far_imm), + I(ImplicitOps | IsBranch | ShadowStack, em_ret_far), + D(ImplicitOps | IsBranch), DI(SrcImmByte | IsBranch | ShadowStack, intn), D(ImplicitOps | No64 | IsBranch), - II(ImplicitOps | IsBranch, em_iret, iret), + II(ImplicitOps | IsBranch | ShadowStack, em_iret, iret), /* 0xD0 - 0xD7 */ G(Src2One | ByteOp, group2), G(Src2One, group2), G(Src2CL | ByteOp, group2), G(Src2CL, group2), @@ -4352,7 +4354,7 @@ static const struct opcode opcode_table[256] =3D { I2bvIP(SrcImmUByte | DstAcc, em_in, in, check_perm_in), I2bvIP(SrcAcc | DstImmUByte, em_out, out, check_perm_out), /* 0xE8 - 0xEF */ - I(SrcImm | NearBranch | IsBranch, em_call), + I(SrcImm | NearBranch | IsBranch | ShadowStack, em_call), D(SrcImm | ImplicitOps | NearBranch | IsBranch), I(SrcImmFAddr | No64 | IsBranch, em_jmp_far), D(SrcImmByte | ImplicitOps | NearBranch | IsBranch), @@ -4371,7 +4373,7 @@ static const struct opcode opcode_table[256] =3D { static const struct opcode twobyte_table[256] =3D { /* 0x00 - 0x0F */ G(0, group6), GD(0, &group7), N, N, - N, I(ImplicitOps | EmulateOnUD | IsBranch, em_syscall), + N, I(ImplicitOps | EmulateOnUD | IsBranch | ShadowStack | IndirBrnTrk, em= _syscall), II(ImplicitOps | Priv, em_clts, clts), N, DI(ImplicitOps | Priv, invd), DI(ImplicitOps | Priv, wbinvd), N, N, N, D(ImplicitOps | ModRM | SrcMem | NoAccess), N, N, 
@@ -4402,8 +4404,8 @@ static const struct opcode twobyte_table[256] =3D { IIP(ImplicitOps, em_rdtsc, rdtsc, check_rdtsc), II(ImplicitOps | Priv, em_rdmsr, rdmsr), IIP(ImplicitOps, em_rdpmc, rdpmc, check_rdpmc), - I(ImplicitOps | EmulateOnUD | IsBranch, em_sysenter), - I(ImplicitOps | Priv | EmulateOnUD | IsBranch, em_sysexit), + I(ImplicitOps | EmulateOnUD | IsBranch | ShadowStack | IndirBrnTrk, em_sy= senter), + I(ImplicitOps | Priv | EmulateOnUD | IsBranch | ShadowStack, em_sysexit), N, N, N, N, N, N, N, N, N, N, /* 0x40 - 0x4F */ 
@@ -4941,6 +4943,40 @@ int x86_decode_insn(struct x86_emulate_ctxt *ctxt, v= oid *insn, int insn_len, int if (ctxt->d =3D=3D 0) return EMULATION_FAILED; =20 + /* + * Reject emulation if KVM might need to emulate shadow stack updates + * and/or indirect branch tracking enforcement, which the emulator + * doesn't support. + */ + if (opcode.flags & (ShadowStack | IndirBrnTrk) && + ctxt->ops->get_cr(ctxt, 4) & X86_CR4_CET) { + u64 u_cet =3D 0, s_cet =3D 0; + + /* + * Check both User and Supervisor on far transfers as inter- + * privilege level transfers are impacted by CET at the target + * privilege levels, and that is not known at this time. The + * the expectation is that the guest will not require emulation + * of any CET-affected instructions at any privilege level. + */ + if (!(opcode.flags & NearBranch)) + u_cet =3D s_cet =3D CET_SHSTK_EN | CET_ENDBR_EN; + else if (ctxt->ops->cpl(ctxt) =3D=3D 3) + u_cet =3D CET_SHSTK_EN | CET_ENDBR_EN; + else + s_cet =3D CET_SHSTK_EN | CET_ENDBR_EN; + + if ((u_cet && ctxt->ops->get_msr(ctxt, MSR_IA32_U_CET, &u_cet)) || + (s_cet && ctxt->ops->get_msr(ctxt, MSR_IA32_S_CET, &s_cet))) + return EMULATION_FAILED; + + if ((u_cet | s_cet) & CET_SHSTK_EN && opcode.flags & ShadowStack) + return EMULATION_FAILED; + + if ((u_cet | s_cet) & CET_ENDBR_EN && opcode.flags & IndirBrnTrk) + return EMULATION_FAILED; + } + ctxt->execute =3D opcode.u.execute; =20 if (unlikely(emulation_type & EMULTYPE_TRAP_UD) && --=20 2.51.0.384.g4c02a37b29-goog
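Review bot: in the group5 hunk the indirect near JMP (em_jmp_abs) gains IndirBrnTrk, but the indirect far JMP on the very next line, `I(SrcMemFAddr | ImplicitOps | IsBranch, em_jmp_far)`, is left untagged even though it is just as much an indirect branch and, unlike the near form, can change privilege level; if IBT is known not to apply to it, say so in a comment, otherwise it should carry IndirBrnTrk as em_call_far does.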
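Review bot: in the 0xC8-0xCF hunk, INT n (intn) is marked ShadowStack while INT3 (`D(ImplicitOps | IsBranch)`, 0xCC) and INTO (`D(ImplicitOps | No64 | IsBranch)`, 0xCE) on the same lines are not; if the emulator still executes those two through its fallback switch, they push the same CS/LIP/SSP frame onto the supervisor shadow stack as INT n and should be tagged identically, or the omission should be explained.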
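Review bot: the new comment in x86_decode_insn() reads "The the expectation is" (the word is doubled across the line break). On the logic itself, seeding u_cet/s_cet with `CET_SHSTK_EN | CET_ENDBR_EN` purely as a "this MSR needs reading" marker and then overwriting them via get_msr is hard to follow; two bools (e.g. check_user/check_supervisor) guarding the two MSR reads would express the same rule plainly. The condition `opcode.flags & (ShadowStack | IndirBrnTrk) && ctxt->ops->get_cr(ctxt, 4) & X86_CR4_CET` also mixes & and && without parentheses and is easy to misread; parenthesizing both operands costs nothing.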
Reply-To: Sean Christopherson
Date: Fri, 12 Sep 2025 16:22:57 -0700
In-Reply-To: <20250912232319.429659-1-seanjc@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
References: <20250912232319.429659-1-seanjc@google.com>
Message-ID: <20250912232319.429659-20-seanjc@google.com>
Subject: [PATCH v15 19/41] KVM: x86: Enable CET virtualization for VMX and advertise to userspace
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Maxim Levitsky, Xiaoyao Li, Zhang Yi Z

From: Yang Weijiang

Expose CET features to the guest if KVM/host can support them, and clear the
CPUID feature bits if KVM/host cannot support them. Set CPUID feature bits so
that CET features are available in guest CPUID. Add CR4.CET bit support in
order to allow the guest to set the CET master control bit.

Disable the KVM CET feature if unrestricted_guest is unsupported/disabled as
KVM does not support emulating CET.

The CET load-bits in the VM_ENTRY/VM_EXIT control fields should be set to
isolate guest CET xstates from the host's.

On platforms with VMX_BASIC[bit56] == 0, injecting #CP at VMX entry with an
error code will fail, and if VMX_BASIC[bit56] == 1, #CP injection with or
without an error code is allowed. Disable the CET feature bits if the MSR bit
is cleared so that a nested VMM can inject #CP if and only if
VMX_BASIC[bit56] == 1.

Don't expose the CET feature if either of the {U,S}_CET xstate bits is
cleared in host XSS or if XSAVES isn't supported.

CET MSRs are reset to 0s after RESET, power-up and INIT, so clear the guest
CET xsave-area fields so that guest CET MSRs are reset to 0s after those
events.

Meanwhile, explicitly disable SHSTK and IBT for SVM because CET KVM enabling
for SVM is not ready.

Signed-off-by: Yang Weijiang
Signed-off-by: Mathias Krause
Tested-by: Mathias Krause
Tested-by: John Allen
Tested-by: Rick Edgecombe
Signed-off-by: Chao Gao
Signed-off-by: Sean Christopherson Reviewed-by: Binbin Wu --- arch/x86/include/asm/kvm_host.h | 2 +- arch/x86/include/asm/vmx.h | 1 + arch/x86/kvm/cpuid.c | 2 ++ arch/x86/kvm/svm/svm.c | 4 ++++ arch/x86/kvm/vmx/capabilities.h | 5 +++++ arch/x86/kvm/vmx/vmx.c | 30 +++++++++++++++++++++++++++++- arch/x86/kvm/vmx/vmx.h | 6 ++++-- arch/x86/kvm/x86.c | 22 +++++++++++++++++++--- arch/x86/kvm/x86.h | 3 +++ 9 files changed, 68 insertions(+), 7 deletions(-) diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_hos= t.h index d931d72d23c9..8c106c8c9081 100644 --- a/arch/x86/include/asm/kvm_host.h +++ b/arch/x86/include/asm/kvm_host.h @@ -142,7 +142,7 @@ | X86_CR4_OSXSAVE | X86_CR4_SMEP | X86_CR4_FSGSBASE \ | X86_CR4_OSXMMEXCPT | X86_CR4_LA57 | X86_CR4_VMXE \ | X86_CR4_SMAP | X86_CR4_PKE | X86_CR4_UMIP \ - | X86_CR4_LAM_SUP)) + | X86_CR4_LAM_SUP | X86_CR4_CET)) =20 #define CR8_RESERVED_BITS (~(unsigned long)X86_CR8_TPR) =20 diff --git a/arch/x86/include/asm/vmx.h b/arch/x86/include/asm/vmx.h index ce10a7e2d3d9..c85c50019523 100644 --- a/arch/x86/include/asm/vmx.h +++ b/arch/x86/include/asm/vmx.h @@ -134,6 +134,7 @@ #define VMX_BASIC_DUAL_MONITOR_TREATMENT BIT_ULL(49) #define VMX_BASIC_INOUT BIT_ULL(54) #define VMX_BASIC_TRUE_CTLS BIT_ULL(55) +#define VMX_BASIC_NO_HW_ERROR_CODE_CC BIT_ULL(56) =20 static inline u32 vmx_basic_vmcs_revision_id(u64 vmx_basic) { diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c index b5f87254ced7..ee05b876c656 100644 --- a/arch/x86/kvm/cpuid.c +++ b/arch/x86/kvm/cpuid.c @@ -944,6 +944,7 @@ void kvm_set_cpu_caps(void) VENDOR_F(WAITPKG), F(SGX_LC), F(BUS_LOCK_DETECT), + X86_64_F(SHSTK), ); =20 /* @@ -970,6 +971,7 @@ void kvm_set_cpu_caps(void) F(AMX_INT8), F(AMX_BF16), F(FLUSH_L1D), + F(IBT), ); =20 if (boot_cpu_has(X86_FEATURE_AMD_IBPB_RET) && diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index 1650de78648a..d4e1fdcf56da 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c 
@@ -5223,6 +5223,10 @@ static __init void svm_set_cpu_caps(void) kvm_caps.supported_perf_cap =3D 0; kvm_caps.supported_xss =3D 0; =20 + /* KVM doesn't yet support CET virtualization for SVM. */ + kvm_cpu_cap_clear(X86_FEATURE_SHSTK); + kvm_cpu_cap_clear(X86_FEATURE_IBT); + /* CPUID 0x80000001 and 0x8000000A (SVM features) */ if (nested) { kvm_cpu_cap_set(X86_FEATURE_SVM); diff --git a/arch/x86/kvm/vmx/capabilities.h b/arch/x86/kvm/vmx/capabilitie= s.h index 7d290b2cb0f4..47b0dec8665a 100644 --- a/arch/x86/kvm/vmx/capabilities.h +++ b/arch/x86/kvm/vmx/capabilities.h @@ -76,6 +76,11 @@ static inline bool cpu_has_vmx_basic_inout(void) return vmcs_config.basic & VMX_BASIC_INOUT; } =20 +static inline bool cpu_has_vmx_basic_no_hw_errcode(void) +{ + return vmcs_config.basic & VMX_BASIC_NO_HW_ERROR_CODE_CC; +} + static inline bool cpu_has_virtual_nmis(void) { return vmcs_config.pin_based_exec_ctrl & PIN_BASED_VIRTUAL_NMIS && diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index e8155635cb42..8d2186d6549f 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -2615,6 +2615,7 @@ static int setup_vmcs_config(struct vmcs_config *vmcs= _conf, { VM_ENTRY_LOAD_IA32_EFER, VM_EXIT_LOAD_IA32_EFER }, { VM_ENTRY_LOAD_BNDCFGS, VM_EXIT_CLEAR_BNDCFGS }, { VM_ENTRY_LOAD_IA32_RTIT_CTL, VM_EXIT_CLEAR_IA32_RTIT_CTL }, + { VM_ENTRY_LOAD_CET_STATE, VM_EXIT_LOAD_CET_STATE }, }; =20 memset(vmcs_conf, 0, sizeof(*vmcs_conf)); @@ -4882,6 +4883,14 @@ void vmx_vcpu_reset(struct kvm_vcpu *vcpu, bool init= _event) =20 vmcs_write32(VM_ENTRY_INTR_INFO_FIELD, 0); /* 22.2.1 */ =20 + if (kvm_cpu_cap_has(X86_FEATURE_SHSTK)) { + vmcs_writel(GUEST_SSP, 0); + vmcs_writel(GUEST_INTR_SSP_TABLE, 0); + } + if (kvm_cpu_cap_has(X86_FEATURE_IBT) || + kvm_cpu_cap_has(X86_FEATURE_SHSTK)) + vmcs_writel(GUEST_S_CET, 0); + kvm_make_request(KVM_REQ_APIC_PAGE_RELOAD, vcpu); =20 vpid_sync_context(vmx->vpid); 
@@ -6349,6 +6358,10 @@ void dump_vmcs(struct kvm_vcpu *vcpu) if (vmcs_read32(VM_EXIT_MSR_STORE_COUNT) > 0) vmx_dump_msrs("guest autostore", &vmx->msr_autostore.guest); =20 + if (vmentry_ctl & VM_ENTRY_LOAD_CET_STATE) + pr_err("S_CET =3D 0x%016lx, SSP =3D 0x%016lx, SSP TABLE =3D 0x%016lx\n", + vmcs_readl(GUEST_S_CET), vmcs_readl(GUEST_SSP), + vmcs_readl(GUEST_INTR_SSP_TABLE)); pr_err("*** Host State ***\n"); pr_err("RIP =3D 0x%016lx RSP =3D 0x%016lx\n", vmcs_readl(HOST_RIP), vmcs_readl(HOST_RSP)); @@ -6379,6 +6392,10 @@ void dump_vmcs(struct kvm_vcpu *vcpu) vmcs_read64(HOST_IA32_PERF_GLOBAL_CTRL)); if (vmcs_read32(VM_EXIT_MSR_LOAD_COUNT) > 0) vmx_dump_msrs("host autoload", &vmx->msr_autoload.host); + if (vmexit_ctl & VM_EXIT_LOAD_CET_STATE) + pr_err("S_CET =3D 0x%016lx, SSP =3D 0x%016lx, SSP TABLE =3D 0x%016lx\n", + vmcs_readl(HOST_S_CET), vmcs_readl(HOST_SSP), + vmcs_readl(HOST_INTR_SSP_TABLE)); =20 pr_err("*** Control State ***\n"); pr_err("CPUBased=3D0x%08x SecondaryExec=3D0x%08x TertiaryExec=3D0x%016llx= \n", @@ -7963,7 +7980,6 @@ static __init void vmx_set_cpu_caps(void) kvm_cpu_cap_set(X86_FEATURE_UMIP); =20 /* CPUID 0xD.1 */ - kvm_caps.supported_xss =3D 0; if (!cpu_has_vmx_xsaves()) kvm_cpu_cap_clear(X86_FEATURE_XSAVES); =20 @@ -7975,6 +7991,18 @@ static __init void vmx_set_cpu_caps(void) =20 if (cpu_has_vmx_waitpkg()) kvm_cpu_cap_check_and_set(X86_FEATURE_WAITPKG); + + /* + * Disable CET if unrestricted_guest is unsupported as KVM doesn't + * enforce CET HW behaviors in emulator. On platforms with + * VMX_BASIC[bit56] =3D=3D 0, inject #CP at VMX entry with error code + * fails, so disable CET in this case too. + */ + if (!cpu_has_load_cet_ctrl() || !enable_unrestricted_guest || + !cpu_has_vmx_basic_no_hw_errcode()) { + kvm_cpu_cap_clear(X86_FEATURE_SHSTK); + kvm_cpu_cap_clear(X86_FEATURE_IBT); + } } =20 static bool vmx_is_io_intercepted(struct kvm_vcpu *vcpu, diff --git a/arch/x86/kvm/vmx/vmx.h b/arch/x86/kvm/vmx/vmx.h index 24d65dac5e89..08a9a0075404 100644 
--- a/arch/x86/kvm/vmx/vmx.h +++ b/arch/x86/kvm/vmx/vmx.h @@ -484,7 +484,8 @@ static inline u8 vmx_get_rvi(void) VM_ENTRY_LOAD_IA32_EFER | \ VM_ENTRY_LOAD_BNDCFGS | \ VM_ENTRY_PT_CONCEAL_PIP | \ - VM_ENTRY_LOAD_IA32_RTIT_CTL) + VM_ENTRY_LOAD_IA32_RTIT_CTL | \ + VM_ENTRY_LOAD_CET_STATE) =20 #define __KVM_REQUIRED_VMX_VM_EXIT_CONTROLS \ (VM_EXIT_SAVE_DEBUG_CONTROLS | \ @@ -506,7 +507,8 @@ static inline u8 vmx_get_rvi(void) VM_EXIT_LOAD_IA32_EFER | \ VM_EXIT_CLEAR_BNDCFGS | \ VM_EXIT_PT_CONCEAL_PIP | \ - VM_EXIT_CLEAR_IA32_RTIT_CTL) + VM_EXIT_CLEAR_IA32_RTIT_CTL | \ + VM_EXIT_LOAD_CET_STATE) =20 #define KVM_REQUIRED_VMX_PIN_BASED_VM_EXEC_CONTROL \ (PIN_BASED_EXT_INTR_MASK | \ diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 15f208c44cbd..c78acab2ff3f 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -226,7 +226,8 @@ static struct kvm_user_return_msrs __percpu *user_retur= n_msrs; * PT via guest XSTATE would clobber perf state), i.e. KVM doesn't support * IA32_XSS[bit 8] (guests can/must use RDMSR/WRMSR to save/restore PT MSR= s). */ -#define KVM_SUPPORTED_XSS 0 +#define KVM_SUPPORTED_XSS (XFEATURE_MASK_CET_USER | \ + XFEATURE_MASK_CET_KERNEL) =20 bool __read_mostly allow_smaller_maxphyaddr =3D 0; EXPORT_SYMBOL_GPL(allow_smaller_maxphyaddr); 
@@ -10080,6 +10081,20 @@ int kvm_x86_vendor_init(struct kvm_x86_init_ops *o= ps) if (!kvm_cpu_cap_has(X86_FEATURE_XSAVES)) kvm_caps.supported_xss =3D 0; =20 + if (!kvm_cpu_cap_has(X86_FEATURE_SHSTK) && + !kvm_cpu_cap_has(X86_FEATURE_IBT)) + kvm_caps.supported_xss &=3D ~(XFEATURE_MASK_CET_USER | + XFEATURE_MASK_CET_KERNEL); + + if ((kvm_caps.supported_xss & (XFEATURE_MASK_CET_USER | + XFEATURE_MASK_CET_KERNEL)) !=3D + (XFEATURE_MASK_CET_USER | XFEATURE_MASK_CET_KERNEL)) { + kvm_cpu_cap_clear(X86_FEATURE_SHSTK); + kvm_cpu_cap_clear(X86_FEATURE_IBT); + kvm_caps.supported_xss &=3D ~(XFEATURE_MASK_CET_USER | + XFEATURE_MASK_CET_KERNEL); + } + if (kvm_caps.has_tsc_control) { /* * Make sure the user can only configure tsc_khz values that @@ -12735,10 +12750,11 @@ static void kvm_xstate_reset(struct kvm_vcpu *vcp= u, bool init_event) /* * On INIT, only select XSTATE components are zeroed, most components * are unchanged. Currently, the only components that are zeroed and - * supported by KVM are MPX related. + * supported by KVM are MPX and CET related. */ xfeatures_mask =3D (kvm_caps.supported_xcr0 | kvm_caps.supported_xss) & - (XFEATURE_MASK_BNDREGS | XFEATURE_MASK_BNDCSR); + (XFEATURE_MASK_BNDREGS | XFEATURE_MASK_BNDCSR | + XFEATURE_MASK_CET_USER | XFEATURE_MASK_CET_KERNEL); if (!xfeatures_mask) return; =20 diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h index 65cbd454c4f1..f3dc77f006f9 100644 --- a/arch/x86/kvm/x86.h +++ b/arch/x86/kvm/x86.h 
@@ -680,6 +680,9 @@ static inline bool __kvm_is_valid_cr4(struct kvm_vcpu *= vcpu, unsigned long cr4) __reserved_bits |=3D X86_CR4_PCIDE; \ if (!__cpu_has(__c, X86_FEATURE_LAM)) \ __reserved_bits |=3D X86_CR4_LAM_SUP; \ + if (!__cpu_has(__c, X86_FEATURE_SHSTK) && \ + !__cpu_has(__c, X86_FEATURE_IBT)) \ + __reserved_bits |=3D X86_CR4_CET; \ __reserved_bits; \ }) =20 --=20 2.51.0.384.g4c02a37b29-goog
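Review bot: in the cpuid.c hunk, SHSTK is added as `X86_64_F(SHSTK)` (advertised only on 64-bit builds) while IBT is added as plain `F(IBT)`; please confirm that advertising IBT on 32-bit builds is intended, given that vmx_set_cpu_caps() and kvm_x86_vendor_init() in this patch otherwise treat the two features as a pair, or make the two entries match.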
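Review bot: the vmx_vcpu_reset() hunk gates the GUEST_SSP/GUEST_INTR_SSP_TABLE/GUEST_S_CET writes on kvm_cpu_cap_has(), i.e. on whether KVM supports CET at all, not on whether this guest has it; that is only safe because vmx_set_cpu_caps() now clears both caps unless cpu_has_load_cet_ctrl(), so the VMCS fields are guaranteed to exist. A one-line comment stating that dependency would stop a later reader from "fixing" it to a per-guest check and breaking the reset-to-zero semantics the changelog relies on.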
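Review bot: in the first dump_vmcs() hunk the new CET block runs straight into `pr_err("*** Host State ***\n")` with no blank line, whereas the second hunk keeps the blank line before "*** Control State ***"; add the blank line so the section breaks stay consistent with the rest of the function.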
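Review bot: the vmx_set_cpu_caps() hunk deletes `kvm_caps.supported_xss = 0;` but the changelog never mentions it, and svm_set_cpu_caps() in this same patch still zeroes supported_xss; state explicitly that VMX now inherits the common-code value (KVM_SUPPORTED_XSS, which this patch widens to the CET_USER and CET_KERNEL components) instead of clearing it, so the behaviour change is documented rather than implied by the new XSS masking in kvm_x86_vendor_init().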
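Review bot: the comment above the new CET disable in vmx_set_cpu_caps() reads "inject #CP at VMX entry with error code fails"; reword to "injecting #CP at VM-Entry with an error code fails", and say that nested VMMs depend on the same VMX_BASIC bit 56 behaviour (the changelog does), so the reader sees why the bit gates the whole feature rather than only the error-code path.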
smtp.mailfrom=flex--seanjc.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="baJdx66k" Received: by mail-pj1-f73.google.com with SMTP id 98e67ed59e1d1-329ee88fb47so3794392a91.2 for ; Fri, 12 Sep 2025 16:24:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1757719440; x=1758324240; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:reply-to:from:to:cc:subject:date:message-id:reply-to; bh=2CBYwO5s/sEwZ0rYysRg2EQeeHLFNySc966ViHHu28Y=; b=baJdx66kkW/uCAK3OLgA+5qJz0hKRIGbsUH1Tet3c2dC26rOaCgHQpIrj/YTa/qy5h 9tkl7WTfH5jiVNZO6hfQ/yugcv7hx/wLzejOwcwTpghqbV0tSheK0/KjYdLJD0YtcNz7 RzlGywHCl+WvSZnB2pN/d7rOdpI5yrthLFfqQMt58hnushPoin+BrqXvscgEoDKP4J9I zTcj8yIn4yF6GEMThO5e2onTcuzgJFTA1vO6xz1ET+3zC8thQwGIyBuVSz01bAQ1oFXS HXlCMN986WKjXkS35+x5atj4lHpAFTDeJy5Zkxr6veqQqOibFga71w8eDRjlgEpBJ2mw Zg/A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1757719440; x=1758324240; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:reply-to:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=2CBYwO5s/sEwZ0rYysRg2EQeeHLFNySc966ViHHu28Y=; b=UlpjbLqt6kMjCICrgkuWxxYQQuTttnbRnvlJ+9J0hHHVurKXMU8M/H9mcSpUS+AQGq yh3EV+lwNeFwaTMSSlSlt+urTDoCvRvYcvK7YVXrlyuvMEcmGOqftgp+RGS7daDvVNrY lp6woMjAFEMOPlQdkWJ4dK5D11z70ym3YGuM3NPp9gac1gSc8WBfJJfdNmwhzi7XAz15 a+OoY28BWpX6TaGP/JBhFdLmDf6mtZVR42z9nVtRFJHDQw0JhQJccqU67UAM4tdSGDsS GD86Adj/NMymwssmNSF78hiO7PlMtpu52px4bylMIxqz4mw0Oye5yjJECNnCbOMWtXk6 O4Ag== X-Forwarded-Encrypted: i=1; AJvYcCVrQp3usOTMYhOUXUsNm0VCU74BAJm19QYYFSPFfKlkDNOhbgzT3Q2OFZd1oCfsFch5jBppockIey1HkxU=@vger.kernel.org X-Gm-Message-State: AOJu0YyjZoruNwHiIU876QkQxrpbJ3nFolvqJ4i27cEuVmVfOdCvHh9h MtOQ4rX2MX2ysj3rsTlhLnQ2wB0JVwoeihUuooxWQi4PMfxKIL5F/nTdUY6z52RMZm+U73SfvuD 0oaihHQ== X-Google-Smtp-Source: 
AGHT+IHL7k4i2bjik2Fv/iBm2UAr3okgWwEa8q4cQMjTGLOBrHMjoeKLTBHZSsGGU0+pX4MwBSDOppvs8b0= X-Received: from pjbqa14.prod.google.com ([2002:a17:90b:4fce:b0:321:c2a7:cbce]) (user=seanjc job=prod-delivery.src-stubby-dispatcher) by 2002:a05:6a21:33a9:b0:253:2fae:5282 with SMTP id adf61e73a8af0-2602bb593bbmr5648471637.28.1757719440164; Fri, 12 Sep 2025 16:24:00 -0700 (PDT) Reply-To: Sean Christopherson Date: Fri, 12 Sep 2025 16:22:58 -0700 In-Reply-To: <20250912232319.429659-1-seanjc@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20250912232319.429659-1-seanjc@google.com> X-Mailer: git-send-email 2.51.0.384.g4c02a37b29-goog Message-ID: <20250912232319.429659-21-seanjc@google.com> Subject: [PATCH v15 20/41] KVM: nVMX: Virtualize NO_HW_ERROR_CODE_CC for L1 event injection to L2 From: Sean Christopherson To: Paolo Bonzini , Sean Christopherson Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky , Mathias Krause , John Allen , Rick Edgecombe , Chao Gao , Maxim Levitsky , Xiaoyao Li , Zhang Yi Z Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Yang Weijiang Per SDM description(Vol.3D, Appendix A.1): "If bit 56 is read as 1, software can use VM entry to deliver a hardware exception with or without an error code, regardless of vector" Modify has_error_code check before inject events to nested guest. Only enforce the check when guest is in real mode, the exception is not hard exception and the platform doesn't enumerate bit56 in VMX_BASIC, in all other case ignore the check to make the logic consistent with SDM. Signed-off-by: Yang Weijiang Reviewed-by: Maxim Levitsky Reviewed-by: Chao Gao Tested-by: Mathias Krause Tested-by: John Allen Tested-by: Rick Edgecombe Signed-off-by: Chao Gao 
Signed-off-by: Sean Christopherson Reviewed-by: Binbin Wu --- arch/x86/kvm/vmx/nested.c | 28 +++++++++++++++++++--------- arch/x86/kvm/vmx/nested.h | 5 +++++ 2 files changed, 24 insertions(+), 9 deletions(-) diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c index 2156c9a854f4..14f9822b611d 100644 --- a/arch/x86/kvm/vmx/nested.c +++ b/arch/x86/kvm/vmx/nested.c @@ -1272,9 +1272,10 @@ static int vmx_restore_vmx_basic(struct vcpu_vmx *vm= x, u64 data) { const u64 feature_bits =3D VMX_BASIC_DUAL_MONITOR_TREATMENT | VMX_BASIC_INOUT | - VMX_BASIC_TRUE_CTLS; + VMX_BASIC_TRUE_CTLS | + VMX_BASIC_NO_HW_ERROR_CODE_CC; =20 - const u64 reserved_bits =3D GENMASK_ULL(63, 56) | + const u64 reserved_bits =3D GENMASK_ULL(63, 57) | GENMASK_ULL(47, 45) | BIT_ULL(31); =20 @@ -2949,7 +2950,6 @@ static int nested_check_vm_entry_controls(struct kvm_= vcpu *vcpu, u8 vector =3D intr_info & INTR_INFO_VECTOR_MASK; u32 intr_type =3D intr_info & INTR_INFO_INTR_TYPE_MASK; bool has_error_code =3D intr_info & INTR_INFO_DELIVER_CODE_MASK; - bool should_have_error_code; bool urg =3D nested_cpu_has2(vmcs12, SECONDARY_EXEC_UNRESTRICTED_GUEST); bool prot_mode =3D !urg || vmcs12->guest_cr0 & X86_CR0_PE; 
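Review bot: in the vmx_restore_vmx_basic() hunk, VMX_BASIC_NO_HW_ERROR_CODE_CC moves from reserved_bits (now GENMASK_ULL(63, 57)) into feature_bits, so userspace may now set bit 56 in L1's virtual VMX_BASIC. Please confirm the surrounding, not shown, "feature bits may not be added" test rejects the bit when nested_vmx_setup_basic() did not advertise it (i.e. cpu_has_vmx_basic_no_hw_errcode() is false); otherwise L1 would be told that error codes are accepted for any vector while the resulting vmcs02 VM-entry fails the hardware consistency check on older parts.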
@@ -2966,12 +2966,20 @@ static int nested_check_vm_entry_controls(struct kv= m_vcpu *vcpu, CC(intr_type =3D=3D INTR_TYPE_OTHER_EVENT && vector !=3D 0)) return -EINVAL; =20 - /* VM-entry interruption-info field: deliver error code */ - should_have_error_code =3D - intr_type =3D=3D INTR_TYPE_HARD_EXCEPTION && prot_mode && - x86_exception_has_error_code(vector); - if (CC(has_error_code !=3D should_have_error_code)) - return -EINVAL; + /* + * Cannot deliver error code in real mode or if the interrupt + * type is not hardware exception. For other cases, do the + * consistency check only if the vCPU doesn't enumerate + * VMX_BASIC_NO_HW_ERROR_CODE_CC. + */ + if (!prot_mode || intr_type !=3D INTR_TYPE_HARD_EXCEPTION) { + if (CC(has_error_code)) + return -EINVAL; + } else if (!nested_cpu_has_no_hw_errcode_cc(vcpu)) { + if (CC(has_error_code !=3D + x86_exception_has_error_code(vector))) + return -EINVAL; + } =20 /* VM-entry exception error code */ if (CC(has_error_code && @@ -7214,6 +7222,8 @@ static void nested_vmx_setup_basic(struct nested_vmx_= msrs *msrs) msrs->basic |=3D VMX_BASIC_TRUE_CTLS; if (cpu_has_vmx_basic_inout()) msrs->basic |=3D VMX_BASIC_INOUT; + if (cpu_has_vmx_basic_no_hw_errcode()) + msrs->basic |=3D VMX_BASIC_NO_HW_ERROR_CODE_CC; } =20 static void nested_vmx_setup_cr_fixed(struct nested_vmx_msrs *msrs) diff --git a/arch/x86/kvm/vmx/nested.h b/arch/x86/kvm/vmx/nested.h index 6eedcfc91070..983484d42ebf 100644 --- a/arch/x86/kvm/vmx/nested.h +++ b/arch/x86/kvm/vmx/nested.h 
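Review bot: in the nested_check_vm_entry_controls() hunk the new comment says "Cannot deliver error code in real mode", but the `!prot_mode` leg is computed as `!urg || guest_cr0 & X86_CR0_PE`, i.e. real mode is only reachable with unrestricted guest; stating that explicitly would preserve the meaning of the `should_have_error_code` expression this hunk removes. Also note that for hard exceptions on a vCPU that enumerates bit 56, the only remaining validation of the error-code field is the "VM-entry exception error code" check that follows (`has_error_code && ...`); a short sentence saying that is intentional would help, since the old code always cross-checked the vector.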
@@ -309,6 +309,11 @@ static inline bool nested_cr4_valid(struct kvm_vcpu *v= cpu, unsigned long val) __kvm_is_valid_cr4(vcpu, val); } =20 +static inline bool nested_cpu_has_no_hw_errcode_cc(struct kvm_vcpu *vcpu) +{ + return to_vmx(vcpu)->nested.msrs.basic & VMX_BASIC_NO_HW_ERROR_CODE_CC; +} + /* No difference in the restrictions on guest and host CR4 in VMX operatio= n. */ #define nested_guest_cr4_valid nested_cr4_valid #define nested_host_cr4_valid nested_cr4_valid --=20 2.51.0.384.g4c02a37b29-goog From nobody Thu Oct 2 18:06:25 2025 Received: from mail-pg1-f202.google.com (mail-pg1-f202.google.com [209.85.215.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 575462DA765 for ; Fri, 12 Sep 2025 23:24:02 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.215.202 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757719445; cv=none; b=qGn9B6K2rOaVPYG6aKAtFmszjHgaR4Zy3kP7rdxM47rahBBuutvtpENVsQv9kteNqaN7EJdQBL6IINRvgZYcNd4/FqwkWmIjznz0rbnOqv/BTn2Y4vj6VV8lOKUVzl0uflu2NEmz6skApJXIivSXcYHWR428z3Sfuoaze6kFM/A= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757719445; c=relaxed/simple; bh=SVc3vKHvqM8aL2a6O6g/g2oxGAeijGGSxnClHNB4C6w=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=jdiDGaEJO7vvy1+HRUCvous9mkhkdZS35ItXoCXTRy8FG7A3tPBUnxYHcS2Qzj2oFnRbHBdj+JBFPbSWyHvYyMGBvnlhVEI27xvlkpgWJcntlf8PE5Eq86lLMnyRwCGz5s4BsP/+qg2NmmB96iJKHYz8PQm7kcJIcfdhFaeDqT0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=Qf/fmkt3; arc=none smtp.client-ip=209.85.215.202 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) 
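Review bot: nested_cpu_has_no_hw_errcode_cc() keys off to_vmx(vcpu)->nested.msrs.basic, L1's view of VMX_BASIC after any userspace restore, which is the right source for a consistency check on L1's VMCS; a one-line comment saying it deliberately does not use the host-side cpu_has_vmx_basic_no_hw_errcode() would prevent a later "simplification" to the host check.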
header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="Qf/fmkt3" Received: by mail-pg1-f202.google.com with SMTP id 41be03b00d2f7-b4e63a34f3fso1552407a12.1 for ; Fri, 12 Sep 2025 16:24:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1757719442; x=1758324242; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:reply-to:from:to:cc:subject:date:message-id:reply-to; bh=lhvDAsdFtNhqbS2apMIeQwTS5dWNE1AFLyo1ltoYXSk=; b=Qf/fmkt3V8IKaZB8FaJtbbgeeTxSIDnHiXVslVz1QrInPRD2gKOe52XjFQ8Jdqr7Y1 3dtqjN1ZEq+uEYg5nwcd0OEfDIDIN0SvbpfnhJ75q90cp9KwdN0UsFdHL/GWI44RuPIM Rfr5qbwJr0ZvBGkHzjbUNp/e4sxqfUr/RlqAJMqYCVE5yTFzo71BgHRt8Ou071BSHF/2 zpwhBKAoRnq9QJ06CeO6qBZkoQzr4r8Gc8J/h06T7PmwmjneFjzeD8pGQKVtjkYe6yH9 IT3MBz5PDOj/wgF5R61hdeYlB8jC4G1DtTay1XshOhxKq1R4yIMcweLqQoJB/oY3w8dG LkVg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1757719442; x=1758324242; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:reply-to:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=lhvDAsdFtNhqbS2apMIeQwTS5dWNE1AFLyo1ltoYXSk=; b=b1aKdGDVVZTvzv3xYGKaIaG8ygLMVziEsc0aWrpZBiIMwv4mCuAAqzqKYQor94i9RZ ubaYhVpC9RffEc+izS1h8G2mBXPDSTTUHQu9fUgAXMOCm+VY7W0hPklPPdR2DZ/cpdro OSuzS+LBHrtAWvzEkTRRb1vYF6P1VFepmyrnS8R3Bqw6zsVhP/Y3bPTtAeUZxt1ftk96 epig3VsVI6GUj2Sq8BawZPu5H40pwhaeVQ730YmG8p1Jb5Tvxn0I0CDEwlQ84vAPtWbT n2WD84EbHWGvriJBaYV//8SfL2uXG+ID10yOgKzBFlzCWndX0p7gQbvV2Y0wlE0LZZ2O DtGA== X-Forwarded-Encrypted: i=1; AJvYcCXrgLgs8tXdrmKrMEgiaZF34dfcwnqdnFvlri+zW8ErdyQQriMstxFANlY1lr4kLP1q6etLIBaePd5qw0w=@vger.kernel.org X-Gm-Message-State: AOJu0YybIzUVnRoXDouVJ3cZKJEyIP4aLLOHt0BRs4FtDu8QGoM8clMW 
O7ONZiwDOJu8J+nIIbxS1ZVc2NffgnstIVCCWS5tXSdrT2ml8eJvwEfZevprkNQt1L/Ww22OXo5 nkJ2rzA== X-Google-Smtp-Source: AGHT+IHXSqQr69qglcbP9OJDJfDaAXmQsfFsYSZg18i2zG0BgbxqeL4rgGFDlGflwb3BFyRBRQzFdblnKeQ= X-Received: from pglu27.prod.google.com ([2002:a63:141b:0:b0:b52:14a4:3f3f]) (user=seanjc job=prod-delivery.src-stubby-dispatcher) by 2002:a05:6a20:e293:b0:250:595e:a69e with SMTP id adf61e73a8af0-2602c04f9ddmr5890176637.43.1757719441731; Fri, 12 Sep 2025 16:24:01 -0700 (PDT) Reply-To: Sean Christopherson Date: Fri, 12 Sep 2025 16:22:59 -0700 In-Reply-To: <20250912232319.429659-1-seanjc@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20250912232319.429659-1-seanjc@google.com> X-Mailer: git-send-email 2.51.0.384.g4c02a37b29-goog Message-ID: <20250912232319.429659-22-seanjc@google.com> Subject: [PATCH v15 21/41] KVM: nVMX: Prepare for enabling CET support for nested guest From: Sean Christopherson To: Paolo Bonzini , Sean Christopherson Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky , Mathias Krause , John Allen , Rick Edgecombe , Chao Gao , Maxim Levitsky , Xiaoyao Li , Zhang Yi Z Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Yang Weijiang Set up CET MSRs, related VM_ENTRY/EXIT control bits and fixed CR4 setting to enable CET for nested VM. vmcs12 and vmcs02 needs to be synced when L2 exits to L1 or when L1 wants to resume L2, that way correct CET states can be observed by one another. Please note that consistency checks regarding CET state during VM-Entry will be added later to prevent this patch from becoming too large. Advertising the new CET VM_ENTRY/EXIT control bits are also be deferred until after the consistency checks are added. Signed-off-by: Yang Weijiang Tested-by: Mathias Krause Tested-by: John Allen Tested-by: Rick Edgecombe Signed-off-by: Chao Gao 
Signed-off-by: Sean Christopherson Reviewed-by: Xin Li (Intel) Tested-by: Xin Li (Intel) --- arch/x86/kvm/vmx/nested.c | 77 +++++++++++++++++++++++++++++++++++++++ arch/x86/kvm/vmx/vmcs12.c | 6 +++ arch/x86/kvm/vmx/vmcs12.h | 14 ++++++- arch/x86/kvm/vmx/vmx.c | 2 + arch/x86/kvm/vmx/vmx.h | 3 ++ 5 files changed, 101 insertions(+), 1 deletion(-) diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c index 14f9822b611d..51d69f368689 100644 --- a/arch/x86/kvm/vmx/nested.c +++ b/arch/x86/kvm/vmx/nested.c @@ -721,6 +721,24 @@ static inline bool nested_vmx_prepare_msr_bitmap(struc= t kvm_vcpu *vcpu, nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0, MSR_IA32_MPERF, MSR_TYPE_R); =20 + nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0, + MSR_IA32_U_CET, MSR_TYPE_RW); + + nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0, + MSR_IA32_S_CET, MSR_TYPE_RW); + + nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0, + MSR_IA32_PL0_SSP, MSR_TYPE_RW); + + nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0, + MSR_IA32_PL1_SSP, MSR_TYPE_RW); + + nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0, + MSR_IA32_PL2_SSP, MSR_TYPE_RW); + + nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0, + MSR_IA32_PL3_SSP, MSR_TYPE_RW); + kvm_vcpu_unmap(vcpu, &map); =20 vmx->nested.force_msr_bitmap_recalc =3D false; 
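Review bot: the nested_vmx_prepare_msr_bitmap() hunk merges L1's intercepts for MSR_IA32_U_CET, MSR_IA32_S_CET and MSR_IA32_PL0_SSP..PL3_SSP but not MSR_IA32_INT_SSP_TAB, even though this same patch adds GUEST_INTR_SSP_TABLE handling for vmcs12. If INT_SSP_TAB stays intercepted in vmcs01 the omission is correct but deserves a comment; if it is passed through to L1, L2 accesses will always exit to L0 regardless of L1's bitmap. The six identical calls could also be a loop over a small static array of MSR indices.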
@@ -2521,6 +2539,32 @@ static void prepare_vmcs02_early(struct vcpu_vmx *vm= x, struct loaded_vmcs *vmcs0 } } =20 +static void vmcs_read_cet_state(struct kvm_vcpu *vcpu, u64 *s_cet, + u64 *ssp, u64 *ssp_tbl) +{ + if (guest_cpu_cap_has(vcpu, X86_FEATURE_IBT) || + guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK)) + *s_cet =3D vmcs_readl(GUEST_S_CET); + + if (guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK)) { + *ssp =3D vmcs_readl(GUEST_SSP); + *ssp_tbl =3D vmcs_readl(GUEST_INTR_SSP_TABLE); + } +} + +static void vmcs_write_cet_state(struct kvm_vcpu *vcpu, u64 s_cet, + u64 ssp, u64 ssp_tbl) +{ + if (guest_cpu_cap_has(vcpu, X86_FEATURE_IBT) || + guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK)) + vmcs_writel(GUEST_S_CET, s_cet); + + if (guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK)) { + vmcs_writel(GUEST_SSP, ssp); + vmcs_writel(GUEST_INTR_SSP_TABLE, ssp_tbl); + } +} + static void prepare_vmcs02_rare(struct vcpu_vmx *vmx, struct vmcs12 *vmcs1= 2) { struct hv_enlightened_vmcs *hv_evmcs =3D nested_vmx_evmcs(vmx); @@ -2637,6 +2681,10 @@ static void prepare_vmcs02_rare(struct vcpu_vmx *vmx= , struct vmcs12 *vmcs12) vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, vmx->msr_autoload.host.nr); vmcs_write32(VM_ENTRY_MSR_LOAD_COUNT, vmx->msr_autoload.guest.nr); =20 + if (vmcs12->vm_entry_controls & VM_ENTRY_LOAD_CET_STATE) + vmcs_write_cet_state(&vmx->vcpu, vmcs12->guest_s_cet, + vmcs12->guest_ssp, vmcs12->guest_ssp_tbl); + set_cr4_guest_host_mask(vmx); } =20 
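Review bot: vmcs_read_cet_state() leaves *s_cet, *ssp and *ssp_tbl untouched when the vCPU lacks IBT/SHSTK, so every caller depends on its out-parameters being pre-initialized (vmcs12 fields are; the pre_vmenter_* members are zeroed with the struct); a comment on the helper stating "fields the vCPU does not support are left unmodified" would make that contract explicit. Separately, the write of vmcs12's guest CET state into vmcs02 sits in prepare_vmcs02_rare(), which prepare_vmcs02() only invokes when vmcs12 is dirty, while the pre_vmenter restore in the next hunk runs on every entry; assuming GUEST_S_CET/GUEST_SSP/GUEST_INTR_SSP_TABLE are not added to the shadow VMCS bitmaps (so L1 VMWRITEs always dirty vmcs12) this is sufficient, but that reasoning should be in a comment since GUEST_BNDCFGS is handled in prepare_vmcs02() proper.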
@@ -2676,6 +2724,13 @@ static int prepare_vmcs02(struct kvm_vcpu *vcpu, str= uct vmcs12 *vmcs12, kvm_set_dr(vcpu, 7, vcpu->arch.dr7); vmx_guest_debugctl_write(vcpu, vmx->nested.pre_vmenter_debugctl); } + + if (!vmx->nested.nested_run_pending || + !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_CET_STATE)) + vmcs_write_cet_state(vcpu, vmx->nested.pre_vmenter_s_cet, + vmx->nested.pre_vmenter_ssp, + vmx->nested.pre_vmenter_ssp_tbl); + if (kvm_mpx_supported() && (!vmx->nested.nested_run_pending || !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS))) vmcs_write64(GUEST_BNDCFGS, vmx->nested.pre_vmenter_bndcfgs); @@ -3552,6 +3607,12 @@ enum nvmx_vmentry_status nested_vmx_enter_non_root_m= ode(struct kvm_vcpu *vcpu, !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS))) vmx->nested.pre_vmenter_bndcfgs =3D vmcs_read64(GUEST_BNDCFGS); =20 + if (!vmx->nested.nested_run_pending || + !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_CET_STATE)) + vmcs_read_cet_state(vcpu, &vmx->nested.pre_vmenter_s_cet, + &vmx->nested.pre_vmenter_ssp, + &vmx->nested.pre_vmenter_ssp_tbl); + /* * Overwrite vmcs01.GUEST_CR3 with L1's CR3 if EPT is disabled *and* * nested early checks are disabled. In the event of a "late" VM-Fail, @@ -4635,6 +4696,10 @@ static void sync_vmcs02_to_vmcs12(struct kvm_vcpu *v= cpu, struct vmcs12 *vmcs12) =20 if (vmcs12->vm_exit_controls & VM_EXIT_SAVE_IA32_EFER) vmcs12->guest_ia32_efer =3D vcpu->arch.efer; + + vmcs_read_cet_state(&vmx->vcpu, &vmcs12->guest_s_cet, + &vmcs12->guest_ssp, + &vmcs12->guest_ssp_tbl); } =20 /* 
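Review bot: in the sync_vmcs02_to_vmcs12() hunk, `vmcs_read_cet_state(&vmx->vcpu, ...)` should use the function's own `vcpu` parameter, as the `vcpu->arch.efer` line just above does; `&vmx->vcpu` is only needed in prepare_vmcs02_rare(), which has no vcpu. In the prepare_vmcs02() hunk the CET restore uses the same `!nested_run_pending || !(vm_entry_controls & ...LOAD...)` condition as the MPX block right below it, but the feature gate lives inside vmcs_write_cet_state() rather than in the condition (`kvm_mpx_supported() && ...`); that asymmetry is fine but worth a comment so the two blocks are not "harmonized" incorrectly later.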
@@ -4760,6 +4825,18 @@ static void load_vmcs12_host_state(struct kvm_vcpu *= vcpu, if (vmcs12->vm_exit_controls & VM_EXIT_CLEAR_BNDCFGS) vmcs_write64(GUEST_BNDCFGS, 0); =20 + /* + * Load CET state from host state if VM_EXIT_LOAD_CET_STATE is set. + * otherwise CET state should be retained across VM-exit, i.e., + * guest values should be propagated from vmcs12 to vmcs01. + */ + if (vmcs12->vm_exit_controls & VM_EXIT_LOAD_CET_STATE) + vmcs_write_cet_state(vcpu, vmcs12->host_s_cet, vmcs12->host_ssp, + vmcs12->host_ssp_tbl); + else + vmcs_write_cet_state(vcpu, vmcs12->guest_s_cet, vmcs12->guest_ssp, + vmcs12->guest_ssp_tbl); + if (vmcs12->vm_exit_controls & VM_EXIT_LOAD_IA32_PAT) { vmcs_write64(GUEST_IA32_PAT, vmcs12->host_ia32_pat); vcpu->arch.pat =3D vmcs12->host_ia32_pat; diff --git a/arch/x86/kvm/vmx/vmcs12.c b/arch/x86/kvm/vmx/vmcs12.c index 106a72c923ca..4233b5ca9461 100644 --- a/arch/x86/kvm/vmx/vmcs12.c +++ b/arch/x86/kvm/vmx/vmcs12.c @@ -139,6 +139,9 @@ const unsigned short vmcs12_field_offsets[] =3D { FIELD(GUEST_PENDING_DBG_EXCEPTIONS, guest_pending_dbg_exceptions), FIELD(GUEST_SYSENTER_ESP, guest_sysenter_esp), FIELD(GUEST_SYSENTER_EIP, guest_sysenter_eip), + FIELD(GUEST_S_CET, guest_s_cet), + FIELD(GUEST_SSP, guest_ssp), + FIELD(GUEST_INTR_SSP_TABLE, guest_ssp_tbl), FIELD(HOST_CR0, host_cr0), FIELD(HOST_CR3, host_cr3), FIELD(HOST_CR4, host_cr4), @@ -151,5 +154,8 @@ const unsigned short vmcs12_field_offsets[] =3D { FIELD(HOST_IA32_SYSENTER_EIP, host_ia32_sysenter_eip), FIELD(HOST_RSP, host_rsp), FIELD(HOST_RIP, host_rip), + FIELD(HOST_S_CET, host_s_cet), + FIELD(HOST_SSP, host_ssp), + FIELD(HOST_INTR_SSP_TABLE, host_ssp_tbl), }; const unsigned int nr_vmcs12_fields =3D ARRAY_SIZE(vmcs12_field_offsets); diff --git a/arch/x86/kvm/vmx/vmcs12.h b/arch/x86/kvm/vmx/vmcs12.h index 56fd150a6f24..4ad6b16525b9 100644 --- a/arch/x86/kvm/vmx/vmcs12.h +++ b/arch/x86/kvm/vmx/vmcs12.h 
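Review bot: in the load_vmcs12_host_state() hunk the comment reads "is set. otherwise CET state should be retained"; either make it one sentence or capitalize "Otherwise". More importantly, the else branch emulates "retained across VM-exit" by writing vmcs12->guest_s_cet/guest_ssp/guest_ssp_tbl into vmcs01, which is only correct because sync_vmcs02_to_vmcs12() has just refreshed those vmcs12 fields from vmcs02; say so in the comment, so the two paths cannot drift apart if the sync ever becomes conditional.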
@@ -117,7 +117,13 @@ struct __packed vmcs12 { natural_width host_ia32_sysenter_eip; natural_width host_rsp; natural_width host_rip; - natural_width paddingl[8]; /* room for future expansion */ + natural_width host_s_cet; + natural_width host_ssp; + natural_width host_ssp_tbl; + natural_width guest_s_cet; + natural_width guest_ssp; + natural_width guest_ssp_tbl; + natural_width paddingl[2]; /* room for future expansion */ u32 pin_based_vm_exec_control; u32 cpu_based_vm_exec_control; u32 exception_bitmap; @@ -294,6 +300,12 @@ static inline void vmx_check_vmcs12_offsets(void) CHECK_OFFSET(host_ia32_sysenter_eip, 656); CHECK_OFFSET(host_rsp, 664); CHECK_OFFSET(host_rip, 672); + CHECK_OFFSET(host_s_cet, 680); + CHECK_OFFSET(host_ssp, 688); + CHECK_OFFSET(host_ssp_tbl, 696); + CHECK_OFFSET(guest_s_cet, 704); + CHECK_OFFSET(guest_ssp, 712); + CHECK_OFFSET(guest_ssp_tbl, 720); CHECK_OFFSET(pin_based_vm_exec_control, 744); CHECK_OFFSET(cpu_based_vm_exec_control, 748); CHECK_OFFSET(exception_bitmap, 752); diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index 8d2186d6549f..989008f5307e 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -7749,6 +7749,8 @@ static void nested_vmx_cr_fixed1_bits_update(struct k= vm_vcpu *vcpu) cr4_fixed1_update(X86_CR4_PKE, ecx, feature_bit(PKU)); cr4_fixed1_update(X86_CR4_UMIP, ecx, feature_bit(UMIP)); cr4_fixed1_update(X86_CR4_LA57, ecx, feature_bit(LA57)); + cr4_fixed1_update(X86_CR4_CET, ecx, feature_bit(SHSTK)); + cr4_fixed1_update(X86_CR4_CET, edx, feature_bit(IBT)); =20 entry =3D kvm_find_cpuid_entry_index(vcpu, 0x7, 1); cr4_fixed1_update(X86_CR4_LAM_SUP, eax, feature_bit(LAM)); diff --git a/arch/x86/kvm/vmx/vmx.h b/arch/x86/kvm/vmx/vmx.h index 08a9a0075404..ecfdba666465 100644 --- a/arch/x86/kvm/vmx/vmx.h +++ b/arch/x86/kvm/vmx/vmx.h 
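Review bot: the vmcs12.h hunk carves the six new natural_width fields out of paddingl[8] (leaving paddingl[2]) and the CHECK_OFFSET() lines agree with that (680..720 in 8-byte steps, pin_based_vm_exec_control still at 744), so the vmcs12 layout exchanged via nested state is preserved; the commit message should mention that six of the eight padding slots are now consumed. In the vmx.c hunk, cr4_fixed1_update(X86_CR4_CET, ...) is invoked twice, once on ecx for SHSTK and once on edx for IBT; since the macro ORs into cr4_fixed1 that is correct (either feature alone permits CR4.CET), but a one-line comment would keep it from looking like a copy/paste slip.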
@@ -181,6 +181,9 @@ struct nested_vmx { */ u64 pre_vmenter_debugctl; u64 pre_vmenter_bndcfgs; + u64 pre_vmenter_s_cet; + u64 pre_vmenter_ssp; + u64 pre_vmenter_ssp_tbl; =20 /* to migrate it to L1 if L2 writes to L1's CR8 directly */ int l1_tpr_threshold; --=20 2.51.0.384.g4c02a37b29-goog From nobody Thu Oct 2 18:06:25 2025 Received: from mail-pl1-f201.google.com (mail-pl1-f201.google.com [209.85.214.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E8FE92DAFBE for ; Fri, 12 Sep 2025 23:24:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757719446; cv=none; b=op9atR4LSJiptC1j2M8IokvHTcbEhl0TR433S1p/V3b/MPP5bFcmRwn3c2daHP+1mRnxskiOfoQDQle8KBwPrVcuzLehhRG3XM5UjJEgpWGnyv8rNpvD1LmWLYCkP0WIjOvqJhZL8dWkxA6ZMdJ1v+nGEDjbzk8gUgecSmU7CBg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757719446; c=relaxed/simple; bh=+RVQicm4TK8MmrV33Gpsf9YCthCHWpRMM79XaOiiPK8=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=TKaXqgIigHYdHDnIVCy1/dB2o+I98u8RFphtegmkw3fF+hlCR6OpAUMBIjAwyeslzoIX9uJf+JX9TAsf/SVm+zLDvnrbiMjfPXBSZ2MHL1SzS35gxYjrwO1eQhFuDm9X/PxdfwvmYRNLVE4OoxW3rOxKU+swAjdXd97IyqdzOao= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=Hncz5h2x; arc=none smtp.client-ip=209.85.214.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) 
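Review bot: the comment block that closes just above pre_vmenter_debugctl in the vmx.h hunk documents the pre_vmenter_* fields; extend it to cover pre_vmenter_s_cet, pre_vmenter_ssp and pre_vmenter_ssp_tbl and to note that they are only meaningful when the vCPU has IBT/SHSTK, because vmcs_read_cet_state() leaves them untouched otherwise.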
header.d=google.com header.i=@google.com header.b="Hncz5h2x" Received: by mail-pl1-f201.google.com with SMTP id d9443c01a7336-24c9304b7bcso25382515ad.3 for ; Fri, 12 Sep 2025 16:24:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1757719444; x=1758324244; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:reply-to:from:to:cc:subject:date:message-id:reply-to; bh=fLo/SEqM2VBVejoE7ds3n2zise52/J9CjN3ZQw5EHn8=; b=Hncz5h2xZGe2PAnu1O5UjGIJHeeADLi6aJyi4xVlL3YhNwIBaEApiW3NBeVHvpntTc 2fN+Giws4icktUhMXKG/0x4gvX6cVPhGZ5zha5COeFa3c3YtJ6m02I9KFg5cjIfewYnW TBgrlSFnOhM79pScXRQUhsQoUfE0KSP3rzUZ0mDu69lXvTu2JdQ23hXI4vuWbtsmsoMH srYZ+UHCkm9Jgap7nSk8H9LOrEx3JNJ2YshD4L8pVmt6BTpP0lvIqp4NehXIHyR99TyU 2wkIJ5AsjTHabc8t1U3MO/8yMTl5GuPEd/Fqfif3GCwNAPpismPVB+WgRK1ibBbh6x0f IaQw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1757719444; x=1758324244; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:reply-to:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=fLo/SEqM2VBVejoE7ds3n2zise52/J9CjN3ZQw5EHn8=; b=iqozsmP6STBaZx1d7zb9H7HbVBQygN68JNWvpgsQ2jTEOhEB7VsqFyvH/VzgsnkAd8 Ib3Tk9T2cFYhi+4jgqCn0y3oXR4zrGJqEN+u/KzDOT+U/SJ+7bO5yX9Q30faLn0YPoAl wrpbCnVqCOMcmy1K77BRulxin3tLYBK7pnmEEb9OqfnPkZqmz4ghwwXDW/dZYvO+AnIr drKczA4SNPOXlN1n1cyrb2XFl/HehhZKXOApB1idodyYSo0+uQAwS9+AAwIWg6sZiZyv nNLC+oSCM0YzD2RS5ztMrczUpCn0fs7+XP7IByrFdckflevjFZl4iR0n4Zki0PPu+mQq DlFQ== X-Forwarded-Encrypted: i=1; AJvYcCXK7O6dgrYTRvccx0CrE9W4JTSAzEZUzBKv2Cxi8ET41798yPl1gBJqfn9mwYWGt2X0Tek4+BGVsLfa3rI=@vger.kernel.org X-Gm-Message-State: AOJu0YwguIaUwlnrQ2db41zh2hCTvXHZCEpQ8mGiWHeymqoVG/u8vNwd 89yrOU24p+HOH3EypmqnEtNLG7taYtesvJfvJZGshaActbqgpU0rYQtWmIYl8VojOmcEycFDmHU vAtHwRg== X-Google-Smtp-Source: AGHT+IFZ66G99jqjCPVcjm61uKkUswQxYM0js2Pq9O0QazFOGhxlaYFTFHswXm9x+i/mLtHDJdlNTlwG258= X-Received: from pldr19.prod.google.com 
([2002:a17:903:4113:b0:249:140e:945a]) (user=seanjc job=prod-delivery.src-stubby-dispatcher) by 2002:a17:903:2f85:b0:249:1f5f:f9a2 with SMTP id d9443c01a7336-25d21112648mr41894805ad.0.1757719444289; Fri, 12 Sep 2025 16:24:04 -0700 (PDT) Reply-To: Sean Christopherson Date: Fri, 12 Sep 2025 16:23:00 -0700 In-Reply-To: <20250912232319.429659-1-seanjc@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20250912232319.429659-1-seanjc@google.com> X-Mailer: git-send-email 2.51.0.384.g4c02a37b29-goog Message-ID: <20250912232319.429659-23-seanjc@google.com> Subject: [PATCH v15 22/41] KVM: nVMX: Add consistency checks for CR0.WP and CR4.CET From: Sean Christopherson To: Paolo Bonzini , Sean Christopherson Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky , Mathias Krause , John Allen , Rick Edgecombe , Chao Gao , Maxim Levitsky , Xiaoyao Li , Zhang Yi Z Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Chao Gao Add consistency checks for CR4.CET and CR0.WP in guest-state or host-state area in the VMCS12. This ensures that configurations with CR4.CET set and CR0.WP not set result in VM-entry failure, aligning with architectural behavior. Tested-by: Mathias Krause Tested-by: John Allen Tested-by: Rick Edgecombe Signed-off-by: Chao Gao Signed-off-by: Sean Christopherson --- arch/x86/kvm/vmx/nested.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c index 51d69f368689..a73f38d7eea1 100644 --- a/arch/x86/kvm/vmx/nested.c +++ b/arch/x86/kvm/vmx/nested.c 
@@ -3111,6 +3111,9 @@ static int nested_vmx_check_host_state(struct kvm_vcp= u *vcpu, CC(!kvm_vcpu_is_legal_cr3(vcpu, vmcs12->host_cr3))) return -EINVAL; =20 + if (CC(vmcs12->host_cr4 & X86_CR4_CET && !(vmcs12->host_cr0 & X86_CR0_WP)= )) + return -EINVAL; + if (CC(is_noncanonical_msr_address(vmcs12->host_ia32_sysenter_esp, vcpu))= || CC(is_noncanonical_msr_address(vmcs12->host_ia32_sysenter_eip, vcpu))) return -EINVAL; 
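Review bot: in the nested_vmx_check_host_state() hunk, `vmcs12->host_cr4 & X86_CR4_CET && !(vmcs12->host_cr0 & X86_CR0_WP)` relies on `&` binding tighter than `&&`; wrap the bitwise test in parentheses so the intent survives a casual read and checkpatch. Consider also placing the check next to the existing host CR0/CR4 validity checks rather than after the CR3 check, so all CR consistency checks stay grouped.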
@@ -3225,6 +3228,9 @@ static int nested_vmx_check_guest_state(struct kvm_vc= pu *vcpu, CC(!nested_guest_cr4_valid(vcpu, vmcs12->guest_cr4))) return -EINVAL; =20 + if (CC(vmcs12->guest_cr4 & X86_CR4_CET && !(vmcs12->guest_cr0 & X86_CR0_W= P))) + return -EINVAL; + if ((vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS) && (CC(!kvm_dr7_valid(vmcs12->guest_dr7)) || CC(!vmx_is_valid_debugctl(vcpu, vmcs12->guest_ia32_debugctl, false))= )) --=20 2.51.0.384.g4c02a37b29-goog From nobody Thu Oct 2 18:06:25 2025 Received: from mail-pj1-f74.google.com (mail-pj1-f74.google.com [209.85.216.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C25352DC329 for ; Fri, 12 Sep 2025 23:24:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.74 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757719448; cv=none; b=dYDTt/DRJp73NjxBoxWaNovsdgnt53cB942ZpWhfVio2PecALsBFOupKqkKjEQKsUz6BbdvozbQiBNGTG4MdkeBlzTUPkuWUbQF2vyv/1FPMHMc820CmCGXrJVPriebOPgYvwJHpIUZp4hviElTVaAdL4gpVYOUELvQR/Wkjgrw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757719448; c=relaxed/simple; bh=MPZBvYn5dIhEZftsLXy+k1gliAtB05haepqZLfWlI+o=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=EjA1QptbgPLqy5vWhpHmaYnByRMuTKFaQFqxp8nyJFGmDDYW4w744lgN3fls9JaXPYq0fafgecn77xh+c1IXiA9IbbVPsgRLsjkdiEXcrwLVkacWWkOe14IcDOeWCXFNjS5lQhqVLLsyTJVwGZDgGgtYlGmu6jYyb+GXLdXQ69w= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=bmp1dC+P; arc=none smtp.client-ip=209.85.216.74 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com 
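Review bot: same parenthesization point for the nested_vmx_check_guest_state() hunk (`vmcs12->guest_cr4 & X86_CR4_CET && ...`). Its placement directly after the nested_guest_cr4_valid() check is right, since that earlier check already rejects CR4.CET on a vCPU without SHSTK/IBT and this one only adds the CR0.WP dependency; a short comment saying exactly that would document the ordering.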
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="bmp1dC+P" Received: by mail-pj1-f74.google.com with SMTP id 98e67ed59e1d1-32deef33abdso1264980a91.3 for ; Fri, 12 Sep 2025 16:24:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1757719446; x=1758324246; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:reply-to:from:to:cc:subject:date:message-id:reply-to; bh=04uvHjxAqDu/hC/6pYykcUt3v/Ox1tG5Jh6i2BGlxXk=; b=bmp1dC+P+WNg5NtZp3TICmvJyu5leYSOWk2XEBrLvdRWnL8cArxcsC1VDDNPkBit2U dx7hDVO7GVJAed4HfnHCNJiTkFSM1fzcVt2yEAV+6H8+St8eaMb1nvkhfBwlCBBerac7 1kmvi6xHfxn1Q7hT5Xp18SDaSrgAdGPIPhPmgOvYq5fdMnpnDR3MUbTcWcp0rca9YRnm dJ6ZLy8JB8gt8impI+odA8d5CiuGsLGF2wl+S91c6Ag3upWYxSkNJg08TxhZj70FNTe7 i1vCPeyXeFiasaf2v69FgVeovfM0Y+biLJXKGtLKn34uBBpVypoVnVsp7OISOzyhdQgw T5VQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1757719446; x=1758324246; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:reply-to:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=04uvHjxAqDu/hC/6pYykcUt3v/Ox1tG5Jh6i2BGlxXk=; b=Kfl15e1ygSpskj2/frI0ETnIAq4/Yhxu7ahTAUbDVjbiFapfsMz1NPOkeDTS+E/KwX AnQ1KQ7g0fz1VfkNG9Gq6tIUG61lj0gdUnek1Bt2OH49XKQyjdaibPfsCmbZlsqmHPvk sq7V2T1SJNo7BfTTdQ9tdL3lxjt0zim+dG0KaC1eEeK4sJe2dy6elAYgpDzJVkrMZtOx z7zCEvkfdZbChTAraAtsYXH+YxWbIiwIvzfCsfLoP38WqHF2eDLD2gRQnfr/XRSwG92f 3bnNRDIo2bvXXRjmKfzf7Uvr9LFdO2ZnR9HaiywdupqnN077R2g/qAGWEbaW79Yva8lZ 0CaQ== X-Forwarded-Encrypted: i=1; AJvYcCUSyyKURl+mSRKHxflbhgy4bcFaIw0AvCWOdVT5N4Yil6/2OMiO+jtoidHRfk3i9uKhtdMJCLIesk38I74=@vger.kernel.org X-Gm-Message-State: AOJu0YxuhRKDwSG33Ji280DgXnE1Q6VUhoyweRHxDxdswfjMVofDVE8c ddJpV5AFSoL1NUEvusG0M8obCB+kzO+X5xcitgKKGn+wadFF1ykiVCe5vQQSFJpICdzTp0naHZz U3f2LmA== 
X-Google-Smtp-Source: AGHT+IEzQt6auq3+8YRv+SuIK8SxREofv/BnooxdLXGs0d7AyO5RocHDIBzoU5UiRRPS8qyHEi9SECBARug= X-Received: from pjtu6.prod.google.com ([2002:a17:90a:c886:b0:32d:a0b1:2b14]) (user=seanjc job=prod-delivery.src-stubby-dispatcher) by 2002:a17:90a:fc4d:b0:329:e729:b2a1 with SMTP id 98e67ed59e1d1-32de4fa1c8bmr5081666a91.35.1757719446146; Fri, 12 Sep 2025 16:24:06 -0700 (PDT) Reply-To: Sean Christopherson Date: Fri, 12 Sep 2025 16:23:01 -0700 In-Reply-To: <20250912232319.429659-1-seanjc@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20250912232319.429659-1-seanjc@google.com> X-Mailer: git-send-email 2.51.0.384.g4c02a37b29-goog Message-ID: <20250912232319.429659-24-seanjc@google.com> Subject: [PATCH v15 23/41] KVM: nVMX: Add consistency checks for CET states From: Sean Christopherson To: Paolo Bonzini , Sean Christopherson Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky , Mathias Krause , John Allen , Rick Edgecombe , Chao Gao , Maxim Levitsky , Xiaoyao Li , Zhang Yi Z Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" 
From: Chao Gao Introduce consistency checks for CET states during nested VM-entry. A VMCS contains both guest and host CET states, each comprising the IA32_S_CET MSR, SSP, and IA32_INTERRUPT_SSP_TABLE_ADDR MSR. Various checks are applied to CET states during VM-entry as documented in SDM Vol3 Chapter "VM ENTRIES". Implement all these checks during nested VM-entry to emulate the architectural behavior. In summary, there are three kinds of checks on guest/host CET states during VM-entry: A. Checks applied to both guest states and host states: * The IA32_S_CET field must not set any reserved bits; bits 10 (SUPPRESS) and 11 (TRACKER) cannot both be set. * SSP should not have bits 1:0 set. * The IA32_INTERRUPT_SSP_TABLE_ADDR field must be canonical. B. Checks applied to host states only * IA32_S_CET MSR and SSP must be canonical if the CPU enters 64-bit mode after VM-exit. Otherwise, IA32_S_CET and SSP must have their higher 32 bits cleared. C. Checks applied to guest states only: * IA32_S_CET MSR and SSP are not required to be canonical (i.e., 63:N-1 are identical, where N is the CPU's maximum linear-address width). But, bits 63:N of SSP must be identical. Tested-by: Mathias Krause Tested-by: John Allen Tested-by: Rick Edgecombe Signed-off-by: Chao Gao Signed-off-by: Sean Christopherson --- arch/x86/kvm/vmx/nested.c | 47 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c index a73f38d7eea1..edb3b877a0f6 100644 --- a/arch/x86/kvm/vmx/nested.c +++ b/arch/x86/kvm/vmx/nested.c 
@@ -3101,6 +3101,17 @@ static bool is_l1_noncanonical_address_on_vmexit(u64= la, struct vmcs12 *vmcs12) return !__is_canonical_address(la, l1_address_bits_on_exit); } =20 +static bool is_valid_cet_state(struct kvm_vcpu *vcpu, u64 s_cet, u64 ssp, = u64 ssp_tbl) +{ + if (!kvm_is_valid_u_s_cet(vcpu, s_cet) || !IS_ALIGNED(ssp, 4)) + return false; + + if (is_noncanonical_msr_address(ssp_tbl, vcpu)) + return false; + + return true; +} + static int nested_vmx_check_host_state(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12) { @@ -3170,6 +3181,26 @@ static int nested_vmx_check_host_state(struct kvm_vc= pu *vcpu, return -EINVAL; } =20 + if (vmcs12->vm_exit_controls & VM_EXIT_LOAD_CET_STATE) { + if (CC(!is_valid_cet_state(vcpu, vmcs12->host_s_cet, vmcs12->host_ssp, + vmcs12->host_ssp_tbl))) + return -EINVAL; + + /* + * IA32_S_CET and SSP must be canonical if the host will + * enter 64-bit mode after VM-exit; otherwise, higher + * 32-bits must be all 0s. + */ + if (ia32e) { + if (CC(is_noncanonical_msr_address(vmcs12->host_s_cet, vcpu)) || + CC(is_noncanonical_msr_address(vmcs12->host_ssp, vcpu))) + return -EINVAL; + } else { + if (CC(vmcs12->host_s_cet >> 32) || CC(vmcs12->host_ssp >> 32)) + return -EINVAL; + } + } + return 0; } =20 
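Review bot: the host CET fields in the nested_vmx_check_host_state() hunk are validated with is_noncanonical_msr_address(), i.e. against L0's maximum linear-address width, even though the context at the top of this hunk shows is_l1_noncanonical_address_on_vmexit(), the helper that exists for host-state fields L1 will consume after VM-exit. If using the host MSR rule is deliberate because S_CET, SSP and the SSP table address are loaded as MSR values rather than as linear addresses, a one-line comment in is_valid_cet_state() saying so would save the next reader the same question; if it is not deliberate, host_s_cet, host_ssp and host_ssp_tbl should use the VM-exit helper. Separately, the `ia32e` the hunk branches on is defined outside the hunk; please confirm it reflects the host address-space-size exit control, since "enters 64-bit mode after VM-exit" is the condition the commit message attaches to this check.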
@@ -3280,6 +3311,22 @@ static int nested_vmx_check_guest_state(struct kvm_v= cpu *vcpu, CC((vmcs12->guest_bndcfgs & MSR_IA32_BNDCFGS_RSVD)))) return -EINVAL; =20 + if (vmcs12->vm_entry_controls & VM_ENTRY_LOAD_CET_STATE) { + if (CC(!is_valid_cet_state(vcpu, vmcs12->guest_s_cet, vmcs12->guest_ssp, + vmcs12->guest_ssp_tbl))) + return -EINVAL; + + /* + * Guest SSP must have 63:N bits identical, rather than + * be canonical (i.e., 63:N-1 bits identical), where N is + * the CPU's maximum linear-address width. Similar to + * is_noncanonical_msr_address(), use the host's + * linear-address width. + */ + if (CC(!__is_canonical_address(vmcs12->guest_ssp, max_host_virt_addr_bit= s() + 1))) + return -EINVAL; + } + if (nested_check_guest_non_reg_state(vmcs12)) return -EINVAL; =20 --=20 2.51.0.384.g4c02a37b29-goog From nobody Thu Oct 2 18:06:25 2025 Received: from mail-pg1-f201.google.com (mail-pg1-f201.google.com [209.85.215.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 410112DAFBD for ; Fri, 12 Sep 2025 23:24:08 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.215.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757719449; cv=none; b=XYo1zzbVc29lZXDY/PyOo5tntqvLJCcfKjOXDkoHpQVMBeOh5vu7iNVAjDKa+ZveqxUVSk4lfPNgIxoB42GRfmJfjnEYdoXbzgfMEjM7FoBIuC0Xxp/I8y8io7LsoCdSctG7RKN/EML+EtSUCh7lyUYGIewWQ2LDRLkogEKVKWE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757719449; c=relaxed/simple; bh=u6obytA8jhs+D5XP44Ibf3Fk/tIoJ+TGc9bGl3L5dOA=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=eYiHA+hL0hI6h9+EzXOUaYzgxJrXY4qBuWlZjwgk+uPI4FIYO3cKerCidlVKwnl6xzkTnNHo5GP24DsVkcFcAvxUB0WKjKHe4U/2UtgqioxyNTZJKg7wW93a7q2xTcw8Q74pCWh7WlJS+lPe/h8E6YdfSYgvaF+0DGnmXDNfUVk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass 
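Review bot: in the nested_vmx_check_guest_state() hunk the relaxed guest SSP rule is open-coded as `__is_canonical_address(vmcs12->guest_ssp, max_host_virt_addr_bits() + 1)`, with the `+ 1` explained only in the comment. Since is_valid_cet_state() is already shared by the host and guest paths, consider letting it (or a small SSP-specific helper) own the canonicality rule so the host's strict check and the guest's 63:N-identical check sit side by side instead of one being inlined here. Note also that the guest path applies no canonicality check to guest_s_cet at all; that matches the commit message ("IA32_S_CET MSR and SSP are not required to be canonical"), but a short comment marking the omission as intentional would keep someone from "fixing" it later.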
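The commit message above draws a distinction that is easy to misread: a host SSP must be canonical in the usual sense (bits 63:N-1 identical, N being the maximum linear-address width) when L1 returns to 64-bit mode, whereas a guest SSP only needs bits 63:N identical, which the patch expresses as a canonical check with N + 1 bits. The C program below is an added example, not code from the patch or from KVM; it reimplements the sign-extension test behind the kernel's `__is_canonical_address()` under hypothetical names (`canonical_address`, `guest_ssp_ok`, `host_ssp_ok`), assumes a 48-bit address width for its constructed sample values, and prints which SSP values each rule accepts.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical reimplementation of the sign-extension test behind the
 * kernel's __is_canonical_address(): shift the value so that bit
 * (vaddr_bits - 1) becomes the sign bit, then shift back arithmetically.
 * The value is canonical for vaddr_bits iff that round trip is a no-op,
 * i.e. bits 63:vaddr_bits-1 are all equal. Like the kernel, this relies on
 * the arithmetic right shift of negative values that gcc and clang implement.
 */
static uint64_t canonical_address(uint64_t la, unsigned int vaddr_bits)
{
	unsigned int shift = 64 - vaddr_bits;

	return (uint64_t)(((int64_t)(la << shift)) >> shift);
}

static bool is_canonical_address(uint64_t la, unsigned int vaddr_bits)
{
	return canonical_address(la, vaddr_bits) == la;
}

/*
 * Guest-state rule from the nested VM-entry check: SSP must be 4-byte
 * aligned and bits 63:N must be identical, which is the same as being
 * canonical for N + 1 bits. Bit N-1 is unconstrained.
 */
static bool guest_ssp_ok(uint64_t ssp, unsigned int max_vaddr_bits)
{
	if (ssp & 0x3)
		return false;
	return is_canonical_address(ssp, max_vaddr_bits + 1);
}

/*
 * Host-state rule: 4-byte aligned; strictly canonical when the host will run
 * in 64-bit mode after VM-exit (ia32e), otherwise the upper 32 bits must be
 * zero.
 */
static bool host_ssp_ok(uint64_t ssp, unsigned int max_vaddr_bits, bool ia32e)
{
	if (ssp & 0x3)
		return false;
	if (ia32e)
		return is_canonical_address(ssp, max_vaddr_bits);
	return (ssp >> 32) == 0;
}

int main(void)
{
	/* Constructed sample values for a 48-bit linear-address width. */
	const unsigned int n = 48;
	const uint64_t samples[] = {
		0x00007ffffffff000ULL, /* canonical, user half */
		0xffff800000000000ULL, /* canonical, kernel half */
		0x0000800000000000ULL, /* bit 47 set, bits 63:48 clear: guest-only */
		0x0001000000000000ULL, /* bit 48 set, bits 63:49 clear: rejected */
		0x00007ffffffff002ULL, /* misaligned: rejected everywhere */
		0x00000000fffff000ULL, /* fits in 32 bits: legacy host accepts */
	};

	printf("%-20s %-6s %-10s %-12s\n", "ssp", "guest", "host ia32e", "host legacy");
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("0x%016llx %-6s %-10s %-12s\n",
		       (unsigned long long)samples[i],
		       guest_ssp_ok(samples[i], n) ? "ok" : "fail",
		       host_ssp_ok(samples[i], n, true) ? "ok" : "fail",
		       host_ssp_ok(samples[i], n, false) ? "ok" : "fail");
	return 0;
}
```

The third sample is the interesting one: with bit 47 set and bits 63:48 clear it fails the 48-bit canonical test the host path applies, yet passes the guest path's 49-bit test, which is exactly the "bits 63:N identical rather than 63:N-1" relaxation the commit message describes.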
Reply-To: Sean Christopherson
Date: Fri, 12 Sep 2025 16:23:02 -0700
In-Reply-To: <20250912232319.429659-1-seanjc@google.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
Mime-Version: 1.0
References: <20250912232319.429659-1-seanjc@google.com>
X-Mailer: git-send-email 2.51.0.384.g4c02a37b29-goog
Message-ID: <20250912232319.429659-25-seanjc@google.com>
Subject: [PATCH v15 24/41] KVM: nVMX: Advertise new VM-Entry/Exit control bits for CET state
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Maxim Levitsky, Xiaoyao Li, Zhang Yi Z
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Chao Gao

Advertise new VM-Entry/Exit control bits as all nested support for CET virtualization, including consistency checks, is in place.

Signed-off-by: Chao Gao
Signed-off-by: Sean Christopherson
---
 arch/x86/kvm/vmx/nested.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
index edb3b877a0f6..d7e2fb30fc1a 100644
--- a/arch/x86/kvm/vmx/nested.c +++ b/arch/x86/kvm/vmx/nested.c @@ -7176,7 +7176,7 @@ static void nested_vmx_setup_exit_ctls(struct vmcs_co= nfig *vmcs_conf, VM_EXIT_HOST_ADDR_SPACE_SIZE | #endif VM_EXIT_LOAD_IA32_PAT | VM_EXIT_SAVE_IA32_PAT | - VM_EXIT_CLEAR_BNDCFGS; + VM_EXIT_CLEAR_BNDCFGS | VM_EXIT_LOAD_CET_STATE; msrs->exit_ctls_high |=3D VM_EXIT_ALWAYSON_WITHOUT_TRUE_MSR | VM_EXIT_LOAD_IA32_EFER | VM_EXIT_SAVE_IA32_EFER | 
@@ -7198,7 +7198,8 @@ static void nested_vmx_setup_entry_ctls(struct vmcs_c= onfig *vmcs_conf, #ifdef CONFIG_X86_64 VM_ENTRY_IA32E_MODE | #endif - VM_ENTRY_LOAD_IA32_PAT | VM_ENTRY_LOAD_BNDCFGS; + VM_ENTRY_LOAD_IA32_PAT | VM_ENTRY_LOAD_BNDCFGS | + VM_ENTRY_LOAD_CET_STATE; msrs->entry_ctls_high |=3D (VM_ENTRY_ALWAYSON_WITHOUT_TRUE_MSR | VM_ENTRY_LOAD_IA32_EFER | VM_ENTRY_LOAD_IA32_PERF_GLOBAL_CTRL); --=20 2.51.0.384.g4c02a37b29-goog From nobody Thu Oct 2 18:06:25 2025 Received: from mail-pj1-f73.google.com (mail-pj1-f73.google.com [209.85.216.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 91E4A2DE71E for ; Fri, 12 Sep 2025 23:24:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.73 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757719453; cv=none; b=InjxtyLM3n2golKfcCTTVJ2gfDDARTxWWQDCDMkoYVlH+fmd1sWvuhfw9NWMQbOhaeBRRu7mqdgvqjE3MSpOHJud+OxlKA1lTqe5o3DHjYqk0xvUXkLc0wAxJB1eGAAAd2ST64mrG7TuGdAt6W7dyPifgGlDjWVO2zuTYz6Ig/A= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757719453; c=relaxed/simple; bh=ibVx0FQYqXwWEPMynXAQvI8QkDm2bnd6eQ6psaEJve4=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=N5iJGS73itcjhxnR07xoMWvjUVM9tCFf0jmmRCVAcczaBCPmpsBwmkRawhiYQS6TYPRw13GyVG5X5zK9IaR7swKXSR3TBCB1KKaCXoFoj+MQkjT0iYB+PWLY2siST2lU0/NHar8MLm2FsgGg8jATy/DvyK2kFw7ARTIU2MnHiro= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=hYWsS14J; arc=none smtp.client-ip=209.85.216.73 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; 
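Review bot: VM_ENTRY_LOAD_CET_STATE in this hunk (and VM_EXIT_LOAD_CET_STATE in the previous one) is added to the set of controls nested_vmx_setup_entry_ctls()/nested_vmx_setup_exit_ctls() expose to L1, so the bit becomes visible whenever the host CPU supports it. Nothing in either hunk ties that to whether SHSTK or IBT is actually exposed to L1 via CPUID. If the per-vCPU clearing happens elsewhere in the series (for example when the guest CPUID is set), the commit message should name that location so the "all nested support ... is in place" claim can be checked; if it does not, the bits should be masked off for a vCPU that has neither feature enabled, otherwise L1 is offered an entry/exit control whose state it cannot legitimately use.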
Reply-To: Sean Christopherson
Date: Fri, 12 Sep 2025 16:23:03 -0700
In-Reply-To: <20250912232319.429659-1-seanjc@google.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
Mime-Version: 1.0
References: <20250912232319.429659-1-seanjc@google.com>
X-Mailer: git-send-email 2.51.0.384.g4c02a37b29-goog
Message-ID: <20250912232319.429659-26-seanjc@google.com>
Subject: [PATCH v15 25/41] KVM: x86: SVM: Emulate reads and writes to shadow stack MSRs
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Maxim Levitsky, Xiaoyao Li, Zhang Yi Z
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: John Allen

Emulate shadow stack MSR access by reading and writing to the corresponding fields in the VMCB.

Signed-off-by: John Allen
[sean: mark VMCB_CET dirty/clean as appropriate]
Signed-off-by: Sean Christopherson
---
 arch/x86/kvm/svm/svm.c | 21 +++++++++++++++++++++
 arch/x86/kvm/svm/svm.h | 3 ++-
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
index d4e1fdcf56da..0c0115b52e5c 100644
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -2767,6 +2767,15 @@ static int svm_get_msr(struct kvm_vcpu *vcpu, struct= msr_data *msr_info) if (guest_cpuid_is_intel_compatible(vcpu)) msr_info->data |=3D (u64)svm->sysenter_esp_hi << 32; break; + case MSR_IA32_S_CET: + msr_info->data =3D svm->vmcb->save.s_cet; + break; + case MSR_IA32_INT_SSP_TAB: + msr_info->data =3D svm->vmcb->save.isst_addr; + break; + case MSR_KVM_INTERNAL_GUEST_SSP: + msr_info->data =3D svm->vmcb->save.ssp; + break; case MSR_TSC_AUX: msr_info->data =3D svm->tsc_aux; break; @@ -2999,6 +3008,18 @@ static int svm_set_msr(struct kvm_vcpu *vcpu, struct= msr_data *msr) svm->vmcb01.ptr->save.sysenter_esp =3D (u32)data; svm->sysenter_esp_hi =3D guest_cpuid_is_intel_compatible(vcpu) ? (data >= > 32) : 0; break; + case MSR_IA32_S_CET: + svm->vmcb->save.s_cet =3D data; + vmcb_mark_dirty(svm->vmcb01.ptr, VMCB_CET); + break; + case MSR_IA32_INT_SSP_TAB: + svm->vmcb->save.isst_addr =3D data; + vmcb_mark_dirty(svm->vmcb01.ptr, VMCB_CET); + break; + case MSR_KVM_INTERNAL_GUEST_SSP: + svm->vmcb->save.ssp =3D data; + vmcb_mark_dirty(svm->vmcb01.ptr, VMCB_CET); + break; case MSR_TSC_AUX: /* * TSC_AUX is always virtualized for SEV-ES guests when the diff --git a/arch/x86/kvm/svm/svm.h b/arch/x86/kvm/svm/svm.h index c2316adde3cc..a42e95883b45 100644 --- a/arch/x86/kvm/svm/svm.h +++ b/arch/x86/kvm/svm/svm.h @@ -74,6 +74,7 @@ enum { * AVIC PHYSICAL_TABLE pointer, * AVIC LOGICAL_TABLE pointer */ + VMCB_CET, /* S_CET, SSP, ISST_ADDR */ VMCB_SW =3D 31, /* Reserved for hypervisor/software use */ }; =20 
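Review bot: in the svm_set_msr() hunk each of the three new cases writes through `svm->vmcb->save.*` but marks the clean bit on a different VMCB, `vmcb_mark_dirty(svm->vmcb01.ptr, VMCB_CET)`. The sysenter_esp case directly above writes `svm->vmcb01.ptr->save.sysenter_esp` explicitly, which shows the two pointers are not interchangeable: while L2 is running `svm->vmcb` is vmcb02, so the VMCB that was actually modified is not dirtied and hardware can keep cached S_CET/ISST_ADDR/SSP for it. Either write and mark the same VMCB (`vmcb_mark_dirty(svm->vmcb, VMCB_CET)`), or add a comment explaining why vmcb01 is the intended target. The svm_get_msr() hunk reads `svm->vmcb->save.*`, which is consistent with the write going to `svm->vmcb`, not to vmcb01.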
@@ -82,7 +83,7 @@ enum { (1U << VMCB_ASID) | (1U << VMCB_INTR) | \ (1U << VMCB_NPT) | (1U << VMCB_CR) | (1U << VMCB_DR) | \ (1U << VMCB_DT) | (1U << VMCB_SEG) | (1U << VMCB_CR2) | \ - (1U << VMCB_LBR) | (1U << VMCB_AVIC) | \ + (1U << VMCB_LBR) | (1U << VMCB_AVIC) | (1U << VMCB_CET) | \ (1U << VMCB_SW)) =20 /* TPR and CR2 are always written before VMRUN */ --=20 2.51.0.384.g4c02a37b29-goog From nobody Thu Oct 2 18:06:25 2025 Received: from mail-pj1-f73.google.com (mail-pj1-f73.google.com [209.85.216.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 68AEB2DEA8F for ; Fri, 12 Sep 2025 23:24:13 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.73 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757719454; cv=none; b=UFMkP8o6KY90f9EHAF5NrdTK3m+nDy3p7u+sCW7KLpulikQWHjrwpuClZpRiKA/JOyEJ/TnGrBaWOtwaN5naq3viOYlDv/TvbxLhs1NWw4MmHAh4uxuo40lmf0P9pp9CDgV2eeooEgwCWCfcNvbubx7xeKgo4PR8DYcwmiR3nz0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757719454; c=relaxed/simple; bh=LAJPzAlmyWIBgpqdwLkUgQB3TkWNzFrLEjxU5EluKAM=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=qhORTa9n+z01NBuHW6eXAlKZc4Jn+EEtsgo/x7NwHghgSIVGieXYUNx/YlKSAMmvq8HTGs2+o7In/GwyDe6QZjtpfOJct89IR4K/L1EQf9Z91CTRuePbzatHVLtk/gIzAFcBaciWqTG8Wk8YVhCN5oKbJY359py5btgLUHBc43g= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=jbllZj0x; arc=none smtp.client-ip=209.85.216.73 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass 
Reply-To: Sean Christopherson
Date: Fri, 12 Sep 2025 16:23:04 -0700
In-Reply-To: <20250912232319.429659-1-seanjc@google.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
Mime-Version: 1.0
References: <20250912232319.429659-1-seanjc@google.com>
X-Mailer: git-send-email 2.51.0.384.g4c02a37b29-goog
Message-ID: <20250912232319.429659-27-seanjc@google.com>
Subject: [PATCH v15 26/41] KVM: nSVM: Save/load CET Shadow Stack state to/from vmcb12/vmcb02
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Maxim Levitsky, Xiaoyao Li, Zhang Yi Z
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Transfer the three CET Shadow Stack VMCB fields (S_CET, ISST_ADDR, and SSP) on VMRUN, #VMEXIT, and loading nested state (saving nested state simply copies the entire save area).

SVM doesn't provide a way to disallow L1 from enabling Shadow Stacks for L2, i.e. KVM *must* provide nested support before advertising SHSTK to userspace.

Signed-off-by: Sean Christopherson
---
 arch/x86/kvm/svm/nested.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c
index 826473f2d7c7..a6443feab252 100644
--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -636,6 +636,14 @@ static void nested_vmcb02_prepare_save(struct vcpu_svm= *svm, struct vmcb *vmcb12 vmcb_mark_dirty(vmcb02, VMCB_DT); } =20 + if (guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK) && + (unlikely(new_vmcb12 || vmcb_is_dirty(vmcb12, VMCB_CET)))) { + vmcb02->save.s_cet =3D vmcb12->save.s_cet; + vmcb02->save.isst_addr =3D vmcb12->save.isst_addr; + vmcb02->save.ssp =3D vmcb12->save.ssp; + vmcb_mark_dirty(vmcb02, VMCB_CET); + } + kvm_set_rflags(vcpu, vmcb12->save.rflags | X86_EFLAGS_FIXED); =20 svm_set_efer(vcpu, svm->nested.save.efer); @@ -1044,6 +1052,12 @@ void svm_copy_vmrun_state(struct vmcb_save_area *to_= save, to_save->rsp =3D from_save->rsp; to_save->rip =3D from_save->rip; to_save->cpl =3D 0; + + if (kvm_cpu_cap_has(X86_FEATURE_SHSTK)) { + to_save->s_cet =3D from_save->s_cet; + to_save->isst_addr =3D from_save->isst_addr; + to_save->ssp =3D from_save->ssp; + } } =20 void svm_copy_vmloadsave_state(struct vmcb *to_vmcb, struct vmcb *from_vmc= b) 
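Review bot: the svm_copy_vmrun_state() hunk gates the S_CET/ISST_ADDR/SSP copy on kvm_cpu_cap_has(X86_FEATURE_SHSTK), a host-capability check, whereas the nested_vmcb02_prepare_save() hunk just above (and the nested_svm_vmexit() hunk that follows) uses guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK). With the host-level predicate, a nested-state load from userspace copies CET fields into a guest whose CPUID does not advertise SHSTK, something the VMRUN path deliberately does not do. If the reason is simply that svm_copy_vmrun_state() has no vcpu in scope, say so in a comment or pass the decision in as a bool; otherwise the two predicates should agree.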
@@ -1111,6 +1125,12 @@ int nested_svm_vmexit(struct vcpu_svm *svm) vmcb12->save.dr6 =3D svm->vcpu.arch.dr6; vmcb12->save.cpl =3D vmcb02->save.cpl; =20 + if (guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK)) { + vmcb12->save.s_cet =3D vmcb02->save.s_cet; + vmcb12->save.isst_addr =3D vmcb02->save.isst_addr; + vmcb12->save.ssp =3D vmcb02->save.ssp; + } + vmcb12->control.int_state =3D vmcb02->control.int_state; vmcb12->control.exit_code =3D vmcb02->control.exit_code; vmcb12->control.exit_code_hi =3D vmcb02->control.exit_code_hi; --=20 2.51.0.384.g4c02a37b29-goog From nobody Thu Oct 2 18:06:25 2025 Received: from mail-pj1-f74.google.com (mail-pj1-f74.google.com [209.85.216.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3D18A288CA6 for ; Fri, 12 Sep 2025 23:24:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.74 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757719457; cv=none; b=iyH884I/IT1vMr2H7zOTcjPfyLBzrqC0FQC8BFVCv5JprGkKDbGC21mt5ELmVGz+bjBDBYNSzqqe+8dP91J4GwImSVLQIYUYeCikZDIRwMjADvjSPlEPMMkG3In4rWyMZpe6vYa8in6wEhrhJzPsqlMkgt9kC39IRo6bUrWPdJ8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757719457; c=relaxed/simple; bh=fBM++utOUJHtYvpSjDE2iy0S74USVtNMtgRTB+NUul4=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=ofE5AtMoEUEh47xeQb5IYJzjkJ2eBv+4ToyMUjfO8lepnNzQVeE8RwRdI7UP/ME9NJUi6QCzZIq6jmzcEbQdOWQhcaBCkkE0wsYGUHMzgMGpXYxaibQu7aDSNmmvZrGy+4FlOX8HguPNDjxAejMTSZENGJCncZ1hkKwj4P3qAKI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=zjZPEKI2; arc=none smtp.client-ip=209.85.216.74 Authentication-Results: 
Reply-To: Sean Christopherson
Date: Fri, 12 Sep 2025 16:23:05 -0700
In-Reply-To: <20250912232319.429659-1-seanjc@google.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
Mime-Version: 1.0
References: <20250912232319.429659-1-seanjc@google.com>
X-Mailer: git-send-email 2.51.0.384.g4c02a37b29-goog
Message-ID: <20250912232319.429659-28-seanjc@google.com>
Subject: [PATCH v15 27/41] KVM: x86: SVM: Update dump_vmcb with shadow stack save area additions
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Maxim Levitsky, Xiaoyao Li, Zhang Yi Z
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: John Allen

Add shadow stack VMCB fields to dump_vmcb. PL0_SSP, PL1_SSP, PL2_SSP, PL3_SSP, and U_CET are part of the SEV-ES save area and are encrypted, but can be decrypted and dumped if the guest policy allows debugging.

Reviewed-by: Maxim Levitsky
Signed-off-by: John Allen
Signed-off-by: Sean Christopherson
---
 arch/x86/kvm/svm/svm.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
index 0c0115b52e5c..c0a16481b9c3 100644
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -3410,6 +3410,10 @@ static void dump_vmcb(struct kvm_vcpu *vcpu) "rip:", save->rip, "rflags:", save->rflags); pr_err("%-15s %016llx %-13s %016llx\n", "rsp:", save->rsp, "rax:", save->rax); + pr_err("%-15s %016llx %-13s %016llx\n", + "s_cet:", save->s_cet, "ssp:", save->ssp); + pr_err("%-15s %016llx\n", + "isst_addr:", save->isst_addr); pr_err("%-15s %016llx %-13s %016llx\n", "star:", save01->star, "lstar:", save01->lstar); pr_err("%-15s %016llx %-13s %016llx\n", 
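Review bot: the first dump_vmcb() hunk prints `save->s_cet`, `save->ssp` and `save->isst_addr` from the unencrypted VMCB save area. For an SEV-ES guest that area does not hold the guest's register state, so these three lines will show whatever KVM left there rather than guest values, while the second hunk correctly goes to the decrypted VMSA for pl0..pl3_ssp and u_cet. Consider either marking the first set as VMCB (non-SEV-ES) values in the label, or, if the sev_es_save_area also carries the s_cet/ssp/isst_addr triple, dumping them from `vmsa` next to the PLn_SSP fields so the two halves of the dump describe the same guest.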
@@ -3434,6 +3438,13 @@ static void dump_vmcb(struct kvm_vcpu *vcpu) pr_err("%-15s %016llx\n", "sev_features", vmsa->sev_features); =20 + pr_err("%-15s %016llx %-13s %016llx\n", + "pl0_ssp:", vmsa->pl0_ssp, "pl1_ssp:", vmsa->pl1_ssp); + pr_err("%-15s %016llx %-13s %016llx\n", + "pl2_ssp:", vmsa->pl2_ssp, "pl3_ssp:", vmsa->pl3_ssp); + pr_err("%-15s %016llx\n", + "u_cet:", vmsa->u_cet); + pr_err("%-15s %016llx %-13s %016llx\n", "rax:", vmsa->rax, "rbx:", vmsa->rbx); pr_err("%-15s %016llx %-13s %016llx\n", --=20 2.51.0.384.g4c02a37b29-goog From nobody Thu Oct 2 18:06:25 2025 Received: from mail-pf1-f201.google.com (mail-pf1-f201.google.com [209.85.210.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1B9FF2DF6EA for ; Fri, 12 Sep 2025 23:24:16 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757719458; cv=none; b=Zc9LQG/njhuo1bjzHnxwfeqtEDzP5ytaY8N30jMJDyNbeG1qEib9ksX9yiSHbLU22YWckDHeNF6AzzALIEb7xVXv/vqbNkUi5SAJCWg110PZL4cAGNz5Yv0fatcSbL5Mfg9jWOOtD0Y2rJAdRCWAr4KVavXk7j/Cs4SlAURCcVc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757719458; c=relaxed/simple; bh=D9+M1ofPK3BLJQzsUrcajnb1SD4gWSQfdTr3TnAALuU=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=aPwzIf8rfRSdUfpakSRBLTQDaMaUdBywnJxCfZawIYpihHdqO7LG6HVW+88dYdMBaS9JCyHH8qBh2RrD14rbAKRv0XRjrG9tMgACXqax9OjhZtejq9E+xAxb9WDJrXAxe7TluDQ3EKNOqNEbAummPCbEisz0tAcmCqLxqCJQWc0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=BQ3fYdIr; arc=none smtp.client-ip=209.85.210.201 Authentication-Results: smtp.subspace.kernel.org; 
Reply-To: Sean Christopherson
Date: Fri, 12 Sep 2025 16:23:06 -0700
In-Reply-To: <20250912232319.429659-1-seanjc@google.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
Mime-Version: 1.0
References: <20250912232319.429659-1-seanjc@google.com>
X-Mailer: git-send-email 2.51.0.384.g4c02a37b29-goog
Message-ID: <20250912232319.429659-29-seanjc@google.com>
Subject: [PATCH v15 28/41] KVM: x86: SVM: Pass through shadow stack MSRs as appropriate
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Maxim Levitsky, Xiaoyao Li, Zhang Yi Z
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: John Allen

Pass through XSAVE managed CET MSRs on SVM when KVM supports shadow stack. These cannot be intercepted without also intercepting XSAVE which would likely cause unacceptable performance overhead. MSR_IA32_INT_SSP_TAB is not managed by XSAVE, so it is intercepted.

Reviewed-by: Chao Gao
Signed-off-by: John Allen
Signed-off-by: Sean Christopherson
---
 arch/x86/kvm/svm/svm.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
index c0a16481b9c3..dc4d34e6af33 100644
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -844,6 +844,17 @@ static void svm_recalc_msr_intercepts(struct kvm_vcpu *vcpu)
 		svm_disable_intercept_for_msr(vcpu, MSR_IA32_MPERF, MSR_TYPE_R);
 	}
 
+	if (kvm_cpu_cap_has(X86_FEATURE_SHSTK)) {
+		bool shstk_enabled = guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK);
+
+		svm_set_intercept_for_msr(vcpu, MSR_IA32_U_CET, MSR_TYPE_RW, !shstk_enabled);
+		svm_set_intercept_for_msr(vcpu, MSR_IA32_S_CET, MSR_TYPE_RW, !shstk_enabled);
+		svm_set_intercept_for_msr(vcpu, MSR_IA32_PL0_SSP, MSR_TYPE_RW, !shstk_enabled);
+		svm_set_intercept_for_msr(vcpu, MSR_IA32_PL1_SSP, MSR_TYPE_RW, !shstk_enabled);
+		svm_set_intercept_for_msr(vcpu, MSR_IA32_PL2_SSP, MSR_TYPE_RW, !shstk_enabled);
+		svm_set_intercept_for_msr(vcpu, MSR_IA32_PL3_SSP, MSR_TYPE_RW, !shstk_enabled);
+	}
+
 	if (sev_es_guest(vcpu->kvm))
 		sev_es_recalc_msr_intercepts(vcpu);
 
-- 
2.51.0.384.g4c02a37b29-goog
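Review bot: in the new `if (kvm_cpu_cap_has(X86_FEATURE_SHSTK))` block the intercepts for MSR_IA32_U_CET and MSR_IA32_S_CET are toggled on `!shstk_enabled` alone, yet those two MSRs also carry the IBT control bits. That is only correct while SVM keeps IBT disabled (the svm_set_cpu_caps() hunk later in this series still does `kvm_cpu_cap_clear(X86_FEATURE_IBT);`), so either derive the U_CET/S_CET condition from both features now or leave a comment stating that the block must be revisited when IBT is enabled for SVM; otherwise an IBT-only guest would lose the pass-through that the changelog says is required for acceptable performance. A short comment noting that MSR_IA32_INT_SSP_TAB is deliberately left intercepted because it is not XSAVE-managed would also help, since the code alone gives no hint why the list stops at PL3_SSP.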
Reply-To: Sean Christopherson
Date: Fri, 12 Sep 2025 16:23:07 -0700
In-Reply-To: <20250912232319.429659-1-seanjc@google.com>
References: <20250912232319.429659-1-seanjc@google.com>
Message-ID: <20250912232319.429659-30-seanjc@google.com>
Subject: [PATCH v15 29/41] KVM: SEV: Synchronize MSR_IA32_XSS from the GHCB when it's valid
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Maxim Levitsky, Xiaoyao Li, Zhang Yi Z

Synchronize XSS from the GHCB to KVM's internal tracking if the guest marks
XSS as valid on a #VMGEXIT. Like XCR0, KVM needs an up-to-date copy of XSS
in order to compute the required XSTATE size when emulating CPUID.0xD.0x1
for the guest.

Treat the incoming XSS change as an emulated write, i.e. validate the
guest-provided value, to avoid letting the guest load garbage into KVM's
tracking. Simply ignore bad values, as either the guest managed to get an
unsupported value into hardware, or the guest is misbehaving and providing
pure garbage. In either case, KVM can't fix the broken guest.

Note, emulating the change as an MSR write also takes care of side effects,
e.g. marking dynamic CPUID bits as dirty.

Suggested-by: John Allen
Signed-off-by: Sean Christopherson
---
 arch/x86/kvm/svm/sev.c | 3 +++
 arch/x86/kvm/svm/svm.h | 1 +
 2 files changed, 4 insertions(+)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index 0cd77a87dd84..0cd32df7b9b6 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -3306,6 +3306,9 @@ static void sev_es_sync_from_ghcb(struct vcpu_svm *svm)
 	if (kvm_ghcb_xcr0_is_valid(svm))
 		__kvm_set_xcr(vcpu, 0, kvm_ghcb_get_xcr0(ghcb));
 
+	if (kvm_ghcb_xss_is_valid(svm))
+		__kvm_emulate_msr_write(vcpu, MSR_IA32_XSS, kvm_ghcb_get_xss(ghcb));
+
 	/* Copy the GHCB exit information into the VMCB fields */
 	exit_code = kvm_ghcb_get_sw_exit_code(ghcb);
 	control->exit_code = lower_32_bits(exit_code);
diff --git a/arch/x86/kvm/svm/svm.h b/arch/x86/kvm/svm/svm.h
index a42e95883b45..10d764878bcc 100644
--- a/arch/x86/kvm/svm/svm.h
+++ b/arch/x86/kvm/svm/svm.h
@@ -942,5 +942,6 @@ DEFINE_KVM_GHCB_ACCESSORS(sw_exit_info_1)
 DEFINE_KVM_GHCB_ACCESSORS(sw_exit_info_2)
 DEFINE_KVM_GHCB_ACCESSORS(sw_scratch)
 DEFINE_KVM_GHCB_ACCESSORS(xcr0)
+DEFINE_KVM_GHCB_ACCESSORS(xss)
 
 #endif
-- 
2.51.0.384.g4c02a37b29-goog
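Review bot: in the sev.c hunk the result of `__kvm_emulate_msr_write(vcpu, MSR_IA32_XSS, kvm_ghcb_get_xss(ghcb));` is silently discarded. The changelog explains this is deliberate (a rejected value means the guest is already broken), but none of that reasoning reaches the code, and an ignored MSR-write return looks like a missing error path to the next reader. Add a comment above the call, e.g. `/* Ignore failures, KVM can't fix a guest that loads an unsupported XSS. */`, or cast the result to void. The comment should also say why the emulated-write path is used instead of a direct store: the GHCB is guest-controlled, and the validation is what stops a guest from planting arbitrary XSS bits that KVM later uses to size XSTATE for CPUID.0xD.0x1.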
Reply-To: Sean Christopherson
Date: Fri, 12 Sep 2025 16:23:08 -0700
In-Reply-To: <20250912232319.429659-1-seanjc@google.com>
References: <20250912232319.429659-1-seanjc@google.com>
Message-ID: <20250912232319.429659-31-seanjc@google.com>
Subject: [PATCH v15 30/41] KVM: SVM: Enable shadow stack virtualization for SVM
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Maxim Levitsky, Xiaoyao Li, Zhang Yi Z

From: John Allen

Remove the explicit clearing of shadow stack CPU capabilities.

Reviewed-by: Chao Gao
Signed-off-by: John Allen
Signed-off-by: Sean Christopherson
---
 arch/x86/kvm/svm/svm.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
index dc4d34e6af33..f2e96cf72938 100644
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -5264,10 +5264,7 @@ static __init void svm_set_cpu_caps(void)
 	kvm_set_cpu_caps();
 
 	kvm_caps.supported_perf_cap = 0;
-	kvm_caps.supported_xss = 0;
 
-	/* KVM doesn't yet support CET virtualization for SVM. */
-	kvm_cpu_cap_clear(X86_FEATURE_SHSTK);
 	kvm_cpu_cap_clear(X86_FEATURE_IBT);
 
 	/* CPUID 0x80000001 and 0x8000000A (SVM features) */
-- 
2.51.0.384.g4c02a37b29-goog
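Review bot: the one-line changelog ("Remove the explicit clearing of shadow stack CPU capabilities") does not mention that this hunk also deletes `kvm_caps.supported_xss = 0;`, which is the more consequential change: SVM now advertises whatever XSS bits kvm_set_cpu_caps() computed. Spell that out in the commit message, and confirm that the inherited supported_xss stays consistent with the `kvm_cpu_cap_clear(X86_FEATURE_IBT);` this hunk keeps, since both the guest-visible CPUID and the XSS validation added for the GHCB path in the previous patch depend on supported_xss and the feature caps agreeing.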
Reply-To: Sean Christopherson
Date: Fri, 12 Sep 2025 16:23:09 -0700
In-Reply-To: <20250912232319.429659-1-seanjc@google.com>
References: <20250912232319.429659-1-seanjc@google.com>
Message-ID: <20250912232319.429659-32-seanjc@google.com>
Subject: [PATCH v15 31/41] KVM: x86: Add human friendly formatting for #XM, and #VE
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Maxim Levitsky, Xiaoyao Li, Zhang Yi Z

Add XM_VECTOR and VE_VECTOR pretty-printing for trace_kvm_inj_exception().

Signed-off-by: Sean Christopherson
---
 arch/x86/kvm/trace.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kvm/trace.h b/arch/x86/kvm/trace.h
index 57d79fd31df0..06da19b370c5 100644
--- a/arch/x86/kvm/trace.h
+++ b/arch/x86/kvm/trace.h
@@ -461,8 +461,8 @@ TRACE_EVENT(kvm_inj_virq,
 
 #define kvm_trace_sym_exc \
 	EXS(DE), EXS(DB), EXS(BP), EXS(OF), EXS(BR), EXS(UD), EXS(NM), \
-	EXS(DF), EXS(TS), EXS(NP), EXS(SS), EXS(GP), EXS(PF), \
-	EXS(MF), EXS(AC), EXS(MC)
+	EXS(DF), EXS(TS), EXS(NP), EXS(SS), EXS(GP), EXS(PF), EXS(MF), \
+	EXS(AC), EXS(MC), EXS(XM), EXS(VE)
 
 /*
  * Tracepoint for kvm interrupt injection:
-- 
2.51.0.384.g4c02a37b29-goog
Reply-To: Sean Christopherson
Date: Fri, 12 Sep 2025 16:23:10 -0700
In-Reply-To: <20250912232319.429659-1-seanjc@google.com>
References: <20250912232319.429659-1-seanjc@google.com>
Message-ID: <20250912232319.429659-33-seanjc@google.com>
Subject: [PATCH v15 32/41] KVM: x86: Define Control Protection Exception (#CP) vector
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Maxim Levitsky, Xiaoyao Li, Zhang Yi Z

Add a CP_VECTOR definition for CET's Control Protection Exception (#CP),
along with human friendly formatting for trace_kvm_inj_exception().

Signed-off-by: Sean Christopherson
---
 arch/x86/include/uapi/asm/kvm.h | 1 +
 arch/x86/kvm/trace.h            | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/x86/include/uapi/asm/kvm.h b/arch/x86/include/uapi/asm/kvm.h
index 8cc79eca34b2..6faf0dcedf74 100644
--- a/arch/x86/include/uapi/asm/kvm.h
+++ b/arch/x86/include/uapi/asm/kvm.h
@@ -35,6 +35,7 @@
 #define MC_VECTOR 18
 #define XM_VECTOR 19
 #define VE_VECTOR 20
+#define CP_VECTOR 21
 
 /* Select x86 specific features in */
 #define __KVM_HAVE_PIT
diff --git a/arch/x86/kvm/trace.h b/arch/x86/kvm/trace.h
index 06da19b370c5..322913dda626 100644
--- a/arch/x86/kvm/trace.h
+++ b/arch/x86/kvm/trace.h
@@ -462,7 +462,7 @@ TRACE_EVENT(kvm_inj_virq,
 #define kvm_trace_sym_exc \
 	EXS(DE), EXS(DB), EXS(BP), EXS(OF), EXS(BR), EXS(UD), EXS(NM), \
 	EXS(DF), EXS(TS), EXS(NP), EXS(SS), EXS(GP), EXS(PF), EXS(MF), \
-	EXS(AC), EXS(MC), EXS(XM), EXS(VE)
+	EXS(AC), EXS(MC), EXS(XM), EXS(VE), EXS(CP)
 
 /*
  * Tracepoint for kvm interrupt injection:
-- 
2.51.0.384.g4c02a37b29-goog
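Review bot: the kvm.h hunk adds `#define CP_VECTOR 21` to a uapi header, which is fine given the neighbouring vectors already live there, but #CP is an error-code-bearing exception and this patch touches only the define and the trace symbol. Confirm that the series also updates KVM's bookkeeping of which vectors push an error code before anything injects CP_VECTOR; injecting #CP without its error code would hand the guest a malformed exception frame. The trace.h hunk needs no change beyond that.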
Reply-To: Sean Christopherson
Date: Fri, 12 Sep 2025 16:23:11 -0700
In-Reply-To: <20250912232319.429659-1-seanjc@google.com>
References: <20250912232319.429659-1-seanjc@google.com>
Message-ID: <20250912232319.429659-34-seanjc@google.com>
Subject: [PATCH v15 33/41] KVM: x86: Define AMD's #HV, #VC, and #SX exception vectors
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Maxim Levitsky, Xiaoyao Li, Zhang Yi Z

Add {HV,CP,SX}_VECTOR definitions for AMD's Hypervisor Injection Exception,
VMM Communication Exception, and SVM Security Exception vectors, along with
human friendly formatting for trace_kvm_inj_exception().

Note, KVM is all but guaranteed to never observe or inject #SX, and #HV is
also unlikely to go unused. Add the architectural collateral mostly for
completeness, and on the off chance that hardware goes off the rails.

Signed-off-by: Sean Christopherson
---
 arch/x86/include/uapi/asm/kvm.h | 4 ++++
 arch/x86/kvm/trace.h            | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/arch/x86/include/uapi/asm/kvm.h b/arch/x86/include/uapi/asm/kvm.h
index 6faf0dcedf74..2f0386d79f6e 100644
--- a/arch/x86/include/uapi/asm/kvm.h
+++ b/arch/x86/include/uapi/asm/kvm.h
@@ -37,6 +37,10 @@
 #define VE_VECTOR 20
 #define CP_VECTOR 21
 
+#define HV_VECTOR 28
+#define VC_VECTOR 29
+#define SX_VECTOR 30
+
 /* Select x86 specific features in */
 #define __KVM_HAVE_PIT
 #define __KVM_HAVE_IOAPIC
diff --git a/arch/x86/kvm/trace.h b/arch/x86/kvm/trace.h
index 322913dda626..e79bc9cb7162 100644
--- a/arch/x86/kvm/trace.h
+++ b/arch/x86/kvm/trace.h
@@ -462,7 +462,8 @@ TRACE_EVENT(kvm_inj_virq,
 #define kvm_trace_sym_exc \
 	EXS(DE), EXS(DB), EXS(BP), EXS(OF), EXS(BR), EXS(UD), EXS(NM), \
 	EXS(DF), EXS(TS), EXS(NP), EXS(SS), EXS(GP), EXS(PF), EXS(MF), \
-	EXS(AC), EXS(MC), EXS(XM), EXS(VE), EXS(CP)
+	EXS(AC), EXS(MC), EXS(XM), EXS(VE), EXS(CP), \
+	EXS(HV), EXS(VC), EXS(SX)
 
 /*
  * Tracepoint for kvm interrupt injection:
-- 
2.51.0.384.g4c02a37b29-goog
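Review bot: the changelog says `{HV,CP,SX}_VECTOR` but the kvm.h hunk adds HV_VECTOR, VC_VECTOR and SX_VECTOR (CP_VECTOR was added by the preceding patch and appears here only as context), so the changelog should read `{HV,VC,SX}_VECTOR`. The sentence "#HV is also unlikely to go unused" also says the opposite of what the surrounding text means ("never observe or inject #SX", "mostly for completeness"); "unlikely to be used" matches the intent. In the hunk itself the jump from CP_VECTOR 21 to HV_VECTOR 28 is correct (22 through 27 are architecturally reserved) but unexplained; a short comment such as `/* AMD-specific exception vectors */` above the new group would make the gap obviously intentional, and the same error-code bookkeeping question raised for #CP applies to #VC, which also delivers an error code.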
Reply-To: Sean Christopherson
Date: Fri, 12 Sep 2025 16:23:12 -0700
In-Reply-To: <20250912232319.429659-1-seanjc@google.com>
Message-ID: <20250912232319.429659-35-seanjc@google.com>
Subject: [PATCH v15 34/41] KVM: selftests: Add ex_str() to print human friendly name of exception vectors
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Maxim Levitsky, Xiaoyao Li, Zhang Yi Z

Steal exception_mnemonic() from KVM-Unit-Tests as ex_str() (to keep line lengths reasonable) and use it in assert messages that currently print the raw vector number.

Signed-off-by: Sean Christopherson
--- .../selftests/kvm/include/x86/processor.h | 2 ++ .../testing/selftests/kvm/lib/x86/processor.c | 33 +++++++++++++++++++ .../selftests/kvm/x86/hyperv_features.c | 16 ++++----- .../selftests/kvm/x86/vmx_pmu_caps_test.c | 4 +-- .../selftests/kvm/x86/xcr0_cpuid_test.c | 12 +++---- 5 files changed, 51 insertions(+), 16 deletions(-) diff --git a/tools/testing/selftests/kvm/include/x86/processor.h b/tools/te= sting/selftests/kvm/include/x86/processor.h index efcc4b1de523..2ad84f3809e8 100644 --- a/tools/testing/selftests/kvm/include/x86/processor.h
+++ b/tools/testing/selftests/kvm/include/x86/processor.h @@ -34,6 +34,8 @@ extern uint64_t guest_tsc_khz; =20 #define NMI_VECTOR 0x02 =20 +const char *ex_str(int vector); + #define X86_EFLAGS_FIXED (1u << 1) =20 #define X86_CR4_VME (1ul << 0) diff --git a/tools/testing/selftests/kvm/lib/x86/processor.c b/tools/testin= g/selftests/kvm/lib/x86/processor.c index 3b63c99f7b96..f9182dbd07f2 100644 --- a/tools/testing/selftests/kvm/lib/x86/processor.c +++ b/tools/testing/selftests/kvm/lib/x86/processor.c @@ -23,6 +23,39 @@ bool host_cpu_is_intel; bool is_forced_emulation_enabled; uint64_t guest_tsc_khz; =20 +const char *ex_str(int vector) +{ + switch (vector) { +#define VEC_STR(v) case v##_VECTOR: return "#" #v + case DE_VECTOR: return "no exception"; + case KVM_MAGIC_DE_VECTOR: return "#DE"; + VEC_STR(DB); + VEC_STR(NMI); + VEC_STR(BP); + VEC_STR(OF); + VEC_STR(BR); + VEC_STR(UD); + VEC_STR(NM); + VEC_STR(DF); + VEC_STR(TS); + VEC_STR(NP); + VEC_STR(SS); + VEC_STR(GP); + VEC_STR(PF); + VEC_STR(MF); + VEC_STR(AC); + VEC_STR(MC); + VEC_STR(XM); + VEC_STR(VE); + VEC_STR(CP); + VEC_STR(HV); + VEC_STR(VC); + VEC_STR(SX); + default: return "#??"; +#undef VEC_STR + } +} + static void regs_dump(FILE *stream, struct kvm_regs *regs, uint8_t indent) { fprintf(stream, "%*srax: 0x%.16llx rbx: 0x%.16llx " diff --git a/tools/testing/selftests/kvm/x86/hyperv_features.c b/tools/test= ing/selftests/kvm/x86/hyperv_features.c index 068e9c69710d..99d327084172 100644 --- a/tools/testing/selftests/kvm/x86/hyperv_features.c +++ b/tools/testing/selftests/kvm/x86/hyperv_features.c 
@@ -54,12 +54,12 @@ static void guest_msr(struct msr_data *msr) =20 if (msr->fault_expected) __GUEST_ASSERT(vector =3D=3D GP_VECTOR, - "Expected #GP on %sMSR(0x%x), got vector '0x%x'", - msr->write ? "WR" : "RD", msr->idx, vector); + "Expected #GP on %sMSR(0x%x), got %s", + msr->write ? "WR" : "RD", msr->idx, ex_str(vector)); else __GUEST_ASSERT(!vector, - "Expected success on %sMSR(0x%x), got vector '0x%x'", - msr->write ? "WR" : "RD", msr->idx, vector); + "Expected success on %sMSR(0x%x), got %s", + msr->write ? "WR" : "RD", msr->idx, ex_str(vector)); =20 if (vector || is_write_only_msr(msr->idx)) goto done; @@ -102,12 +102,12 @@ static void guest_hcall(vm_vaddr_t pgs_gpa, struct hc= all_data *hcall) vector =3D __hyperv_hypercall(hcall->control, input, output, &res); if (hcall->ud_expected) { __GUEST_ASSERT(vector =3D=3D UD_VECTOR, - "Expected #UD for control '%lu', got vector '0x%x'", - hcall->control, vector); + "Expected #UD for control '%lu', got %s", + hcall->control, ex_str(vector)); } else { __GUEST_ASSERT(!vector, - "Expected no exception for control '%lu', got vector '0x%x'", - hcall->control, vector); + "Expected no exception for control '%lu', got %s", + hcall->control, ex_str(vector)); GUEST_ASSERT_EQ(res, hcall->expect); } =20 diff --git a/tools/testing/selftests/kvm/x86/vmx_pmu_caps_test.c b/tools/te= sting/selftests/kvm/x86/vmx_pmu_caps_test.c index a1f5ff45d518..7d37f0cd4eb9 100644 --- a/tools/testing/selftests/kvm/x86/vmx_pmu_caps_test.c +++ b/tools/testing/selftests/kvm/x86/vmx_pmu_caps_test.c @@ -56,8 +56,8 @@ static void guest_test_perf_capabilities_gp(uint64_t val) uint8_t vector =3D wrmsr_safe(MSR_IA32_PERF_CAPABILITIES, val); =20 __GUEST_ASSERT(vector =3D=3D GP_VECTOR, - "Expected #GP for value '0x%lx', got vector '0x%x'", - val, vector); + "Expected #GP for value '0x%lx', got %s", + val, ex_str(vector)); } =20 static void guest_code(uint64_t current_val) 
diff --git a/tools/testing/selftests/kvm/x86/xcr0_cpuid_test.c b/tools/test= ing/selftests/kvm/x86/xcr0_cpuid_test.c index c8a5c5e51661..d038c1571729 100644 --- a/tools/testing/selftests/kvm/x86/xcr0_cpuid_test.c +++ b/tools/testing/selftests/kvm/x86/xcr0_cpuid_test.c @@ -81,13 +81,13 @@ static void guest_code(void) =20 vector =3D xsetbv_safe(0, XFEATURE_MASK_FP); __GUEST_ASSERT(!vector, - "Expected success on XSETBV(FP), got vector '0x%x'", - vector); + "Expected success on XSETBV(FP), got %s", + ex_str(vector)); =20 vector =3D xsetbv_safe(0, supported_xcr0); __GUEST_ASSERT(!vector, - "Expected success on XSETBV(0x%lx), got vector '0x%x'", - supported_xcr0, vector); + "Expected success on XSETBV(0x%lx), got %s", + supported_xcr0, ex_str(vector)); =20 for (i =3D 0; i < 64; i++) { if (supported_xcr0 & BIT_ULL(i)) 
@@ -95,8 +95,8 @@ static void guest_code(void) =20 vector =3D xsetbv_safe(0, supported_xcr0 | BIT_ULL(i)); __GUEST_ASSERT(vector =3D=3D GP_VECTOR, - "Expected #GP on XSETBV(0x%llx), supported XCR0 =3D %lx, got vec= tor '0x%x'", - BIT_ULL(i), supported_xcr0, vector); + "Expected #GP on XSETBV(0x%llx), supported XCR0 =3D %lx, got %s", + BIT_ULL(i), supported_xcr0, ex_str(vector)); } =20 GUEST_DONE(); --=20 2.51.0.384.g4c02a37b29-goog
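Review bot: in the processor.c hunk, ex_str() maps DE_VECTOR to "no exception" and KVM_MAGIC_DE_VECTOR to "#DE"; that matches the selftests' convention that a returned vector of 0 means the instruction did not fault (every `__GUEST_ASSERT(!vector, ...)` caller in the other hunks relies on it), but without a comment the two cases read like a bug, so a one-line comment on them is warranted. Minor style point: the `#define VEC_STR(v)` / `#undef VEC_STR` pair sits inside the switch body, with the undef placed after `default:`; hoisting the define above the function and the undef after it keeps the switch readable.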
Reply-To: Sean Christopherson
Date: Fri, 12 Sep 2025 16:23:13 -0700
In-Reply-To: <20250912232319.429659-1-seanjc@google.com>
Message-ID: <20250912232319.429659-36-seanjc@google.com>
Subject: [PATCH v15 35/41] KVM: selftests: Add an MSR test to exercise guest/host and read/write
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Maxim Levitsky, Xiaoyao Li, Zhang Yi Z

Add a selftest to verify reads and writes to various MSRs, from both the guest and host, and expect success/failure based on whether or not the vCPU supports the MSR according to supported CPUID.

Note, this test is extremely similar to KVM-Unit-Test's "msr" test, but provides more coverage with respect to host accesses, and will be extended to provide additional testing of CPUID-based features, save/restore lists, and KVM_{G,S}ET_ONE_REG, all of which are extremely difficult to validate in KUT.

Signed-off-by: Sean Christopherson
--- tools/testing/selftests/kvm/Makefile.kvm | 1 + tools/testing/selftests/kvm/x86/msrs_test.c | 267 ++++++++++++++++++++ 2 files changed, 268 insertions(+) create mode 100644 tools/testing/selftests/kvm/x86/msrs_test.c
diff --git a/tools/testing/selftests/kvm/Makefile.kvm b/tools/testing/selft= ests/kvm/Makefile.kvm index 66c82f51837b..1d1b77dabb36 100644 --- a/tools/testing/selftests/kvm/Makefile.kvm +++ b/tools/testing/selftests/kvm/Makefile.kvm @@ -87,6 +87,7 @@ TEST_GEN_PROGS_x86 +=3D x86/kvm_clock_test TEST_GEN_PROGS_x86 +=3D x86/kvm_pv_test TEST_GEN_PROGS_x86 +=3D x86/kvm_buslock_test TEST_GEN_PROGS_x86 +=3D x86/monitor_mwait_test +TEST_GEN_PROGS_x86 +=3D x86/msrs_test TEST_GEN_PROGS_x86 +=3D x86/nested_emulation_test TEST_GEN_PROGS_x86 +=3D x86/nested_exceptions_test TEST_GEN_PROGS_x86 +=3D x86/platform_info_test diff --git a/tools/testing/selftests/kvm/x86/msrs_test.c b/tools/testing/se= lftests/kvm/x86/msrs_test.c new file mode 100644 index 000000000000..dcb429cf1440 --- /dev/null +++ b/tools/testing/selftests/kvm/x86/msrs_test.c 
@@ -0,0 +1,267 @@ +// SPDX-License-Identifier: GPL-2.0-only +#include + +#include + +#include "kvm_util.h" +#include "processor.h" + +/* Use HYPERVISOR for MSRs that are emulated unconditionally (as is HYPERV= ISOR). */ +#define X86_FEATURE_NONE X86_FEATURE_HYPERVISOR + +struct kvm_msr { + const struct kvm_x86_cpu_feature feature; + const char *name; + const u64 reset_val; + const u64 write_val; + const u64 rsvd_val; + const u32 index; +}; + +#define __MSR_TEST(msr, str, val, rsvd, reset, feat) \ +{ \ + .index =3D msr, \ + .name =3D str, \ + .write_val =3D val, \ + .rsvd_val =3D rsvd, \ + .reset_val =3D reset, \ + .feature =3D X86_FEATURE_ ##feat, \ +} + +#define MSR_TEST_NON_ZERO(msr, val, rsvd, reset, feat) \ + __MSR_TEST(msr, #msr, val, rsvd, reset, feat) + +#define MSR_TEST(msr, val, rsvd, feat) \ + __MSR_TEST(msr, #msr, val, rsvd, 0, feat) + +/* + * Note, use a page aligned value for the canonical value so that the value + * is compatible with MSRs that use bits 11:0 for things other than addres= ses. + */ +static const u64 canonical_val =3D 0x123456789000ull; + +#define MSR_TEST_CANONICAL(msr, feat) \ + __MSR_TEST(msr, #msr, canonical_val, NONCANONICAL, 0, feat) + +/* + * The main struct must be scoped to a function due to the use of structur= es to + * define features. For the global structure, allocate enough space for t= he + * foreseeable future without getting too ridiculous, to minimize maintena= nce + * costs (bumping the array size every time an MSR is added is really anno= ying). + */ +static struct kvm_msr msrs[128]; +static int idx; + +static u64 fixup_rdmsr_val(u32 msr, u64 want) +{ + /* AMD CPUs drop bits 63:32, and KVM is supposed to emulate that. 
*/ + if (host_cpu_is_amd && + (msr =3D=3D MSR_IA32_SYSENTER_ESP || msr =3D=3D MSR_IA32_SYSENTER_EIP= )) + want &=3D GENMASK_ULL(31, 0); + + return want; +} + +static void __rdmsr(u32 msr, u64 want) +{ + u64 val; + u8 vec; + + vec =3D rdmsr_safe(msr, &val); + __GUEST_ASSERT(!vec, "Unexpected %s on RDMSR(0x%x)", ex_str(vec), msr); + + __GUEST_ASSERT(val =3D=3D want, "Wanted 0x%lx from RDMSR(0x%x), got 0x%lx= ", + want, msr, val); +} + +static void __wrmsr(u32 msr, u64 val) +{ + u8 vec; + + vec =3D wrmsr_safe(msr, val); + __GUEST_ASSERT(!vec, "Unexpected %s on WRMSR(0x%x, 0x%lx)", + ex_str(vec), msr, val); + __rdmsr(msr, fixup_rdmsr_val(msr, val)); +} + +static void guest_test_supported_msr(const struct kvm_msr *msr) +{ + __rdmsr(msr->index, msr->reset_val); + __wrmsr(msr->index, msr->write_val); + GUEST_SYNC(fixup_rdmsr_val(msr->index, msr->write_val)); + + __rdmsr(msr->index, msr->reset_val); +} + +static void guest_test_unsupported_msr(const struct kvm_msr *msr) +{ + u64 val; + u8 vec; + + vec =3D rdmsr_safe(msr->index, &val); + __GUEST_ASSERT(vec =3D=3D GP_VECTOR, "Wanted #GP on RDMSR(0x%x), got %s", + msr->index, ex_str(vec)); + + vec =3D wrmsr_safe(msr->index, msr->write_val); + __GUEST_ASSERT(vec =3D=3D GP_VECTOR, "Wanted #GP on WRMSR(0x%x, 0x%lx), g= ot %s", + msr->index, msr->write_val, ex_str(vec)); + + GUEST_SYNC(0); +} + +static void guest_main(void) +{ + for (;;) { + const struct kvm_msr *msr =3D &msrs[READ_ONCE(idx)]; + + if (this_cpu_has(msr->feature)) + guest_test_supported_msr(msr); + else + guest_test_unsupported_msr(msr); + + /* + * Skipped the "reserved" value check if the CPU will truncate + * the written value (e.g. SYSENTER on AMD), in which case the + * upper value is simply ignored. 
+ */ + if (msr->rsvd_val && + msr->rsvd_val =3D=3D fixup_rdmsr_val(msr->index, msr->rsvd_val)) { + u8 vec =3D wrmsr_safe(msr->index, msr->rsvd_val); + + __GUEST_ASSERT(vec =3D=3D GP_VECTOR, + "Wanted #GP on WRMSR(0x%x, 0x%lx), got %s", + msr->index, msr->rsvd_val, ex_str(vec)); + } + + GUEST_SYNC(msr->reset_val); + } +} + +static void host_test_msr(struct kvm_vcpu *vcpu, u64 guest_val) +{ + u64 reset_val =3D msrs[idx].reset_val; + u32 msr =3D msrs[idx].index; + u64 val; + + if (!kvm_cpu_has(msrs[idx].feature)) + return; + + val =3D vcpu_get_msr(vcpu, msr); + TEST_ASSERT(val =3D=3D guest_val, "Wanted 0x%lx from get_msr(0x%x), got 0= x%lx", + guest_val, msr, val); + + vcpu_set_msr(vcpu, msr, reset_val); + + val =3D vcpu_get_msr(vcpu, msr); + TEST_ASSERT(val =3D=3D reset_val, "Wanted 0x%lx from get_msr(0x%x), got 0= x%lx", + reset_val, msr, val); +} + +static void do_vcpu_run(struct kvm_vcpu *vcpu) +{ + struct ucall uc; + + for (;;) { + vcpu_run(vcpu); + + switch (get_ucall(vcpu, &uc)) { + case UCALL_SYNC: + host_test_msr(vcpu, uc.args[1]); + return; + case UCALL_PRINTF: + pr_info("%s", uc.buffer); + break; + case UCALL_ABORT: + REPORT_GUEST_ASSERT(uc); + case UCALL_DONE: + TEST_FAIL("Unexpected UCALL_DONE"); + default: + TEST_FAIL("Unexpected ucall: %lu", uc.cmd); + } + } +} + +static void __vcpus_run(struct kvm_vcpu **vcpus, const int NR_VCPUS) +{ + int i; + + for (i =3D 0; i < NR_VCPUS; i++) + do_vcpu_run(vcpus[i]); +} + +static void vcpus_run(struct kvm_vcpu **vcpus, const int NR_VCPUS) +{ + __vcpus_run(vcpus, NR_VCPUS); + __vcpus_run(vcpus, NR_VCPUS); +} + +#define MISC_ENABLES_RESET_VAL (MSR_IA32_MISC_ENABLE_PEBS_UNAVAIL | MSR_IA= 32_MISC_ENABLE_BTS_UNAVAIL) + +static void test_msrs(void) +{ + const struct kvm_msr __msrs[] =3D { + MSR_TEST_NON_ZERO(MSR_IA32_MISC_ENABLE, + MISC_ENABLES_RESET_VAL | MSR_IA32_MISC_ENABLE_FAST_STRING, + MSR_IA32_MISC_ENABLE_FAST_STRING, MISC_ENABLES_RESET_VAL, NONE), + MSR_TEST_NON_ZERO(MSR_IA32_CR_PAT, 0x07070707, 0, 
0x7040600070406, NONE), + + MSR_TEST(MSR_IA32_SYSENTER_CS, 0x1234, 0, NONE), + /* + * SYSENTER_{ESP,EIP} are technically non-canonical on Intel, + * but KVM doesn't emulate that behavior on emulated writes, + * i.e. this test will observe different behavior if the MSR + * writes are handed by hardware vs. KVM. KVM's behavior is + * intended (though far from ideal), so don't bother testing + * non-canonical values. + */ + MSR_TEST(MSR_IA32_SYSENTER_ESP, canonical_val, 0, NONE), + MSR_TEST(MSR_IA32_SYSENTER_EIP, canonical_val, 0, NONE), + + MSR_TEST_CANONICAL(MSR_FS_BASE, LM), + MSR_TEST_CANONICAL(MSR_GS_BASE, LM), + MSR_TEST_CANONICAL(MSR_KERNEL_GS_BASE, LM), + MSR_TEST_CANONICAL(MSR_LSTAR, LM), + MSR_TEST_CANONICAL(MSR_CSTAR, LM), + MSR_TEST(MSR_SYSCALL_MASK, 0xffffffff, 0, LM), + + MSR_TEST_CANONICAL(MSR_IA32_PL0_SSP, SHSTK), + MSR_TEST(MSR_IA32_PL0_SSP, canonical_val, canonical_val | 1, SHSTK), + MSR_TEST_CANONICAL(MSR_IA32_PL1_SSP, SHSTK), + MSR_TEST(MSR_IA32_PL1_SSP, canonical_val, canonical_val | 1, SHSTK), + MSR_TEST_CANONICAL(MSR_IA32_PL2_SSP, SHSTK), + MSR_TEST(MSR_IA32_PL2_SSP, canonical_val, canonical_val | 1, SHSTK), + MSR_TEST_CANONICAL(MSR_IA32_PL3_SSP, SHSTK), + MSR_TEST(MSR_IA32_PL3_SSP, canonical_val, canonical_val | 1, SHSTK), + }; + + /* + * Create two vCPUs, but run them on the same task, to validate KVM's + * context switching of MSR state. Don't pin the task to a pCPU to + * also validate KVM's handling of cross-pCPU migration. 
+ */ + const int NR_VCPUS =3D 2; + struct kvm_vcpu *vcpus[NR_VCPUS]; + struct kvm_vm *vm; + + kvm_static_assert(sizeof(__msrs) <=3D sizeof(msrs)); + kvm_static_assert(ARRAY_SIZE(__msrs) <=3D ARRAY_SIZE(msrs)); + memcpy(msrs, __msrs, sizeof(__msrs)); + + vm =3D vm_create_with_vcpus(NR_VCPUS, guest_main, vcpus); + + sync_global_to_guest(vm, msrs); + + for (idx =3D 0; idx < ARRAY_SIZE(__msrs); idx++) { + sync_global_to_guest(vm, idx); + + vcpus_run(vcpus, NR_VCPUS); + vcpus_run(vcpus, NR_VCPUS); + } + + kvm_vm_free(vm); +} + +int main(void) +{ + test_msrs(); +} --=20 2.51.0.384.g4c02a37b29-goog
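Review bot: in the msrs_test.c hunk, test_msrs() calls vcpus_run() twice per idx and vcpus_run() itself calls __vcpus_run() twice, while one pass of the guest_main() loop performs exactly two GUEST_SYNCs (one from guest_test_{supported,unsupported}_msr(), one at the end with msr->reset_val) and do_vcpu_run() returns after each UCALL_SYNC; the inner doubling therefore interleaves the two vCPUs mid-test, which the comment above NR_VCPUS justifies, but the outer doubling makes every vCPU run the whole test for the same MSR a second time. If that repeat is intentional (e.g. re-testing after the host has written reset_val back), a comment in test_msrs() should say so; otherwise one of the two calls is redundant. Also, `case UCALL_ABORT: REPORT_GUEST_ASSERT(uc);` falls into the UCALL_DONE case with no fallthrough annotation, which is only correct if REPORT_GUEST_ASSERT() never returns; and the guest_main() comment should read "Skip the "reserved" value check" rather than "Skipped".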
Reply-To: Sean Christopherson
Date: Fri, 12 Sep 2025 16:23:14 -0700
In-Reply-To: <20250912232319.429659-1-seanjc@google.com>
Message-ID: <20250912232319.429659-37-seanjc@google.com>
Subject: [PATCH v15 36/41] KVM: selftests: Add support for MSR_IA32_{S,U}_CET to MSRs test
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Maxim Levitsky, Xiaoyao Li, Zhang Yi Z

Extend the MSRs test to support {S,U}_CET, which are a bit of a pain to handle due to the MSRs existing if IBT *or* SHSTK is supported. To deal with Intel's wonderful decision to bundle IBT and SHSTK under CET, track the "second" feature and skip RDMSR #GP tests to avoid false failures when running on a CPU with only one of IBT or SHSTK.

Signed-off-by: Sean Christopherson
--- tools/testing/selftests/kvm/x86/msrs_test.c | 22 ++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/tools/testing/selftests/kvm/x86/msrs_test.c b/tools/testing/se= lftests/kvm/x86/msrs_test.c index dcb429cf1440..095d49d07235 100644
--- a/tools/testing/selftests/kvm/x86/msrs_test.c +++ b/tools/testing/selftests/kvm/x86/msrs_test.c @@ -11,6 +11,7 @@ =20 struct kvm_msr { const struct kvm_x86_cpu_feature feature; + const struct kvm_x86_cpu_feature feature2; const char *name; const u64 reset_val; const u64 write_val; @@ -18,7 +19,7 @@ struct kvm_msr { const u32 index; }; =20 -#define __MSR_TEST(msr, str, val, rsvd, reset, feat) \ +#define ____MSR_TEST(msr, str, val, rsvd, reset, feat, f2) \ { \ .index =3D msr, \ .name =3D str, \ @@ -26,14 +27,21 @@ struct kvm_msr { .rsvd_val =3D rsvd, \ .reset_val =3D reset, \ .feature =3D X86_FEATURE_ ##feat, \ + .feature2 =3D X86_FEATURE_ ##f2, \ } =20 +#define __MSR_TEST(msr, str, val, rsvd, reset, feat) \ + ____MSR_TEST(msr, str, val, rsvd, reset, feat, feat) + #define MSR_TEST_NON_ZERO(msr, val, rsvd, reset, feat) \ __MSR_TEST(msr, #msr, val, rsvd, reset, feat) =20 #define MSR_TEST(msr, val, rsvd, feat) \ __MSR_TEST(msr, #msr, val, rsvd, 0, feat) =20 +#define MSR_TEST2(msr, val, rsvd, feat, f2) \ + ____MSR_TEST(msr, #msr, val, rsvd, 0, feat, f2) + /* * Note, use a page aligned value for the canonical value so that the value * is compatible with MSRs that use bits 11:0 for things other than addres= ses. @@ -98,10 +106,18 @@ static void guest_test_unsupported_msr(const struct kv= m_msr *msr) u64 val; u8 vec; =20 + /* + * Skip the RDMSR #GP test if the secondary feature is supported, as + * only the to-be-written value depends on the primary feature. + */ + if (this_cpu_has(msr->feature2)) + goto skip_rdmsr_gp; + vec =3D rdmsr_safe(msr->index, &val); __GUEST_ASSERT(vec =3D=3D GP_VECTOR, "Wanted #GP on RDMSR(0x%x), got %s", msr->index, ex_str(vec)); =20 +skip_rdmsr_gp: vec =3D wrmsr_safe(msr->index, msr->write_val); __GUEST_ASSERT(vec =3D=3D GP_VECTOR, "Wanted #GP on WRMSR(0x%x, 0x%lx), g= ot %s", msr->index, msr->write_val, ex_str(vec)); 
@@ -224,6 +240,10 @@ static void test_msrs(void) MSR_TEST_CANONICAL(MSR_CSTAR, LM), MSR_TEST(MSR_SYSCALL_MASK, 0xffffffff, 0, LM), =20 + MSR_TEST2(MSR_IA32_S_CET, CET_SHSTK_EN, CET_RESERVED, SHSTK, IBT), + MSR_TEST2(MSR_IA32_S_CET, CET_ENDBR_EN, CET_RESERVED, IBT, SHSTK), + MSR_TEST2(MSR_IA32_U_CET, CET_SHSTK_EN, CET_RESERVED, SHSTK, IBT), + MSR_TEST2(MSR_IA32_U_CET, CET_ENDBR_EN, CET_RESERVED, IBT, SHSTK), MSR_TEST_CANONICAL(MSR_IA32_PL0_SSP, SHSTK), MSR_TEST(MSR_IA32_PL0_SSP, canonical_val, canonical_val | 1, SHSTK), MSR_TEST_CANONICAL(MSR_IA32_PL1_SSP, SHSTK), --=20 2.51.0.384.g4c02a37b29-goog
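Review bot: the new `feature2` field added to struct kvm_msr in the first hunk has no comment, and its meaning is only recoverable from the guest_test_unsupported_msr() hunk (the MSR is expected to exist, so RDMSR must not #GP, when either feature or feature2 is present, while WRMSR of msr->write_val must still #GP when the primary feature is missing); document that on the field, and state that __MSR_TEST() deliberately passes feat as f2 so the check is a no-op for single-feature entries. The `goto skip_rdmsr_gp` can be avoided by wrapping the RDMSR assert in `if (!this_cpu_has(msr->feature2)) { ... }`, which reads more naturally for a two-statement skip. Separately, host_test_msr() is untouched and still gates on kvm_cpu_has(msrs[idx].feature) alone, so for an S_CET/U_CET entry whose primary feature is unsupported but whose feature2 is supported the host-side get/set checks are skipped even though the MSR exists; if that is intended, the changelog should say so.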
Reply-To: Sean Christopherson
Date: Fri, 12 Sep 2025 16:23:15 -0700
In-Reply-To: <20250912232319.429659-1-seanjc@google.com>
Message-ID: <20250912232319.429659-38-seanjc@google.com>
Subject: [PATCH v15 37/41] KVM: selftests: Extend MSRs test to validate vCPUs without supported features
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Maxim Levitsky, Xiaoyao Li, Zhang Yi Z

Add a third vCPU to the MSRs test that runs with all features disabled in the vCPU's CPUID model, to verify that KVM does the right thing with respect to emulating accesses to MSRs that shouldn't exist. Use the same VM to verify that KVM is honoring the vCPU model, e.g. isn't looking at per-VM state when emulating MSR accesses.

Signed-off-by: Sean Christopherson
---
tools/testing/selftests/kvm/x86/msrs_test.c | 28 ++++++++++++++++++---
1 file changed, 25 insertions(+), 3 deletions(-)

diff --git a/tools/testing/selftests/kvm/x86/msrs_test.c b/tools/testing/selftests/kvm/x86/msrs_test.c
index 095d49d07235..98892467438c 100644
--- a/tools/testing/selftests/kvm/x86/msrs_test.c +++ b/tools/testing/selftests/kvm/x86/msrs_test.c @@ -254,12 +254,17 @@ static void test_msrs(void) MSR_TEST(MSR_IA32_PL3_SSP, canonical_val, canonical_val | 1, SHSTK), }; =20 + const struct kvm_x86_cpu_feature feat_none =3D X86_FEATURE_NONE; + const struct kvm_x86_cpu_feature feat_lm =3D X86_FEATURE_LM; + /* - * Create two vCPUs, but run them on the same task, to validate KVM's + * Create three vCPUs, but run them on the same task, to validate KVM's * context switching of MSR state. Don't pin the task to a pCPU to - * also validate KVM's handling of cross-pCPU migration. + * also validate KVM's handling of cross-pCPU migration. Use the full + * set of features for the first two vCPUs, but clear all features in + * third vCPU in order to test both positive and negative paths. */ - const int NR_VCPUS =3D 2; + const int NR_VCPUS =3D 3; struct kvm_vcpu *vcpus[NR_VCPUS]; struct kvm_vm *vm; =20 
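Review bot: the rewritten comment says the third vCPU has "all features" cleared, but the loop that does the clearing in the next hunk deliberately keeps LM and NONE; say "all feature bits except LM and NONE" here so the two comments agree and a reader does not go looking for why MSR_CSTAR and friends still exist on vcpus[2]. The two `const struct kvm_x86_cpu_feature` locals exist only to feed memcmp() in that loop, so a one-word comment on why they are not compared with `==` (the struct is not directly comparable) would also help.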
@@ -271,6 +276,23 @@ static void test_msrs(void) =20 sync_global_to_guest(vm, msrs); =20 + /* + * Clear features in the "unsupported features" vCPU. This needs to be + * done before the first vCPU run as KVM's ABI is that guest CPUID is + * immutable once the vCPU has been run. + */ + for (idx =3D 0; idx < ARRAY_SIZE(__msrs); idx++) { + /* + * Don't clear LM; selftests are 64-bit only, and KVM doesn't + * honor LM=3D0 for MSRs that are supposed to exist if and only + * if the vCPU is a 64-bit model. Ditto for NONE; clearing a + * fake feature flag will result in false failures. + */ + if (memcmp(&msrs[idx].feature, &feat_lm, sizeof(feat_lm)) && + memcmp(&msrs[idx].feature, &feat_none, sizeof(feat_none))) + vcpu_clear_cpuid_feature(vcpus[2], msrs[idx].feature); + } + for (idx =3D 0; idx < ARRAY_SIZE(__msrs); idx++) { sync_global_to_guest(vm, idx); =20
-- 
2.51.0.384.g4c02a37b29-goog
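Review bot: the memcmp() calls compare whole `struct kvm_x86_cpu_feature` objects, padding included, so the LM/NONE exclusion is only correct as long as every value on both sides (`msrs[idx].feature` and the two locals initialised from X86_FEATURE_LM / X86_FEATURE_NONE) is built the same way with identical padding bytes; a small field-wise comparison helper would make the intent explicit and survive a layout change to the struct. Second, the loop clears only `.feature`; the table's `.feature2` values are left alone, and the MSR ends up unsupported on vcpus[2] only because every feature used as `.feature2` (SHSTK, IBT) also appears as some other row's `.feature`. Clearing `.feature2` as well, under the same LM/NONE exclusion, removes that hidden dependency on the table's contents.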
Reply-To: Sean Christopherson
Date: Fri, 12 Sep 2025 16:23:16 -0700
In-Reply-To: <20250912232319.429659-1-seanjc@google.com>
Message-ID: <20250912232319.429659-39-seanjc@google.com>
Subject: [PATCH v15 38/41] KVM: selftests: Add KVM_{G,S}ET_ONE_REG coverage to MSRs test
From: Sean Christopherson To: Paolo Bonzini , Sean Christopherson Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky , Mathias Krause , John Allen , Rick Edgecombe , Chao Gao , Maxim Levitsky , Xiaoyao Li , Zhang Yi Z Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" When KVM_{G,S}ET_ONE_REG are supported, verify that MSRs can be accessed via ONE_REG and through the dedicated MSR ioctls. For simplicity, run the test twice, e.g. instead of trying to get MSR values into the exact right state when switching write methods. Signed-off-by: Sean Christopherson --- tools/testing/selftests/kvm/x86/msrs_test.c | 22 ++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/tools/testing/selftests/kvm/x86/msrs_test.c b/tools/testing/se= lftests/kvm/x86/msrs_test.c index 98892467438c..53e155ba15d4 100644 --- a/tools/testing/selftests/kvm/x86/msrs_test.c +++ b/tools/testing/selftests/kvm/x86/msrs_test.c @@ -153,6 +153,9 @@ static void guest_main(void) } } =20 +static bool has_one_reg; +static bool use_one_reg; + static void host_test_msr(struct kvm_vcpu *vcpu, u64 guest_val) { u64 reset_val =3D msrs[idx].reset_val; @@ -166,11 +169,21 @@ static void host_test_msr(struct kvm_vcpu *vcpu, u64 = guest_val) TEST_ASSERT(val =3D=3D guest_val, "Wanted 0x%lx from get_msr(0x%x), got 0= x%lx", guest_val, msr, val); =20 - vcpu_set_msr(vcpu, msr, reset_val); + if (use_one_reg) + vcpu_set_reg(vcpu, KVM_X86_REG_MSR(msr), reset_val); + else + vcpu_set_msr(vcpu, msr, reset_val); =20 val =3D vcpu_get_msr(vcpu, msr); TEST_ASSERT(val =3D=3D reset_val, "Wanted 0x%lx from get_msr(0x%x), got 0= x%lx", reset_val, msr, val); + + if (!has_one_reg) + return; + + val =3D vcpu_get_reg(vcpu, KVM_X86_REG_MSR(msr)); + TEST_ASSERT(val =3D=3D reset_val, "Wanted 0x%lx from get_reg(0x%x), got 0= x%lx", + reset_val, msr, val); } =20 static void do_vcpu_run(struct kvm_vcpu *vcpu) 
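Review bot: in the `use_one_reg` pass the only value that ever travels through KVM_SET_ONE_REG is `reset_val`; `guest_val` still arrives via the guest's WRMSR and is only read back with vcpu_get_msr(). A set_reg() that drops or sign-extends bits would therefore go unnoticed as long as it can restore the (often zero) reset value. Consider also doing `vcpu_set_reg(vcpu, KVM_X86_REG_MSR(msr), msrs[idx].write_val)` followed by a vcpu_get_msr() check before the reset when `use_one_reg` is set, so the ONE_REG write path is exercised with a non-trivial value.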
@@ -305,5 +318,12 @@ static void test_msrs(void) =20 int main(void) { + has_one_reg =3D kvm_has_cap(KVM_CAP_ONE_REG); + test_msrs(); + + if (has_one_reg) { + use_one_reg =3D true; + test_msrs(); + } }
-- 
2.51.0.384.g4c02a37b29-goog
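Review bot: test_msrs() now runs twice, but none of the TEST_ASSERT messages in host_test_msr() include `use_one_reg`, so a failure on the ONE_REG pass is indistinguishable from the same failure on the plain-ioctl pass in the log. Either print a one-line banner before each test_msrs() call or add the write method to the assertion strings (e.g. "... via %s", use_one_reg ? "ONE_REG" : "SET_MSR") so a reporter can say which path broke.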
Reply-To: Sean Christopherson
Date: Fri, 12 Sep 2025 16:23:17 -0700
In-Reply-To: <20250912232319.429659-1-seanjc@google.com>
Message-ID: <20250912232319.429659-40-seanjc@google.com>
Subject: [PATCH v15 39/41] KVM: selftests: Add coverage for KVM-defined registers in MSRs test
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Maxim Levitsky, Xiaoyao Li, Zhang Yi Z

Add test coverage for the KVM-defined GUEST_SSP "register" in the MSRs test. While _KVM's_ goal is to not tie the uAPI of KVM-defined registers to any particular internal implementation, i.e. to not commit in uAPI to handling GUEST_SSP as an MSR, treating GUEST_SSP as an MSR for testing purposes is a-ok and is a natural fit given the semantics of SSP.

Signed-off-by: Sean Christopherson
---
tools/testing/selftests/kvm/x86/msrs_test.c | 97 ++++++++++++++++++++-
1 file changed, 94 insertions(+), 3 deletions(-)

diff --git a/tools/testing/selftests/kvm/x86/msrs_test.c b/tools/testing/selftests/kvm/x86/msrs_test.c
index 53e155ba15d4..6a956cfe0c65 100644
--- a/tools/testing/selftests/kvm/x86/msrs_test.c
+++ b/tools/testing/selftests/kvm/x86/msrs_test.c
@@ -17,9 +17,10 @@ struct kvm_msr { const u64 write_val; const u64 rsvd_val; const u32 index; + const bool is_kvm_defined; }; =20 -#define ____MSR_TEST(msr, str, val, rsvd, reset, feat, f2) \ +#define ____MSR_TEST(msr, str, val, rsvd, reset, feat, f2, is_kvm) \ { \ .index =3D msr, \ .name =3D str, \ @@ -28,10 +29,11 @@ struct kvm_msr { .reset_val =3D reset, \ .feature =3D X86_FEATURE_ ##feat, \ .feature2 =3D X86_FEATURE_ ##f2, \ + .is_kvm_defined =3D is_kvm, \ } =20 #define __MSR_TEST(msr, str, val, rsvd, reset, feat) \ - ____MSR_TEST(msr, str, val, rsvd, reset, feat, feat) + ____MSR_TEST(msr, str, val, rsvd, reset, feat, feat, false) =20 #define MSR_TEST_NON_ZERO(msr, val, rsvd, reset, feat) \ __MSR_TEST(msr, #msr, val, rsvd, reset, feat) @@ -40,7 +42,7 @@ struct kvm_msr { __MSR_TEST(msr, #msr, val, rsvd, 0, feat) =20 #define MSR_TEST2(msr, val, rsvd, feat, f2) \ - ____MSR_TEST(msr, #msr, val, rsvd, 0, feat, f2) + ____MSR_TEST(msr, #msr, val, rsvd, 0, feat, f2, false) =20 /* * Note, use a page aligned value for the canonical value so that the value @@ -51,6 +53,9 @@ static const u64 canonical_val =3D 0x123456789000ull; #define MSR_TEST_CANONICAL(msr, feat) \ __MSR_TEST(msr, #msr, canonical_val, NONCANONICAL, 0, feat) =20 +#define MSR_TEST_KVM(msr, val, rsvd, feat) \ + ____MSR_TEST(KVM_REG_ ##msr, #msr, val, rsvd, 0, feat, feat, true) + /* * The main struct must be scoped to a function due to the use of structur= es to * define features. For the global structure, allocate enough space for t= he 
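Review bot: `is_kvm_defined` silently changes what `index` holds (a KVM_REG_* id rather than an MSR number for those rows) but the struct gets no comment saying so; add one beside the new field. Also, MSR_TEST_KVM() passes the bare `#msr` as `.name`, so the GUEST_SSP row's `.name` is "GUEST_SSP" while every MSR_TEST()/MSR_TEST2() row carries its full `MSR_*` identifier; using `"KVM_REG_" #msr` keeps any message that prints `.name` greppable back to the actual symbol.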
@@ -156,6 +161,83 @@ static void guest_main(void) static bool has_one_reg; static bool use_one_reg; =20 +#define KVM_X86_MAX_NR_REGS 1 + +static bool vcpu_has_reg(struct kvm_vcpu *vcpu, u64 reg) +{ + struct { + struct kvm_reg_list list; + u64 regs[KVM_X86_MAX_NR_REGS]; + } regs =3D {}; + int r, i; + + /* + * If KVM_GET_REG_LIST succeeds with n=3D0, i.e. there are no supported + * regs, then the vCPU obviously doesn't support the reg. + */ + r =3D __vcpu_ioctl(vcpu, KVM_GET_REG_LIST, ®s.list.n); + if (!r) + return false; + + TEST_ASSERT_EQ(errno, E2BIG); + + /* + * KVM x86 is expected to support enumerating a relative small number + * of regs. The majority of registers supported by KVM_{G,S}ET_ONE_REG + * are enumerated via other ioctls, e.g. KVM_GET_MSR_INDEX_LIST. For + * simplicity, hardcode the maximum number of regs and manually update + * the test as necessary. + */ + TEST_ASSERT(regs.list.n <=3D KVM_X86_MAX_NR_REGS, + "KVM reports %llu regs, test expects at most %u regs, stale test?", + regs.list.n, KVM_X86_MAX_NR_REGS); + + vcpu_ioctl(vcpu, KVM_GET_REG_LIST, ®s.list.n); + for (i =3D 0; i < regs.list.n; i++) { + if (regs.regs[i] =3D=3D reg) + return true; + } + + return false; +} + +static void host_test_kvm_reg(struct kvm_vcpu *vcpu) +{ + bool has_reg =3D vcpu_cpuid_has(vcpu, msrs[idx].feature); + u64 reset_val =3D msrs[idx].reset_val; + u64 write_val =3D msrs[idx].write_val; + u64 rsvd_val =3D msrs[idx].rsvd_val; + u32 reg =3D msrs[idx].index; + u64 val; + int r; + + if (!use_one_reg) + return; + + TEST_ASSERT_EQ(vcpu_has_reg(vcpu, KVM_X86_REG_KVM(reg)), has_reg); + + if (!has_reg) { + r =3D __vcpu_get_reg(vcpu, KVM_X86_REG_KVM(reg), &val); + TEST_ASSERT(r && errno =3D=3D EINVAL, + "Expected failure on get_reg(0x%x)", reg); + rsvd_val =3D 0; + goto out; + } + + val =3D vcpu_get_reg(vcpu, KVM_X86_REG_KVM(reg)); + TEST_ASSERT(val =3D=3D reset_val, "Wanted 0x%lx from get_reg(0x%x), got 0= x%lx", + reset_val, reg, val); + + vcpu_set_reg(vcpu, 
KVM_X86_REG_KVM(reg), write_val); + val =3D vcpu_get_reg(vcpu, KVM_X86_REG_KVM(reg)); + TEST_ASSERT(val =3D=3D write_val, "Wanted 0x%lx from get_reg(0x%x), got 0= x%lx", + write_val, reg, val); + +out: + r =3D __vcpu_set_reg(vcpu, KVM_X86_REG_KVM(reg), rsvd_val); + TEST_ASSERT(r, "Expected failure on set_reg(0x%x, 0x%lx)", reg, rsvd_val); +} + static void host_test_msr(struct kvm_vcpu *vcpu, u64 guest_val) { u64 reset_val =3D msrs[idx].reset_val; @@ -265,6 +347,8 @@ static void test_msrs(void) MSR_TEST(MSR_IA32_PL2_SSP, canonical_val, canonical_val | 1, SHSTK), MSR_TEST_CANONICAL(MSR_IA32_PL3_SSP, SHSTK), MSR_TEST(MSR_IA32_PL3_SSP, canonical_val, canonical_val | 1, SHSTK), + + MSR_TEST_KVM(GUEST_SSP, canonical_val, NONCANONICAL, SHSTK), }; =20 const struct kvm_x86_cpu_feature feat_none =3D X86_FEATURE_NONE; @@ -280,6 +364,7 @@ static void test_msrs(void) const int NR_VCPUS =3D 3; struct kvm_vcpu *vcpus[NR_VCPUS]; struct kvm_vm *vm; + int i; =20 kvm_static_assert(sizeof(__msrs) <=3D sizeof(msrs)); kvm_static_assert(ARRAY_SIZE(__msrs) <=3D ARRAY_SIZE(msrs)); 
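Review bot: in host_test_kvm_reg() the unsupported path checks `errno == EINVAL` on the failed get_reg(), but the shared `out:` path only asserts that set_reg() failed (`TEST_ASSERT(r, ...)`) without looking at errno, so an unrelated failure (a bad pointer returning EFAULT, for instance) would pass as "KVM rejected the reserved value". Check errno there too, with the expected value depending on whether the register exists. Separately, vcpu_has_reg() issues KVM_GET_REG_LIST twice, first with n=0 to provoke E2BIG and then to fetch; since the buffer is already sized by the hardcoded KVM_X86_MAX_NR_REGS, one call with `regs.list.n = KVM_X86_MAX_NR_REGS` followed by the existing `n <= KVM_X86_MAX_NR_REGS` assert does the same job, so if exercising the E2BIG contract is itself the point, the comment should say so.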
@@ -307,6 +392,12 @@ static void test_msrs(void) } =20 for (idx =3D 0; idx < ARRAY_SIZE(__msrs); idx++) { + if (msrs[idx].is_kvm_defined) { + for (i =3D 0; i < NR_VCPUS; i++) + host_test_kvm_reg(vcpus[i]); + continue; + } + sync_global_to_guest(vm, idx); =20 vcpus_run(vcpus, NR_VCPUS);
-- 
2.51.0.384.g4c02a37b29-goog
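Review bot: host_test_kvm_reg() returns immediately when `use_one_reg` is false, so on the first test_msrs() pass, and on every host without KVM_CAP_ONE_REG, the `is_kvm_defined` rows are skipped with no trace in the output. A comment at this `continue` noting that KVM-defined registers are only exercised on the ONE_REG pass, or a one-line skip message per row, keeps someone reading a green log from assuming GUEST_SSP was covered.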
Reply-To: Sean Christopherson
Date: Fri, 12 Sep 2025 16:23:18 -0700
In-Reply-To: <20250912232319.429659-1-seanjc@google.com>
Message-ID: <20250912232319.429659-41-seanjc@google.com>
Subject: [PATCH v15 40/41] KVM: selftests: Verify MSRs are (not) in save/restore list when (un)supported
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Maxim Levitsky, Xiaoyao Li, Zhang Yi Z

Add a check in the MSRs test to verify that KVM's reported support for MSRs with feature bits is consistent between KVM's MSR save/restore lists and KVM's supported CPUID. To deal with Intel's wonderful decision to bundle IBT and SHSTK under CET, track the "second" feature to avoid false failures when running on a CPU with only one of IBT or SHSTK.

Signed-off-by: Sean Christopherson
---
tools/testing/selftests/kvm/x86/msrs_test.c | 22 ++++++++++++++++++++-
1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/tools/testing/selftests/kvm/x86/msrs_test.c b/tools/testing/selftests/kvm/x86/msrs_test.c
index 6a956cfe0c65..442409e40da0 100644
--- a/tools/testing/selftests/kvm/x86/msrs_test.c
+++ b/tools/testing/selftests/kvm/x86/msrs_test.c
@@ -392,12 +392,32 @@ static void test_msrs(void) } =20 for (idx =3D 0; idx < ARRAY_SIZE(__msrs); idx++) { - if (msrs[idx].is_kvm_defined) { + struct kvm_msr *msr =3D &msrs[idx]; + + if (msr->is_kvm_defined) { for (i =3D 0; i < NR_VCPUS; i++) host_test_kvm_reg(vcpus[i]); continue; } =20 + /* + * Verify KVM_GET_SUPPORTED_CPUID and KVM_GET_MSR_INDEX_LIST + * are consistent with respect to MSRs whose existence is + * enumerated via CPUID. Note, using LM as a dummy feature + * is a-ok here as well, as all MSRs that abuse LM should be + * unconditionally reported in the save/restore list (and + * selftests are 64-bit only). Note #2, skip the check for + * FS/GS.base MSRs, as they aren't reported in the save/restore + * list since their state is managed via SREGS. + */ + TEST_ASSERT(msr->index =3D=3D MSR_FS_BASE || msr->index =3D=3D MSR_GS_BA= SE || + kvm_msr_is_in_save_restore_list(msr->index) =3D=3D + (kvm_cpu_has(msr->feature) || kvm_cpu_has(msr->feature2)), + "%s %s save/restore list, but %s according to CPUID", msr->name, + kvm_msr_is_in_save_restore_list(msr->index) ? "is" : "isn't", + (kvm_cpu_has(msr->feature) || kvm_cpu_has(msr->feature2)) ? 
+ "supported" : "unsupported"); + sync_global_to_guest(vm, idx); =20 vcpus_run(vcpus, NR_VCPUS);
-- 
2.51.0.384.g4c02a37b29-goog
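Review bot: kvm_msr_is_in_save_restore_list() and the `kvm_cpu_has(msr->feature) || kvm_cpu_has(msr->feature2)` pair are each evaluated twice, once in the asserted condition and again to build the message, which makes the TEST_ASSERT hard to read and lets the message drift from what was actually tested. Hoist them into locals before the assert, e.g. `bool in_list = kvm_msr_is_in_save_restore_list(msr->index);` and `bool supported = kvm_cpu_has(msr->feature) || kvm_cpu_has(msr->feature2);`, keep the FS/GS.base exemption as its own `bool exempt = ...`, and assert `exempt || in_list == supported`. The exemption comment could also spell out that MSR_FS_BASE/MSR_GS_BASE are the only rows expected to hit it, so a future row that is missing from the list does not get hidden behind it by mistake.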
2025 16:24:38 -0700 (PDT) Reply-To: Sean Christopherson Date: Fri, 12 Sep 2025 16:23:19 -0700 In-Reply-To: <20250912232319.429659-1-seanjc@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20250912232319.429659-1-seanjc@google.com> X-Mailer: git-send-email 2.51.0.384.g4c02a37b29-goog Message-ID: <20250912232319.429659-42-seanjc@google.com> Subject: [PATCH v15 41/41] KVM: VMX: Make CR4.CET a guest owned bit From: Sean Christopherson To: Paolo Bonzini , Sean Christopherson Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky , Mathias Krause , John Allen , Rick Edgecombe , Chao Gao , Maxim Levitsky , Xiaoyao Li , Zhang Yi Z Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" 
From: Mathias Krause

Make CR4.CET a guest-owned bit under VMX by extending KVM_POSSIBLE_CR4_GUEST_BITS accordingly. There's no need to intercept changes to CR4.CET, as it's neither included in KVM's MMU role bits, nor does KVM specifically care about the actual value of a (nested) guest's CR4.CET value, besides enforcing architectural constraints, i.e. making sure that CR0.WP=1 if CR4.CET=1.

Intercepting writes to CR4.CET is particularly bad for grsecurity kernels with KERNEXEC or, even worse, KERNSEAL enabled. These features heavily make use of read-only kernel objects and use a cpu-local CR0.WP toggle to override it, when needed. Under a CET-enabled kernel, this also requires toggling CR4.CET, hence the motivation to make it guest-owned.

Using the old test from [1] gives the following runtime numbers (perf stat -r 5 ssdd 10 50000):

* grsec guest on linux-6.16-rc5 + cet patches:
  2.4647 +- 0.0706 seconds time elapsed ( +- 2.86% )

* grsec guest on linux-6.16-rc5 + cet patches + CR4.CET guest-owned:
  1.5648 +- 0.0240 seconds time elapsed ( +- 1.53% )

Not only does not intercepting CR4.CET make the test run ~35% faster, it's also more stable with less fluctuation due to fewer VMEXITs. Therefore, make CR4.CET a guest-owned bit where possible.

This change is VMX-specific, as SVM has no such fine-grained control register intercept control.

If KVM's assumptions regarding MMU role handling wrt. a guest's CR4.CET value ever change, the BUILD_BUG_ON()s related to KVM_MMU_CR4_ROLE_BITS and KVM_POSSIBLE_CR4_GUEST_BITS will catch that early.

Link: https://lore.kernel.org/kvm/20230322013731.102955-1-minipli@grsecurity.net/ [1]
Reviewed-by: Chao Gao
Signed-off-by: Mathias Krause
Signed-off-by: Sean Christopherson
---
 arch/x86/kvm/kvm_cache_regs.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kvm/kvm_cache_regs.h b/arch/x86/kvm/kvm_cache_regs.h index 36a8786db291..8ddb01191d6f 100644 --- a/arch/x86/kvm/kvm_cache_regs.h 
+++ b/arch/x86/kvm/kvm_cache_regs.h @@ -7,7 +7,8 @@ #define KVM_POSSIBLE_CR0_GUEST_BITS (X86_CR0_TS | X86_CR0_WP) #define KVM_POSSIBLE_CR4_GUEST_BITS \ (X86_CR4_PVI | X86_CR4_DE | X86_CR4_PCE | X86_CR4_OSFXSR \ - | X86_CR4_OSXMMEXCPT | X86_CR4_PGE | X86_CR4_TSD | X86_CR4_FSGSBASE) + | X86_CR4_OSXMMEXCPT | X86_CR4_PGE | X86_CR4_TSD | X86_CR4_FSGSBASE \ + | X86_CR4_CET) =20 #define X86_CR0_PDPTR_BITS (X86_CR0_CD | X86_CR0_NW | X86_CR0_PG) #define X86_CR4_TLBFLUSH_BITS (X86_CR4_PGE | X86_CR4_PCIDE | X86_CR4_PAE |= X86_CR4_SMEP) --=20 2.51.0.384.g4c02a37b29-goog
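Review bot: the commit message calls this change VMX-specific, yet the hunk widens KVM_POSSIBLE_CR4_GUEST_BITS in arch/x86/kvm/kvm_cache_regs.h, a header shared by both vendor backends rather than anything under vmx/; a sentence in the message stating how SVM stays unaffected by the wider mask (for instance, that only the VMX code derives its CR4 guest/host mask from this macro) would let a reader verify the claim from the patch alone. Likewise, since the BUILD_BUG_ON()s against KVM_MMU_CR4_ROLE_BITS are the stated safety net, naming where they live would help, because nothing in this one-line macro change shows that the newly added X86_CR4_CET is actually checked against the MMU role bits.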
