1. Patchew
  2. linux
  3. [PATCH v16 00/51] KVM: x86: Super Mega CET
  4. View patch

[PATCH v16 24/51] KVM: nVMX: Always forward XSAVES/XRSTORS exits from L2 to L1

Sean Christopherson posted 51 patches 1 week, 5 days ago
[PATCH v16 24/51] KVM: nVMX: Always forward XSAVES/XRSTORS exits from L2 to L1
Posted by Sean Christopherson 1 week, 5 days ago 
Unconditionally forward XSAVES/XRSTORS VM-Exits from L2 to L1, as KVM
doesn't utilize the XSS-bitmap (KVM relies on controlling the XSS value
in hardware to prevent unauthorized access to XSAVES state).  KVM always
loads vmcs02 with vmcs12's bitmap, and so any exit _must_ be due to
vmcs12's XSS-bitmap.

Drop the comment about XSS never being non-zero in anticipation of
enabling CET_KERNEL and CET_USER support.

Opportunistically WARN if XSAVES is not enabled for L2, as the CPU is
supposed to generate #UD before checking the XSS-bitmap.

Signed-off-by: Sean Christopherson <seanjc@google.com>
---
 arch/x86/kvm/vmx/nested.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
index 2156c9a854f4..846c07380eac 100644
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -6570,14 +6570,17 @@ static bool nested_vmx_l1_wants_exit(struct kvm_vcpu *vcpu,
 		return nested_cpu_has2(vmcs12, SECONDARY_EXEC_WBINVD_EXITING);
 	case EXIT_REASON_XSETBV:
 		return true;
-	case EXIT_REASON_XSAVES: case EXIT_REASON_XRSTORS:
+	case EXIT_REASON_XSAVES:
+	case EXIT_REASON_XRSTORS:
 		/*
-		 * This should never happen, since it is not possible to
-		 * set XSS to a non-zero value---neither in L1 nor in L2.
-		 * If if it were, XSS would have to be checked against
-		 * the XSS exit bitmap in vmcs12.
+		 * Always forward XSAVES/XRSTORS to L1 as KVM doesn't utilize
+		 * XSS-bitmap, and always loads vmcs02 with vmcs12's XSS-bitmap
+		 * verbatim, i.e. any exit is due to L1's bitmap.  WARN if
+		 * XSAVES isn't enabled, as the CPU is supposed to inject #UD
+		 * in that case, before consulting the XSS-bitmap.
 		 */
-		return nested_cpu_has2(vmcs12, SECONDARY_EXEC_ENABLE_XSAVES);
+		WARN_ON_ONCE(!nested_cpu_has2(vmcs12, SECONDARY_EXEC_ENABLE_XSAVES));
+		return true;
 	case EXIT_REASON_UMWAIT:
 	case EXIT_REASON_TPAUSE:
 		return nested_cpu_has2(vmcs12,
-- 
2.51.0.470.ga7dc726c21-goog
Re: [PATCH v16 24/51] KVM: nVMX: Always forward XSAVES/XRSTORS exits from L2 to L1
Posted by Xiaoyao Li 1 week, 1 day ago 
On 9/20/2025 6:32 AM, Sean Christopherson wrote:
> Unconditionally forward XSAVES/XRSTORS VM-Exits from L2 to L1, as KVM
> doesn't utilize the XSS-bitmap (KVM relies on controlling the XSS value
> in hardware to prevent unauthorized access to XSAVES state).  KVM always
> loads vmcs02 with vmcs12's bitmap, and so any exit _must_ be due to
> vmcs12's XSS-bitmap.
> 
> Drop the comment about XSS never being non-zero in anticipation of
> enabling CET_KERNEL and CET_USER support.
> 
> Opportunistically WARN if XSAVES is not enabled for L2, as the CPU is
> supposed to generate #UD before checking the XSS-bitmap.
> 
> Signed-off-by: Sean Christopherson <seanjc@google.com>

Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>

> ---
>   arch/x86/kvm/vmx/nested.c | 15 +++++++++------
>   1 file changed, 9 insertions(+), 6 deletions(-)
> 
> diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
> index 2156c9a854f4..846c07380eac 100644
> --- a/arch/x86/kvm/vmx/nested.c
> +++ b/arch/x86/kvm/vmx/nested.c
> @@ -6570,14 +6570,17 @@ static bool nested_vmx_l1_wants_exit(struct kvm_vcpu *vcpu,
>   		return nested_cpu_has2(vmcs12, SECONDARY_EXEC_WBINVD_EXITING);
>   	case EXIT_REASON_XSETBV:
>   		return true;
> -	case EXIT_REASON_XSAVES: case EXIT_REASON_XRSTORS:
> +	case EXIT_REASON_XSAVES:
> +	case EXIT_REASON_XRSTORS:
>   		/*
> -		 * This should never happen, since it is not possible to
> -		 * set XSS to a non-zero value---neither in L1 nor in L2.
> -		 * If if it were, XSS would have to be checked against
> -		 * the XSS exit bitmap in vmcs12.
> +		 * Always forward XSAVES/XRSTORS to L1 as KVM doesn't utilize
> +		 * XSS-bitmap, and always loads vmcs02 with vmcs12's XSS-bitmap
> +		 * verbatim, i.e. any exit is due to L1's bitmap.  WARN if
> +		 * XSAVES isn't enabled, as the CPU is supposed to inject #UD
> +		 * in that case, before consulting the XSS-bitmap.
>   		 */
> -		return nested_cpu_has2(vmcs12, SECONDARY_EXEC_ENABLE_XSAVES);
> +		WARN_ON_ONCE(!nested_cpu_has2(vmcs12, SECONDARY_EXEC_ENABLE_XSAVES));
> +		return true;
>   	case EXIT_REASON_UMWAIT:
>   	case EXIT_REASON_TPAUSE:
>   		return nested_cpu_has2(vmcs12,
Re: [PATCH v16 24/51] KVM: nVMX: Always forward XSAVES/XRSTORS exits from L2 to L1
Posted by Chao Gao 1 week, 1 day ago 
On Fri, Sep 19, 2025 at 03:32:31PM -0700, Sean Christopherson wrote:
>Unconditionally forward XSAVES/XRSTORS VM-Exits from L2 to L1, as KVM
>doesn't utilize the XSS-bitmap (KVM relies on controlling the XSS value
>in hardware to prevent unauthorized access to XSAVES state).  KVM always
>loads vmcs02 with vmcs12's bitmap, and so any exit _must_ be due to
>vmcs12's XSS-bitmap.
>
>Drop the comment about XSS never being non-zero in anticipation of
>enabling CET_KERNEL and CET_USER support.
>
>Opportunistically WARN if XSAVES is not enabled for L2, as the CPU is
>supposed to generate #UD before checking the XSS-bitmap.
>
>Signed-off-by: Sean Christopherson <seanjc@google.com>

Reviewed-by: Chao Gao <chao.gao@intel.com>

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.