From nobody Thu Oct 2 19:28:30 2025 Received: from mail-pf1-f201.google.com (mail-pf1-f201.google.com [209.85.210.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1B9FF2DF6EA for ; Fri, 12 Sep 2025 23:24:16 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757719458; cv=none; b=Zc9LQG/njhuo1bjzHnxwfeqtEDzP5ytaY8N30jMJDyNbeG1qEib9ksX9yiSHbLU22YWckDHeNF6AzzALIEb7xVXv/vqbNkUi5SAJCWg110PZL4cAGNz5Yv0fatcSbL5Mfg9jWOOtD0Y2rJAdRCWAr4KVavXk7j/Cs4SlAURCcVc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757719458; c=relaxed/simple; bh=D9+M1ofPK3BLJQzsUrcajnb1SD4gWSQfdTr3TnAALuU=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=aPwzIf8rfRSdUfpakSRBLTQDaMaUdBywnJxCfZawIYpihHdqO7LG6HVW+88dYdMBaS9JCyHH8qBh2RrD14rbAKRv0XRjrG9tMgACXqax9OjhZtejq9E+xAxb9WDJrXAxe7TluDQ3EKNOqNEbAummPCbEisz0tAcmCqLxqCJQWc0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=BQ3fYdIr; arc=none smtp.client-ip=209.85.210.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="BQ3fYdIr" Received: by mail-pf1-f201.google.com with SMTP id d2e1a72fcca58-77614fa6182so2304881b3a.0 for ; Fri, 12 Sep 2025 16:24:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1757719456; x=1758324256; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:reply-to:from:to:cc:subject:date:message-id:reply-to; bh=LhbYsL9ohofofYA5WH0d+8AOzIebXp5NvMLeLGAcWt0=; b=BQ3fYdIr+B5rekEYPiq8hvuL7OHUkgr9QXDNRyFW09gMaC8mHNhyNxITqcxCH1PKYI JJrH4b01KQLWpvgcvP0ErAc+8KEWS0Kz7sXCBFDmtzRxk4mcesW7Uln97o6iF8vtA6xz zaGV4XHGelysfzZkVKJVvvJPxy7+VlM/WHdLXBrx7V/EAQRWsQoKn8v67UhnHlo8CMDI 3qD+LsC/khoGy5b1LqCD+1q2VJTc5gFzUmDPn10xwYEabeGc+2ArHdCZmzLfxxD4yelf 268lUoB9V/xIGJFYywR5Ob2YsWdfMPz+UAqBIP8YJkJcdL2cIOqzUcq5Vj0/I/zs1AlP dIuQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1757719456; x=1758324256; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:reply-to:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=LhbYsL9ohofofYA5WH0d+8AOzIebXp5NvMLeLGAcWt0=; b=KoR9H/za1eRYKwatLwq37oRqZne/zEM62Qi0Cv96naIY81UkXpmHJRFM9Tp+kODr18 WHa/OE86H6SCyOnHWWKvDlx97xUH8lfULsrmDd0B8l7WAtLIh1TRNujVR731aex1t+N+ VAXj5B+vJe4Gx5L9TAWGYExFCzXG1cYEL1tDcCPXlOwgkAjhoirWKqfYdBHmZE1qa+tf wE8ouMLjf1Z+D+iCcIqeC+zmzcq9j0WxgaKnRjSynuu0/kY21WBHwMiLDkRrTvp2BTss vuYuyTAOj7dZ9EoFzy7Id9+ULMHSP4Nq0DSpUguhC7spvuVUyKf80/L0Y0EYkSISlqhn 6G6g== X-Forwarded-Encrypted: i=1; AJvYcCVmdEh+nntE2z/4xR69MzleRa/H2T4ygOoE8BtwXtx1H+zUxxkMsH4A90InxgIhWyOexxB4wlGrFxYVNbA=@vger.kernel.org X-Gm-Message-State: AOJu0YxBz2O9KQe6w+uBqZ5MAkLNx29oXhwIk1Kdyq7jHtemF2WN2NSW hNjFmCgei3hC/oBA7XiaG9ghcD0beUcJLRKNg4pUUVUCBUnTQH2WWD4yWydYRRzZ/SJ8/wGIDd4 gElwH2g== X-Google-Smtp-Source: AGHT+IGiazytCcQivJd/z18yTw4cuKfPDtfsmZgzKKLKFis41yXiyg2GvH7sp/nin02dzFY2c+tpO0ox1v0= X-Received: from pfbhr19-n2.prod.google.com ([2002:a05:6a00:6b93:20b0:770:586c:bc01]) (user=seanjc job=prod-delivery.src-stubby-dispatcher) by 2002:a05:6a00:9194:b0:772:2bcc:d2d7 with SMTP id d2e1a72fcca58-77602fd1bbcmr9213653b3a.2.1757719456310; Fri, 12 Sep 2025 16:24:16 -0700 (PDT) Reply-To: Sean Christopherson Date: Fri, 12 Sep 2025 16:23:06 -0700 In-Reply-To: <20250912232319.429659-1-seanjc@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20250912232319.429659-1-seanjc@google.com> X-Mailer: git-send-email 2.51.0.384.g4c02a37b29-goog Message-ID: <20250912232319.429659-29-seanjc@google.com> Subject: [PATCH v15 28/41] KVM: x86: SVM: Pass through shadow stack MSRs as appropriate From: Sean Christopherson To: Paolo Bonzini , Sean Christopherson Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky , Mathias Krause , John Allen , Rick Edgecombe , Chao Gao , Maxim Levitsky , Xiaoyao Li , Zhang Yi Z Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: John Allen Pass through XSAVE managed CET MSRs on SVM when KVM supports shadow stack. These cannot be intercepted without also intercepting XSAVE which would likely cause unacceptable performance overhead. MSR_IA32_INT_SSP_TAB is not managed by XSAVE, so it is intercepted. Reviewed-by: Chao Gao Signed-off-by: John Allen Signed-off-by: Sean Christopherson --- arch/x86/kvm/svm/svm.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index c0a16481b9c3..dc4d34e6af33 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -844,6 +844,17 @@ static void svm_recalc_msr_intercepts(struct kvm_vcpu = *vcpu) svm_disable_intercept_for_msr(vcpu, MSR_IA32_MPERF, MSR_TYPE_R); } =20 + if (kvm_cpu_cap_has(X86_FEATURE_SHSTK)) { + bool shstk_enabled =3D guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK); + + svm_set_intercept_for_msr(vcpu, MSR_IA32_U_CET, MSR_TYPE_RW, !shstk_enab= led); + svm_set_intercept_for_msr(vcpu, MSR_IA32_S_CET, MSR_TYPE_RW, !shstk_enab= led); + svm_set_intercept_for_msr(vcpu, MSR_IA32_PL0_SSP, MSR_TYPE_RW, !shstk_en= abled); + svm_set_intercept_for_msr(vcpu, MSR_IA32_PL1_SSP, MSR_TYPE_RW, !shstk_en= abled); + svm_set_intercept_for_msr(vcpu, MSR_IA32_PL2_SSP, MSR_TYPE_RW, !shstk_en= abled); + svm_set_intercept_for_msr(vcpu, MSR_IA32_PL3_SSP, MSR_TYPE_RW, !shstk_en= abled); + } + if (sev_es_guest(vcpu->kvm)) sev_es_recalc_msr_intercepts(vcpu); =20 --=20 2.51.0.384.g4c02a37b29-goog