From nobody Thu Oct 2 19:27:59 2025 Received: from mail-pj1-f74.google.com (mail-pj1-f74.google.com [209.85.216.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7C9B62D238B for ; Fri, 12 Sep 2025 23:23:43 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.74 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757719425; cv=none; b=pPQJ+RGaaz6dW3a9PqKSAlh32aS2432eGozJTFJ6fievUdc9XSfPJt+dFZR+Y0WyLKxFgvhkLXV7nbH1qZ2DacnlP3xLO95AnHjcYFtAWhXURFZsOMisJ94/AXANNIOuSZC4C1+kweEKVNRrCQQ3mttHY16JLi9fWACkaU+jZd8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757719425; c=relaxed/simple; bh=7/QfmUh94cpKnRYcIs/AdmMBk2eIOUXj9qsTocROstw=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=ttXVVteURJy5GESzx9se5my5c0mkWNNeSdRBBC/BApCUjoNYdxxM0nmn3ch6RIKcaAgOWe+yuh/2fU7HAPJA/0+we8Z2MXNzjagAFC/YUZIMR7I8TTvG3tESf3NVO+/LX12h91BbdivZmCE9tfl1DdFzRKf74spAWyQovhErLB0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=0iF/PjD9; arc=none smtp.client-ip=209.85.216.74 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="0iF/PjD9" Received: by mail-pj1-f74.google.com with SMTP id 98e67ed59e1d1-32e0b001505so184013a91.0 for ; Fri, 12 Sep 2025 16:23:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1757719423; x=1758324223; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:reply-to:from:to:cc:subject:date:message-id:reply-to; bh=f+rSSX++v1qgnsGhpIx8DklxJ9wJTs1Gj78GbeI9Rw8=; b=0iF/PjD95vLy/LkAWHsSqQbYARSoOs+rvzEC7tcCVSoShoXnbko19mzDa1b01IuscM K++z00mCKi3vmXRf/EX7O0waRa1mgwzrwFvZiRfDbSa4X93+dK6laUFAOAfqEZ/XHs3C WqvAKZRH+DLaWpMt6IOGQi3Tbt7D7ToFhNvg9nChSogiGAwvcZOrfsqhvVBFs9+zktZw krYytDA1PVYXawf68NYJzGof9YbUZOuWyNg06VEggXA9zXM3kpBmDxwtz8NnmvmnwO58 zlgBn1pLnH8DYE7fy/OZXka5BVacDzw1qbfhYkjw/8jR7zRWtE2hHMo0mzCFtT4S2eue L9Cw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1757719423; x=1758324223; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:reply-to:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=f+rSSX++v1qgnsGhpIx8DklxJ9wJTs1Gj78GbeI9Rw8=; b=gGsjnLnnrXdfuCn6ozVg4r028s5Yckx4ROeeS5gy5wfurobyGJMbWep2IeFFVBlBVO cu5HYVpU57kEzKgOjO2YxxyRZo5QxUJhryyZtgeGvoewSjvSaYK9hOcZit2BNHlStJXY qENXDVwSP0lZpCoNBEaHwlJtR1IXFB10Rgbs65qbee97lvjdxiEg5EjSDF1yo0i307s+ ZyPq7QuKlGuYuNnxlkSI3KsvOY18ATDujXyhEx0gQ7Evv5ZUoorWUoGh1vKXQUR2BHJk HynIxPC7SPROGo9T3OddFMuQk0xGlPZPzOl8YRQvHAmIcBpsyBFbfo62a6qGYJ+aH7Yf N6FA== X-Forwarded-Encrypted: i=1; AJvYcCVvzZuYh+y69YLX/X/x7WkKxvraGW7YfQtgsiGgmFOMOSwVhcvCnMEuQYKVCVuTUNNIr5ZwICKYliwJQX8=@vger.kernel.org X-Gm-Message-State: AOJu0YyVVbrUifSmtwteCW0O8UArqIpY+cf9Vdyn2SI8iFqlpMHuFACp LWqs2zTWHVYxJlC1WVifbTDpW3O4cArm1RDfgsT8B6Qdxo5HSsolFjynlvRV1fLtEkopfhWH18R 0orjEfg== X-Google-Smtp-Source: AGHT+IH1eNU2hQP1gvDQaW9z3NfGk3O72hFIvwJ884+L0C1h8IQkwA5/mG7MdJMxGMHC4seZBdGAjvKVpos= X-Received: from pjm14.prod.google.com ([2002:a17:90b:2fce:b0:325:7c49:9cce]) (user=seanjc job=prod-delivery.src-stubby-dispatcher) by 2002:a17:90a:ec83:b0:32b:9506:1773 with SMTP id 98e67ed59e1d1-32de4fc1430mr5296039a91.33.1757719423002; Fri, 12 Sep 2025 16:23:43 -0700 (PDT) Reply-To: Sean Christopherson Date: Fri, 12 Sep 2025 16:22:48 -0700 In-Reply-To: <20250912232319.429659-1-seanjc@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20250912232319.429659-1-seanjc@google.com> X-Mailer: git-send-email 2.51.0.384.g4c02a37b29-goog Message-ID: <20250912232319.429659-11-seanjc@google.com> Subject: [PATCH v15 10/41] KVM: x86: Add fault checks for guest CR4.CET setting From: Sean Christopherson To: Paolo Bonzini , Sean Christopherson Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky , Mathias Krause , John Allen , Rick Edgecombe , Chao Gao , Maxim Levitsky , Xiaoyao Li , Zhang Yi Z Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Yang Weijiang Check potential faults for CR4.CET setting per Intel SDM requirements. CET can be enabled if and only if CR0.WP =3D=3D 1, i.e. setting CR4.CET =3D= =3D 1 faults if CR0.WP =3D=3D 0 and setting CR0.WP =3D=3D 0 fails if CR4.CET = =3D=3D 1. Signed-off-by: Yang Weijiang Reviewed-by: Chao Gao Reviewed-by: Maxim Levitsky Reviewed-by: Xiaoyao Li Tested-by: Mathias Krause Tested-by: John Allen Tested-by: Rick Edgecombe Signed-off-by: Chao Gao Co-developed-by: Sean Christopherson Signed-off-by: Sean Christopherson Reviewed-by: Binbin Wu --- arch/x86/kvm/x86.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index a95ca2fbd3a9..5653ddfe124e 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -1176,6 +1176,9 @@ int kvm_set_cr0(struct kvm_vcpu *vcpu, unsigned long = cr0) (is_64_bit_mode(vcpu) || kvm_is_cr4_bit_set(vcpu, X86_CR4_PCIDE))) return 1; =20 + if (!(cr0 & X86_CR0_WP) && kvm_is_cr4_bit_set(vcpu, X86_CR4_CET)) + return 1; + kvm_x86_call(set_cr0)(vcpu, cr0); =20 kvm_post_set_cr0(vcpu, old_cr0, cr0); @@ -1376,6 +1379,9 @@ int kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long = cr4) return 1; } =20 + if ((cr4 & X86_CR4_CET) && !kvm_is_cr0_bit_set(vcpu, X86_CR0_WP)) + return 1; + kvm_x86_call(set_cr4)(vcpu, cr4); =20 kvm_post_set_cr4(vcpu, old_cr4, cr4); --=20 2.51.0.384.g4c02a37b29-goog