From nobody Thu Oct 2 06:18:00 2025 Received: from mail-pg1-f201.google.com (mail-pg1-f201.google.com [209.85.215.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3F14E25F784 for ; Fri, 19 Sep 2025 22:33:05 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.215.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758321186; cv=none; b=maFQBEKFnTx1BfvMBOcRHEzEWlrcvy811RjnWXZisS3xWVjCeBxB8/eOrv+9LQSyN6gAKuNpawdHTT36kzscB24Fw+OjkVNeyrbdoB/Llnl0IUHhZMoc9MeNfZvlRKYYQFAWzb8sXio4CBMOg7kOfunT7ucibBFksq0Tg/MZk1g= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758321186; c=relaxed/simple; bh=XlnjwGb/Uv8iDC4X4PssXMxOuSIkF9nMxyWo059j3B4=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=pSOvO4vZXWVBu+ZWz+HrE0se2baUMoR6kf4wEfgTCMFms/U0Wns6YZPgUc3lXSXgAAddej3E/9HwL1J8fzg0UOJyfVqLkCVKB1ac7SDb4RABp7UqwN/rsWRZt2Yc5cgR1+U22xC+9GbpE05fiwyK+BaEJA2RV77ndx351PRbIcw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=XoErpupl; arc=none smtp.client-ip=209.85.215.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="XoErpupl" Received: by mail-pg1-f201.google.com with SMTP id 41be03b00d2f7-b55153c5ef2so1334385a12.0 for ; Fri, 19 Sep 2025 15:33:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1758321184; x=1758925984; 
darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:reply-to:from:to:cc:subject:date:message-id:reply-to; bh=cBtq0KlbJNaCLdLypdNbSmqpzS3YAzcVYonMlUie8jk=; b=XoErpuplShWczCMlTSNb5Jrg0rcnSzKhLV7Wabm4OuYGe35G0wkeHGLHTJuP4biesd QRqx7vwcsBBL4gd0FJaFsGIOY+rW5+VwZ6SBtRzYDl8gTddBZzVLp278ORFCXlc6m4I9 Yyssg+ehJ3lCmKB/RZVUI+s3A6EOWEo/IBQaAGqhanGj38GIjm+gNFNTu/nKCdmP7s45 sysK/a9005tzTx9CtkhcZfAkFYsLda0s6b15d2NRAXP7vPSxCy7BKW7SCm14w3q/tz1o IZQo/+K6QmoultAn3le5SAojOlttjGhJw9gP4g1WUGqQOHWUQaDim88uOlaoBChWBwOB PtPg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1758321184; x=1758925984; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:reply-to:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=cBtq0KlbJNaCLdLypdNbSmqpzS3YAzcVYonMlUie8jk=; b=UfHRjZ/Vx61LkwTt+nGcMP5i0+ZCeXblyTGi8Q7Npei1PbMnUu1VlRRi3KvhCP1MbL Aixyo8GUtLnBfblMv2M2m2Jyc2KC30gdeh+z756vZuX4AbOtK1NU7LS6qyZJ46R0cf6A TYucGhu5g0jM9CPxPemLwdkJNft/RZcTYFwb/l3Qgj4KLKZ5g4UQ7BTyhmVqCyuEsvQk oymiIF+M7RSoQ7Iiy2SiInb/TDjoYEm6r/qMjeYuPLp7lF2gYlYKdQ3pd5nUVwZ4EgCV V3Sui6Fb1yzOqfK6dcZ/nLlTtI/izVJ6bNxmv1c42alxstoI7oCKj0csc7GadA6xksND BKIA== X-Forwarded-Encrypted: i=1; AJvYcCXfHvC6wLww2h0IvJALUHTSmfxoQBlPJQ3nrPc3EYukhKct1xGbFjlaAM8H4WVUL5uG8gkeqPbiHKuUhLY=@vger.kernel.org X-Gm-Message-State: AOJu0Yw+bH6DvRQv3uj/oMj17BSvxi/Z28qNKtpbtg29lc8iP1sMFV45 9MapgoUmWs6DywECfBLFHhRRsLswO5XxDG31nNvdxzi+yqI0WSLJzXMgb/K5ggVwajWMIx1A4vM tb5NPZg== X-Google-Smtp-Source: AGHT+IFc0Q3XMUJzbgN7Ff9HbAiLY51qcwkDIquE2sFhMr2ysXppYnkJ+NuTwBMNRjK9zuprNbkFBID862w= X-Received: from pjbqx3.prod.google.com ([2002:a17:90b:3e43:b0:32b:61c4:e48b]) (user=seanjc job=prod-delivery.src-stubby-dispatcher) by 2002:a05:6a20:7d9b:b0:252:9bf:ad80 with SMTP id adf61e73a8af0-29274fb76b1mr7728324637.54.1758321184578; Fri, 19 Sep 2025 15:33:04 -0700 (PDT) Reply-To: Sean Christopherson Date: Fri, 19 Sep 2025 15:32:08 -0700 In-Reply-To: 
<20250919223258.1604852-1-seanjc@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20250919223258.1604852-1-seanjc@google.com> X-Mailer: git-send-email 2.51.0.470.ga7dc726c21-goog Message-ID: <20250919223258.1604852-2-seanjc@google.com> Subject: [PATCH v16 01/51] KVM: SEV: Rename kvm_ghcb_get_sw_exit_code() to kvm_get_cached_sw_exit_code() From: Sean Christopherson To: Paolo Bonzini , Sean Christopherson Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky , Mathias Krause , John Allen , Rick Edgecombe , Chao Gao , Binbin Wu , Xiaoyao Li , Maxim Levitsky , Zhang Yi Z , Xin Li Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Rename kvm_ghcb_get_sw_exit_code() to kvm_get_cached_sw_exit_code() to make it clear that KVM is getting the cached value, not reading directly from the guest-controlled GHCB. More importantly, vacating kvm_ghcb_get_sw_exit_code() will allow adding a KVM-specific macro-built kvm_ghcb_get_##field() helper to read values from the GHCB. No functional change intended. Reviewed-by: Tom Lendacky Signed-off-by: Sean Christopherson --- arch/x86/kvm/svm/sev.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index cce48fff2e6c..f046a587ecaf 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -3264,7 +3264,7 @@ void sev_free_vcpu(struct kvm_vcpu *vcpu) kvfree(svm->sev_es.ghcb_sa); } =20 -static u64 kvm_ghcb_get_sw_exit_code(struct vmcb_control_area *control) +static u64 kvm_get_cached_sw_exit_code(struct vmcb_control_area *control) { return (((u64)control->exit_code_hi) << 32) | control->exit_code; } 
@@ -3290,7 +3290,7 @@ static void dump_ghcb(struct vcpu_svm *svm) */ pr_err("GHCB (GPA=3D%016llx) snapshot:\n", svm->vmcb->control.ghcb_gpa); pr_err("%-20s%016llx is_valid: %u\n", "sw_exit_code", - kvm_ghcb_get_sw_exit_code(control), kvm_ghcb_sw_exit_code_is_valid= (svm)); + kvm_get_cached_sw_exit_code(control), kvm_ghcb_sw_exit_code_is_val= id(svm)); pr_err("%-20s%016llx is_valid: %u\n", "sw_exit_info_1", control->exit_info_1, kvm_ghcb_sw_exit_info_1_is_valid(svm)); pr_err("%-20s%016llx is_valid: %u\n", "sw_exit_info_2", @@ -3379,7 +3379,7 @@ static int sev_es_validate_vmgexit(struct vcpu_svm *s= vm) * Retrieve the exit code now even though it may not be marked valid * as it could help with debugging. */ - exit_code =3D kvm_ghcb_get_sw_exit_code(control); + exit_code =3D kvm_get_cached_sw_exit_code(control); =20 /* Only GHCB Usage code 0 is supported */ if (svm->sev_es.ghcb->ghcb_usage) { 
@@ -4384,7 +4384,7 @@ int sev_handle_vmgexit(struct kvm_vcpu *vcpu) =20 svm_vmgexit_success(svm, 0); =20 - exit_code =3D kvm_ghcb_get_sw_exit_code(control); + exit_code =3D kvm_get_cached_sw_exit_code(control); switch (exit_code) { case SVM_VMGEXIT_MMIO_READ: ret =3D setup_vmgexit_scratch(svm, true, control->exit_info_2); --=20 2.51.0.470.ga7dc726c21-goog From nobody Thu Oct 2 06:18:00 2025 Received: from mail-pf1-f201.google.com (mail-pf1-f201.google.com [209.85.210.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3EFE92D595E for ; Fri, 19 Sep 2025 22:33:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758321188; cv=none; b=HoSQUlP3PMs2YG1RIqeg4l9owwhbWQTvLbBACMo9eXsaIkDRx/jjhRyn/oCasMhN33px2gMDng5/PQcMVCN/PBDN5mwCyn12rNZvO6AswcKtO06f+YUIRFF7TZDNGITSBWt4Ik1oFDSkOG/3YQWq6A6WcJUc+y0j+L83jN2GMQY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758321188; c=relaxed/simple; bh=MGoqbJuB9sCOizQgDYnMaXG/P8e3uUL1d4ZDtIlGQ04=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=QEmuN/vz0h04h8uI7BbefL9cgqxEdtoIdbL9BWEAfFpabb3sWOAEJzZ+sDaxdfmgTkcJHnn8Gue/aslrjMj/XcZGU604diUCO9Dy9a4JwvCe9UsRuPFOiVkCApxx0oLDsDBJEpnLbyr5YGCaHXqdKAIhL5VfiQ9bUL/qRIsbZNc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=df4Pb4fN; arc=none smtp.client-ip=209.85.210.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com Authentication-Results: 
Date: Fri, 19 Sep 2025 15:32:09 -0700
Message-ID: <20250919223258.1604852-3-seanjc@google.com>
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
Subject: [PATCH v16 02/51] KVM: SEV: Read save fields from GHCB exactly once
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li

Wrap all reads of GHCB save fields with READ_ONCE() via a KVM-specific GHCB get() utility to help guard against TOCTOU bugs. Using READ_ONCE() doesn't completely prevent such bugs, e.g. doesn't prevent KVM from redoing get() after checking the initial value, but at least addresses all potential TOCTOU issues in the current KVM code base.

To prevent unintentional use of the generic helpers, take only @svm for the kvm_ghcb_get_xxx() helpers and retrieve the ghcb instead of explicitly passing it in.

Opportunistically reduce the indentation of the macro-defined helpers and clean up the alignment.

Fixes: 4e15a0ddc3ff ("KVM: SEV: snapshot the GHCB before accessing it")
Cc: Tom Lendacky
Signed-off-by: Sean Christopherson
Reviewed-by: Tom Lendacky
---
 arch/x86/kvm/svm/sev.c | 22 +++++++++++-----------
 arch/x86/kvm/svm/svm.h | 25 +++++++++++++++----------
 2 files changed, 26 insertions(+), 21 deletions(-)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index f046a587ecaf..8d057dbd8a71 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -3343,26 +3343,26 @@ static void sev_es_sync_from_ghcb(struct vcpu_svm *= svm) BUILD_BUG_ON(sizeof(svm->sev_es.valid_bitmap) !=3D sizeof(ghcb->save.vali= d_bitmap)); memcpy(&svm->sev_es.valid_bitmap, &ghcb->save.valid_bitmap, sizeof(ghcb->= save.valid_bitmap)); =20 - vcpu->arch.regs[VCPU_REGS_RAX] =3D kvm_ghcb_get_rax_if_valid(svm, ghcb); - vcpu->arch.regs[VCPU_REGS_RBX] =3D kvm_ghcb_get_rbx_if_valid(svm, ghcb); - vcpu->arch.regs[VCPU_REGS_RCX] =3D kvm_ghcb_get_rcx_if_valid(svm, ghcb); - vcpu->arch.regs[VCPU_REGS_RDX] =3D kvm_ghcb_get_rdx_if_valid(svm, ghcb); - vcpu->arch.regs[VCPU_REGS_RSI] =3D kvm_ghcb_get_rsi_if_valid(svm, ghcb); + vcpu->arch.regs[VCPU_REGS_RAX] =3D kvm_ghcb_get_rax_if_valid(svm); + vcpu->arch.regs[VCPU_REGS_RBX] =3D kvm_ghcb_get_rbx_if_valid(svm); + vcpu->arch.regs[VCPU_REGS_RCX] =3D kvm_ghcb_get_rcx_if_valid(svm); + vcpu->arch.regs[VCPU_REGS_RDX] =3D kvm_ghcb_get_rdx_if_valid(svm); + vcpu->arch.regs[VCPU_REGS_RSI] =3D kvm_ghcb_get_rsi_if_valid(svm); =20 - svm->vmcb->save.cpl =3D kvm_ghcb_get_cpl_if_valid(svm, ghcb); + svm->vmcb->save.cpl =3D kvm_ghcb_get_cpl_if_valid(svm); =20 if (kvm_ghcb_xcr0_is_valid(svm)) { - vcpu->arch.xcr0 =3D ghcb_get_xcr0(ghcb); + vcpu->arch.xcr0 =3D kvm_ghcb_get_xcr0(svm); vcpu->arch.cpuid_dynamic_bits_dirty =3D true; } =20 /* Copy the GHCB exit information into the VMCB fields */ - exit_code =3D ghcb_get_sw_exit_code(ghcb); + exit_code =3D kvm_ghcb_get_sw_exit_code(svm); control->exit_code =3D lower_32_bits(exit_code); control->exit_code_hi =3D upper_32_bits(exit_code); - control->exit_info_1 =3D ghcb_get_sw_exit_info_1(ghcb); - control->exit_info_2 =3D ghcb_get_sw_exit_info_2(ghcb); - svm->sev_es.sw_scratch =3D kvm_ghcb_get_sw_scratch_if_valid(svm, ghcb); + control->exit_info_1 =3D kvm_ghcb_get_sw_exit_info_1(svm); + control->exit_info_2 =3D kvm_ghcb_get_sw_exit_info_2(svm); + svm->sev_es.sw_scratch =3D kvm_ghcb_get_sw_scratch_if_valid(svm); =20 /* Clear the valid entries fields */ memset(ghcb->save.valid_bitmap, 
0, sizeof(ghcb->save.valid_bitmap)); diff --git a/arch/x86/kvm/svm/svm.h b/arch/x86/kvm/svm/svm.h index 5d39c0b17988..5365984e82e5 100644 --- a/arch/x86/kvm/svm/svm.h +++ b/arch/x86/kvm/svm/svm.h 
@@ -913,16 +913,21 @@ void __svm_sev_es_vcpu_run(struct vcpu_svm *svm, bool= spec_ctrl_intercepted, void __svm_vcpu_run(struct vcpu_svm *svm, bool spec_ctrl_intercepted); =20 #define DEFINE_KVM_GHCB_ACCESSORS(field) \ - static __always_inline bool kvm_ghcb_##field##_is_valid(const struct vcpu= _svm *svm) \ - { \ - return test_bit(GHCB_BITMAP_IDX(field), \ - (unsigned long *)&svm->sev_es.valid_bitmap); \ - } \ - \ - static __always_inline u64 kvm_ghcb_get_##field##_if_valid(struct vcpu_sv= m *svm, struct ghcb *ghcb) \ - { \ - return kvm_ghcb_##field##_is_valid(svm) ? ghcb->save.field : 0; \ - } \ +static __always_inline u64 kvm_ghcb_get_##field(struct vcpu_svm *svm) \ +{ \ + return READ_ONCE(svm->sev_es.ghcb->save.field); \ +} \ + \ +static __always_inline bool kvm_ghcb_##field##_is_valid(const struct vcpu_= svm *svm) \ +{ \ + return test_bit(GHCB_BITMAP_IDX(field), \ + (unsigned long *)&svm->sev_es.valid_bitmap); \ +} \ + \ +static __always_inline u64 kvm_ghcb_get_##field##_if_valid(struct vcpu_svm= *svm) \ +{ \ + return kvm_ghcb_##field##_is_valid(svm) ? 
kvm_ghcb_get_##field(svm) : 0; \ +} =20 DEFINE_KVM_GHCB_ACCESSORS(cpl) DEFINE_KVM_GHCB_ACCESSORS(rax) --=20 2.51.0.470.ga7dc726c21-goog From nobody Thu Oct 2 06:18:00 2025 Received: from mail-pg1-f202.google.com (mail-pg1-f202.google.com [209.85.215.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 199712D77E6 for ; Fri, 19 Sep 2025 22:33:08 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.215.202 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758321190; cv=none; b=d7wGqiCpDxg7GmbTKegDsMtrYdzsgXNTiyKLBUdRc+tC1OM6QgpJzHRW3h+0LN6JX4ZDRZluI4oW/V9NlR2b6BrbrSkdY20tg8JUm6LCPJvqudOA1MpbWNsVnnjz+/FBSi3FK0UeYF9V9PJaa/KAaot9I4MiVmKAVGh2mNWlB60= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758321190; c=relaxed/simple; bh=UobUTzMqC05bXJMUZdQ8rImj8lRdVYmv6o009lR/JHc=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=rfhdplbJkEgXEKevPWhAzzLY9s9T6HKqKoyhW1Jk22zVumTMeUnXqohUUhP5jXaMgOhCujkMK+u31sayMPyh/k9I2UQi66V+Qg+XaOiYgz1QpK+5fsCzmK/E2pJ7gtkRQWfpIwbi8fv6WQqpPiwCPZausSmwv6mSm4oqU74YC94= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=zGE0KS8m; arc=none smtp.client-ip=209.85.215.202 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="zGE0KS8m" Received: by mail-pg1-f202.google.com with SMTP id 41be03b00d2f7-b5529da7771so522351a12.0 for ; Fri, 19 Sep 
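Review bot: in the sev_es_sync_from_ghcb() hunk the valid bits are snapshotted into svm->sev_es.valid_bitmap by the memcpy above the register block, but every kvm_ghcb_get_*() and kvm_ghcb_get_*_if_valid() call still reads its value from the live, guest-shared GHCB page. A set valid bit therefore only says the guest marked the field; it says nothing about which value the READ_ONCE() will observe, so the consumers of the copied GPRs, cpl, xcr0, sw_exit_info_1/2 and sw_scratch must go on validating the value itself (sev_es_validate_vmgexit() still runs on the cached copy afterwards). A short comment above the block saying that the bitmap snapshot is not a snapshot of the values would stop the next reader from assuming otherwise.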
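Review bot: kvm_ghcb_get_##field() in the svm.h hunk is a single READ_ONCE() and nothing more, so the "exactly once" in the subject holds only as long as each caller invokes a given getter once per VMGEXIT; the sev.c hunk does (each field is fetched once, and sw_exit_code is split into exit_code/exit_code_hi from that one u64 read), but nothing enforces it for future callers. A one-line comment on the macro, e.g. "read once, then validate the local copy; never re-read to compare", would document the rule the changelog states. Style nit: kvm_ghcb_##field##_is_valid() takes a const svm and then casts the bitmap to (unsigned long *); (const unsigned long *) is sufficient for test_bit().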
Date: Fri, 19 Sep 2025 15:32:10 -0700
Message-ID: <20250919223258.1604852-4-seanjc@google.com>
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
Subject: [PATCH v16 03/51] KVM: SEV: Validate XCR0 provided by guest in GHCB
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li

Use __kvm_set_xcr() to propagate XCR0 changes from the GHCB to KVM's software model in order to validate the new XCR0 against KVM's view of the supported XCR0.

Allowing garbage is thankfully mostly benign, as kvm_load_{guest,host}_xsave_state() bail early for vCPUs with protected state, xstate_required_size() will simply provide garbage back to the guest, and attempting to save/restore the bad value via KVM_{G,S}ET_XCRS will only harm the guest (setting XCR0 will fail). However, allowing the guest to put junk into a field that KVM assumes is valid is a CVE waiting to happen.

And as a bonus, using the proper API eliminates the ugly open coding of setting arch.cpuid_dynamic_bits_dirty.

Simply ignore bad values, as either the guest managed to get an unsupported value into hardware, or the guest is misbehaving and providing pure garbage. In either case, KVM can't fix the broken guest.

Note, using __kvm_set_xcr() also avoids recomputing dynamic CPUID bits if XCR0 isn't actually changing (relative to KVM's previous snapshot).

Cc: Tom Lendacky
Fixes: 291bd20d5d88 ("KVM: SVM: Add initial support for a VMGEXIT VMEXIT")
Reviewed-by: Tom Lendacky
Signed-off-by: Sean Christopherson
---
 arch/x86/include/asm/kvm_host.h | 1 +
 arch/x86/kvm/svm/sev.c          | 6 ++----
 arch/x86/kvm/x86.c              | 3 ++-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index 17772513b9cc..8695967b7a31 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -2209,6 +2209,7 @@ int kvm_set_dr(struct kvm_vcpu *vcpu, int dr, unsigne= d long val); unsigned long kvm_get_dr(struct kvm_vcpu *vcpu, int dr); unsigned long kvm_get_cr8(struct kvm_vcpu *vcpu); void kvm_lmsw(struct kvm_vcpu *vcpu, unsigned long msw); +int __kvm_set_xcr(struct kvm_vcpu *vcpu, u32 index, u64 xcr); int kvm_emulate_xsetbv(struct kvm_vcpu *vcpu); =20 int kvm_get_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr); diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 8d057dbd8a71..85e84bb1a368 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -3351,10 +3351,8 @@ static void sev_es_sync_from_ghcb(struct vcpu_svm *s= vm) =20 svm->vmcb->save.cpl =3D kvm_ghcb_get_cpl_if_valid(svm); =20 - if (kvm_ghcb_xcr0_is_valid(svm)) { - vcpu->arch.xcr0 =3D kvm_ghcb_get_xcr0(svm); - vcpu->arch.cpuid_dynamic_bits_dirty =3D true; - } + if (kvm_ghcb_xcr0_is_valid(svm)) + __kvm_set_xcr(vcpu, 0, kvm_ghcb_get_xcr0(svm)); =20 /* Copy the GHCB exit information into the VMCB fields */ exit_code =3D kvm_ghcb_get_sw_exit_code(svm); diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index e07936efacd4..55044d6680c8 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -1235,7 +1235,7 @@ static inline u64 kvm_guest_supported_xfd(struct kvm_= vcpu *vcpu) } #endif =20 -static int __kvm_set_xcr(struct kvm_vcpu *vcpu, u32 index, u64 xcr) +int __kvm_set_xcr(struct kvm_vcpu *vcpu, u32 index, u64 xcr) { u64 xcr0 =3D xcr; u64 old_xcr0 =3D vcpu->arch.xcr0; 
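Review bot: the sev.c hunk drops the return value of __kvm_set_xcr() on purpose (the changelog says bad values are simply ignored), but nothing at the call site says so, and an int-returning setter with an unchecked result reads like a missed error check. Either an explicit (void) cast or a two-line comment ("an unsupported XCR0 means the guest is already broken; ignore it rather than propagate garbage into KVM's state") would record the intent. Note also that this removes the only direct write of vcpu->arch.cpuid_dynamic_bits_dirty from this path; the x86.c hunk below shows __kvm_set_xcr() setting that flag itself, which is the behaviour the changelog asks for.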
@@ -1279,6 +1279,7 @@ static int __kvm_set_xcr(struct kvm_vcpu *vcpu, u32 i= ndex, u64 xcr) vcpu->arch.cpuid_dynamic_bits_dirty =3D true; return 0; } +EXPORT_SYMBOL_GPL(__kvm_set_xcr); =20 int kvm_emulate_xsetbv(struct kvm_vcpu *vcpu) { --=20 2.51.0.470.ga7dc726c21-goog From nobody Thu Oct 2 06:18:00 2025 Received: from mail-pj1-f74.google.com (mail-pj1-f74.google.com [209.85.216.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D27AF2D8DA6 for ; Fri, 19 Sep 2025 22:33:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.74 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758321192; cv=none; b=LOflYc1Ga7PEoyygPiCHHh7wusLUyaD9gc0qgI5xLt6I/3SpdU747ebGkh0vGYjDk+bQIIEfze3DLsD19QMHla4XNluq7Wc7Edm9niNkIZcgzXtjAI27ys+ZLc76B+N2r/f+DhbZNV7+ROvUECB7NEyrvHH0OyyF1yGW/pMTF4U= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758321192; c=relaxed/simple; bh=enmPjhM/d54x63EfajDrrNyPeLQbHVtmoiyg/AZqYog=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=M8TZ+jMzRFIQajphKrevfXm4c5pdALvYySKpTKteQled4XgZMduuJpfAQzlC4xCX57wcU2nmiRHg17V2DhLveKyNZbPPr//R2V4qhREL1qBGBAWm8W1sNsleYFUwW7UoVM6eghi2EZkNqDYaLWcdHL8a1ueKgsOwD9f015n+lPI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=Y1al3ZqI; arc=none smtp.client-ip=209.85.216.74 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com 
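Review bot: the kvm_host.h and x86.c hunks promote __kvm_set_xcr() to a cross-module API (EXPORT_SYMBOL_GPL is needed because sev.c is built into kvm-amd, not kvm) while the declaration carries no comment on its contract: which index values are accepted, what a non-zero return means, and that the caller is expected to decide how to handle rejection. Since the only new caller deliberately ignores the return value, a kerneldoc block on the definition, or at least a one-liner at the declaration next to kvm_emulate_xsetbv(), would tell the next out-of-file caller what it may assume; the double-underscore name signals a lower-level helper than kvm_emulate_xsetbv(), and the comment should say what "lower level" leaves to the caller.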
Date: Fri, 19 Sep 2025 15:32:11 -0700
Message-ID: <20250919223258.1604852-5-seanjc@google.com>
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
Subject: [PATCH v16 04/51] KVM: x86: Introduce KVM_{G,S}ET_ONE_REG uAPIs support
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li

From: Yang Weijiang

Enable KVM_{G,S}ET_ONE_REG uAPIs so that userspace can access MSRs and other non-MSR registers through them, along with support for KVM_GET_REG_LIST to enumerate support for KVM-defined registers.

This is in preparation for allowing userspace to read/write the guest SSP register, which is needed for the upcoming CET virtualization support.

Currently, two types of registers are supported: KVM_X86_REG_TYPE_MSR and KVM_X86_REG_TYPE_KVM. All MSRs are in the former type; the latter type is added for registers that lack existing KVM uAPIs to access them.

The "KVM" in the name is intended to be vague to give KVM flexibility to include other potential registers. More precise names like "SYNTHETIC" and "SYNTHETIC_MSR" were considered, but were deemed too confusing (e.g. can be conflated with synthetic guest-visible MSRs) and may put KVM into a corner (e.g. if KVM wants to change how a KVM-defined register is modeled internally).

Enumerate only KVM-defined registers in KVM_GET_REG_LIST to avoid duplicating KVM_GET_MSR_INDEX_LIST, and so that KVM can return _only_ registers that are fully supported (KVM_GET_REG_LIST is vCPU-scoped, i.e. can be precise, whereas KVM_GET_MSR_INDEX_LIST is system-scoped).

Suggested-by: Sean Christopherson
Signed-off-by: Yang Weijiang
Link: https://lore.kernel.org/all/20240219074733.122080-18-weijiang.yang@intel.com [1]
Tested-by: Mathias Krause
Tested-by: John Allen
Tested-by: Rick Edgecombe
Signed-off-by: Chao Gao
Reviewed-by: Binbin Wu
Reviewed-by: Xiaoyao Li
Co-developed-by: Sean Christopherson
Signed-off-by: Sean Christopherson
---
 Documentation/virt/kvm/api.rst  |   6 +-
 arch/x86/include/uapi/asm/kvm.h |  26 +++++++++
 arch/x86/kvm/x86.c              | 100 ++++++++++++++++++++++++++++++++
 3 files changed, 131 insertions(+), 1 deletion(-)

diff --git a/Documentation/virt/kvm/api.rst b/Documentation/virt/kvm/api.rst
index ffc350b649ad..abd02675a24d 100644
--- a/Documentation/virt/kvm/api.rst
+++ b/Documentation/virt/kvm/api.rst
@@ -2908,6 +2908,8 @@ such as set vcpu counter or reset vcpu, and they have= the following id bit patte =20 0x9030 0000 0002 =20 +x86 MSR registers have the following id bit patterns:: + 0x2030 0002 =20 4.69 KVM_GET_ONE_REG -------------------- @@ -3588,7 +3590,7 @@ VCPU matching underlying host. --------------------- =20 :Capability: basic -:Architectures: arm64, mips, riscv +:Architectures: arm64, mips, riscv, x86 (if KVM_CAP_ONE_REG) :Type: vcpu ioctl :Parameters: struct kvm_reg_list (in/out) :Returns: 0 on success; -1 on error @@ -3631,6 +3633,8 @@ Note that s390 does not support KVM_GET_REG_LIST for = historical reasons =20 - KVM_REG_S390_GBEA =20 +Note, for x86, all MSRs enumerated by KVM_GET_MSR_INDEX_LIST are supported= as +type KVM_X86_REG_TYPE_MSR, but are NOT enumerated via KVM_GET_REG_LIST. =20 4.85 KVM_ARM_SET_DEVICE_ADDR (deprecated) ----------------------------------------- diff --git a/arch/x86/include/uapi/asm/kvm.h b/arch/x86/include/uapi/asm/kv= m.h index 0f15d683817d..aae1033c8afa 100644 --- a/arch/x86/include/uapi/asm/kvm.h +++ b/arch/x86/include/uapi/asm/kvm.h @@ -411,6 +411,32 @@ struct kvm_xcrs { __u64 padding[16]; }; =20 +#define KVM_X86_REG_TYPE_MSR 2 +#define KVM_X86_REG_TYPE_KVM 3 + +#define KVM_X86_KVM_REG_SIZE(reg) \ +({ \ + reg =3D=3D KVM_REG_GUEST_SSP ? KVM_REG_SIZE_U64 : 0; \ +}) + +#define KVM_X86_REG_TYPE_SIZE(type, reg) \ +({ \ + __u64 type_size =3D (__u64)type << 32; \ + \ + type_size |=3D type =3D=3D KVM_X86_REG_TYPE_MSR ? KVM_REG_SIZE_U64 : \ + type =3D=3D KVM_X86_REG_TYPE_KVM ? KVM_X86_KVM_REG_SIZE(reg) : \ + 0; \ + type_size; \ +}) + +#define KVM_X86_REG_ID(type, index) \ + (KVM_REG_X86 | KVM_X86_REG_TYPE_SIZE(type, index) | index) + +#define KVM_X86_REG_MSR(index) \ + KVM_X86_REG_ID(KVM_X86_REG_TYPE_MSR, index) +#define KVM_X86_REG_KVM(index) \ + KVM_X86_REG_ID(KVM_X86_REG_TYPE_KVM, index) + #define KVM_SYNC_X86_REGS (1UL << 0) #define KVM_SYNC_X86_SREGS (1UL << 1) #define KVM_SYNC_X86_EVENTS (1UL << 2) 
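Review bot: in the uapi hunk, KVM_X86_KVM_REG_SIZE() compares against KVM_REG_GUEST_SSP, which this patch does not define, so any userspace that expands KVM_X86_REG_KVM() against this header fails to compile until the later patch adds the SSP register; moving the SSP case (or the whole KVM_X86_KVM_REG_SIZE macro) into the patch that introduces KVM_REG_GUEST_SSP keeps the series bisectable for header consumers. The macro parameters are also used unparenthesized (decoded from the quoted-printable: `reg == KVM_REG_GUEST_SSP`, `(__u64)type << 32`, `| index`), so an argument such as `a | b` binds wrongly; wrap each use in parentheses. On the api.rst side only the 0x2030 0002 MSR pattern is documented; the KVM_X86_REG_TYPE_KVM encoding (type 3) has no entry, which is acceptable while kvm_translate_kvm_reg() rejects everything but should be added alongside the first KVM-defined register.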
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 55044d6680c8..4ed25d33aaee 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -4735,6 +4735,7 @@ int kvm_vm_ioctl_check_extension(struct kvm *kvm, lon= g ext) case KVM_CAP_IRQFD_RESAMPLE: case KVM_CAP_MEMORY_FAULT_INFO: case KVM_CAP_X86_GUEST_MODE: + case KVM_CAP_ONE_REG: r =3D 1; break; case KVM_CAP_PRE_FAULT_MEMORY: 
@@ -5913,6 +5914,98 @@ static int kvm_vcpu_ioctl_enable_cap(struct kvm_vcpu= *vcpu, } } =20 +struct kvm_x86_reg_id { + __u32 index; + __u8 type; + __u8 rsvd1; + __u8 rsvd2:4; + __u8 size:4; + __u8 x86; +}; + +static int kvm_translate_kvm_reg(struct kvm_x86_reg_id *reg) +{ + return -EINVAL; +} + +static int kvm_get_one_msr(struct kvm_vcpu *vcpu, u32 msr, u64 __user *use= r_val) +{ + u64 val; + + if (do_get_msr(vcpu, msr, &val)) + return -EINVAL; + + if (put_user(val, user_val)) + return -EFAULT; + + return 0; +} + +static int kvm_set_one_msr(struct kvm_vcpu *vcpu, u32 msr, u64 __user *use= r_val) +{ + u64 val; + + if (get_user(val, user_val)) + return -EFAULT; + + if (do_set_msr(vcpu, msr, &val)) + return -EINVAL; + + return 0; +} + +static int kvm_get_set_one_reg(struct kvm_vcpu *vcpu, unsigned int ioctl, + void __user *argp) +{ + struct kvm_one_reg one_reg; + struct kvm_x86_reg_id *reg; + u64 __user *user_val; + int r; + + if (copy_from_user(&one_reg, argp, sizeof(one_reg))) + return -EFAULT; + + if ((one_reg.id & KVM_REG_ARCH_MASK) !=3D KVM_REG_X86) + return -EINVAL; + + reg =3D (struct kvm_x86_reg_id *)&one_reg.id; + if (reg->rsvd1 || reg->rsvd2) + return -EINVAL; + + if (reg->type =3D=3D KVM_X86_REG_TYPE_KVM) { + r =3D kvm_translate_kvm_reg(reg); + if (r) + return r; + } + + if (reg->type !=3D KVM_X86_REG_TYPE_MSR) + return -EINVAL; + + if ((one_reg.id & KVM_REG_SIZE_MASK) !=3D KVM_REG_SIZE_U64) + return -EINVAL; + + guard(srcu)(&vcpu->kvm->srcu); + + user_val =3D u64_to_user_ptr(one_reg.addr); + if (ioctl =3D=3D KVM_GET_ONE_REG) + r =3D kvm_get_one_msr(vcpu, reg->index, user_val); + else + r =3D kvm_set_one_msr(vcpu, reg->index, user_val); + + return r; +} + +static int kvm_get_reg_list(struct kvm_vcpu *vcpu, + struct kvm_reg_list __user *user_list) +{ + u64 nr_regs =3D 0; + + if (put_user(nr_regs, &user_list->n)) + return -EFAULT; + + return 0; +} + long kvm_arch_vcpu_ioctl(struct file *filp, unsigned int ioctl, unsigned long arg) { 
@@ -6029,6 +6122,13 @@ long kvm_arch_vcpu_ioctl(struct file *filp, srcu_read_unlock(&vcpu->kvm->srcu, idx); break; } + case KVM_GET_ONE_REG: + case KVM_SET_ONE_REG: + r =3D kvm_get_set_one_reg(vcpu, ioctl, argp); + break; + case KVM_GET_REG_LIST: + r =3D kvm_get_reg_list(vcpu, argp); + break; case KVM_TPR_ACCESS_REPORTING: { struct kvm_tpr_access_ctl tac; =20
-- 
2.51.0.470.ga7dc726c21-goog
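Review bot: in the uapi/asm/kvm.h hunk, KVM_X86_KVM_REG_SIZE() references KVM_REG_GUEST_SSP, which this patch never defines (the diffstat covers only api.rst, kvm.h and x86.c, and no hunk adds that symbol), so any userspace that includes the header and expands KVM_X86_REG_KVM() fails to compile until the SSP register lands in a later patch; either define the id here or add the SSP case together with its definition. Two smaller points on the same macros: `reg` in `reg =3D=3D KVM_REG_GUEST_SSP` is used unparenthesized, and the `({ ... })` statement-expression form is a GNU extension that is unusual in a uapi header; a plain conditional expression would serve the same purpose. The api.rst hunk also documents only the MSR id pattern (`0x2030 0002`) although the header defines KVM_X86_REG_TYPE_KVM as well, so the KVM-defined register pattern should be documented alongside it.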
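Review bot: in kvm_get_set_one_reg(), the control flow after `kvm_translate_kvm_reg()` only works if translation rewrites `reg->type` to KVM_X86_REG_TYPE_MSR (and `reg->index` to the backing MSR), because the very next check rejects anything that is not an MSR; with the translator stubbed to return -EINVAL that contract is invisible, so a one-line comment on the fall-through would help. Likewise kvm_get_reg_list() writes `n = 0` without ever reading the caller-supplied `n`, which is fine while no KVM-defined registers exist, but the api.rst hunk marks `struct kvm_reg_list` as in/out, so a comment that the length negotiation is deferred until registers are actually enumerated would stop the stub from being copied as-is. Finally, kvm_get_one_msr() and kvm_set_one_msr() both collapse a do_{get,set}_msr() failure into -EINVAL, which hides the difference between an unsupported MSR and a rejected value from userspace.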
Date: Fri, 19 Sep 2025 15:32:12 -0700
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
Message-ID: <20250919223258.1604852-6-seanjc@google.com>
Subject: [PATCH v16 05/51] KVM: x86: Report XSS as to-be-saved if there are supported features
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li

Add MSR_IA32_XSS to the list of MSRs reported to userspace if supported_xss is non-zero, i.e. KVM supports at least one XSS based feature.

Before enabling the CET virtualization series, guest IA32_MSR_XSS is guaranteed to be 0, i.e., XSAVES/XRSTORS is executed in non-root mode with XSS == 0, which equals the effect of XSAVE/XRSTOR.

Signed-off-by: Yang Weijiang
Reviewed-by: Maxim Levitsky
Reviewed-by: Chao Gao
Tested-by: Mathias Krause
Tested-by: John Allen
Tested-by: Rick Edgecombe
Reviewed-by: Xiaoyao Li
Signed-off-by: Chao Gao
Reviewed-by: Binbin Wu
Signed-off-by: Sean Christopherson
---
 arch/x86/kvm/x86.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 4ed25d33aaee..d202d9532eb2 100644
--- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -332,7 +332,7 @@ static const u32 msrs_to_save_base[] =3D { MSR_IA32_RTIT_ADDR3_A, MSR_IA32_RTIT_ADDR3_B, MSR_IA32_UMWAIT_CONTROL, =20 - MSR_IA32_XFD, MSR_IA32_XFD_ERR, + MSR_IA32_XFD, MSR_IA32_XFD_ERR, MSR_IA32_XSS, }; =20 static const u32 msrs_to_save_pmu[] =3D { 
@@ -7503,6 +7503,10 @@ static void kvm_probe_msr_to_save(u32 msr_index) if (!(kvm_get_arch_capabilities() & ARCH_CAP_TSX_CTRL_MSR)) return; break; + case MSR_IA32_XSS: + if (!kvm_caps.supported_xss) + return; + break; default: break; }
-- 
2.51.0.470.ga7dc726c21-goog
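Review bot: the new `case MSR_IA32_XSS` in kvm_probe_msr_to_save() gates reporting on kvm_caps.supported_xss, which nothing in this patch populates (patch 08 of the series assigns it in kvm_x86_vendor_init()), so as of this patch MSR_IA32_XSS is added to msrs_to_save_base but is still filtered out of KVM_GET_MSR_INDEX_LIST; that matches the commit message, but it means the later patch is only effective if the supported_xss assignment runs before the MSR list is probed, and that ordering dependency deserves a short comment on the case.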
Date: Fri, 19 Sep 2025 15:32:13 -0700
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
Message-ID: <20250919223258.1604852-7-seanjc@google.com>
Subject: [PATCH v16 06/51] KVM: x86: Check XSS validity against guest CPUIDs
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li

From: Chao Gao

Maintain per-guest valid XSS bits and check XSS validity against them rather than against KVM capabilities. This is to prevent bits that are supported by KVM but not supported for a guest from being set.

Opportunistically return KVM_MSR_RET_UNSUPPORTED on IA32_XSS MSR accesses if guest CPUID doesn't enumerate X86_FEATURE_XSAVES. Since KVM_MSR_RET_UNSUPPORTED takes care of host_initiated cases, drop the host_initiated check.

Signed-off-by: Chao Gao
Reviewed-by: Xiaoyao Li
Reviewed-by: Binbin Wu
Signed-off-by: Sean Christopherson
---
 arch/x86/include/asm/kvm_host.h |  3 ++-
 arch/x86/kvm/cpuid.c            | 12 ++++++++++++
 arch/x86/kvm/x86.c              |  7 +++----
 3 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index 8695967b7a31..7a7e6356a8dd 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -815,7 +815,6 @@ struct kvm_vcpu_arch { bool at_instruction_boundary; bool tpr_access_reporting; bool xfd_no_write_intercept; - u64 ia32_xss; u64 microcode_version; u64 arch_capabilities; u64 perf_capabilities; @@ -876,6 +875,8 @@ struct kvm_vcpu_arch { =20 u64 xcr0; u64 guest_supported_xcr0; + u64 ia32_xss; + u64 guest_supported_xss; =20 struct kvm_pio_request pio; void *pio_data; diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c index efee08fad72e..6b8b5d8b13cc 100644 --- a/arch/x86/kvm/cpuid.c +++ b/arch/x86/kvm/cpuid.c @@ -263,6 +263,17 @@ static u64 cpuid_get_supported_xcr0(struct kvm_vcpu *v= cpu) return (best->eax | ((u64)best->edx << 32)) & kvm_caps.supported_xcr0; } =20 +static u64 cpuid_get_supported_xss(struct kvm_vcpu *vcpu) +{ + struct kvm_cpuid_entry2 *best; + + best =3D kvm_find_cpuid_entry_index(vcpu, 0xd, 1); + if (!best) + return 0; + + return (best->ecx | ((u64)best->edx << 32)) & kvm_caps.supported_xss; +} + static __always_inline void kvm_update_feature_runtime(struct kvm_vcpu *vc= pu, struct kvm_cpuid_entry2 *entry, unsigned int x86_feature, @@ -424,6 +435,7 @@ void kvm_vcpu_after_set_cpuid(struct kvm_vcpu *vcpu) } =20 vcpu->arch.guest_supported_xcr0 =3D cpuid_get_supported_xcr0(vcpu); + vcpu->arch.guest_supported_xss =3D cpuid_get_supported_xss(vcpu); =20 vcpu->arch.pv_cpuid.features =3D kvm_apply_cpuid_pv_features_quirk(vcpu); =20 diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index d202d9532eb2..d4c192f4c06f 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c 
@@ -3984,15 +3984,14 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struc= t msr_data *msr_info) } break; case MSR_IA32_XSS: - if (!msr_info->host_initiated && - !guest_cpuid_has(vcpu, X86_FEATURE_XSAVES)) - return 1; + if (!guest_cpuid_has(vcpu, X86_FEATURE_XSAVES)) + return KVM_MSR_RET_UNSUPPORTED; /* * KVM supports exposing PT to the guest, but does not support * IA32_XSS[bit 8]. Guests have to use RDMSR/WRMSR rather than * XSAVES/XRSTORS to save/restore PT MSRs. */ - if (data & ~kvm_caps.supported_xss) + if (data & ~vcpu->arch.guest_supported_xss) return 1; vcpu->arch.ia32_xss =3D data; vcpu->arch.cpuid_dynamic_bits_dirty =3D true;
-- 
2.51.0.470.ga7dc726c21-goog
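Review bot: in the cpuid.c hunk, cpuid_get_supported_xss() reads CPUID.(EAX=0xD, ECX=1).ECX:EDX, whereas the neighbouring cpuid_get_supported_xcr0() shown as context reads EAX:EDX of sub-leaf 0; because the two functions are otherwise identical, a comment stating that sub-leaf 1 reports the supported IA32_XSS bits in ECX:EDX would stop a future reader from "fixing" ecx to eax. Separately, the commit message says KVM_MSR_RET_UNSUPPORTED is returned on IA32_XSS "accesses", but the x86.c diffstat (3 insertions, 4 deletions) is fully accounted for by the kvm_set_msr_common() hunk, so only writes change behaviour here; either the read path needs the same XSAVES check or the message should say writes.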
Date: Fri, 19 Sep 2025 15:32:14 -0700
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
Message-ID: <20250919223258.1604852-8-seanjc@google.com>
Subject: [PATCH v16 07/51] KVM: x86: Refresh CPUID on write to guest MSR_IA32_XSS
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li
From: Yang Weijiang

Update CPUID.(EAX=0DH,ECX=1).EBX to reflect the current required xstate size due to XSS MSR modification. CPUID(EAX=0DH,ECX=1).EBX reports the required storage size of all enabled xstate features in (XCR0 | IA32_XSS). The CPUID value can be used by the guest before allocating a sufficient xsave buffer.

Note, KVM does not yet support any XSS based features, i.e. supported_xss is guaranteed to be zero at this time.

Opportunistically skip CPUID updates if the XSS value doesn't change.

Suggested-by: Sean Christopherson
Co-developed-by: Zhang Yi Z
Signed-off-by: Zhang Yi Z
Signed-off-by: Yang Weijiang
Reviewed-by: Maxim Levitsky
Reviewed-by: Chao Gao
Reviewed-by: Xiaoyao Li
Tested-by: Mathias Krause
Tested-by: John Allen
Tested-by: Rick Edgecombe
Signed-off-by: Chao Gao
Reviewed-by: Binbin Wu
Signed-off-by: Sean Christopherson
---
 arch/x86/kvm/cpuid.c | 3 ++-
 arch/x86/kvm/x86.c   | 2 ++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
index 6b8b5d8b13cc..32fde9e80c28 100644
--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -316,7 +316,8 @@ static void kvm_update_cpuid_runtime(struct kvm_vcpu *v= cpu) best =3D kvm_find_cpuid_entry_index(vcpu, 0xD, 1); if (best && (cpuid_entry_has(best, X86_FEATURE_XSAVES) || cpuid_entry_has(best, X86_FEATURE_XSAVEC))) - best->ebx =3D xstate_required_size(vcpu->arch.xcr0, true); + best->ebx =3D xstate_required_size(vcpu->arch.xcr0 | + vcpu->arch.ia32_xss, true); } =20 static bool kvm_cpuid_has_hyperv(struct kvm_vcpu *vcpu)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index d4c192f4c06f..c87ed216f72a 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -3993,6 +3993,8 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct = msr_data *msr_info) */ if (data & ~vcpu->arch.guest_supported_xss) return 1; + if (vcpu->arch.ia32_xss =3D=3D data) + break; vcpu->arch.ia32_xss =3D data; vcpu->arch.cpuid_dynamic_bits_dirty =3D true; break;
-- 
2.51.0.470.ga7dc726c21-goog
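Review bot: the early `break` when `vcpu->arch.ia32_xss == data` sits below the guest_supported_xss reserved-bit check, so it cannot be used to skip validation, which is the right order; but because it also skips setting cpuid_dynamic_bits_dirty, the cpuid.c change that folds ia32_xss into the sub-leaf 1 EBX size is only re-evaluated on an actual value change, and a short comment ("unchanged, CPUID already reflects this value") would make that intent explicit. In the cpuid.c hunk the `true` (compacted-format) argument to xstate_required_size() is unchanged and remains correct for sub-leaf 1, which describes the XSAVES/XSAVEC compacted layout of everything enabled in XCR0 | IA32_XSS.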
Date: Fri, 19 Sep 2025 15:32:15 -0700
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
Message-ID: <20250919223258.1604852-9-seanjc@google.com>
Subject: [PATCH v16 08/51] KVM: x86: Initialize kvm_caps.supported_xss
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li

From: Yang Weijiang

Set the original kvm_caps.supported_xss to (host_xss & KVM_SUPPORTED_XSS) if XSAVES is supported. host_xss contains the host supported xstate feature bits for thread FPU context switch; KVM_SUPPORTED_XSS includes all KVM enabled XSS feature bits. The resulting value represents the supervisor xstates that are available to the guest and are backed by the host FPU framework for swapping {guest,host} XSAVE-managed registers/MSRs.

[sean: relocate and enhance comment about PT / XSS[8] ]

Signed-off-by: Yang Weijiang
Reviewed-by: Maxim Levitsky
Reviewed-by: Chao Gao
Tested-by: Mathias Krause
Tested-by: John Allen
Tested-by: Rick Edgecombe
Reviewed-by: Xiaoyao Li
Signed-off-by: Chao Gao
Reviewed-by: Binbin Wu
Signed-off-by: Sean Christopherson
---
 arch/x86/kvm/x86.c | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index c87ed216f72a..3e66d8c5000a 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -217,6 +217,14 @@ static struct kvm_user_return_msrs __percpu *user_retu= rn_msrs; | XFEATURE_MASK_BNDCSR | XFEATURE_MASK_AVX512 \ | XFEATURE_MASK_PKRU | XFEATURE_MASK_XTILE) =20 +/* + * Note, KVM supports exposing PT to the guest, but does not support conte= xt + * switching PT via XSTATE (KVM's PT virtualization relies on perf; swappi= ng + * PT via guest XSTATE would clobber perf state), i.e. KVM doesn't support + * IA32_XSS[bit 8] (guests can/must use RDMSR/WRMSR to save/restore PT MSR= s). + */ +#define KVM_SUPPORTED_XSS 0 + bool __read_mostly allow_smaller_maxphyaddr =3D 0; EXPORT_SYMBOL_GPL(allow_smaller_maxphyaddr); =20 @@ -3986,11 +3994,7 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct= msr_data *msr_info) case MSR_IA32_XSS: if (!guest_cpuid_has(vcpu, X86_FEATURE_XSAVES)) return KVM_MSR_RET_UNSUPPORTED; - /* - * KVM supports exposing PT to the guest, but does not support - * IA32_XSS[bit 8]. Guests have to use RDMSR/WRMSR rather than - * XSAVES/XRSTORS to save/restore PT MSRs. - */ + if (data & ~vcpu->arch.guest_supported_xss) return 1; if (vcpu->arch.ia32_xss =3D=3D data) 
@@ -9822,14 +9826,17 @@ int kvm_x86_vendor_init(struct kvm_x86_init_ops *op= s) kvm_host.xcr0 =3D xgetbv(XCR_XFEATURE_ENABLED_MASK); kvm_caps.supported_xcr0 =3D kvm_host.xcr0 & KVM_SUPPORTED_XCR0; } + + if (boot_cpu_has(X86_FEATURE_XSAVES)) { + rdmsrq(MSR_IA32_XSS, kvm_host.xss); + kvm_caps.supported_xss =3D kvm_host.xss & KVM_SUPPORTED_XSS; + } + kvm_caps.supported_quirks =3D KVM_X86_VALID_QUIRKS; kvm_caps.inapplicable_quirks =3D KVM_X86_CONDITIONAL_QUIRKS; =20 rdmsrq_safe(MSR_EFER, &kvm_host.efer); =20 - if (boot_cpu_has(X86_FEATURE_XSAVES)) - rdmsrq(MSR_IA32_XSS, kvm_host.xss); - kvm_init_pmu_capability(ops->pmu_ops); =20 if (boot_cpu_has(X86_FEATURE_ARCH_CAPABILITIES))
-- 
2.51.0.470.ga7dc726c21-goog
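Review bot: in the kvm_x86_vendor_init() hunk, supported_xss is masked with the host's own IA32_XSS value, so a supervisor state that the host kernel has not enabled for itself is never offered to guests even once KVM_SUPPORTED_XSS grows beyond 0; that is the dependency on the host FPU framework described in the commit message and is worth a comment next to the assignment, since a reader may otherwise expect KVM_SUPPORTED_XSS alone to decide. With KVM_SUPPORTED_XSS defined as 0 the computed value is always 0 for now, so there is no behaviour change yet, as the message says. Minor: the kvm_set_msr_common() hunk that deletes the PT comment leaves an empty `+` line between `return KVM_MSR_RET_UNSUPPORTED;` and the guest_supported_xss check, which reads as a leftover rather than intentional spacing.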
Date: Fri, 19 Sep 2025 15:32:16 -0700
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
References: <20250919223258.1604852-1-seanjc@google.com>
Message-ID: <20250919223258.1604852-10-seanjc@google.com>
Subject: [PATCH v16 09/51] KVM: x86: Load guest FPU state when access XSAVE-managed MSRs
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li

Load the guest's FPU state if userspace is accessing MSRs whose values are
managed by XSAVES. Introduce two helpers, kvm_{get,set}_xstate_msr(), to
facilitate access to such MSRs.

If MSRs supported in kvm_caps.supported_xss are passed through to the guest,
the guest MSRs are swapped with the host's before the vCPU exits to userspace
and after it re-enters the kernel before the next VM-entry.

Because the modified code is also used for the KVM_GET_MSRS device ioctl(),
explicitly check @vcpu is non-null before attempting to load guest state.
The XSAVE-managed MSRs cannot be retrieved via the device ioctl() without
loading guest FPU state (which doesn't exist).

Note that guest_cpuid_has() is not queried as host userspace is allowed to
access MSRs that have not been exposed to the guest, e.g. it might do
KVM_SET_MSRS prior to KVM_SET_CPUID2.

The two helpers are put here in order to manifest that accessing
XSAVE-managed MSRs requires special checks and handling to guarantee the
correctness of reads/writes to the MSRs.

Co-developed-by: Yang Weijiang
Signed-off-by: Yang Weijiang
Reviewed-by: Maxim Levitsky
Tested-by: Mathias Krause
Tested-by: John Allen
Tested-by: Rick Edgecombe
Signed-off-by: Chao Gao
[sean: drop S_CET, add big comment, move accessors to x86.c]
Reviewed-by: Binbin Wu
Reviewed-by: Xiaoyao Li
Reviewed-by: Xin Li (Intel)
Signed-off-by: Sean Christopherson
---
 arch/x86/kvm/x86.c | 87 +++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 86 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 3e66d8c5000a..ae402463f991 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -136,6 +136,9 @@ static int __set_sregs2(struct kvm_vcpu *vcpu, struct k= vm_sregs2 *sregs2); static void __get_sregs2(struct kvm_vcpu *vcpu, struct kvm_sregs2 *sregs2); =20 static DEFINE_MUTEX(vendor_module_lock); +static void kvm_load_guest_fpu(struct kvm_vcpu *vcpu); +static void kvm_put_guest_fpu(struct kvm_vcpu *vcpu); + struct kvm_x86_ops kvm_x86_ops __read_mostly; =20 #define KVM_X86_OP(func) \ 
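Review bot: the forward declarations of kvm_load_guest_fpu()/kvm_put_guest_fpu() added next to vendor_module_lock exist only because the new callers (__msr_io() and kvm_get_set_one_reg()) sit above the FPU helpers in x86.c; if those helpers are static and short, moving them up (or the new accessors down) avoids adding static prototypes at the top of the file. If the declarations stay, a one-line comment naming the callers that need them saves the next reader a search.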
@@ -3801,6 +3804,67 @@ static void record_steal_time(struct kvm_vcpu *vcpu) mark_page_dirty_in_slot(vcpu->kvm, ghc->memslot, gpa_to_gfn(ghc->gpa)); } =20 +/* + * Returns true if the MSR in question is managed via XSTATE, i.e. is cont= ext + * switched with the rest of guest FPU state. Note! S_CET is _not_ conte= xt + * switched via XSTATE even though it _is_ saved/restored via XSAVES/XRSTO= RS. + * Because S_CET is loaded on VM-Enter and VM-Exit via dedicated VMCS fiel= ds, + * the value saved/restored via XSTATE is always the host's value. That d= etail + * is _extremely_ important, as the guest's S_CET must _never_ be resident= in + * hardware while executing in the host. Loading guest values for U_CET a= nd + * PL[0-3]_SSP while executing in the kernel is safe, as U_CET is specific= to + * userspace, and PL[0-3]_SSP are only consumed when transitioning to lower + * privilegel levels, i.e. are effectively only consumed by userspace as w= ell. + */ +static bool is_xstate_managed_msr(struct kvm_vcpu *vcpu, u32 msr) +{ + if (!vcpu) + return false; + + switch (msr) { + case MSR_IA32_U_CET: + return guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK) || + guest_cpu_cap_has(vcpu, X86_FEATURE_IBT); + case MSR_IA32_PL0_SSP ... MSR_IA32_PL3_SSP: + return guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK); + default: + return false; + } +} + +/* + * Lock (and if necessary, re-load) the guest FPU, i.e. XSTATE, and access= an + * MSR that is managed via XSTATE. Note, the caller is responsible for do= ing + * the initial FPU load, this helper only ensures that guest state is resi= dent + * in hardware (the kernel can load its FPU state in IRQ context). 
+ */ +static __always_inline void kvm_access_xstate_msr(struct kvm_vcpu *vcpu, + struct msr_data *msr_info, + int access) +{ + BUILD_BUG_ON(access !=3D MSR_TYPE_R && access !=3D MSR_TYPE_W); + + KVM_BUG_ON(!is_xstate_managed_msr(vcpu, msr_info->index), vcpu->kvm); + KVM_BUG_ON(!vcpu->arch.guest_fpu.fpstate->in_use, vcpu->kvm); + + kvm_fpu_get(); + if (access =3D=3D MSR_TYPE_R) + rdmsrq(msr_info->index, msr_info->data); + else + wrmsrq(msr_info->index, msr_info->data); + kvm_fpu_put(); +} + +static __maybe_unused void kvm_set_xstate_msr(struct kvm_vcpu *vcpu, struc= t msr_data *msr_info) +{ + kvm_access_xstate_msr(vcpu, msr_info, MSR_TYPE_W); +} + +static __maybe_unused void kvm_get_xstate_msr(struct kvm_vcpu *vcpu, struc= t msr_data *msr_info) +{ + kvm_access_xstate_msr(vcpu, msr_info, MSR_TYPE_R); +} + int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info) { u32 msr =3D msr_info->index; @@ -4551,11 +4615,25 @@ static int __msr_io(struct kvm_vcpu *vcpu, struct k= vm_msrs *msrs, int (*do_msr)(struct kvm_vcpu *vcpu, unsigned index, u64 *data)) { + bool fpu_loaded =3D false; int i; =20 - for (i =3D 0; i < msrs->nmsrs; ++i) + for (i =3D 0; i < msrs->nmsrs; ++i) { + /* + * If userspace is accessing one or more XSTATE-managed MSRs, + * temporarily load the guest's FPU state so that the guest's + * MSR value(s) is resident in hardware and thus can be accessed + * via RDMSR/WRMSR. + */ + if (!fpu_loaded && is_xstate_managed_msr(vcpu, entries[i].index)) { + kvm_load_guest_fpu(vcpu); + fpu_loaded =3D true; + } if (do_msr(vcpu, entries[i].index, &entries[i].data)) break; + } + if (fpu_loaded) + kvm_put_guest_fpu(vcpu); =20 return i; } @@ -5965,6 +6043,7 @@ static int kvm_get_set_one_reg(struct kvm_vcpu *vcpu,= unsigned int ioctl, struct kvm_one_reg one_reg; struct kvm_x86_reg_id *reg; u64 __user *user_val; + bool load_fpu; int r; =20 if (copy_from_user(&one_reg, argp, sizeof(one_reg))) 
@@ -5991,12 +6070,18 @@ static int kvm_get_set_one_reg(struct kvm_vcpu *vcp= u, unsigned int ioctl, =20 guard(srcu)(&vcpu->kvm->srcu); =20 + load_fpu =3D is_xstate_managed_msr(vcpu, reg->index); + if (load_fpu) + kvm_load_guest_fpu(vcpu); + user_val =3D u64_to_user_ptr(one_reg.addr); if (ioctl =3D=3D KVM_GET_ONE_REG) r =3D kvm_get_one_msr(vcpu, reg->index, user_val); else r =3D kvm_set_one_msr(vcpu, reg->index, user_val); =20 + if (load_fpu) + kvm_put_guest_fpu(vcpu); return r; } =20 --=20 2.51.0.470.ga7dc726c21-goog From nobody Thu Oct 2 06:18:00 2025 Received: from mail-pj1-f73.google.com (mail-pj1-f73.google.com [209.85.216.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E39282E0B73 for ; Fri, 19 Sep 2025 22:33:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.73 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758321202; cv=none; b=MGOkWU60LFW6MvI0xF5ARnumW9dnZb98XMIVJGsBeavuOH0ByYdzrqEsnSzumpDWWgotvCsN+mvtKIaroNdVfQDfe4xyCYDg7PEP+hMTL44AXlBsEBGfA2Mx4KRaDTDlXk/WXLpVPGGd2JTO26BYtTMOHOrtk5xCzlS/0znZnIg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758321202; c=relaxed/simple; bh=ez4a0EvjjtyHc093VLzuQLspYqBK0zm6wW8jLJdW4u0=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=HkMR8JGd19iUetEkaXhStySuSz9hxtn+RhGUEien7x6XtRbA+oEHgtkgCKJ0xSCUw7/Ww7K9jksBEfM4rr33YGYRjG1J27622KjfMNwQ8vFM2MeY+PmIZngfWJzEWVuYTH2ARgPmi9PXtKedDG7ASsQjruPdG6dpyqMSgqXRSXg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=FkIrvUcM; arc=none smtp.client-ip=209.85.216.73 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject 
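Review bot: in the @@ -3801 hunk, is_xstate_managed_msr() keys off guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK/IBT), but the commit message says guest CPUID is deliberately not consulted because userspace may do KVM_SET_MSRS before KVM_SET_CPUID2. With the code as written, a KVM_SET_MSRS of MSR_IA32_U_CET before CPUID is set returns false here, kvm_load_guest_fpu() is skipped, and whatever handler later services the MSR must not reach kvm_access_xstate_msr(), whose `KVM_BUG_ON(!is_xstate_managed_msr(vcpu, msr_info->index), vcpu->kvm)` would fire. Either the commit message is stale or the check should be kvm_cpu_cap_has(); state which is intended. Also drop the __maybe_unused on kvm_{get,set}_xstate_msr() in the patch that adds their first caller, so an orphaned helper is not masked.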
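Review bot: in the @@ -4551 hunk the guest FPU is loaded at the first XSTATE-managed MSR and stays loaded until the loop ends, so do_msr() for every later, unrelated MSR in the batch runs with the guest's U_CET and PL[0-3]_SSP resident in hardware. The big comment above is_xstate_managed_msr() is what makes that safe (those registers are only consumed at lower privilege), so reference it from the loop comment, e.g. `/* See is_xstate_managed_msr() for why guest state may stay loaded across the batch. */`; a future entry in that switch would otherwise silently widen what is left loaded while KVM runs in the kernel.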
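Review bot: in the @@ -5991 hunk load_fpu is computed from reg->index before anything visible in the hunk confirms that reg is an MSR-type register; the only callers shown are kvm_get_one_msr()/kvm_set_one_msr(), so this is fine today, but if a non-MSR register type is ever handled in this function, reg->index would be compared against MSR numbers. Either compute load_fpu inside an MSR-only branch or add a short comment that reg->type was already validated above the `guard(srcu)(&vcpu->kvm->srcu);`.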
Date: Fri, 19 Sep 2025 15:32:17 -0700
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
References: <20250919223258.1604852-1-seanjc@google.com>
Message-ID: <20250919223258.1604852-11-seanjc@google.com>
Subject: [PATCH v16 10/51] KVM: x86: Add fault checks for guest CR4.CET setting
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li

From: Yang Weijiang

Check potential faults for CR4.CET setting per Intel SDM requirements. CET
can be enabled if and only if CR0.WP == 1, i.e. setting CR4.CET == 1 faults
if CR0.WP == 0 and setting CR0.WP == 0 fails if CR4.CET == 1.

Signed-off-by: Yang Weijiang
Reviewed-by: Chao Gao
Reviewed-by: Maxim Levitsky
Reviewed-by: Xiaoyao Li
Tested-by: Mathias Krause
Tested-by: John Allen
Tested-by: Rick Edgecombe
Signed-off-by: Chao Gao
Reviewed-by: Binbin Wu
Co-developed-by: Sean Christopherson
Signed-off-by: Sean Christopherson
---
 arch/x86/kvm/x86.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index ae402463f991..d748b1ce1e81 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -1176,6 +1176,9 @@ int kvm_set_cr0(struct kvm_vcpu *vcpu, unsigned long = cr0) (is_64_bit_mode(vcpu) || kvm_is_cr4_bit_set(vcpu, X86_CR4_PCIDE))) return 1; =20 + if (!(cr0 & X86_CR0_WP) && kvm_is_cr4_bit_set(vcpu, X86_CR4_CET)) + return 1; + kvm_x86_call(set_cr0)(vcpu, cr0); =20 kvm_post_set_cr0(vcpu, old_cr0, cr0); 
@@ -1376,6 +1379,9 @@ int kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long = cr4) return 1; } =20 + if ((cr4 & X86_CR4_CET) && !kvm_is_cr0_bit_set(vcpu, X86_CR0_WP)) + return 1; + kvm_x86_call(set_cr4)(vcpu, cr4); =20 kvm_post_set_cr4(vcpu, old_cr4, cr4); --=20 2.51.0.470.ga7dc726c21-goog From nobody Thu Oct 2 06:18:00 2025 Received: from mail-pl1-f201.google.com (mail-pl1-f201.google.com [209.85.214.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C0C2D2E2DC1 for ; Fri, 19 Sep 2025 22:33:22 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758321204; cv=none; b=dKEevfHaPlUTOnoFLEKRu33D3YKAsAo0Dyqej3tYSqdCRREwHKIhDyxJbJzKeg0tH4/r4aOWgJiDfKENfuJIZ4leY68rJVf8SpH3Ux7+nmPhP7nxb6tQEaD2mXQXvlj41fINDkryZtCGVvnx2dQv5wzA1/jj5A6yo21X08hHcfk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758321204; c=relaxed/simple; bh=XDTQ3tmfi6PZrBtBwIXn39EFZb7wdac6Jspf4/pSmcQ=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=rOipXQQGdZMhn7I7hCpdsVY3fCRGJqErsl2eeKCFtBZMkdrZILNEqLBtb8s0ErGXX9M8/b5IMGbckJBWvhjqY361eYJSDheIicN1n9JMIwsW2wqUsDtq1C75PhXeFziSEFBNLu0jcfcUmBr9lcdixuBqbnW8ElnXo/HyXCd/dpo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=1CdpEbhi; arc=none smtp.client-ip=209.85.214.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) 
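Review bot: the @@ -1176 hunk rejects clearing CR0.WP while CR4.CET is set, but the rule comes from the SDM rather than from anything nearby in kvm_set_cr0(), so add a one-line comment, e.g. `/* CR4.CET requires CR0.WP; clearing WP with CET set is #GP (SDM). */`. The check also reads the live CR4 via kvm_is_cr4_bit_set(), so any path that loads CR0 and CR4 as a pair through kvm_set_cr0()/kvm_set_cr4() has to order the writes (CR0 first when enabling both, CR4 first when disabling both) or one of them fails; worth confirming that __set_sregs() and the nested VM-entry paths do not call these helpers in the opposite order.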
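Review bot: the @@ -1376 hunk's `(cr4 & X86_CR4_CET) && !kvm_is_cr0_bit_set(vcpu, X86_CR0_WP)` is the mirror of the CR0 check and is correctly placed ahead of kvm_x86_call(set_cr4), but nothing in the source ties the two together; a comment cross-referencing kvm_set_cr0() keeps the invariant (CR4.CET implies CR0.WP) in one place for whoever touches either function next.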
Date: Fri, 19 Sep 2025 15:32:18 -0700
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
References: <20250919223258.1604852-1-seanjc@google.com>
Message-ID: <20250919223258.1604852-12-seanjc@google.com>
Subject: [PATCH v16 11/51] KVM: x86: Report KVM supported CET MSRs as to-be-saved
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li

From: Yang Weijiang

Add CET MSRs to the list of MSRs reported to userspace if the feature, i.e.
IBT or SHSTK, associated with the MSRs is supported by KVM.

Suggested-by: Chao Gao
Signed-off-by: Yang Weijiang
Tested-by: Mathias Krause
Tested-by: John Allen
Tested-by: Rick Edgecombe
Signed-off-by: Chao Gao
Reviewed-by: Binbin Wu
Reviewed-by: Xiaoyao Li
Signed-off-by: Sean Christopherson
---
 arch/x86/kvm/x86.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index d748b1ce1e81..5245b21168cb 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -344,6 +344,10 @@ static const u32 msrs_to_save_base[] =3D { MSR_IA32_UMWAIT_CONTROL, =20 MSR_IA32_XFD, MSR_IA32_XFD_ERR, MSR_IA32_XSS, + + MSR_IA32_U_CET, MSR_IA32_S_CET, + MSR_IA32_PL0_SSP, MSR_IA32_PL1_SSP, MSR_IA32_PL2_SSP, + MSR_IA32_PL3_SSP, MSR_IA32_INT_SSP_TAB, }; =20 static const u32 msrs_to_save_pmu[] =3D { 
@@ -7603,6 +7607,20 @@ static void kvm_probe_msr_to_save(u32 msr_index) if (!kvm_caps.supported_xss) return; break; + case MSR_IA32_U_CET: + case MSR_IA32_S_CET: + if (!kvm_cpu_cap_has(X86_FEATURE_SHSTK) && + !kvm_cpu_cap_has(X86_FEATURE_IBT)) + return; + break; + case MSR_IA32_INT_SSP_TAB: + if (!kvm_cpu_cap_has(X86_FEATURE_LM)) + return; + fallthrough; + case MSR_IA32_PL0_SSP ... MSR_IA32_PL3_SSP: + if (!kvm_cpu_cap_has(X86_FEATURE_SHSTK)) + return; + break; default: break; } --=20 2.51.0.470.ga7dc726c21-goog From nobody Thu Oct 2 06:18:00 2025 Received: from mail-pf1-f201.google.com (mail-pf1-f201.google.com [209.85.210.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 91DC42E54A7 for ; Fri, 19 Sep 2025 22:33:24 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758321206; cv=none; b=hWcS9MCnAbcxPi6H9bRBwDln9P29hSb/YCclh0j3dV53xfOSqtfoRKUAbRvNMCzKYw/1SDNjlp7u4CqHwMqQ4f0HYvLxm2C+IPRdzuOeT7+flqCarMr8hggcuAvp9+UBoaIbRVpxKDivdX0X3I8ePSSXtRbyqKsvjY5Zj1oZMww= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758321206; c=relaxed/simple; bh=ciDUCwc6Ttd5ll3jH+7r+Y8U93IBsxnr6VARfiLxlTM=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=dj0AYtcEcnvcAzhpiQ05hwfQOCpJ5koiTJrtNuJ+4FQUnhFyE6M+J//pzKOjcPd+XA6aQKV6bvEx49YBwr3WFdNxHWikfKhjKqfFaktStFtCQXXtHnkdCBaqedRXCkTqapa0f+EzoNFpfo+k+kWTCj8Tycr8AIx3BpeKVZgq3h0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=hDzXy1hL; arc=none smtp.client-ip=209.85.210.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject 
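Review bot: the @@ -344 hunk adds MSR_IA32_S_CET and MSR_IA32_INT_SSP_TAB to msrs_to_save_base, but patch 09's is_xstate_managed_msr() intentionally excludes both (its comment explains that S_CET is loaded via dedicated VMCS fields and the XSTATE copy is always the host's), so KVM_GET_MSRS/KVM_SET_MSRS on them runs without the guest FPU loaded. That is only correct if their handlers read and write VMCS fields or a cached value, never the hardware MSR; the commit message should say so explicitly, since this list otherwise reads as the full set of XSTATE-backed CET MSRs.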
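Review bot: in the @@ -7603 hunk the MSR_IA32_INT_SSP_TAB arm checks X86_FEATURE_LM and then falls through into the SHSTK check shared with MSR_IA32_PL0_SSP ... MSR_IA32_PL3_SSP; that is the intended two-condition gate, but the fallthrough makes the PL[0-3]_SSP label look LM-gated on a quick read. A comment on the `fallthrough;` line, e.g. `/* INT_SSP_TAB also requires SHSTK */`, makes the dependency explicit.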
Date: Fri, 19 Sep 2025 15:32:19 -0700
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
References: <20250919223258.1604852-1-seanjc@google.com>
Message-ID: <20250919223258.1604852-13-seanjc@google.com>
Subject: [PATCH v16 12/51] KVM: VMX: Introduce CET VMCS fields and control bits
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li
From: Yang Weijiang

Control-flow Enforcement Technology (CET) is a CPU feature used to prevent
Return/CALL/Jump-Oriented Programming (ROP/COP/JOP) attacks. It provides two
sub-features (SHSTK, IBT) to defend against ROP/COP/JOP-style control-flow
subversion attacks.

Shadow Stack (SHSTK):
  A shadow stack is a second stack used exclusively for control transfer
  operations. The shadow stack is separate from the data/normal stack and can
  be enabled individually in user and kernel mode. When the shadow stack is
  enabled, CALL pushes the return address on both the data and shadow stack.
  RET pops the return address from both stacks and compares them. If the
  return addresses from the two stacks do not match, the processor generates
  a #CP.

Indirect Branch Tracking (IBT):
  IBT introduces an instruction (ENDBRANCH) to mark valid target addresses of
  indirect branches (CALL, JMP etc.). If an indirect branch is executed and
  the next instruction is _not_ an ENDBRANCH, the processor generates a #CP.
  These instructions behave as a NOP on platforms that have no CET.

Several new CET MSRs are defined to support CET:
  MSR_IA32_{U,S}_CET: CET settings for {user,supervisor} CET respectively.
  MSR_IA32_PL{0,1,2,3}_SSP: SHSTK pointer linear address for CPL{0,1,2,3}.
  MSR_IA32_INT_SSP_TAB: Linear address of the SHSTK pointer table, whose
                        entries are indexed by the IST of the interrupt gate
                        descriptor.

Two XSAVES state bits are introduced for CET:
  IA32_XSS:[bit 11]: Control saving/restoring user mode CET states
  IA32_XSS:[bit 12]: Control saving/restoring supervisor mode CET states.

Six VMCS fields are introduced for CET:
  {HOST,GUEST}_S_CET: Stores CET settings for kernel mode.
  {HOST,GUEST}_SSP: Stores current active SSP.
  {HOST,GUEST}_INTR_SSP_TABLE: Stores current active MSR_IA32_INT_SSP_TAB.
On Intel platforms, two additional bits are defined in VM_EXIT and VM_ENTRY control fields: If VM_EXIT_LOAD_CET_STATE =3D 1, host CET states are loaded from following VMCS fields at VM-Exit: HOST_S_CET HOST_SSP HOST_INTR_SSP_TABLE If VM_ENTRY_LOAD_CET_STATE =3D 1, guest CET states are loaded from following VMCS fields at VM-Entry: GUEST_S_CET GUEST_SSP GUEST_INTR_SSP_TABLE Co-developed-by: Zhang Yi Z Signed-off-by: Zhang Yi Z Signed-off-by: Yang Weijiang Reviewed-by: Chao Gao Reviewed-by: Maxim Levitsky Tested-by: Mathias Krause Tested-by: John Allen Tested-by: Rick Edgecombe Signed-off-by: Chao Gao Reviewed-by: Binbin Wu Reviewed-by: Xiaoyao Li Signed-off-by: Sean Christopherson --- arch/x86/include/asm/vmx.h | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/arch/x86/include/asm/vmx.h b/arch/x86/include/asm/vmx.h index cca7d6641287..ce10a7e2d3d9 100644 --- a/arch/x86/include/asm/vmx.h +++ b/arch/x86/include/asm/vmx.h @@ -106,6 +106,7 @@ #define VM_EXIT_CLEAR_BNDCFGS 0x00800000 #define VM_EXIT_PT_CONCEAL_PIP 0x01000000 #define VM_EXIT_CLEAR_IA32_RTIT_CTL 0x02000000 +#define VM_EXIT_LOAD_CET_STATE 0x10000000 =20 #define VM_EXIT_ALWAYSON_WITHOUT_TRUE_MSR 0x00036dff =20 @@ -119,6 +120,7 @@ #define VM_ENTRY_LOAD_BNDCFGS 0x00010000 #define VM_ENTRY_PT_CONCEAL_PIP 0x00020000 #define VM_ENTRY_LOAD_IA32_RTIT_CTL 0x00040000 +#define VM_ENTRY_LOAD_CET_STATE 0x00100000 =20 #define VM_ENTRY_ALWAYSON_WITHOUT_TRUE_MSR 0x000011ff =20 @@ -369,6 +371,9 @@ enum vmcs_field { GUEST_PENDING_DBG_EXCEPTIONS =3D 0x00006822, GUEST_SYSENTER_ESP =3D 0x00006824, GUEST_SYSENTER_EIP =3D 0x00006826, + GUEST_S_CET =3D 0x00006828, + GUEST_SSP =3D 0x0000682a, + GUEST_INTR_SSP_TABLE =3D 0x0000682c, HOST_CR0 =3D 0x00006c00, HOST_CR3 =3D 0x00006c02, HOST_CR4 =3D 0x00006c04, 
@@ -381,6 +386,9 @@ enum vmcs_field { HOST_IA32_SYSENTER_EIP =3D 0x00006c12, HOST_RSP =3D 0x00006c14, HOST_RIP =3D 0x00006c16, + HOST_S_CET =3D 0x00006c18, + HOST_SSP =3D 0x00006c1a, + HOST_INTR_SSP_TABLE =3D 0x00006c1c }; =20 /* --=20 2.51.0.470.ga7dc726c21-goog From nobody Thu Oct 2 06:18:00 2025 Received: from mail-pg1-f202.google.com (mail-pg1-f202.google.com [209.85.215.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 608A12E7F1D for ; Fri, 19 Sep 2025 22:33:27 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.215.202 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758321209; cv=none; b=iwYj36IQ+3hEkgdTpzG5ZaMNGC+utrro7K48D7Q/yd2Uzjqd3iRKgA9SDyVmpyTb+5+ht73z3667smK7m2YXe0TIYkDlZqNuIqkyapG6IyTa8VPuKsEek4C6FDCsvmDmxjwHM39uO+ZRT5TgX+coaM5vHtITvG7P9EeV7eycUjE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758321209; c=relaxed/simple; bh=WAz+OPNGncuQ7MlKExXhXByj1PrQJD9ziBuUEUdKnOQ=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=nLn/5zlNZ4Y/fN3LurWWsqKoN0B6UHOIzNtYAGnAWZAXWF2b3Eb/eDCU9ec9T93N30F2D8FyyU52mQWPHTJsJ3ywi6+zA22lgbEClNgb0f4YILmYHvjdayiWS8dPZK+2ZVod5/tWPWt1MbNlvauC4LR3HrAQ6OF27jwreZiL+4g= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=bHZn7hrp; arc=none smtp.client-ip=209.85.215.202 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com 
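Review bot: in the @@ -381 hunk HOST_INTR_SSP_TABLE = 0x00006c1c is added as the last enumerator without a trailing comma, whereas HOST_RIP = 0x00006c16, above it keeps one; add the comma so the next field appended to enum vmcs_field is a one-line diff. The encodings themselves (0x6828/0x682a/0x682c continuing from GUEST_SYSENTER_EIP = 0x6826, 0x6c18/0x6c1a/0x6c1c continuing from HOST_RIP = 0x6c16, VM-exit control bit 28 and VM-entry control bit 20) are consistent with the surrounding natural-width state and control definitions.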
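The SHSTK and IBT mechanics described in the commit message of patch 12 (CALL/RET checked against a shadow stack, ENDBRANCH-marked indirect targets, #CP on mismatch), as an added software model. This is not code from the patch series or the kernel: struct cet_cpu, cet_call(), cet_ret(), cet_indirect_branch() and the two scenario helpers are hypothetical names, the two enable flags stand in for the SH_STK_EN/ENDBR_EN semantics of MSR_IA32_{U,S}_CET, and the MSR layout, privilege levels and VMCS fields the patch adds are deliberately not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define STACK_DEPTH 16

/* Outcome of a control transfer in the model: no fault, or a #CP of one kind. */
enum cet_fault { CET_OK = 0, CET_CP_SHSTK = 1, CET_CP_IBT = 2 };

/* Kind of instruction at a branch target; ENDBR marks a valid indirect target. */
enum insn_kind { INSN_OTHER = 0, INSN_ENDBR = 1 };

/* Hypothetical CPU model (constructed for this example, not a kernel structure). */
struct cet_cpu {
	bool shstk_en;                     /* models SH_STK_EN in MSR_IA32_{U,S}_CET */
	bool endbr_en;                     /* models ENDBR_EN in MSR_IA32_{U,S}_CET */
	uint64_t data_stack[STACK_DEPTH];  /* the ordinary, attacker-writable stack */
	size_t sp;
	uint64_t shadow_stack[STACK_DEPTH];/* only CALL/RET touch this in the model */
	size_t ssp;
	const enum insn_kind *code;        /* instruction kind per "address" */
	size_t code_len;
};

/* CALL: push the return address on the data stack and, with SHSTK on, the shadow stack. */
static bool cet_call(struct cet_cpu *c, uint64_t ret_addr)
{
	if (c->sp >= STACK_DEPTH || (c->shstk_en && c->ssp >= STACK_DEPTH))
		return false;
	c->data_stack[c->sp++] = ret_addr;
	if (c->shstk_en)
		c->shadow_stack[c->ssp++] = ret_addr;
	return true;
}

/* RET: pop from both stacks; a mismatch means the data stack was tampered with -> #CP. */
static enum cet_fault cet_ret(struct cet_cpu *c, uint64_t *target)
{
	uint64_t from_data = c->data_stack[--c->sp];

	if (c->shstk_en) {
		uint64_t from_shadow = c->shadow_stack[--c->ssp];

		if (from_data != from_shadow)
			return CET_CP_SHSTK;
	}
	*target = from_data;
	return CET_OK;
}

/* Indirect CALL/JMP: with IBT on, the target must start with ENDBR or the CPU raises #CP. */
static enum cet_fault cet_indirect_branch(const struct cet_cpu *c, uint64_t target)
{
	if (!c->endbr_en)
		return CET_OK;
	if (target >= c->code_len || c->code[target] != INSN_ENDBR)
		return CET_CP_IBT;
	return CET_OK;
}

/* Attacker step: a stack overflow that overwrites only the saved return address. */
static void overwrite_return_address(struct cet_cpu *c, uint64_t gadget)
{
	c->data_stack[c->sp - 1] = gadget;
}

/* ROP scenario: legitimate CALL, corrupted data stack, then RET. */
static enum cet_fault rop_scenario(bool shstk_en, uint64_t *resolved)
{
	struct cet_cpu c = { .shstk_en = shstk_en };
	uint64_t target = 0;
	enum cet_fault f;

	cet_call(&c, 0x1000);                 /* return address the program intended */
	overwrite_return_address(&c, 0xdead); /* shadow stack (if any) still holds 0x1000 */
	f = cet_ret(&c, &target);
	if (resolved)
		*resolved = target;
	return f;  /* SHSTK on: CET_CP_SHSTK; off: CET_OK and control goes to 0xdead */
}

/* JOP scenario: indirect branch into constructed code that may or may not start with ENDBR. */
static enum cet_fault jop_scenario(bool endbr_en, uint64_t target)
{
	static const enum insn_kind code[4] = { INSN_ENDBR, INSN_OTHER, INSN_OTHER, INSN_ENDBR };
	struct cet_cpu c = { .endbr_en = endbr_en, .code = code, .code_len = 4 };

	return cet_indirect_branch(&c, target);
}

int main(void)
{
	uint64_t t = 0;
	enum cet_fault f = rop_scenario(false, &t);

	printf("ROP without SHSTK: fault=%d, returns to 0x%llx\n", f, (unsigned long long)t);
	printf("ROP with SHSTK:    fault=%d\n", rop_scenario(true, NULL));
	printf("JOP into mid-function with IBT: fault=%d\n", jop_scenario(true, 1));
	printf("JOP onto ENDBR with IBT:        fault=%d\n", jop_scenario(true, 3));
	return 0;
}
```

The point the model makes is the one the patch series relies on: the overflow never touches the shadow stack, so the mismatch is detected at RET regardless of what the attacker wrote, and IBT refuses the branch into the middle of a function (index 1) while accepting the ENDBR-marked entry (index 3). On real hardware the enable bits live in MSR_IA32_{U,S}_CET and the guest copies of U_CET/PL[0-3]_SSP are what patch 09 has to keep resident via the guest FPU state.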
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li
Date: Fri, 19 Sep 2025 15:32:20 -0700
Message-ID: <20250919223258.1604852-14-seanjc@google.com>
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
Subject: [PATCH v16 13/51] KVM: x86: Enable guest SSP read/write interface with new uAPIs
From: Yang Weijiang

Add a KVM-defined ONE_REG register, KVM_REG_GUEST_SSP, to let userspace save and restore the guest's Shadow Stack Pointer (SSP). On both Intel and AMD, SSP is a hardware register that can only be accessed by software via dedicated ISA (e.g. RDSSP) or via VMCS/VMCB fields (used by hardware to context switch SSP at entry/exit). As a result, SSP doesn't fit in any of KVM's existing interfaces for saving/restoring state.

Internally, treat SSP as a fake/synthetic MSR, as the semantics of writes to SSP follow that of several other Shadow Stack MSRs, e.g. the PLx_SSP MSRs. Use a translation layer to hide the KVM-internal MSR index so that the arbitrary index doesn't become ABI, e.g. so that KVM can rework its implementation as needed, so long as the ONE_REG ABI is maintained.

Explicitly reject accesses to SSP if the vCPU doesn't have Shadow Stack support to avoid running afoul of ignore_msrs, which unfortunately applies to host-initiated accesses (which is a discussion for another day). I.e. ensure consistent behavior for KVM-defined registers irrespective of ignore_msrs.

Link: https://lore.kernel.org/all/aca9d389-f11e-4811-90cf-d98e345a5cc2@intel.com
Suggested-by: Sean Christopherson
Signed-off-by: Yang Weijiang
Tested-by: Mathias Krause
Tested-by: John Allen
Tested-by: Rick Edgecombe
Signed-off-by: Chao Gao
Co-developed-by: Sean Christopherson
Signed-off-by: Sean Christopherson
Reviewed-by: Binbin Wu
Reviewed-by: Xiaoyao Li
---
Documentation/virt/kvm/api.rst | 8 +++++++
arch/x86/include/uapi/asm/kvm.h | 3 +++
arch/x86/kvm/x86.c | 37 +++++++++++++++++++++++++++++----
arch/x86/kvm/x86.h | 10 +++++++++
4 files changed, 54 insertions(+), 4 deletions(-)

diff --git a/Documentation/virt/kvm/api.rst b/Documentation/virt/kvm/api.rst index abd02675a24d..6ae24c5ca559 100644 --- a/Documentation/virt/kvm/api.rst +++ b/Documentation/virt/kvm/api.rst
@@ -2911,6 +2911,14 @@ such as set vcpu counter or reset vcpu, and they hav= e the following id bit patte x86 MSR registers have the following id bit patterns:: 0x2030 0002 =20 +Following are the KVM-defined registers for x86: + +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D= =3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D + Encoding Register Description +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D= =3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D + 0x2030 0003 0000 0000 SSP Shadow Stack Pointer +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D= =3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D + 4.69 KVM_GET_ONE_REG -------------------- =20 diff --git a/arch/x86/include/uapi/asm/kvm.h b/arch/x86/include/uapi/asm/kv= m.h index aae1033c8afa..467116186e71 100644 --- a/arch/x86/include/uapi/asm/kvm.h +++ b/arch/x86/include/uapi/asm/kvm.h @@ -437,6 +437,9 @@ struct kvm_xcrs { #define KVM_X86_REG_KVM(index) \ KVM_X86_REG_ID(KVM_X86_REG_TYPE_KVM, index) =20 +/* KVM-defined registers starting from 0 */ +#define KVM_REG_GUEST_SSP 0 + #define KVM_SYNC_X86_REGS (1UL << 0) #define KVM_SYNC_X86_SREGS (1UL << 1) #define KVM_SYNC_X86_EVENTS (1UL << 2) diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 5245b21168cb..720540f102e1 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c 
@@ -6016,9 +6016,27 @@ struct kvm_x86_reg_id { __u8 x86; }; =20 -static int kvm_translate_kvm_reg(struct kvm_x86_reg_id *reg) +static int kvm_translate_kvm_reg(struct kvm_vcpu *vcpu, + struct kvm_x86_reg_id *reg) { - return -EINVAL; + switch (reg->index) { + case KVM_REG_GUEST_SSP: + /* + * FIXME: If host-initiated accesses are ever exempted from + * ignore_msrs (in kvm_do_msr_access()), drop this manual check + * and rely on KVM's standard checks to reject accesses to regs + * that don't exist. + */ + if (!guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK)) + return -EINVAL; + + reg->type =3D KVM_X86_REG_TYPE_MSR; + reg->index =3D MSR_KVM_INTERNAL_GUEST_SSP; + break; + default: + return -EINVAL; + } + return 0; } =20 static int kvm_get_one_msr(struct kvm_vcpu *vcpu, u32 msr, u64 __user *use= r_val) @@ -6067,7 +6085,7 @@ static int kvm_get_set_one_reg(struct kvm_vcpu *vcpu,= unsigned int ioctl, return -EINVAL; =20 if (reg->type =3D=3D KVM_X86_REG_TYPE_KVM) { - r =3D kvm_translate_kvm_reg(reg); + r =3D kvm_translate_kvm_reg(vcpu, reg); if (r) return r; } @@ -6098,11 +6116,22 @@ static int kvm_get_set_one_reg(struct kvm_vcpu *vcp= u, unsigned int ioctl, static int kvm_get_reg_list(struct kvm_vcpu *vcpu, struct kvm_reg_list __user *user_list) { - u64 nr_regs =3D 0; + u64 nr_regs =3D guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK) ? 1 : 0; + u64 user_nr_regs; + + if (get_user(user_nr_regs, &user_list->n)) + return -EFAULT; =20 if (put_user(nr_regs, &user_list->n)) return -EFAULT; =20 + if (user_nr_regs < nr_regs) + return -E2BIG; + + if (nr_regs && + put_user(KVM_X86_REG_KVM(KVM_REG_GUEST_SSP), &user_list->reg[0])) + return -EFAULT; + return 0; } =20 diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h index 786e36fcd0fb..a7c9c72fca93 100644 --- a/arch/x86/kvm/x86.h +++ b/arch/x86/kvm/x86.h 
@@ -101,6 +101,16 @@ do { \ #define KVM_SVM_DEFAULT_PLE_WINDOW_MAX USHRT_MAX #define KVM_SVM_DEFAULT_PLE_WINDOW 3000 =20 +/* + * KVM's internal, non-ABI indices for synthetic MSRs. The values themselv= es + * are arbitrary and have no meaning, the only requirement is that they do= n't + * conflict with "real" MSRs that KVM supports. Use values at the upper end + * of KVM's reserved paravirtual MSR range to minimize churn, i.e. these v= alues + * will be usable until KVM exhausts its supply of paravirtual MSR indices. + */ + +#define MSR_KVM_INTERNAL_GUEST_SSP 0x4b564dff + static inline unsigned int __grow_ple_window(unsigned int val, unsigned int base, unsigned int modifier, unsigned int max) {
--
2.51.0.470.ga7dc726c21-goog
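Review bot: the new api.rst row `0x2030 0003 0000 0000 SSP Shadow Stack Pointer` doesn't say when the register exists. kvm_translate_kvm_reg() returns -EINVAL for KVM_REG_GUEST_SSP unless the vCPU has X86_FEATURE_SHSTK, and kvm_get_reg_list() then reports zero entries, so the table should state that the register is present only when CPUID advertises SHSTK to the guest and that KVM_GET_REG_LIST is the way for userspace to discover it.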
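Review bot: kvm_get_reg_list() is hardwired to a single entry (`nr_regs = guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK) ? 1 : 0` and `&user_list->reg[0]`). The ordering, read `n`, write back the real count, then return -E2BIG if the caller's buffer was smaller, matches the KVM_GET_REG_LIST convention, but the second KVM-defined register will force a rewrite of this function, so a small static table walked in a loop would be a better shape from the start.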
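Review bot: the comment above MSR_KVM_INTERNAL_GUEST_SSP explains why 0x4b564dff was chosen but not that the index is meant to be reachable only through the ONE_REG translation layer and must never be visible to the guest or appear in KVM's MSR index lists. Since the value sits in a range a guest can address with RDMSR/WRMSR, that constraint is worth stating next to the define.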
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li
Date: Fri, 19 Sep 2025 15:32:21 -0700
Message-ID: <20250919223258.1604852-15-seanjc@google.com>
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
Subject: [PATCH v16 14/51] KVM: VMX: Emulate read and write to CET MSRs
From: Yang Weijiang

Add an emulation interface for CET MSR access. The emulation code is split into a common part and a vendor-specific part. The former does common checks for MSRs, e.g., accessibility, data validity etc., then passes the operation to either XSAVE-managed MSRs via the helpers or CET VMCS fields.

SSP can only be read via RDSSP. Writing even requires destructive and potentially faulting operations such as SAVEPREVSSP/RSTORSSP or SETSSBSY/CLRSSBSY. Let the host use a pseudo-MSR that is just a wrapper for the GUEST_SSP field of the VMCS.

Suggested-by: Sean Christopherson
Signed-off-by: Yang Weijiang
Tested-by: Mathias Krause
Tested-by: John Allen
Tested-by: Rick Edgecombe
Signed-off-by: Chao Gao
[sean: drop call to kvm_set_xstate_msr() for S_CET, consolidate code]
Reviewed-by: Binbin Wu
Reviewed-by: Xiaoyao Li
Signed-off-by: Sean Christopherson
---
arch/x86/kvm/vmx/vmx.c | 18 ++++++++++++
arch/x86/kvm/x86.c | 64 ++++++++++++++++++++++++++++++++++++++++--
arch/x86/kvm/x86.h | 23 +++++++++++++++
3 files changed, 103 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index 35037fc326e5..e271e3785561 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -2106,6 +2106,15 @@ int vmx_get_msr(struct kvm_vcpu *vcpu, struct msr_da= ta *msr_info) else msr_info->data =3D vmx->pt_desc.guest.addr_a[index / 2]; break; + case MSR_IA32_S_CET: + msr_info->data =3D vmcs_readl(GUEST_S_CET); + break; + case MSR_KVM_INTERNAL_GUEST_SSP: + msr_info->data =3D vmcs_readl(GUEST_SSP); + break; + case MSR_IA32_INT_SSP_TAB: + msr_info->data =3D vmcs_readl(GUEST_INTR_SSP_TABLE); + break; case MSR_IA32_DEBUGCTLMSR: msr_info->data =3D vmx_guest_debugctl_read(); break;
@@ -2424,6 +2433,15 @@ int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_da= ta *msr_info) else vmx->pt_desc.guest.addr_a[index / 2] =3D data; break; + case MSR_IA32_S_CET: + vmcs_writel(GUEST_S_CET, data); + break; + case MSR_KVM_INTERNAL_GUEST_SSP: + vmcs_writel(GUEST_SSP, data); + break; + case MSR_IA32_INT_SSP_TAB: + vmcs_writel(GUEST_INTR_SSP_TABLE, data); + break; case MSR_IA32_PERF_CAPABILITIES: if (data & PERF_CAP_LBR_FMT) { if ((data & PERF_CAP_LBR_FMT) !=3D diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 720540f102e1..fee90388a861 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c 
@@ -1890,6 +1890,44 @@ static int __kvm_set_msr(struct kvm_vcpu *vcpu, u32 = index, u64 data, =20 data =3D (u32)data; break; + case MSR_IA32_U_CET: + case MSR_IA32_S_CET: + if (!guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK) && + !guest_cpu_cap_has(vcpu, X86_FEATURE_IBT)) + return KVM_MSR_RET_UNSUPPORTED; + if (!kvm_is_valid_u_s_cet(vcpu, data)) + return 1; + break; + case MSR_KVM_INTERNAL_GUEST_SSP: + if (!host_initiated) + return 1; + fallthrough; + /* + * Note that the MSR emulation here is flawed when a vCPU + * doesn't support the Intel 64 architecture. The expected + * architectural behavior in this case is that the upper 32 + * bits do not exist and should always read '0'. However, + * because the actual hardware on which the virtual CPU is + * running does support Intel 64, XRSTORS/XSAVES in the + * guest could observe behavior that violates the + * architecture. Intercepting XRSTORS/XSAVES for this + * special case isn't deemed worthwhile. + */ + case MSR_IA32_PL0_SSP ... MSR_IA32_INT_SSP_TAB: + if (!guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK)) + return KVM_MSR_RET_UNSUPPORTED; + /* + * MSR_IA32_INT_SSP_TAB is not present on processors that do + * not support Intel 64 architecture. + */ + if (index =3D=3D MSR_IA32_INT_SSP_TAB && !guest_cpu_cap_has(vcpu, X86_FE= ATURE_LM)) + return KVM_MSR_RET_UNSUPPORTED; + if (is_noncanonical_msr_address(data, vcpu)) + return 1; + /* All SSP MSRs except MSR_IA32_INT_SSP_TAB must be 4-byte aligned */ + if (index !=3D MSR_IA32_INT_SSP_TAB && !IS_ALIGNED(data, 4)) + return 1; + break; } =20 msr.data =3D data; 
@@ -1934,6 +1972,20 @@ static int __kvm_get_msr(struct kvm_vcpu *vcpu, u32 = index, u64 *data, !guest_cpu_cap_has(vcpu, X86_FEATURE_RDPID)) return 1; break; + case MSR_IA32_U_CET: + case MSR_IA32_S_CET: + if (!guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK) && + !guest_cpu_cap_has(vcpu, X86_FEATURE_IBT)) + return KVM_MSR_RET_UNSUPPORTED; + break; + case MSR_KVM_INTERNAL_GUEST_SSP: + if (!host_initiated) + return 1; + fallthrough; + case MSR_IA32_PL0_SSP ... MSR_IA32_INT_SSP_TAB: + if (!guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK)) + return KVM_MSR_RET_UNSUPPORTED; + break; } =20 msr.index =3D index; @@ -3865,12 +3917,12 @@ static __always_inline void kvm_access_xstate_msr(s= truct kvm_vcpu *vcpu, kvm_fpu_put(); } =20 -static __maybe_unused void kvm_set_xstate_msr(struct kvm_vcpu *vcpu, struc= t msr_data *msr_info) +static void kvm_set_xstate_msr(struct kvm_vcpu *vcpu, struct msr_data *msr= _info) { kvm_access_xstate_msr(vcpu, msr_info, MSR_TYPE_W); } =20 -static __maybe_unused void kvm_get_xstate_msr(struct kvm_vcpu *vcpu, struc= t msr_data *msr_info) +static void kvm_get_xstate_msr(struct kvm_vcpu *vcpu, struct msr_data *msr= _info) { kvm_access_xstate_msr(vcpu, msr_info, MSR_TYPE_R); } @@ -4256,6 +4308,10 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct= msr_data *msr_info) vcpu->arch.guest_fpu.xfd_err =3D data; break; #endif + case MSR_IA32_U_CET: + case MSR_IA32_PL0_SSP ... MSR_IA32_PL3_SSP: + kvm_set_xstate_msr(vcpu, msr_info); + break; default: if (kvm_pmu_is_valid_msr(vcpu, msr)) return kvm_pmu_set_msr(vcpu, msr_info); @@ -4605,6 +4661,10 @@ int kvm_get_msr_common(struct kvm_vcpu *vcpu, struct= msr_data *msr_info) msr_info->data =3D vcpu->arch.guest_fpu.xfd_err; break; #endif + case MSR_IA32_U_CET: + case MSR_IA32_PL0_SSP ... MSR_IA32_PL3_SSP: + kvm_get_xstate_msr(vcpu, msr_info); + break; default: if (kvm_pmu_is_valid_msr(vcpu, msr_info->index)) return kvm_pmu_get_msr(vcpu, msr_info); 
diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h index a7c9c72fca93..076eccba0f7e 100644 --- a/arch/x86/kvm/x86.h +++ b/arch/x86/kvm/x86.h 
@@ -710,4 +710,27 @@ int ____kvm_emulate_hypercall(struct kvm_vcpu *vcpu, i= nt cpl, =20 int kvm_emulate_hypercall(struct kvm_vcpu *vcpu); =20 +#define CET_US_RESERVED_BITS GENMASK(9, 6) +#define CET_US_SHSTK_MASK_BITS GENMASK(1, 0) +#define CET_US_IBT_MASK_BITS (GENMASK_ULL(5, 2) | GENMASK_ULL(63, 10)) +#define CET_US_LEGACY_BITMAP_BASE(data) ((data) >> 12) + +static inline bool kvm_is_valid_u_s_cet(struct kvm_vcpu *vcpu, u64 data) +{ + if (data & CET_US_RESERVED_BITS) + return false; + if (!guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK) && + (data & CET_US_SHSTK_MASK_BITS)) + return false; + if (!guest_cpu_cap_has(vcpu, X86_FEATURE_IBT) && + (data & CET_US_IBT_MASK_BITS)) + return false; + if (!IS_ALIGNED(CET_US_LEGACY_BITMAP_BASE(data), 4)) + return false; + /* IBT can be suppressed iff the TRACKER isn't WAIT_ENDBR. */ + if ((data & CET_SUPPRESS) && (data & CET_WAIT_ENDBR)) + return false; + + return true; +} #endif
--
2.51.0.470.ga7dc726c21-goog
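Review bot: the new vmx_set_msr() cases write `data` straight into GUEST_S_CET, GUEST_SSP and GUEST_INTR_SSP_TABLE with no checks of their own, so correctness depends entirely on __kvm_set_msr() having already run kvm_is_valid_u_s_cet(), the canonical check and the 4-byte alignment check. A short comment at those cases saying the value is pre-validated would stop a future direct caller from loading an unchecked value into the VMCS.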
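Review bot: in the __kvm_set_msr() hunk the long comment about vCPUs without Intel 64 sits between `fallthrough;` and the `case MSR_IA32_PL0_SSP ... MSR_IA32_INT_SSP_TAB:` label, which reads as if it belonged to the MSR_KVM_INTERNAL_GUEST_SSP case above it; move it directly above the case label whose MSRs it describes, or next to the existing "MSR_IA32_INT_SSP_TAB is not present" comment inside that case.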
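Review bot: in the x86.h hunk the masks mix GENMASK() (CET_US_RESERVED_BITS, CET_US_SHSTK_MASK_BITS) with GENMASK_ULL() (CET_US_IBT_MASK_BITS) although all three are applied to a u64 `data`; use GENMASK_ULL() throughout for consistency. CET_SUPPRESS and CET_WAIT_ENDBR are used without being defined in the hunk, so the header is relying on them coming in from an already-included MSR header; a comment naming that dependency would help.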
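The validation rules from this patch's x86.h and __kvm_set_msr() hunks, modelled as an added, stand-alone C example (not KVM code and not part of the series): it applies the CET_US_* masks to sample U_CET/S_CET values and the SHSTK, Intel 64, canonical-address and alignment rules to sample SSP values. The struct vcpu_caps type, the four CAPS_* feature sets, the 48-bit-only is_canonical48() helper and the sample values are constructed for the example; the bit positions used for CET_SUPPRESS (10) and CET_WAIT_ENDBR (11) are the architectural ones the patch relies on but does not define in the hunk.

```c
/*
 * Added example, not KVM code: a user-space model of the value checks the
 * patch applies to writes of the U_CET/S_CET and SSP MSRs, run on
 * constructed sample values.  CET_US_* mirror the x86.h hunk; CET_SUPPRESS
 * and CET_WAIT_ENDBR use the architectural bit positions (assumed here).
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BIT_ULL(n)        (1ULL << (n))
#define GENMASK_ULL(h, l) ((~0ULL >> (63 - (h))) & (~0ULL << (l)))

#define CET_US_RESERVED_BITS         GENMASK_ULL(9, 6)
#define CET_US_SHSTK_MASK_BITS       GENMASK_ULL(1, 0)
#define CET_US_IBT_MASK_BITS         (GENMASK_ULL(5, 2) | GENMASK_ULL(63, 10))
#define CET_US_LEGACY_BITMAP_BASE(d) ((d) >> 12)
#define CET_SUPPRESS                 BIT_ULL(10)
#define CET_WAIT_ENDBR               BIT_ULL(11)

/* Hypothetical stand-in for the guest_cpu_cap_has() answers of one vCPU. */
struct vcpu_caps {
	bool shstk;	/* X86_FEATURE_SHSTK */
	bool ibt;	/* X86_FEATURE_IBT */
	bool lm;	/* X86_FEATURE_LM, i.e. Intel 64 */
};

/* Constructed vCPU feature sets used by the samples below. */
const struct vcpu_caps CAPS_FULL       = { true,  true,  true  };
const struct vcpu_caps CAPS_SHSTK_ONLY = { true,  false, true  };
const struct vcpu_caps CAPS_IBT_ONLY   = { false, true,  true  };
const struct vcpu_caps CAPS_NO_LM      = { true,  true,  false };

/* Same rules, in the same order, as kvm_is_valid_u_s_cet() in the patch. */
static bool is_valid_u_s_cet(const struct vcpu_caps *c, uint64_t data)
{
	if (data & CET_US_RESERVED_BITS)
		return false;
	if (!c->shstk && (data & CET_US_SHSTK_MASK_BITS))
		return false;
	if (!c->ibt && (data & CET_US_IBT_MASK_BITS))
		return false;
	/* IS_ALIGNED(base, 4) on the legacy code page bitmap base. */
	if (CET_US_LEGACY_BITMAP_BASE(data) & 3)
		return false;
	/* IBT can be suppressed iff the tracker isn't WAIT_ENDBR. */
	if ((data & CET_SUPPRESS) && (data & CET_WAIT_ENDBR))
		return false;
	return true;
}

/*
 * Canonical check for a 48-bit linear address space (bits 63:47 all equal
 * to bit 47).  Assumed for simplicity; KVM's is_noncanonical_msr_address()
 * also handles LA57.
 */
static bool is_canonical48(uint64_t addr)
{
	uint64_t top = addr >> 47;

	return top == 0 || top == 0x1ffff;
}

/*
 * Same rules as the MSR_IA32_PL0_SSP ... MSR_IA32_INT_SSP_TAB case in
 * __kvm_set_msr(): SHSTK required, INT_SSP_TAB only with Intel 64, the
 * value canonical, and every SSP MSR except INT_SSP_TAB 4-byte aligned.
 */
static bool is_valid_ssp_msr(const struct vcpu_caps *c, bool is_int_ssp_tab,
			     uint64_t data)
{
	if (!c->shstk)
		return false;
	if (is_int_ssp_tab && !c->lm)
		return false;
	if (!is_canonical48(data))
		return false;
	if (!is_int_ssp_tab && (data & 3))
		return false;
	return true;
}

int main(void)
{
	printf("U_CET=0x1 (SH_STK_EN), full CET vCPU: %d\n",
	       is_valid_u_s_cet(&CAPS_FULL, 0x1));
	printf("U_CET=0xc00 (SUPPRESS + WAIT_ENDBR): %d\n",
	       is_valid_u_s_cet(&CAPS_FULL, 0xc00));
	printf("U_CET=0x4 (ENDBR_EN) without IBT: %d\n",
	       is_valid_u_s_cet(&CAPS_SHSTK_ONLY, 0x4));
	printf("PL0_SSP=0x7ffffffff002 (misaligned): %d\n",
	       is_valid_ssp_msr(&CAPS_FULL, false, 0x7ffffffff002ULL));
	printf("INT_SSP_TAB without Intel 64: %d\n",
	       is_valid_ssp_msr(&CAPS_NO_LM, true, 0x7ffffffff000ULL));
	return 0;
}
```

Build with any C99 compiler and run; each line prints 1 for a value the checks accept and 0 for one they reject. The model keeps the patch's ordering (reserved bits, then feature-gated bits, then the bitmap base alignment and the SUPPRESS/WAIT_ENDBR combination), so a value rejected by an earlier rule never reaches a later one, which is what makes the per-feature masks safe to apply on a vCPU that has only one of SHSTK and IBT.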
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li
Date: Fri, 19 Sep 2025 15:32:22 -0700
Message-ID: <20250919223258.1604852-16-seanjc@google.com>
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
Subject: [PATCH v16 15/51] KVM: x86: Save and reload SSP to/from SMRAM
From: Yang Weijiang

Save CET SSP to SMRAM on SMI and reload it on RSM. KVM emulates HW arch behavior when the guest enters/leaves SMM mode, i.e., saves registers to SMRAM at the entry of SMM and reloads them at the exit from SMM. Per the SDM, SSP is one such register on 64-bit Arch; add the support for SSP.

Suggested-by: Sean Christopherson
Signed-off-by: Yang Weijiang
Tested-by: Mathias Krause
Tested-by: John Allen
Tested-by: Rick Edgecombe
Signed-off-by: Chao Gao
Reviewed-by: Binbin Wu
Reviewed-by: Xiaoyao Li
Signed-off-by: Sean Christopherson
---
arch/x86/kvm/smm.c | 8 ++++++++
arch/x86/kvm/smm.h | 2 +-
2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kvm/smm.c b/arch/x86/kvm/smm.c index 5dd8a1646800..b0b14ba37f9a 100644 --- a/arch/x86/kvm/smm.c +++ b/arch/x86/kvm/smm.c @@ -269,6 +269,10 @@ static void enter_smm_save_state_64(struct kvm_vcpu *v= cpu, enter_smm_save_seg_64(vcpu, &smram->gs, VCPU_SREG_GS); =20 smram->int_shadow =3D kvm_x86_call(get_interrupt_shadow)(vcpu); + + if (guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK) && + kvm_msr_read(vcpu, MSR_KVM_INTERNAL_GUEST_SSP, &smram->ssp)) + kvm_make_request(KVM_REQ_TRIPLE_FAULT, vcpu); } #endif =20 @@ -558,6 +562,10 @@ static int rsm_load_state_64(struct x86_emulate_ctxt *= ctxt, kvm_x86_call(set_interrupt_shadow)(vcpu, 0); ctxt->interruptibility =3D (u8)smstate->int_shadow; =20 + if (guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK) && + kvm_msr_write(vcpu, MSR_KVM_INTERNAL_GUEST_SSP, smstate->ssp)) + return X86EMUL_UNHANDLEABLE; + return X86EMUL_CONTINUE; } #endif diff --git a/arch/x86/kvm/smm.h b/arch/x86/kvm/smm.h index 551703fbe200..db3c88f16138 100644 --- a/arch/x86/kvm/smm.h +++ b/arch/x86/kvm/smm.h
@@ -116,8 +116,8 @@ struct kvm_smram_state_64 { u32 smbase; u32 reserved4[5]; =20 - /* ssp and svm_* fields below are not implemented by KVM */ u64 ssp; + /* svm_* fields below are not implemented by KVM */ u64 svm_guest_pat; u64 svm_host_efer; u64 svm_host_cr4;
--
2.51.0.470.ga7dc726c21-goog
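Review bot: the two new smm.c branches react to failure differently: enter_smm_save_state_64() answers a failed kvm_msr_read() with KVM_REQ_TRIPLE_FAULT, while rsm_load_state_64() returns X86EMUL_UNHANDLEABLE for a failed kvm_msr_write(). Both are host-initiated accesses to a register that exists whenever the vCPU has SHSTK, so neither should fail in practice; a comment stating that and explaining why the save path chooses a triple fault (it has no return value to propagate) would spare the next reader the question.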
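Review bot: the smm.h hunk only moves the comment off `u64 ssp;`, but since the field is now read by enter_smm_save_state_64() and written by rsm_load_state_64(), its offset within struct kvm_smram_state_64 has become load-bearing; please confirm the existing SMRAM layout assertions cover `ssp`, as nothing in this patch checks it.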
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li
Date: Fri, 19 Sep 2025 15:32:23 -0700
Message-ID: <20250919223258.1604852-17-seanjc@google.com>
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
Subject: [PATCH v16 16/51] KVM: VMX: Set up interception for CET MSRs

From: Yang Weijiang

Disable interception for CET MSRs that can be accessed via XSAVES/XRSTORS, and exist according to CPUID, as accesses through XSTATE aren't subject to MSR interception checks, i.e. can't be intercepted without intercepting and emulating XSAVES/XRSTORS, and KVM doesn't support emulating XSAVE/XRSTOR instructions.

Don't condition interception on the guest actually having XSAVES as there is no benefit to intercepting the accesses (when the MSRs exist). The MSRs in question are either context switched by the CPU on VM-Enter/VM-Exit or by KVM via XSAVES/XRSTORS (KVM requires XSAVES to virtualize SHSTK), i.e. KVM is going to load guest values into hardware irrespective of guest XSAVES support.

Suggested-by: Sean Christopherson
Signed-off-by: Yang Weijiang
Tested-by: Mathias Krause
Tested-by: John Allen
Tested-by: Rick Edgecombe
Signed-off-by: Chao Gao Reviewed-by: Binbin Wu Reviewed-by: Xiaoyao Li Reviewed-by: Xin Li (Intel) Signed-off-by: Sean Christopherson --- arch/x86/kvm/vmx/vmx.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index e271e3785561..5fe4a4b8efb1 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -4101,6 +4101,8 @@ void pt_update_intercept_for_msr(struct kvm_vcpu *vcp= u) =20 static void vmx_recalc_msr_intercepts(struct kvm_vcpu *vcpu) { + bool intercept; + if (!cpu_has_vmx_msr_bitmap()) return; =20 
@@ -4146,6 +4148,23 @@ static void vmx_recalc_msr_intercepts(struct kvm_vcp= u *vcpu) vmx_set_intercept_for_msr(vcpu, MSR_IA32_FLUSH_CMD, MSR_TYPE_W, !guest_cpu_cap_has(vcpu, X86_FEATURE_FLUSH_L1D)); =20 + if (kvm_cpu_cap_has(X86_FEATURE_SHSTK)) { + intercept =3D !guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK); + + vmx_set_intercept_for_msr(vcpu, MSR_IA32_PL0_SSP, MSR_TYPE_RW, intercept= ); + vmx_set_intercept_for_msr(vcpu, MSR_IA32_PL1_SSP, MSR_TYPE_RW, intercept= ); + vmx_set_intercept_for_msr(vcpu, MSR_IA32_PL2_SSP, MSR_TYPE_RW, intercept= ); + vmx_set_intercept_for_msr(vcpu, MSR_IA32_PL3_SSP, MSR_TYPE_RW, intercept= ); + } + + if (kvm_cpu_cap_has(X86_FEATURE_SHSTK) || kvm_cpu_cap_has(X86_FEATURE_IBT= )) { + intercept =3D !guest_cpu_cap_has(vcpu, X86_FEATURE_IBT) && + !guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK); + + vmx_set_intercept_for_msr(vcpu, MSR_IA32_U_CET, MSR_TYPE_RW, intercept); + vmx_set_intercept_for_msr(vcpu, MSR_IA32_S_CET, MSR_TYPE_RW, intercept); + } + /* * x2APIC and LBR MSR intercepts are modified on-demand and cannot be * filtered by userspace. 
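Review bot: in the second hunk, MSR_IA32_U_CET and MSR_IA32_S_CET are passed through whenever the guest has IBT *or* SHSTK (`intercept = !guest_cpu_cap_has(vcpu, X86_FEATURE_IBT) && !guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK)`), while the PLx_SSP MSRs are passed through only when the guest has SHSTK. On a host with SHSTK where the guest is given only IBT, the guest can therefore set CET_SHSTK_EN in U_CET/S_CET without a VM-Exit. The changelog's argument (XSAVES/XRSTORS reach these MSRs regardless, so intercepting buys nothing) covers that case, but it is not visible from the code; a short comment above the `if (kvm_cpu_cap_has(X86_FEATURE_SHSTK) || kvm_cpu_cap_has(X86_FEATURE_IBT))` block stating that the split is deliberate because U_CET/S_CET exist if either feature does would spare the next reader the trip to the changelog.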
-- 
2.51.0.470.ga7dc726c21-goog
Reply-To: Sean Christopherson
Date: Fri, 19 Sep 2025 15:32:24 -0700
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
References: <20250919223258.1604852-1-seanjc@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Message-ID: <20250919223258.1604852-18-seanjc@google.com>
Subject: [PATCH v16 17/51] KVM: VMX: Set host constant supervisor states to VMCS fields
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li

From: Yang Weijiang

Save constant values to the HOST_{S_CET,SSP,INTR_SSP_TABLE} fields explicitly. Kernel IBT is supported and the setting in MSR_IA32_S_CET is static post-boot (the exception is the BIOS call case, but the vCPU thread never crosses it), so KVM doesn't need to refresh the HOST_S_CET field before every VM-Enter/VM-Exit sequence.

Host supervisor shadow stack is not enabled now and SSP is not accessible to kernel mode, thus it's safe to set the host IA32_INT_SSP_TAB/SSP VMCS fields to 0s. When shadow stack is enabled for CPL3, SSP is reloaded from PL3_SSP before it exits to userspace. Check SDM Vol 2A/B Chapter 3/4 for SYSCALL/SYSRET/SYSENTER/SYSEXIT/RDSSP/CALL etc.

Prevent KVM module loading if host supervisor shadow stack SHSTK_EN is set in MSR_IA32_S_CET as KVM cannot co-exist with it correctly.

Suggested-by: Sean Christopherson
Suggested-by: Chao Gao
Signed-off-by: Yang Weijiang
Reviewed-by: Maxim Levitsky
Reviewed-by: Chao Gao
Tested-by: Mathias Krause
Tested-by: John Allen
Tested-by: Rick Edgecombe
Signed-off-by: Chao Gao
[sean: snapshot host S_CET if SHSTK *or* IBT is supported]
Reviewed-by: Xiaoyao Li
Signed-off-by: Sean Christopherson Reviewed-by: Binbin Wu --- arch/x86/kvm/vmx/capabilities.h | 4 ++++ arch/x86/kvm/vmx/vmx.c | 15 +++++++++++++++ arch/x86/kvm/x86.c | 12 ++++++++++++ arch/x86/kvm/x86.h | 1 + 4 files changed, 32 insertions(+) diff --git a/arch/x86/kvm/vmx/capabilities.h b/arch/x86/kvm/vmx/capabilitie= s.h index f614428dbeda..59c83888bdc0 100644 --- a/arch/x86/kvm/vmx/capabilities.h +++ b/arch/x86/kvm/vmx/capabilities.h @@ -100,6 +100,10 @@ static inline bool cpu_has_load_perf_global_ctrl(void) return vmcs_config.vmentry_ctrl & VM_ENTRY_LOAD_IA32_PERF_GLOBAL_CTRL; } =20 +static inline bool cpu_has_load_cet_ctrl(void) +{ + return (vmcs_config.vmentry_ctrl & VM_ENTRY_LOAD_CET_STATE); +} static inline bool cpu_has_vmx_mpx(void) { return vmcs_config.vmentry_ctrl & VM_ENTRY_LOAD_BNDCFGS; diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index 5fe4a4b8efb1..a7d9e60b2771 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -4325,6 +4325,21 @@ void vmx_set_constant_host_state(struct vcpu_vmx *vm= x) =20 if (cpu_has_load_ia32_efer()) vmcs_write64(HOST_IA32_EFER, kvm_host.efer); + + /* + * Supervisor shadow stack is not enabled on host side, i.e., + * host IA32_S_CET.SHSTK_EN bit is guaranteed to 0 now, per SDM + * description(RDSSP instruction), SSP is not readable in CPL0, + * so resetting the two registers to 0s at VM-Exit does no harm + * to kernel execution. When execution flow exits to userspace, + * SSP is reloaded from IA32_PL3_SSP. Check SDM Vol.2A/B Chapter + * 3 and 4 for details. + */ + if (cpu_has_load_cet_ctrl()) { + vmcs_writel(HOST_S_CET, kvm_host.s_cet); + vmcs_writel(HOST_SSP, 0); + vmcs_writel(HOST_INTR_SSP_TABLE, 0); + } } =20 void set_cr4_guest_host_mask(struct vcpu_vmx *vmx) diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index fee90388a861..d2cccc7594d4 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c 
@@ -9997,6 +9997,18 @@ int kvm_x86_vendor_init(struct kvm_x86_init_ops *ops) return -EIO; } =20 + if (boot_cpu_has(X86_FEATURE_SHSTK) || boot_cpu_has(X86_FEATURE_IBT)) { + rdmsrq(MSR_IA32_S_CET, kvm_host.s_cet); + /* + * Linux doesn't yet support supervisor shadow stacks (SSS), so + * KVM doesn't save/restore the associated MSRs, i.e. KVM may + * clobber the host values. Yell and refuse to load if SSS is + * unexpectedly enabled, e.g. to avoid crashing the host. + */ + if (WARN_ON_ONCE(kvm_host.s_cet & CET_SHSTK_EN)) + return -EIO; + } + memset(&kvm_caps, 0, sizeof(kvm_caps)); =20 x86_emulator_cache =3D kvm_alloc_emulator_cache(); diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h index 076eccba0f7e..65cbd454c4f1 100644 --- a/arch/x86/kvm/x86.h +++ b/arch/x86/kvm/x86.h 
@@ -50,6 +50,7 @@ struct kvm_host_values { u64 efer; u64 xcr0; u64 xss; + u64 s_cet; u64 arch_capabilities; }; =20 --=20 2.51.0.470.ga7dc726c21-goog
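Review bot: the capabilities.h hunk drops the blank line between the new helper and its neighbour: `+}` is immediately followed by `static inline bool cpu_has_vmx_mpx(void)`. Add a `+` blank line after the closing brace. The parentheses in `return (vmcs_config.vmentry_ctrl & VM_ENTRY_LOAD_CET_STATE);` are also unnecessary and inconsistent with the adjacent helpers such as cpu_has_load_perf_global_ctrl(), which return the masked value bare.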
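Review bot: in the vmx_set_constant_host_state() hunk, the HOST_S_CET/HOST_SSP/HOST_INTR_SSP_TABLE writes are gated on cpu_has_load_cet_ctrl(), which per the capabilities.h hunk tests only the VM-Entry control VM_ENTRY_LOAD_CET_STATE, yet the HOST_* fields are consumed by the corresponding "load CET state" VM-Exit control. If setup_vmcs_config() guarantees that the entry and exit CET controls are enabled as a pair, a one-line comment saying so makes the helper's name sufficient; otherwise the exit control is the one to test here. Separately, "host IA32_S_CET.SHSTK_EN bit is guaranteed to 0 now" in the comment should read "is guaranteed to be 0", and it could point at the kvm_x86_vendor_init() check that actually enforces it.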
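Review bot: in the kvm_x86_vendor_init() hunk, `rdmsrq(MSR_IA32_S_CET, kvm_host.s_cet)` samples S_CET on whichever CPU happens to run the init path, and that single snapshot is what vmx_set_constant_host_state() later writes into HOST_S_CET on every CPU. That is only correct if S_CET is identical across CPUs; the kernel programs IBT uniformly, so it is, but the assumption deserves a sentence in the comment, because a per-CPU mismatch would make the VM-Exit reload silently rewrite that CPU's S_CET. The WARN_ON_ONCE plus `return -EIO` refusal for CET_SHSTK_EN matches the surrounding error handling in this function.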
Reply-To: Sean Christopherson
Date: Fri, 19 Sep 2025 15:32:25 -0700
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
References: <20250919223258.1604852-1-seanjc@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Message-ID: <20250919223258.1604852-19-seanjc@google.com>
Subject: [PATCH v16 18/51] KVM: x86: Don't emulate instructions affected by CET features
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li

Don't emulate branch instructions, e.g. CALL/RET/JMP etc., that are affected by Shadow Stacks and/or Indirect Branch Tracking when said features are enabled in the guest, as fully emulating CET would require significant complexity for no practical benefit (KVM shouldn't need to emulate branch instructions on modern hosts). Simply doing nothing isn't an option as that would allow a malicious entity to subvert CET protections via the emulator.

To detect instructions that are subject to IBT or affect IBT state, use the existing IsBranch flag along with the source operand type to detect indirect branches, and the existing NearBranch flag to detect far branches (which can affect IBT state even if the branch itself is direct).

For Shadow Stacks, explicitly track instructions that directly affect the current SSP, as KVM's emulator doesn't have existing flags that can be used to precisely detect such instructions. Alternatively, the em_xxx() helpers could directly check for ShadowStack interactions, but using a dedicated flag is arguably easier to audit, and allows for handling both IBT and SHSTK in one fell swoop.

Note! On far transfers, do NOT consult the current privilege level and instead treat SHSTK/IBT as being enabled if they're enabled for User *or* Supervisor mode. On inter-privilege level far transfers, SHSTK and IBT can be in play for the target privilege level, i.e. checking the current privilege could get a false negative, and KVM doesn't know the target privilege level until emulation gets under way.
Note #2, FAR JMP from 64-bit mode to compatibility mode interacts with the current SSP, but only to ensure SSP[63:32] == 0. Don't tag FAR JMP as SHSTK, which would be rather confusing and would result in FAR JMP being rejected unnecessarily the vast majority of the time (ignoring that it's unlikely to ever be emulated). A future commit will add the #GP(0) check for the specific FAR JMP scenario.

Note #3, task switches also modify SSP and so need to be rejected. That too will be addressed in a future commit.

Suggested-by: Chao Gao
Originally-by: Yang Weijiang
Cc: Mathias Krause
Cc: John Allen
Cc: Rick Edgecombe
Signed-off-by: Sean Christopherson
Reviewed-by: Binbin Wu
Reviewed-by: Chao Gao
Reviewed-by: Xiaoyao Li
---
 arch/x86/kvm/emulate.c | 114 ++++++++++++++++++++++++++++++++++++-----
 1 file changed, 100 insertions(+), 14 deletions(-)

diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index 23929151a5b8..dc0249929cbf 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -178,6 +178,7 @@ #define IncSP ((u64)1 << 54) /* SP is incremented before ModRM calc= */ #define TwoMemOp ((u64)1 << 55) /* Instruction has two memory operand = */ #define IsBranch ((u64)1 << 56) /* Instruction is considered a branch.= */ +#define ShadowStack ((u64)1 << 57) /* Instruction affects Shadow Stacks. = */ =20 #define DstXacc (DstAccLo | SrcAccHi | SrcWrite) =20
@@ -660,6 +661,57 @@ static inline bool emul_is_noncanonical_address(u64 la, return !ctxt->ops->is_canonical_addr(ctxt, la, flags); } =20 +static bool is_shstk_instruction(u64 flags) +{ + return flags & ShadowStack; +} + +static bool is_ibt_instruction(u64 flags) +{ + if (!(flags & IsBranch)) + return false; + + /* + * Far transfers can affect IBT state even if the branch itself is + * direct, e.g. when changing privilege levels and loading a conforming + * code segment. For simplicity, treat all far branches as affecting + * IBT. False positives are acceptable (emulating far branches on an + * IBT-capable CPU won't happen in practice), while false negatives + * could impact guest security. + * + * Note, this also handles SYCALL and SYSENTER. + */ + if (!(flags & NearBranch)) + return true; + + switch (flags & (OpMask << SrcShift)) { + case SrcReg: + case SrcMem: + case SrcMem16: + case SrcMem32: + return true; + case SrcMemFAddr: + case SrcImmFAddr: + /* Far branches should be handled above. */ + WARN_ON_ONCE(1); + return true; + case SrcNone: + case SrcImm: + case SrcImmByte: + /* + * Note, ImmU16 is used only for the stack adjustment operand on ENTER + * and RET instructions. ENTER isn't a branch and RET FAR is handled + * by the NearBranch check above. RET itself isn't an indirect branch. + */ + case SrcImmU16: + return false; + default: + WARN_ONCE(1, "Unexpected Src operand '%llx' on branch", + (flags & (OpMask << SrcShift))); + return false; + } +} + /* * x86 defines three classes of vector instructions: explicitly * aligned, explicitly unaligned, and the rest, which change behaviour 
@@ -4068,9 +4120,9 @@ static const struct opcode group4[] =3D { static const struct opcode group5[] =3D { F(DstMem | SrcNone | Lock, em_inc), F(DstMem | SrcNone | Lock, em_dec), - I(SrcMem | NearBranch | IsBranch, em_call_near_abs), - I(SrcMemFAddr | ImplicitOps | IsBranch, em_call_far), - I(SrcMem | NearBranch | IsBranch, em_jmp_abs), + I(SrcMem | NearBranch | IsBranch | ShadowStack, em_call_near_abs), + I(SrcMemFAddr | ImplicitOps | IsBranch | ShadowStack, em_call_far), + I(SrcMem | NearBranch | IsBranch, em_jmp_abs), I(SrcMemFAddr | ImplicitOps | IsBranch, em_jmp_far), I(SrcMem | Stack | TwoMemOp, em_push), D(Undefined), }; @@ -4304,7 +4356,7 @@ static const struct opcode opcode_table[256] =3D { DI(SrcAcc | DstReg, pause), X7(D(SrcAcc | DstReg)), /* 0x98 - 0x9F */ D(DstAcc | SrcNone), I(ImplicitOps | SrcAcc, em_cwd), - I(SrcImmFAddr | No64 | IsBranch, em_call_far), N, + I(SrcImmFAddr | No64 | IsBranch | ShadowStack, em_call_far), N, II(ImplicitOps | Stack, em_pushf, pushf), II(ImplicitOps | Stack, em_popf, popf), I(ImplicitOps, em_sahf), I(ImplicitOps, em_lahf), 
@@ -4324,19 +4376,19 @@ static const struct opcode opcode_table[256] =3D { X8(I(DstReg | SrcImm64 | Mov, em_mov)), /* 0xC0 - 0xC7 */ G(ByteOp | Src2ImmByte, group2), G(Src2ImmByte, group2), - I(ImplicitOps | NearBranch | SrcImmU16 | IsBranch, em_ret_near_imm), - I(ImplicitOps | NearBranch | IsBranch, em_ret), + I(ImplicitOps | NearBranch | SrcImmU16 | IsBranch | ShadowStack, em_ret_n= ear_imm), + I(ImplicitOps | NearBranch | IsBranch | ShadowStack, em_ret), I(DstReg | SrcMemFAddr | ModRM | No64 | Src2ES, em_lseg), I(DstReg | SrcMemFAddr | ModRM | No64 | Src2DS, em_lseg), G(ByteOp, group11), G(0, group11), /* 0xC8 - 0xCF */ I(Stack | SrcImmU16 | Src2ImmByte, em_enter), I(Stack, em_leave), - I(ImplicitOps | SrcImmU16 | IsBranch, em_ret_far_imm), - I(ImplicitOps | IsBranch, em_ret_far), - D(ImplicitOps | IsBranch), DI(SrcImmByte | IsBranch, intn), + I(ImplicitOps | SrcImmU16 | IsBranch | ShadowStack, em_ret_far_imm), + I(ImplicitOps | IsBranch | ShadowStack, em_ret_far), + D(ImplicitOps | IsBranch), DI(SrcImmByte | IsBranch | ShadowStack, intn), D(ImplicitOps | No64 | IsBranch), - II(ImplicitOps | IsBranch, em_iret, iret), + II(ImplicitOps | IsBranch | ShadowStack, em_iret, iret), /* 0xD0 - 0xD7 */ G(Src2One | ByteOp, group2), G(Src2One, group2), G(Src2CL | ByteOp, group2), G(Src2CL, group2), @@ -4352,7 +4404,7 @@ static const struct opcode opcode_table[256] =3D { I2bvIP(SrcImmUByte | DstAcc, em_in, in, check_perm_in), I2bvIP(SrcAcc | DstImmUByte, em_out, out, check_perm_out), /* 0xE8 - 0xEF */ - I(SrcImm | NearBranch | IsBranch, em_call), + I(SrcImm | NearBranch | IsBranch | ShadowStack, em_call), D(SrcImm | ImplicitOps | NearBranch | IsBranch), I(SrcImmFAddr | No64 | IsBranch, em_jmp_far), D(SrcImmByte | ImplicitOps | NearBranch | IsBranch), 
@@ -4371,7 +4423,7 @@ static const struct opcode opcode_table[256] =3D { static const struct opcode twobyte_table[256] =3D { /* 0x00 - 0x0F */ G(0, group6), GD(0, &group7), N, N, - N, I(ImplicitOps | EmulateOnUD | IsBranch, em_syscall), + N, I(ImplicitOps | EmulateOnUD | IsBranch | ShadowStack, em_syscall), II(ImplicitOps | Priv, em_clts, clts), N, DI(ImplicitOps | Priv, invd), DI(ImplicitOps | Priv, wbinvd), N, N, N, D(ImplicitOps | ModRM | SrcMem | NoAccess), N, N, @@ -4402,8 +4454,8 @@ static const struct opcode twobyte_table[256] =3D { IIP(ImplicitOps, em_rdtsc, rdtsc, check_rdtsc), II(ImplicitOps | Priv, em_rdmsr, rdmsr), IIP(ImplicitOps, em_rdpmc, rdpmc, check_rdpmc), - I(ImplicitOps | EmulateOnUD | IsBranch, em_sysenter), - I(ImplicitOps | Priv | EmulateOnUD | IsBranch, em_sysexit), + I(ImplicitOps | EmulateOnUD | IsBranch | ShadowStack, em_sysenter), + I(ImplicitOps | Priv | EmulateOnUD | IsBranch | ShadowStack, em_sysexit), N, N, N, N, N, N, N, N, N, N, /* 0x40 - 0x4F */ 
@@ -4941,6 +4993,40 @@ int x86_decode_insn(struct x86_emulate_ctxt *ctxt, v= oid *insn, int insn_len, int if (ctxt->d =3D=3D 0) return EMULATION_FAILED; =20 + /* + * Reject emulation if KVM might need to emulate shadow stack updates + * and/or indirect branch tracking enforcement, which the emulator + * doesn't support. + */ + if ((is_ibt_instruction(ctxt->d) || is_shstk_instruction(ctxt->d)) && + ctxt->ops->get_cr(ctxt, 4) & X86_CR4_CET) { + u64 u_cet =3D 0, s_cet =3D 0; + + /* + * Check both User and Supervisor on far transfers as inter- + * privilege level transfers are impacted by CET at the target + * privilege level, and that is not known at this time. The + * the expectation is that the guest will not require emulation + * of any CET-affected instructions at any privilege level. + */ + if (!(ctxt->d & NearBranch)) + u_cet =3D s_cet =3D CET_SHSTK_EN | CET_ENDBR_EN; + else if (ctxt->ops->cpl(ctxt) =3D=3D 3) + u_cet =3D CET_SHSTK_EN | CET_ENDBR_EN; + else + s_cet =3D CET_SHSTK_EN | CET_ENDBR_EN; + + if ((u_cet && ctxt->ops->get_msr(ctxt, MSR_IA32_U_CET, &u_cet)) || + (s_cet && ctxt->ops->get_msr(ctxt, MSR_IA32_S_CET, &s_cet))) + return EMULATION_FAILED; + + if ((u_cet | s_cet) & CET_SHSTK_EN && is_shstk_instruction(ctxt->d)) + return EMULATION_FAILED; + + if ((u_cet | s_cet) & CET_ENDBR_EN && is_ibt_instruction(ctxt->d)) + return EMULATION_FAILED; + } + ctxt->execute =3D opcode.u.execute; =20 if (unlikely(emulation_type & EMULTYPE_TRAP_UD) && --=20 2.51.0.470.ga7dc726c21-goog
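Review bot: in the is_ibt_instruction() hunk, the `default:` arm of the switch warns and then returns false, so a branch whose source operand type was not anticipated is treated as *not* IBT-relevant and goes on to be emulated. Given the comment a few lines above that false negatives "could impact guest security", the safer default is `return true;` (reject emulation) while keeping the WARN_ONCE so the gap gets noticed and fixed. Also, "SYCALL" in that comment should be "SYSCALL".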
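Review bot: in the group5 hunk, the em_jmp_abs entry is removed and re-added with identical flags (`I(SrcMem | NearBranch | IsBranch, em_jmp_abs),`), so that change can only be whitespace realignment. Either mention it in the changelog or drop it so the diff covers only the entries whose flags actually change.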
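Review bot: in the 0xC8-0xCF hunk, `DI(SrcImmByte | IsBranch | ShadowStack, intn)` tags INT n as touching the shadow stack, but INT3 (`D(ImplicitOps | IsBranch)`) and INTO (`D(ImplicitOps | No64 | IsBranch)`) on the same rows are left untagged, although all three deliver through the IDT and push to the shadow stack in the same way. For a guest with only SHSTK_EN set (no ENDBR_EN), the far-branch path in is_ibt_instruction() does not reject them, so they would still be emulated. If the omission is intentional, a comment should say why; otherwise tag them as well.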
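Review bot: in the x86_decode_insn() hunk, `u_cet = s_cet = CET_SHSTK_EN | CET_ENDBR_EN` doubles as a "read this MSR" sentinel that the get_msr() calls then overwrite, which reads as if the bits were being set. Two bools (e.g. check_user/check_supervisor) with `u64 u_cet = 0, s_cet = 0;` would make the intent plain and not depend on the sentinel being non-zero. Also "The the expectation" in the comment is a duplicated word, and `ctxt->ops->get_cr(ctxt, 4) & X86_CR4_CET` relies on `&` binding tighter than `&&`, which is correct but worth a pair of parentheses for readability.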
Reply-To: Sean Christopherson
Date: Fri, 19 Sep 2025 15:32:26 -0700
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
References: <20250919223258.1604852-1-seanjc@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Message-ID: <20250919223258.1604852-20-seanjc@google.com>
Subject: [PATCH v16 19/51] KVM: x86: Don't emulate task switches when IBT or SHSTK is enabled
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li

Exit to userspace with KVM_INTERNAL_ERROR_EMULATION if the guest triggers task switch emulation with Indirect Branch Tracking or Shadow Stacks enabled, as attempting to do the right thing would require non-trivial effort and complexity, KVM doesn't support emulating CET generally, and it's extremely unlikely that any guest will do task switches while also utilizing CET. Defer taking on the complexity until someone cares enough to put in the time and effort to add support.

Per the SDM:

  If shadow stack is enabled, then the SSP of the task is located at the 4 bytes at offset 104 in the 32-bit TSS and is used by the processor to establish the SSP when a task switch occurs from a task associated with this TSS. Note that the processor does not write the SSP of the task initiating the task switch to the TSS of that task, and instead the SSP of the previous task is pushed onto the shadow stack of the new task.

Note, per the SDM's pseudocode on TASK SWITCHING, IBT state for the new privilege level is updated. To keep things simple, check both S_CET and U_CET (again, anyone that wants more precise checking can have the honor of implementing support).

Reported-by: Binbin Wu
Closes: https://lore.kernel.org/all/819bd98b-2a60-4107-8e13-41f1e4c706b1@linux.intel.com
Signed-off-by: Sean Christopherson
Reviewed-by: Xiaoyao Li
---
 arch/x86/kvm/x86.c | 35 ++++++++++++++++++++++++++++-------
 1 file changed, 28 insertions(+), 7 deletions(-)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index d2cccc7594d4..0c060e506f9d 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -12178,6 +12178,25 @@ int kvm_task_switch(struct kvm_vcpu *vcpu, u16 tss= _selector, int idt_index, struct x86_emulate_ctxt *ctxt =3D vcpu->arch.emulate_ctxt; int ret; =20 + if (kvm_is_cr4_bit_set(vcpu, X86_CR4_CET)) { + u64 u_cet, s_cet; + + /* + * Check both User and Supervisor on task switches as inter- + * privilege level task switches are impacted by CET at both + * the current privilege level and the new privilege level, and + * that information is not known at this time. The expectation + * is that the guest won't require emulation of task switches + * while using IBT or Shadow Stacks. + */ + if (__kvm_emulate_msr_read(vcpu, MSR_IA32_U_CET, &u_cet) || + __kvm_emulate_msr_read(vcpu, MSR_IA32_S_CET, &s_cet)) + return EMULATION_FAILED; + + if ((u_cet | s_cet) & CET_SHSTK_EN) + goto unhandled_task_switch; + } + init_emulate_ctxt(vcpu); =20 ret =3D emulator_task_switch(ctxt, tss_selector, idt_index, reason, 
@@ -12187,17 +12206,19 @@ int kvm_task_switch(struct kvm_vcpu *vcpu, u16 ts= s_selector, int idt_index, * Report an error userspace if MMIO is needed, as KVM doesn't support * MMIO during a task switch (or any other complex operation). */ - if (ret || vcpu->mmio_needed) { - vcpu->mmio_needed =3D false; - vcpu->run->exit_reason =3D KVM_EXIT_INTERNAL_ERROR; - vcpu->run->internal.suberror =3D KVM_INTERNAL_ERROR_EMULATION; - vcpu->run->internal.ndata =3D 0; - return 0; - } + if (ret || vcpu->mmio_needed) + goto unhandled_task_switch; =20 kvm_rip_write(vcpu, ctxt->eip); kvm_set_rflags(vcpu, ctxt->eflags); return 1; + +unhandled_task_switch: + vcpu->mmio_needed =3D false; + vcpu->run->exit_reason =3D KVM_EXIT_INTERNAL_ERROR; + vcpu->run->internal.suberror =3D KVM_INTERNAL_ERROR_EMULATION; + vcpu->run->internal.ndata =3D 0; + return 0; } EXPORT_SYMBOL_GPL(kvm_task_switch); =20 --=20 2.51.0.470.ga7dc726c21-goog
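Review bot: the unhandled_task_switch label is now reached from the CET check that runs before init_emulate_ctxt() as well as from the `ret || vcpu->mmio_needed` path, but the only comment describing the userspace exit ("Report an error userspace if MMIO is needed") still sits above the MMIO check; a one-line comment at the label stating that it reports KVM_INTERNAL_ERROR_EMULATION for any task switch KVM declines to emulate would keep both paths documented, and while touching that comment, it is missing "to" ("Report an error to userspace").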
Reply-To: Sean Christopherson
Date: Fri, 19 Sep 2025 15:32:27 -0700
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
References: <20250919223258.1604852-1-seanjc@google.com>
Message-ID: <20250919223258.1604852-21-seanjc@google.com>
Subject: [PATCH v16 20/51] KVM: x86: Emulate SSP[63:32]!=0 #GP(0) for FAR JMP to 32-bit mode
From: Sean Christopherson
To: Paolo Bonzini , Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky , Mathias Krause , John Allen , Rick Edgecombe , Chao Gao , Binbin Wu , Xiaoyao Li , Maxim Levitsky , Zhang Yi Z , Xin Li
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Emulate the Shadow Stack restriction that the current SSP must be a 32-bit value on a FAR JMP from 64-bit mode to compatibility mode. From the SDM's pseudocode for FAR JMP:

IF ShadowStackEnabled(CPL)
  IF (IA32_EFER.LMA and DEST(segment selector).L) = 0
    (* If target is legacy or compatibility mode then the SSP must be in low 4GB *)
    IF (SSP & 0xFFFFFFFF00000000 != 0); THEN #GP(0); FI;
  FI;
FI;

Note, only the current CPL needs to be considered, as FAR JMP can't be used for inter-privilege level transfers, and KVM rejects emulation of all other far branch instructions when Shadow Stacks are enabled.

To give the emulator access to GUEST_SSP, special case handling MSR_KVM_INTERNAL_GUEST_SSP in emulator_get_msr() to treat the access as a host access (KVM doesn't allow guest accesses to internal "MSRs"). The ->get_msr() API is only used for implicit accesses from the emulator, i.e. is only used with hardcoded MSR indices, and so any access to MSR_KVM_INTERNAL_GUEST_SSP is guaranteed to be from KVM, i.e. not from the guest via RDMSR.

Signed-off-by: Sean Christopherson
Reviewed-by: Binbin Wu
Reviewed-by: Xiaoyao Li
---
arch/x86/kvm/emulate.c | 35 +++++++++++++++++++++++++++++++++++
arch/x86/kvm/x86.c | 9 +++++++++
2 files changed, 44 insertions(+)

diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index dc0249929cbf..5c5fb6a6f7f9 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -1605,6 +1605,37 @@ static int write_segment_descriptor(struct x86_emula= te_ctxt *ctxt, return linear_write_system(ctxt, addr, desc, sizeof(*desc)); } =20 +static bool emulator_is_ssp_invalid(struct x86_emulate_ctxt *ctxt, u8 cpl) +{ + const u32 MSR_IA32_X_CET =3D cpl =3D=3D 3 ? MSR_IA32_U_CET : MSR_IA32_S_C= ET; + u64 efer =3D 0, cet =3D 0, ssp =3D 0; + + if (!(ctxt->ops->get_cr(ctxt, 4) & X86_CR4_CET)) + return false; + + if (ctxt->ops->get_msr(ctxt, MSR_EFER, &efer)) + return true; + + /* SSP is guaranteed to be valid if the vCPU was already in 32-bit mode. = */ + if (!(efer & EFER_LMA)) + return false; + + if (ctxt->ops->get_msr(ctxt, MSR_IA32_X_CET, &cet)) + return true; + + if (!(cet & CET_SHSTK_EN)) + return false; + + if (ctxt->ops->get_msr(ctxt, MSR_KVM_INTERNAL_GUEST_SSP, &ssp)) + return true; + + /* + * On transfer from 64-bit mode to compatibility mode, SSP[63:32] must + * be 0, i.e. SSP must be a 32-bit value outside of 64-bit mode. + */ + return ssp >> 32; +} + static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt, u16 selector, int seg, u8 cpl, enum x86_transfer_type transfer, @@ -1745,6 +1776,10 @@ static int __load_segment_descriptor(struct x86_emul= ate_ctxt *ctxt, if (efer & EFER_LMA) goto exception; } + if (!seg_desc.l && emulator_is_ssp_invalid(ctxt, cpl)) { + err_code =3D 0; + goto exception; + } =20 /* CS(RPL) <- CPL */ selector =3D (selector & 0xfffc) | cpl; diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 0c060e506f9d..40596fc5142e 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c 
@@ -8741,6 +8741,15 @@ static int emulator_set_msr_with_filter(struct x86_e= mulate_ctxt *ctxt, static int emulator_get_msr(struct x86_emulate_ctxt *ctxt, u32 msr_index, u64 *pdata) { + /* + * Treat emulator accesses to the current shadow stack pointer as host- + * initiated, as they aren't true MSR accesses (SSP is a "just a reg"), + * and this API is used only for implicit accesses, i.e. not RDMSR, and + * so the index is fully KVM-controlled. + */ + if (unlikely(msr_index =3D=3D MSR_KVM_INTERNAL_GUEST_SSP)) + return kvm_msr_read(emul_to_vcpu(ctxt), msr_index, pdata); + return __kvm_emulate_msr_read(emul_to_vcpu(ctxt), msr_index, pdata); } =20 --=20 2.51.0.470.ga7dc726c21-goog
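Review bot: in emulator_is_ssp_invalid() (emulate.c hunk), a failed ctxt->ops->get_msr() for MSR_EFER, the selected X_CET MSR or MSR_KVM_INTERNAL_GUEST_SSP returns true, which the caller turns into #GP(0) for the guest, so a KVM-internal read failure is reported as an architectural fault; these reads are not expected to fail once CR4.CET and CET_SHSTK_EN are set, so a WARN_ON_ONCE() on those three paths would at least make a broken read visible instead of silently faulting the guest. Style-wise, `const u32 MSR_IA32_X_CET` is a local variable spelled like a macro; kernel style would be a lowercase name such as `cet_msr`. In the __load_segment_descriptor() hunk, the `err_code =3D 0; goto exception;` path relies on err_vec still holding GP_VECTOR at that point, which deserves a short comment since earlier branches in that function reassign err_vec before jumping to the same label.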
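Review bot: the host-initiated path for MSR_KVM_INTERNAL_GUEST_SSP in emulator_get_msr() bypasses the guest-visibility checks that __kvm_emulate_msr_read() applies, so correctness now rests on every emulator caller confirming CR4.CET and CET_SHSTK_EN before asking for SSP, as emulator_is_ssp_invalid() does; a `WARN_ON_ONCE(!kvm_is_cr4_bit_set(emul_to_vcpu(ctxt), X86_CR4_CET))` on that branch, or a sentence to that effect in the comment, would make the precondition explicit for the next caller. Minor: the comment reads `SSP is a "just a reg"`; drop the first "a".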
Reply-To: Sean Christopherson
Date: Fri, 19 Sep 2025 15:32:28 -0700
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
References: <20250919223258.1604852-1-seanjc@google.com>
Message-ID: <20250919223258.1604852-22-seanjc@google.com>
Subject: [PATCH v16 21/51] KVM: x86/mmu: WARN on attempt to check permissions for Shadow Stack #PF
From: Sean Christopherson
To: Paolo Bonzini , Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky , Mathias Krause , John Allen , Rick Edgecombe , Chao Gao , Binbin Wu , Xiaoyao Li , Maxim Levitsky , Zhang Yi Z , Xin Li
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Add PFERR_SS_MASK, a.k.a. Shadow Stack access, and WARN if KVM attempts to check permissions for a Shadow Stack access as KVM hasn't been taught to understand the magic Writable=0,Dirty=0 combination that is required for Shadow Stack accesses, and likely will never learn. There are no plans to support Shadow Stacks with the Shadow MMU, and the emulator rejects all instructions that affect Shadow Stacks, i.e. it should be impossible for KVM to observe a #PF due to a shadow stack access.

Signed-off-by: Sean Christopherson
Reviewed-by: Binbin Wu
Reviewed-by: Xiaoyao Li
---
arch/x86/include/asm/kvm_host.h | 1 +
arch/x86/kvm/mmu.h | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index 7a7e6356a8dd..554d83ff6135 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -267,6 +267,7 @@ enum x86_intercept_stage; #define PFERR_RSVD_MASK BIT(3) #define PFERR_FETCH_MASK BIT(4) #define PFERR_PK_MASK BIT(5) +#define PFERR_SS_MASK BIT(6) #define PFERR_SGX_MASK BIT(15) #define PFERR_GUEST_RMP_MASK BIT_ULL(31) #define PFERR_GUEST_FINAL_MASK BIT_ULL(32)
diff --git a/arch/x86/kvm/mmu.h b/arch/x86/kvm/mmu.h
index b4b6860ab971..f63074048ec6 100644
--- a/arch/x86/kvm/mmu.h
+++ b/arch/x86/kvm/mmu.h
@@ -212,7 +212,7 @@ static inline u8 permission_fault(struct kvm_vcpu *vcpu= , struct kvm_mmu *mmu, =20 fault =3D (mmu->permissions[index] >> pte_access) & 1; =20 - WARN_ON(pfec & (PFERR_PK_MASK | PFERR_RSVD_MASK)); + WARN_ON_ONCE(pfec & (PFERR_PK_MASK | PFERR_SS_MASK | PFERR_RSVD_MASK)); if (unlikely(mmu->pkru_mask)) { u32 pkru_bits, offset; =20 --=20 2.51.0.470.ga7dc726c21-goog
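Review bot: the mmu.h hunk changes WARN_ON() to WARN_ON_ONCE() in the same line that adds PFERR_SS_MASK, but the changelog only describes the new flag; please call out the rate-limiting change in the changelog (or split it into its own patch), since permission_fault() sits on the shadow-paging #PF path and "fires once" versus "fires every time" changes what a debugger sees. The kvm_host.h side is fine: PFERR_SS_MASK as BIT(6) slots between PK (BIT(5)) and SGX (BIT(15)) in the existing error-code layout.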
Reply-To: Sean Christopherson
Date: Fri, 19 Sep 2025 15:32:29 -0700
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
References: <20250919223258.1604852-1-seanjc@google.com>
Message-ID: <20250919223258.1604852-23-seanjc@google.com>
Subject: [PATCH v16 22/51] KVM: x86/mmu: Pretty print PK, SS, and SGX flags in MMU tracepoints
From: Sean Christopherson
To: Paolo Bonzini , Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky , Mathias Krause , John Allen , Rick Edgecombe , Chao Gao , Binbin Wu , Xiaoyao Li , Maxim Levitsky , Zhang Yi Z , Xin Li
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Add PK (Protection Keys), SS (Shadow Stacks), and SGX (Software Guard Extensions) to the set of #PF error flags handled via kvm_mmu_trace_pferr_flags. While KVM doesn't expect PK or SS #PFs in particular, pretty printing their names instead of the raw hex value saves the user from having to go spelunking in the SDM to figure out what's going on.

Signed-off-by: Sean Christopherson
Reviewed-by: Binbin Wu
Reviewed-by: Xiaoyao Li
---
arch/x86/kvm/mmu/mmutrace.h | 3 +++
1 file changed, 3 insertions(+)

diff --git a/arch/x86/kvm/mmu/mmutrace.h b/arch/x86/kvm/mmu/mmutrace.h
index f35a830ce469..764e3015d021 100644
--- a/arch/x86/kvm/mmu/mmutrace.h
+++ b/arch/x86/kvm/mmu/mmutrace.h
@@ -51,6 +51,9 @@ { PFERR_PRESENT_MASK, "P" }, \ { PFERR_WRITE_MASK, "W" }, \ { PFERR_USER_MASK, "U" }, \ + { PFERR_PK_MASK, "PK" }, \ + { PFERR_SS_MASK, "SS" }, \ + { PFERR_SGX_MASK, "SGX" }, \ { PFERR_RSVD_MASK, "RSVD" }, \ { PFERR_FETCH_MASK, "F" } =20 --=20 2.51.0.470.ga7dc726c21-goog
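Review bot: the three new entries are inserted between "U" and "RSVD", so the printed flag order no longer follows bit order (P=0, W=1, U=2, RSVD=3, F=4, PK=5, SS=6, SGX=15 per the kvm_host.h definitions earlier in this series); placing them after `{ PFERR_FETCH_MASK, "F" }` keeps the trace output in ascending bit order, which is easier to map back to the raw error code when reading a trace.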
Reply-To: Sean Christopherson
Date: Fri, 19 Sep 2025 15:32:30 -0700
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
References: <20250919223258.1604852-1-seanjc@google.com>
Message-ID: <20250919223258.1604852-24-seanjc@google.com>
Subject: [PATCH v16 23/51] KVM: x86: Allow setting CR4.CET if IBT or SHSTK is supported
From: Sean Christopherson
To: Paolo Bonzini , Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky , Mathias Krause , John Allen , Rick Edgecombe , Chao Gao , Binbin Wu , Xiaoyao Li , Maxim Levitsky , Zhang Yi Z , Xin Li
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Yang Weijiang

Drop X86_CR4_CET from CR4_RESERVED_BITS and instead mark CET as reserved if and only if IBT *and* SHSTK are unsupported, i.e. allow CR4.CET to be set if IBT or SHSTK is supported.

This creates a virtualization hole if the CPU supports both IBT and SHSTK, but the kernel or vCPU model only supports one of the features. However, it's entirely legal for a CPU to have only one of IBT or SHSTK, i.e. the hole is a flaw in the architecture, not in KVM. More importantly, so long as KVM is careful to initialize and context switch both IBT and SHSTK state (when supported in hardware) if either feature is exposed to the guest, a misbehaving guest can only harm itself. E.g. VMX initializes host CET VMCS fields based solely on hardware capabilities.

Signed-off-by: Yang Weijiang
Signed-off-by: Mathias Krause
Tested-by: Mathias Krause
Tested-by: John Allen
Tested-by: Rick Edgecombe
Signed-off-by: Chao Gao
[sean: split to separate patch, write changelog]
Signed-off-by: Sean Christopherson
Reviewed-by: Binbin Wu
Reviewed-by: Xiaoyao Li
---
arch/x86/include/asm/kvm_host.h | 2 +-
arch/x86/kvm/x86.h | 3 +++
2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index 554d83ff6135..39231da3a3ff 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -142,7 +142,7 @@ | X86_CR4_OSXSAVE | X86_CR4_SMEP | X86_CR4_FSGSBASE \ | X86_CR4_OSXMMEXCPT | X86_CR4_LA57 | X86_CR4_VMXE \ | X86_CR4_SMAP | X86_CR4_PKE | X86_CR4_UMIP \ - | X86_CR4_LAM_SUP)) + | X86_CR4_LAM_SUP | X86_CR4_CET)) =20 #define CR8_RESERVED_BITS (~(unsigned long)X86_CR8_TPR) =20
diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h
index 65cbd454c4f1..f3dc77f006f9 100644
--- a/arch/x86/kvm/x86.h
+++ b/arch/x86/kvm/x86.h
@@ -680,6 +680,9 @@ static inline bool __kvm_is_valid_cr4(struct kvm_vcpu *= vcpu, unsigned long cr4) __reserved_bits |=3D X86_CR4_PCIDE; \ if (!__cpu_has(__c, X86_FEATURE_LAM)) \ __reserved_bits |=3D X86_CR4_LAM_SUP; \ + if (!__cpu_has(__c, X86_FEATURE_SHSTK) && \ + !__cpu_has(__c, X86_FEATURE_IBT)) \ + __reserved_bits |=3D X86_CR4_CET; \ __reserved_bits; \ }) =20 --=20 2.51.0.470.ga7dc726c21-goog
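Review bot: the x86.h hunk makes CR4.CET settable whenever the vCPU model has either SHSTK or IBT, and the changelog's safety argument is that the VMX/SVM backends initialize and context switch both IBT and SHSTK state whenever either feature is exposed; that invariant is invisible from this check, so a short comment above the new `if (!__cpu_has(__c, X86_FEATURE_SHSTK) && !__cpu_has(__c, X86_FEATURE_IBT))` lines (for example "either feature unlocks CR4.CET; the backend must save/restore both IBT and SHSTK state") would stop a later change from exposing one feature without the other's state handling. The kvm_host.h side is consistent with the changelog: adding X86_CR4_CET to the negated list in CR4_RESERVED_BITS removes it from the reserved set.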
Reply-To: Sean Christopherson
Date: Fri, 19 Sep 2025 15:32:31 -0700
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
References: <20250919223258.1604852-1-seanjc@google.com>
Message-ID: <20250919223258.1604852-25-seanjc@google.com>
Subject: [PATCH v16 24/51] KVM: nVMX: Always forward XSAVES/XRSTORS exits from L2 to L1
From: Sean Christopherson
To: Paolo Bonzini , Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky , Mathias Krause , John Allen , Rick Edgecombe , Chao Gao , Binbin Wu , Xiaoyao Li , Maxim Levitsky , Zhang Yi Z , Xin Li
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Unconditionally forward XSAVES/XRSTORS VM-Exits from L2 to L1, as KVM doesn't utilize the XSS-bitmap (KVM relies on controlling the XSS value in hardware to prevent unauthorized access to XSAVES state). KVM always loads vmcs02 with vmcs12's bitmap, and so any exit _must_ be due to vmcs12's XSS-bitmap.

Drop the comment about XSS never being non-zero in anticipation of enabling CET_KERNEL and CET_USER support.

Opportunistically WARN if XSAVES is not enabled for L2, as the CPU is supposed to generate #UD before checking the XSS-bitmap.

Signed-off-by: Sean Christopherson
Reviewed-by: Chao Gao
Reviewed-by: Xiaoyao Li
---
arch/x86/kvm/vmx/nested.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c index 2156c9a854f4..846c07380eac 100644 --- a/arch/x86/kvm/vmx/nested.c +++ b/arch/x86/kvm/vmx/nested.c 
@@ -6570,14 +6570,17 @@ static bool nested_vmx_l1_wants_exit(struct kvm_vcp= u *vcpu, return nested_cpu_has2(vmcs12, SECONDARY_EXEC_WBINVD_EXITING); case EXIT_REASON_XSETBV: return true; - case EXIT_REASON_XSAVES: case EXIT_REASON_XRSTORS: + case EXIT_REASON_XSAVES: + case EXIT_REASON_XRSTORS: /* - * This should never happen, since it is not possible to - * set XSS to a non-zero value---neither in L1 nor in L2. - * If if it were, XSS would have to be checked against - * the XSS exit bitmap in vmcs12. + * Always forward XSAVES/XRSTORS to L1 as KVM doesn't utilize + * XSS-bitmap, and always loads vmcs02 with vmcs12's XSS-bitmap + * verbatim, i.e. any exit is due to L1's bitmap. WARN if + * XSAVES isn't enabled, as the CPU is supposed to inject #UD + * in that case, before consulting the XSS-bitmap. */ - return nested_cpu_has2(vmcs12, SECONDARY_EXEC_ENABLE_XSAVES); + WARN_ON_ONCE(!nested_cpu_has2(vmcs12, SECONDARY_EXEC_ENABLE_XSAVES)); + return true; case EXIT_REASON_UMWAIT: case EXIT_REASON_TPAUSE: return nested_cpu_has2(vmcs12, --=20 2.51.0.470.ga7dc726c21-goog From nobody Thu Oct 2 06:18:00 2025 Received: from mail-pg1-f202.google.com (mail-pg1-f202.google.com [209.85.215.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CF70E2F83B0 for ; Fri, 19 Sep 2025 22:33:49 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.215.202 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758321231; cv=none; b=etc4qcc0GMc42u/Ske9TsxtYYSlKLlBgDc1dHwvkAzMSYUFPkAcB4l2DCU1SPDDyfK5YczeDhncMThQ+Oq9ZidfwBwB4Niynq0oj2TZmGvprRQLEdbo6QudKZzvf7jVgKg+vfWfe442vMjn+v+0GQKhvW+U7pG7bnUL1uquim5Y= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758321231; c=relaxed/simple; bh=wv7lXNgVXI4fQTSq3s9gMycF70a9TxUw41cJRljoKaw=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: 
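Review bot: the new WARN_ON_ONCE(!nested_cpu_has2(vmcs12, SECONDARY_EXEC_ENABLE_XSAVES)) in the EXIT_REASON_XSAVES/XRSTORS case is only un-triggerable by L1 if vmcs02's SECONDARY_EXEC_ENABLE_XSAVES is taken strictly from vmcs12. If KVM could ever leave XSAVES enabled in vmcs02 while vmcs12 has it clear, L1 could set a bit in its XSS-exit bitmap, run XSAVES in L2, take the exit and hit the WARN, i.e. a guest-triggerable splat (and a crash with panic_on_warn). The comment covers the bitmap ("always loads vmcs02 with vmcs12's XSS-bitmap verbatim") but not the enable bit itself; one sentence stating that vmcs02 inherits SECONDARY_EXEC_ENABLE_XSAVES only from vmcs12 (with a pointer to the vmcs02 setup code that does so) would make the WARN's justification self-contained.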
Date: Fri, 19 Sep 2025 15:32:32 -0700
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li
Subject: [PATCH v16 25/51] KVM: x86: Add XSS support for CET_KERNEL and CET_USER
Message-ID: <20250919223258.1604852-26-seanjc@google.com>
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Yang Weijiang

Add CET_KERNEL and CET_USER to KVM's set of supported XSS bits when IBT *or* SHSTK is supported. Like CR4.CET, XFEATURE support for IBT and SHSTK are bundled together under the CET umbrella, and thus prone to virtualization holes if KVM or the guest supports only one of IBT or SHSTK, but hardware supports both. However, again like CR4.CET, such virtualization holes are benign from the host's perspective so long as KVM takes care to always honor the "or" logic.

Require CET_KERNEL and CET_USER to come as a pair, and refuse to support IBT or SHSTK if one (or both) features is missing, as the (host) kernel expects them to come as a pair, i.e. may get confused and corrupt state if only one of CET_KERNEL or CET_USER is supported.

Signed-off-by: Yang Weijiang
Signed-off-by: Mathias Krause
Tested-by: Mathias Krause
Tested-by: John Allen
Tested-by: Rick Edgecombe
Signed-off-by: Chao Gao
[sean: split to separate patch, write changelog, add XFEATURE_MASK_CET_ALL]
Signed-off-by: Sean Christopherson
Reviewed-by: Binbin Wu
Reviewed-by: Xiaoyao Li
---
 arch/x86/kvm/x86.c | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 40596fc5142e..4a0ff0403bb2 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -220,13 +220,14 @@ static struct kvm_user_return_msrs __percpu *user_ret= urn_msrs; | XFEATURE_MASK_BNDCSR | XFEATURE_MASK_AVX512 \ | XFEATURE_MASK_PKRU | XFEATURE_MASK_XTILE) =20 +#define XFEATURE_MASK_CET_ALL (XFEATURE_MASK_CET_USER | XFEATURE_MASK_CET_= KERNEL) /* * Note, KVM supports exposing PT to the guest, but does not support conte= xt * switching PT via XSTATE (KVM's PT virtualization relies on perf; swappi= ng * PT via guest XSTATE would clobber perf state), i.e. KVM doesn't support * IA32_XSS[bit 8] (guests can/must use RDMSR/WRMSR to save/restore PT MSR= s). */ -#define KVM_SUPPORTED_XSS 0 +#define KVM_SUPPORTED_XSS (XFEATURE_MASK_CET_ALL) =20 bool __read_mostly allow_smaller_maxphyaddr =3D 0; EXPORT_SYMBOL_GPL(allow_smaller_maxphyaddr); @@ -10104,6 +10105,16 @@ int kvm_x86_vendor_init(struct kvm_x86_init_ops *o= ps) if (!kvm_cpu_cap_has(X86_FEATURE_XSAVES)) kvm_caps.supported_xss =3D 0; =20 + if (!kvm_cpu_cap_has(X86_FEATURE_SHSTK) && + !kvm_cpu_cap_has(X86_FEATURE_IBT)) + kvm_caps.supported_xss &=3D ~XFEATURE_MASK_CET_ALL; + + if ((kvm_caps.supported_xss & XFEATURE_MASK_CET_ALL) !=3D XFEATURE_MASK_C= ET_ALL) { + kvm_cpu_cap_clear(X86_FEATURE_SHSTK); + kvm_cpu_cap_clear(X86_FEATURE_IBT); + kvm_caps.supported_xss &=3D ~XFEATURE_MASK_CET_ALL; + } + if (kvm_caps.has_tsc_control) { /* * Make sure the user can only configure tsc_khz values that 
@@ -12775,10 +12786,11 @@ static void kvm_xstate_reset(struct kvm_vcpu *vcp= u, bool init_event) /* * On INIT, only select XSTATE components are zeroed, most components * are unchanged. Currently, the only components that are zeroed and - * supported by KVM are MPX related. + * supported by KVM are MPX and CET related. */ xfeatures_mask =3D (kvm_caps.supported_xcr0 | kvm_caps.supported_xss) & - (XFEATURE_MASK_BNDREGS | XFEATURE_MASK_BNDCSR); + (XFEATURE_MASK_BNDREGS | XFEATURE_MASK_BNDCSR | + XFEATURE_MASK_CET_ALL); if (!xfeatures_mask) return; =20 --=20 2.51.0.470.ga7dc726c21-goog From nobody Thu Oct 2 06:18:00 2025 Received: from mail-pl1-f202.google.com (mail-pl1-f202.google.com [209.85.214.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 987082FB09F for ; Fri, 19 Sep 2025 22:33:51 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.202 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758321233; cv=none; b=d3dceOxWLSnLgHyNghG2QiueSTaNqIcDj3pZ/gmp9D4rLqjaRRdTjTqAkrllVL5x3r6IoMrad8ACeh0N/yqJVKpttWPOHQpaNEYXjF7+5If5IMApsduHr92hl8/zcc8WwjdQObc5I3vh55uVlJXT7IpG5+7FI6kSMXqQJWNpg6I= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758321233; c=relaxed/simple; bh=/tqPBTeDuMrFe1AL4FE5D/cKrgiWfqZL6tyxrCfO6SU=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=m9fnw8b55Ba7CMtE5OATsKq4FdWX8FvRu8ZBBH324gQ+0VRmnG1Qt3Qrg+y5ZyFt7Afa3DNNmehY1qF4C4iGnvMs5wx/wwJLfJ5M9HIi0NllSJgkJzvN509fkN2j6v0jhLESYTqwEdFo7nGINX1+BJtKYr5+Voyx9QNVB2QC4lg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=fOK0S79l; arc=none smtp.client-ip=209.85.214.202 
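Review bot: in the kvm_x86_vendor_init() hunk the two checks silently modify both kvm_caps.supported_xss and the SHSTK/IBT caps; when the host reports only one of CET_USER/CET_KERNEL in XSS, the second check drops SHSTK and IBT without leaving any trace, which will be hard to diagnose from a guest that unexpectedly lacks CET. A pr_warn_once() when the pair is incomplete (or, at minimum, a changelog sentence saying the drop is deliberate and silent) would help. Note the first check is not redundant with the second: without it, a host supporting neither feature but both XSS bits would keep CET_ALL in supported_xss with no feature behind it, so both need to stay in this order. A smaller point on the first hunk: XFEATURE_MASK_CET_ALL is defined privately in x86.c next to KVM_SUPPORTED_XSS; if any later patch references it from vmx.c or cpuid.c, it belongs in a header alongside the other XFEATURE_MASK_* definitions rather than being duplicated.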
Date: Fri, 19 Sep 2025 15:32:33 -0700
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li
Subject: [PATCH v16 26/51] KVM: x86: Disable support for Shadow Stacks if TDP is disabled
Message-ID: <20250919223258.1604852-27-seanjc@google.com>
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Make TDP a hard requirement for Shadow Stacks, as there are no plans to add Shadow Stack support to the Shadow MMU. E.g. KVM hasn't been taught to understand the magic Writable=0,Dirty=0 combination that is required for Shadow Stack accesses, and so enabling Shadow Stacks when using shadow paging will put the guest into an infinite #PF loop (KVM thinks the shadow page tables have a valid mapping, hardware says otherwise).

Signed-off-by: Sean Christopherson
Reviewed-by: Binbin Wu
Reviewed-by: Xiaoyao Li
---
 arch/x86/kvm/cpuid.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c index 32fde9e80c28..499c86bd457e 100644 --- a/arch/x86/kvm/cpuid.c +++ b/arch/x86/kvm/cpuid.c 
@@ -955,6 +955,14 @@ void kvm_set_cpu_caps(void) if (!tdp_enabled || !boot_cpu_has(X86_FEATURE_OSPKE)) kvm_cpu_cap_clear(X86_FEATURE_PKU); =20 + /* + * Shadow Stacks aren't implemented in the Shadow MMU. Shadow Stack + * accesses require "magic" Writable=3D0,Dirty=3D1 protection, which KVM + * doesn't know how to emulate or map. + */ + if (!tdp_enabled) + kvm_cpu_cap_clear(X86_FEATURE_SHSTK); + kvm_cpu_cap_init(CPUID_7_EDX, F(AVX512_4VNNIW), F(AVX512_4FMAPS), --=20 2.51.0.470.ga7dc726c21-goog From nobody Thu Oct 2 06:18:00 2025 Received: from mail-pg1-f202.google.com (mail-pg1-f202.google.com [209.85.215.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8E4332FBE01 for ; Fri, 19 Sep 2025 22:33:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.215.202 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758321235; cv=none; b=WM7SEW2whny6tu0H8MbCp7+kZt0xOhcRE/Uod/u84ES/azM4q1VPlEAjETpxzHfJFdvHL4IwS1SzfgHEMyZ30uF1avWC1oGXy2LcZWyvF4KcoDBg25qgo2fodQCv896fVQZtZ9PZIoaqCKStFdqxE0hq17TcXQs+0qTDjOcUHCI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758321235; c=relaxed/simple; bh=2gM7Uop8vPVEXUGMYiag2AvONubl/l+I+/souHg70aw=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=EO06LL6S86vQItLW1n3I8g73MGrGbDqeSEF3EdL3tv1TPyiyegXRBHM4CaxfzCbRqt700Yd0kBj680oeG1O2/AHs6Bee0Wm+1FK0SABWup+1c1k8uyS8gljqrDIN1JF6gUUFjmPPST4nbf8A41Gh8mHg91assFx9CNrfWxEvDcM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=xtJH13b7; arc=none smtp.client-ip=209.85.215.202 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) 
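Review bot: the changelog and the new comment disagree on the shadow-stack PTE encoding: the changelog says "Writable=0,Dirty=0" while the comment added to kvm_set_cpu_caps() says "Writable=0,Dirty=1". The comment is the correct one (with CR4.CET=1 a leaf entry with R/W=0 and Dirty=1 is a shadow-stack page; R/W=0,Dirty=0 is an ordinary read-only page), so the changelog should be fixed before this is applied, otherwise the commit history will document the wrong bit. The placement of the clear directly before kvm_cpu_cap_init(CPUID_7_EDX, ...) is fine for SHSTK, which lives in CPUID.7.ECX and is initialised above this point; anything from leaf 7 EDX cleared here would be rebuilt by the initializer that follows, which matters for the next patch.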
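The page-table encoding behind the changelog above, as an added example in C that is not part of the patch or of KVM. classify_leaf_pte() applies the architectural rule (with CR4.CET=1, a leaf PTE with R/W=0 and Dirty=1 is a shadow-stack page), leaf_access_allowed() models the leaf-level permission check for ordinary and shadow-stack accesses, and naive_spte() is a hypothetical, deliberately simplified model of a CET-unaware shadow MMU (it is not KVM's SPTE format) used to show why such an MMU sends the guest into the #PF loop the changelog describes. Non-leaf entries, SMAP/SMEP, NX enforcement and CR0.WP=0 are left out of the model; the sample PTEs in main() are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Leaf PTE bits (Intel SDM Vol. 3, Table 4-20); 4-level paging, 4K pages. */
#define PTE_PRESENT  (1ULL << 0)
#define PTE_RW       (1ULL << 1)
#define PTE_US       (1ULL << 2)
#define PTE_ACCESSED (1ULL << 5)
#define PTE_DIRTY    (1ULL << 6)
#define PTE_NX       (1ULL << 63)
#define PTE_PFN_MASK 0x000ffffffffff000ULL

enum pte_kind { PTE_NOT_PRESENT, PTE_READ_ONLY, PTE_WRITABLE, PTE_SHADOW_STACK };
enum access_kind { ACCESS_READ, ACCESS_WRITE, ACCESS_SHADOW_STACK };

/* With CR4.CET=1, R/W=0 plus Dirty=1 is the shadow-stack encoding, not a stale
 * dirty bit on a read-only page.  With CR4.CET=0 the same PTE is just read-only. */
enum pte_kind classify_leaf_pte(uint64_t pte, bool cr4_cet)
{
	if (!(pte & PTE_PRESENT))
		return PTE_NOT_PRESENT;
	if (pte & PTE_RW)
		return PTE_WRITABLE;
	if (cr4_cet && (pte & PTE_DIRTY))
		return PTE_SHADOW_STACK;
	return PTE_READ_ONLY;
}

/* Leaf-level permission check for one access.  Supervisor writes assume CR0.WP=1. */
bool leaf_access_allowed(uint64_t pte, enum access_kind access, bool user, bool cr4_cet)
{
	enum pte_kind kind = classify_leaf_pte(pte, cr4_cet);
	bool user_page = pte & PTE_US;

	if (kind == PTE_NOT_PRESENT)
		return false;
	if (user && !user_page)
		return false;			/* user access to a supervisor page */

	switch (access) {
	case ACCESS_READ:
		return true;			/* ordinary loads may read shadow-stack pages */
	case ACCESS_WRITE:
		return kind == PTE_WRITABLE;	/* ordinary stores never hit a shadow stack */
	case ACCESS_SHADOW_STACK:
		/* CALL/RET/INCSSP/WRSS: only shadow-stack pages, and only of the
		 * matching privilege (user SS pages have U/S=1, supervisor ones U/S=0). */
		return kind == PTE_SHADOW_STACK && user == user_page;
	}
	return false;
}

/* Hypothetical CET-unaware shadow MMU (an assumption of this model, not KVM's
 * SPTE format): copy the guest's PFN and access bits, make the SPTE writable
 * only if the guest PTE is writable, and leave Dirty clear so the MMU can
 * observe the guest's first write itself. */
uint64_t naive_spte(uint64_t guest_pte)
{
	uint64_t spte;

	if (!(guest_pte & PTE_PRESENT))
		return 0;
	spte = guest_pte & (PTE_PRESENT | PTE_US | PTE_NX | PTE_PFN_MASK);
	if (guest_pte & PTE_RW)
		spte |= PTE_RW;
	return spte;
}

/* True when the guest's own page tables permit the access but the SPTE the
 * naive MMU built does not: on the resulting #PF the MMU re-walks the guest
 * tables, finds nothing to fix, reinstalls the same SPTE, and hardware faults
 * again.  That is the "KVM thinks the mapping is valid, hardware says
 * otherwise" loop from the changelog. */
bool naive_mmu_faults_forever(uint64_t guest_pte, enum access_kind access, bool user)
{
	bool guest_ok = leaf_access_allowed(guest_pte, access, user, true);
	bool spte_ok = leaf_access_allowed(naive_spte(guest_pte), access, user, true);

	return guest_ok && !spte_ok;
}

int main(void)
{
	/* Constructed sample PTEs: a user shadow-stack page and a plain RW data page. */
	uint64_t ss_page = PTE_PRESENT | PTE_US | PTE_ACCESSED | PTE_DIRTY | PTE_NX | 0x12345000ULL;
	uint64_t rw_page = PTE_PRESENT | PTE_RW | PTE_US | PTE_ACCESSED | PTE_NX | 0x12346000ULL;

	printf("guest SS page: kind=%d, naive SPTE kind=%d, shadow-stack access loops=%d\n",
	       classify_leaf_pte(ss_page, true),
	       classify_leaf_pte(naive_spte(ss_page), true),
	       naive_mmu_faults_forever(ss_page, ACCESS_SHADOW_STACK, true));
	printf("guest RW page: write loops=%d\n",
	       naive_mmu_faults_forever(rw_page, ACCESS_WRITE, true));
	return 0;
}
```

The model's point is that Dirty=1 carries meaning in the guest's leaf entry, so a shadow MMU cannot treat Dirty as its own bookkeeping bit or derive the SPTE from R/W alone; with TDP the guest's tables are walked by hardware and the problem does not arise.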
Date: Fri, 19 Sep 2025 15:32:34 -0700
Message-ID: <20250919223258.1604852-28-seanjc@google.com>
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Subject: [PATCH v16 27/51] KVM: x86: Disable support for IBT and SHSTK if allow_smaller_maxphyaddr is true
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li

Make IBT and SHSTK virtualization mutually exclusive with "officially" supporting setups with guest.MAXPHYADDR < host.MAXPHYADDR, i.e. if the allow_smaller_maxphyaddr module param is set. Running a guest with a smaller MAXPHYADDR requires intercepting #PF, and can also trigger emulation of arbitrary instructions. Intercepting and reacting to #PFs doesn't play nice with SHSTK, as KVM's MMU hasn't been taught to handle Shadow Stack accesses, and emulating arbitrary instructions doesn't play nice with IBT or SHSTK, as KVM's emulator doesn't handle the various side effects, e.g. doesn't enforce end-branch markers or model Shadow Stack updates.

Note, hiding IBT and SHSTK based solely on allow_smaller_maxphyaddr is overkill, as allow_smaller_maxphyaddr is only problematic if the guest is actually configured to have a smaller MAXPHYADDR. However, KVM's ABI doesn't provide a way to express that IBT and SHSTK may break if enabled in conjunction with guest.MAXPHYADDR < host.MAXPHYADDR. I.e. the alternative is to do nothing in KVM and instead update documentation and hope KVM users are thorough readers.

Go with the conservative-but-correct approach; worst case scenario, this restriction can be dropped if there's a strong use case for enabling CET on hosts with allow_smaller_maxphyaddr.

Signed-off-by: Sean Christopherson
Reviewed-by: Binbin Wu
---
 arch/x86/kvm/cpuid.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
index 499c86bd457e..b5c4cb13630c 100644
--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -963,6 +963,16 @@ void kvm_set_cpu_caps(void) if (!tdp_enabled) kvm_cpu_cap_clear(X86_FEATURE_SHSTK); =20 + /* + * Disable support for IBT and SHSTK if KVM is configured to emulate + * accesses to reserved GPAs, as KVM's emulator doesn't support IBT or + * SHSTK, nor does KVM handle Shadow Stack #PFs (see above). + */ + if (allow_smaller_maxphyaddr) { + kvm_cpu_cap_clear(X86_FEATURE_SHSTK); + kvm_cpu_cap_clear(X86_FEATURE_IBT); + } + kvm_cpu_cap_init(CPUID_7_EDX, F(AVX512_4VNNIW), F(AVX512_4FMAPS), --=20 2.51.0.470.ga7dc726c21-goog From nobody Thu Oct 2 06:18:00 2025 Received: from mail-pl1-f201.google.com (mail-pl1-f201.google.com [209.85.214.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5664D2FC87A for ; Fri, 19 Sep 2025 22:33:55 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758321237; cv=none; b=JIopwvaDK+wPoA5G/1z8ZP54kLeP3diucdcO/Cs0+97RCj1/9Rnl7Hirxb+Dd8hKhm4Zj4/AoQXRe01I6nNj6mF1I8LWo4c0mB5TUdBd8gYKoFKgNEsUyp3dN038nBqlPkzgTIXpn7TUwX/qzs+Iy615CtJMSJTI6kbhpDHi7Cw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758321237; c=relaxed/simple; bh=H85izHo3sM6kNkmT1jTPpHBNMJmymsnKRWYhCXf1xIQ=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=rtKtfRqBodMFk6+Vb/nJdrc0F+NBiwksH7eqx4AGeQhcn2s2kBGLPKc8Mryxbn8nDQbs3LQnbrMdn06wuF3A8zqtvt+6SjbqdLpoG5dYFr45FsZMgAvxX0sa8IHUl49T9QOMeeTTdgmuGn3dAEet3AEFeNzLRTQEA6tyIzwd2cE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=w56vZVoe; arc=none smtp.client-ip=209.85.214.201 Authentication-Results: smtp.subspace.kernel.org; 
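Review bot: kvm_cpu_cap_clear(X86_FEATURE_IBT) is placed immediately before kvm_cpu_cap_init(CPUID_7_EDX, F(AVX512_4VNNIW), ...), and IBT is a CPUID.7.EDX feature (the next patch adds F(IBT) to exactly that initializer). Unless kvm_cpu_cap_init() preserves bits that were cleared earlier, which it does not appear to (it builds the leaf's capability word from its feature list and assigns it), this clear is overwritten and IBT stays advertised even with allow_smaller_maxphyaddr=1, so the hole the changelog describes is not closed. The SHSTK clear is safe because SHSTK is in CPUID.7.ECX, which is initialised above. Suggest moving both CET clears (this block and the !tdp_enabled one from the previous patch) below the CPUID_7_EDX initializer, and adding a selftest or at least a manual check that IBT is absent from KVM_GET_SUPPORTED_CPUID when the param is set. A second, smaller point: allow_smaller_maxphyaddr is consulted once here at cap-setup time, so the comment should state that the param has to stay read-only for the lifetime of the module; a later change making it writable would silently reintroduce the problem.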
Date: Fri, 19 Sep 2025 15:32:35 -0700
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li
Subject: [PATCH v16 28/51] KVM: x86: Enable CET virtualization for VMX and advertise to userspace
Message-ID: <20250919223258.1604852-29-seanjc@google.com>
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Yang Weijiang

Add support for the LOAD_CET_STATE VM-Enter and VM-Exit controls, the CET XFEATURE bits in XSS, and advertise support for IBT and SHSTK to userspace. Explicitly clear IBT and SHSTK on SVM, as additional work is needed to enable CET on SVM, e.g. to context switch S_CET and other state.

Disable KVM CET feature if unrestricted_guest is unsupported/disabled as KVM does not support emulating CET, as running without Unrestricted Guest can result in KVM emulating large swaths of guest code. While it's highly unlikely any guest will trigger emulation while also utilizing IBT or SHSTK, there's zero reason to allow CET without Unrestricted Guest as that combination should only be possible when explicitly disabling unrestricted_guest for testing purposes.

Disable CET if VMX_BASIC[bit56] == 0, i.e. if hardware strictly enforces the presence of an Error Code based on exception vector, as attempting to inject a #CP with an Error Code (#CP architecturally has an Error Code) will fail due to the #CP vector historically not having an Error Code.

Clear S_CET and SSP-related VMCS on "reset" to emulate the architectural behavior of CET MSRs and SSP being reset to 0 after RESET, power-up and INIT. Note, KVM already clears guest CET state that is managed via XSTATE in kvm_xstate_reset().

Signed-off-by: Yang Weijiang
Signed-off-by: Mathias Krause
Tested-by: Mathias Krause
Tested-by: John Allen
Tested-by: Rick Edgecombe
Signed-off-by: Chao Gao
[sean: move some bits to separate patches, massage changelog]
Signed-off-by: Sean Christopherson
Reviewed-by: Binbin Wu
Reviewed-by: Xiaoyao Li
---
 arch/x86/include/asm/vmx.h      |  1 +
 arch/x86/kvm/cpuid.c            |  2 ++
 arch/x86/kvm/svm/svm.c          |  4 ++++
 arch/x86/kvm/vmx/capabilities.h |  5 +++++
 arch/x86/kvm/vmx/vmx.c          | 30 +++++++++++++++++++++++++++++-
 arch/x86/kvm/vmx/vmx.h          |  6 ++++--
 6 files changed, 45 insertions(+), 3 deletions(-)

diff --git a/arch/x86/include/asm/vmx.h b/arch/x86/include/asm/vmx.h
index ce10a7e2d3d9..c85c50019523 100644
--- a/arch/x86/include/asm/vmx.h +++ b/arch/x86/include/asm/vmx.h @@ -134,6 +134,7 @@ #define VMX_BASIC_DUAL_MONITOR_TREATMENT BIT_ULL(49) #define VMX_BASIC_INOUT BIT_ULL(54) #define VMX_BASIC_TRUE_CTLS BIT_ULL(55) +#define VMX_BASIC_NO_HW_ERROR_CODE_CC BIT_ULL(56) =20 static inline u32 vmx_basic_vmcs_revision_id(u64 vmx_basic) { diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c index b5c4cb13630c..b861a88083e1 100644 --- a/arch/x86/kvm/cpuid.c +++ b/arch/x86/kvm/cpuid.c @@ -946,6 +946,7 @@ void kvm_set_cpu_caps(void) VENDOR_F(WAITPKG), F(SGX_LC), F(BUS_LOCK_DETECT), + X86_64_F(SHSTK), ); =20 /* @@ -990,6 +991,7 @@ void kvm_set_cpu_caps(void) F(AMX_INT8), F(AMX_BF16), F(FLUSH_L1D), + F(IBT), ); =20 if (boot_cpu_has(X86_FEATURE_AMD_IBPB_RET) && diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index 67f4eed01526..73dde1645e46 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -5221,6 +5221,10 @@ static __init void svm_set_cpu_caps(void) kvm_caps.supported_perf_cap =3D 0; kvm_caps.supported_xss =3D 0; =20 + /* KVM doesn't yet support CET virtualization for SVM. */ + kvm_cpu_cap_clear(X86_FEATURE_SHSTK); + kvm_cpu_cap_clear(X86_FEATURE_IBT); + /* CPUID 0x80000001 and 0x8000000A (SVM features) */ if (nested) { kvm_cpu_cap_set(X86_FEATURE_SVM); diff --git a/arch/x86/kvm/vmx/capabilities.h b/arch/x86/kvm/vmx/capabilitie= s.h index 59c83888bdc0..02aadb9d730e 100644 --- a/arch/x86/kvm/vmx/capabilities.h +++ b/arch/x86/kvm/vmx/capabilities.h @@ -73,6 +73,11 @@ static inline bool cpu_has_vmx_basic_inout(void) return vmcs_config.basic & VMX_BASIC_INOUT; } =20 +static inline bool cpu_has_vmx_basic_no_hw_errcode_cc(void) +{ + return vmcs_config.basic & VMX_BASIC_NO_HW_ERROR_CODE_CC; +} + static inline bool cpu_has_virtual_nmis(void) { return vmcs_config.pin_based_exec_ctrl & PIN_BASED_VIRTUAL_NMIS && diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index a7d9e60b2771..69e35440cee7 100644 --- a/arch/x86/kvm/vmx/vmx.c 
+++ b/arch/x86/kvm/vmx/vmx.c @@ -2615,6 +2615,7 @@ static int setup_vmcs_config(struct vmcs_config *vmcs= _conf, { VM_ENTRY_LOAD_IA32_EFER, VM_EXIT_LOAD_IA32_EFER }, { VM_ENTRY_LOAD_BNDCFGS, VM_EXIT_CLEAR_BNDCFGS }, { VM_ENTRY_LOAD_IA32_RTIT_CTL, VM_EXIT_CLEAR_IA32_RTIT_CTL }, + { VM_ENTRY_LOAD_CET_STATE, VM_EXIT_LOAD_CET_STATE }, }; =20 memset(vmcs_conf, 0, sizeof(*vmcs_conf)); @@ -4881,6 +4882,14 @@ void vmx_vcpu_reset(struct kvm_vcpu *vcpu, bool init= _event) =20 vmcs_write32(VM_ENTRY_INTR_INFO_FIELD, 0); /* 22.2.1 */ =20 + if (kvm_cpu_cap_has(X86_FEATURE_SHSTK)) { + vmcs_writel(GUEST_SSP, 0); + vmcs_writel(GUEST_INTR_SSP_TABLE, 0); + } + if (kvm_cpu_cap_has(X86_FEATURE_IBT) || + kvm_cpu_cap_has(X86_FEATURE_SHSTK)) + vmcs_writel(GUEST_S_CET, 0); + kvm_make_request(KVM_REQ_APIC_PAGE_RELOAD, vcpu); =20 vpid_sync_context(vmx->vpid); @@ -6348,6 +6357,10 @@ void dump_vmcs(struct kvm_vcpu *vcpu) if (vmcs_read32(VM_EXIT_MSR_STORE_COUNT) > 0) vmx_dump_msrs("guest autostore", &vmx->msr_autostore.guest); =20 + if (vmentry_ctl & VM_ENTRY_LOAD_CET_STATE) + pr_err("S_CET =3D 0x%016lx, SSP =3D 0x%016lx, SSP TABLE =3D 0x%016lx\n", + vmcs_readl(GUEST_S_CET), vmcs_readl(GUEST_SSP), + vmcs_readl(GUEST_INTR_SSP_TABLE)); pr_err("*** Host State ***\n"); pr_err("RIP =3D 0x%016lx RSP =3D 0x%016lx\n", vmcs_readl(HOST_RIP), vmcs_readl(HOST_RSP)); @@ -6378,6 +6391,10 @@ void dump_vmcs(struct kvm_vcpu *vcpu) vmcs_read64(HOST_IA32_PERF_GLOBAL_CTRL)); if (vmcs_read32(VM_EXIT_MSR_LOAD_COUNT) > 0) vmx_dump_msrs("host autoload", &vmx->msr_autoload.host); + if (vmexit_ctl & VM_EXIT_LOAD_CET_STATE) + pr_err("S_CET =3D 0x%016lx, SSP =3D 0x%016lx, SSP TABLE =3D 0x%016lx\n", + vmcs_readl(HOST_S_CET), vmcs_readl(HOST_SSP), + vmcs_readl(HOST_INTR_SSP_TABLE)); =20 pr_err("*** Control State ***\n"); pr_err("CPUBased=3D0x%08x SecondaryExec=3D0x%08x TertiaryExec=3D0x%016llx= \n", 
@@ -7959,7 +7976,6 @@ static __init void vmx_set_cpu_caps(void) kvm_cpu_cap_set(X86_FEATURE_UMIP); =20 /* CPUID 0xD.1 */ - kvm_caps.supported_xss =3D 0; if (!cpu_has_vmx_xsaves()) kvm_cpu_cap_clear(X86_FEATURE_XSAVES); =20 @@ -7971,6 +7987,18 @@ static __init void vmx_set_cpu_caps(void) =20 if (cpu_has_vmx_waitpkg()) kvm_cpu_cap_check_and_set(X86_FEATURE_WAITPKG); + + /* + * Disable CET if unrestricted_guest is unsupported as KVM doesn't + * enforce CET HW behaviors in emulator. On platforms with + * VMX_BASIC[bit56] =3D=3D 0, inject #CP at VMX entry with error code + * fails, so disable CET in this case too. + */ + if (!cpu_has_load_cet_ctrl() || !enable_unrestricted_guest || + !cpu_has_vmx_basic_no_hw_errcode_cc()) { + kvm_cpu_cap_clear(X86_FEATURE_SHSTK); + kvm_cpu_cap_clear(X86_FEATURE_IBT); + } } =20 static bool vmx_is_io_intercepted(struct kvm_vcpu *vcpu, diff --git a/arch/x86/kvm/vmx/vmx.h b/arch/x86/kvm/vmx/vmx.h index 23d6e89b96f2..af8224e074ee 100644 --- a/arch/x86/kvm/vmx/vmx.h +++ b/arch/x86/kvm/vmx/vmx.h @@ -484,7 +484,8 @@ static inline u8 vmx_get_rvi(void) VM_ENTRY_LOAD_IA32_EFER | \ VM_ENTRY_LOAD_BNDCFGS | \ VM_ENTRY_PT_CONCEAL_PIP | \ - VM_ENTRY_LOAD_IA32_RTIT_CTL) + VM_ENTRY_LOAD_IA32_RTIT_CTL | \ + VM_ENTRY_LOAD_CET_STATE) =20 #define __KVM_REQUIRED_VMX_VM_EXIT_CONTROLS \ (VM_EXIT_SAVE_DEBUG_CONTROLS | \ 
@@ -506,7 +507,8 @@ static inline u8 vmx_get_rvi(void) VM_EXIT_LOAD_IA32_EFER | \ VM_EXIT_CLEAR_BNDCFGS | \ VM_EXIT_PT_CONCEAL_PIP | \ - VM_EXIT_CLEAR_IA32_RTIT_CTL) + VM_EXIT_CLEAR_IA32_RTIT_CTL | \ + VM_EXIT_LOAD_CET_STATE) =20 #define KVM_REQUIRED_VMX_PIN_BASED_VM_EXEC_CONTROL \ (PIN_BASED_EXT_INTR_MASK | \
-- 
2.51.0.470.ga7dc726c21-goog
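Review bot: in the cpuid.c hunk, SHSTK is added with X86_64_F(SHSTK) but IBT with plain F(IBT). If KVM's CET support is meant to be 64-bit only, as the X86_64_F on SHSTK implies, IBT should use X86_64_F as well; otherwise a 32-bit build would advertise IBT while hiding SHSTK. If the asymmetry is deliberate, a one-line comment next to F(IBT) would save the next reader the same question.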
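Review bot: the hunk at "CPUID 0xD.1" in vmx_set_cpu_caps() drops "kvm_caps.supported_xss = 0;" while the svm_set_cpu_caps() hunk keeps zeroing it, so VMX now inherits whatever common code puts in supported_xss. Nothing in this patch masks the CET state components back out of supported_xss when the SHSTK/IBT caps are cleared later in the same function; confirm that common code does that after hardware_setup(), or do it next to the kvm_cpu_cap_clear() calls, otherwise XSS could keep advertising CET state that CPUID hides.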
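Review bot: in the hunk that adds the CET-disable block to vmx_set_cpu_caps(), the comment wording "inject #CP at VMX entry with error code fails" is hard to parse; suggest "VM-Entry cannot inject #CP with an error code when VMX_BASIC[56] is clear, so disable CET in that case too." Also, cpu_has_load_cet_ctrl() is not defined anywhere in this patch (the capabilities.h hunk only adds cpu_has_vmx_basic_no_hw_errcode_cc()), so it must come from an earlier patch in the series; worth a mention in the commit message since this is the first user shown here.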
Date: Fri, 19 Sep 2025 15:32:36 -0700
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Message-ID: <20250919223258.1604852-30-seanjc@google.com>
Subject: [PATCH v16 29/51] KVM: VMX: Configure nested capabilities after CPU capabilities
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li

Swap the order between configuring nested VMX capabilities and base CPU capabilities, so that nested VMX support can be conditioned on core KVM support, e.g. to allow conditioning support for LOAD_CET_STATE on the presence of IBT or SHSTK.

Because the sanity checks on nested VMX config performed by vmx_check_processor_compat() run _after_ vmx_hardware_setup(), any use of kvm_cpu_cap_has() when configuring nested VMX support will lead to failures in vmx_check_processor_compat().

While swapping the order of two (or more) configuration flows can lead to a game of whack-a-mole, in this case nested support inarguably should be done after base support. KVM should never condition base support on nested support, because nested support is fully optional, while obviously it's desirable to condition nested support on base support.

And there's zero evidence the current ordering was intentional, e.g. commit 66a6950f9995 ("KVM: x86: Introduce kvm_cpu_caps to replace runtime CPUID masking") likely placed the call to kvm_set_cpu_caps() after nested setup because it looked pretty.

Signed-off-by: Sean Christopherson
Reviewed-by: Chao Gao
---
 arch/x86/kvm/vmx/vmx.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index 69e35440cee7..29e1bc118479 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -8602,6 +8602,13 @@ __init int vmx_hardware_setup(void) =20 setup_default_sgx_lepubkeyhash(); =20 + vmx_set_cpu_caps(); + + /* + * Configure nested capabilities after core CPU capabilities so that + * nested support can be conditional on base support, e.g. so that KVM + * can hide/show features based on kvm_cpu_cap_has(). + */ if (nested) { nested_vmx_setup_ctls_msrs(&vmcs_config, vmx_capability.ept); =20 
@@ -8610,8 +8617,6 @@ __init int vmx_hardware_setup(void) return r; } =20 - vmx_set_cpu_caps(); - r =3D alloc_kvm_area(); if (r && nested) nested_vmx_hardware_unsetup();
-- 
2.51.0.470.ga7dc726c21-goog
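Review bot: with vmx_set_cpu_caps() moved ahead of the "if (nested)" block, the "return r;" error path shown in the second hunk now runs after kvm_cpu_caps has already been populated. Nothing in the visible lines suggests that needs unwinding, but a sentence in the commit message confirming that vmx_set_cpu_caps() has no side effects that outlive a failed hardware setup would make the reorder easier to audit, since the ordering argument given is about nested_vmx_setup_ctls_msrs() seeing final caps, not about the failure path.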
Date: Fri, 19 Sep 2025 15:32:37 -0700
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Message-ID: <20250919223258.1604852-31-seanjc@google.com>
Subject: [PATCH v16 30/51] KVM: nVMX: Virtualize NO_HW_ERROR_CODE_CC for L1 event injection to L2
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li

From: Yang Weijiang

Per the SDM description (Vol. 3D, Appendix A.1): "If bit 56 is read as 1, software can use VM entry to deliver a hardware exception with or without an error code, regardless of vector"

Modify the has_error_code check before injecting events into the nested guest. Only enforce the check when the guest is in real mode, the exception is not a hardware exception and the platform doesn't enumerate bit 56 in VMX_BASIC; in all other cases ignore the check to make the logic consistent with the SDM.

Signed-off-by: Yang Weijiang
Reviewed-by: Maxim Levitsky
Reviewed-by: Chao Gao
Tested-by: Mathias Krause
Tested-by: John Allen
Tested-by: Rick Edgecombe
Signed-off-by: Chao Gao
Signed-off-by: Sean Christopherson
Reviewed-by: Binbin Wu
---
 arch/x86/kvm/vmx/nested.c | 27 ++++++++++++++++++---------
 arch/x86/kvm/vmx/nested.h | 5 +++++
 2 files changed, 23 insertions(+), 9 deletions(-)

diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
index 846c07380eac..b644f4599f70 100644
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -1272,9 +1272,10 @@ static int vmx_restore_vmx_basic(struct vcpu_vmx *vm= x, u64 data) { const u64 feature_bits =3D VMX_BASIC_DUAL_MONITOR_TREATMENT | VMX_BASIC_INOUT | - VMX_BASIC_TRUE_CTLS; + VMX_BASIC_TRUE_CTLS | + VMX_BASIC_NO_HW_ERROR_CODE_CC; =20 - const u64 reserved_bits =3D GENMASK_ULL(63, 56) | + const u64 reserved_bits =3D GENMASK_ULL(63, 57) | GENMASK_ULL(47, 45) | BIT_ULL(31); =20 @@ -2949,7 +2950,6 @@ static int nested_check_vm_entry_controls(struct kvm_= vcpu *vcpu, u8 vector =3D intr_info & INTR_INFO_VECTOR_MASK; u32 intr_type =3D intr_info & INTR_INFO_INTR_TYPE_MASK; bool has_error_code =3D intr_info & INTR_INFO_DELIVER_CODE_MASK; - bool should_have_error_code; bool urg =3D nested_cpu_has2(vmcs12, SECONDARY_EXEC_UNRESTRICTED_GUEST); bool prot_mode =3D !urg || vmcs12->guest_cr0 & X86_CR0_PE; @@ -2966,12 +2966,19 @@ static int nested_check_vm_entry_controls(struct kv= m_vcpu *vcpu, CC(intr_type =3D=3D INTR_TYPE_OTHER_EVENT && vector !=3D 0)) return -EINVAL; =20 - /* VM-entry interruption-info field: deliver error code */ - should_have_error_code =3D - intr_type =3D=3D INTR_TYPE_HARD_EXCEPTION && prot_mode && - x86_exception_has_error_code(vector); - if (CC(has_error_code !=3D should_have_error_code)) - return -EINVAL; + /* + * Cannot deliver error code in real mode or if the interrupt + * type is not hardware exception. For other cases, do the + * consistency check only if the vCPU doesn't enumerate + * VMX_BASIC_NO_HW_ERROR_CODE_CC. + */ + if (!prot_mode || intr_type !=3D INTR_TYPE_HARD_EXCEPTION) { + if (CC(has_error_code)) + return -EINVAL; + } else if (!nested_cpu_has_no_hw_errcode_cc(vcpu)) { + if (CC(has_error_code !=3D x86_exception_has_error_code(vector))) + return -EINVAL; + } =20 /* VM-entry exception error code */ if (CC(has_error_code && 
@@ -7217,6 +7224,8 @@ static void nested_vmx_setup_basic(struct nested_vmx_= msrs *msrs) msrs->basic |=3D VMX_BASIC_TRUE_CTLS; if (cpu_has_vmx_basic_inout()) msrs->basic |=3D VMX_BASIC_INOUT; + if (cpu_has_vmx_basic_no_hw_errcode_cc()) + msrs->basic |=3D VMX_BASIC_NO_HW_ERROR_CODE_CC; } =20 static void nested_vmx_setup_cr_fixed(struct nested_vmx_msrs *msrs) diff --git a/arch/x86/kvm/vmx/nested.h b/arch/x86/kvm/vmx/nested.h index 6eedcfc91070..983484d42ebf 100644 --- a/arch/x86/kvm/vmx/nested.h +++ b/arch/x86/kvm/vmx/nested.h 
@@ -309,6 +309,11 @@ static inline bool nested_cr4_valid(struct kvm_vcpu *v= cpu, unsigned long val) __kvm_is_valid_cr4(vcpu, val); } =20 +static inline bool nested_cpu_has_no_hw_errcode_cc(struct kvm_vcpu *vcpu) +{ + return to_vmx(vcpu)->nested.msrs.basic & VMX_BASIC_NO_HW_ERROR_CODE_CC; +} + /* No difference in the restrictions on guest and host CR4 in VMX operatio= n. */ #define nested_guest_cr4_valid nested_cr4_valid #define nested_host_cr4_valid nested_cr4_valid
-- 
2.51.0.470.ga7dc726c21-goog
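Review bot: the commit message and the nested_check_vm_entry_controls() hunk disagree on when the check is enforced. The code rejects any error code in real mode or for a non-hardware-exception type regardless of bit 56, and only skips the vector-specific x86_exception_has_error_code() comparison when L1 enumerates VMX_BASIC_NO_HW_ERROR_CODE_CC; the message joins those conditions with "and the platform doesn't enumerate bit56". The code is the one that matches the quoted SDM text, so the message should be reworded to match it; the new comment above the check ("Cannot deliver error code in real mode or if the interrupt type is not hardware exception ...") already says it correctly and could be reused.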
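Review bot: the nested_vmx_setup_basic() hunk advertises VMX_BASIC_NO_HW_ERROR_CODE_CC to L1 whenever cpu_has_vmx_basic_no_hw_errcode_cc() is true, independent of whether SHSTK or IBT is enabled for the guest. That is the right call given the SDM text quoted in the commit message (bit 56 describes VM-entry event injection in general, not CET), but because the earlier vmx_set_cpu_caps() change refuses CET without this bit, a short comment here saying the bit is safe to expose on its own would stop someone from "fixing" it to depend on CET later.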
Date: Fri, 19 Sep 2025 15:32:38 -0700
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Message-ID: <20250919223258.1604852-32-seanjc@google.com>
Subject: [PATCH v16 31/51] KVM: nVMX: Prepare for enabling CET support for nested guest
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li

From: Yang Weijiang

Set up CET MSRs, related VM_ENTRY/EXIT control bits and fixed CR4 setting to enable CET for nested VM. vmcs12 and vmcs02 need to be synced when L2 exits to L1 or when L1 wants to resume L2, that way correct CET states can be observed by one another.

Please note that consistency checks regarding CET state during VM-Entry will be added later to prevent this patch from becoming too large. Advertising the new CET VM_ENTRY/EXIT control bits is also deferred until after the consistency checks are added.

Signed-off-by: Yang Weijiang
Tested-by: Mathias Krause
Tested-by: John Allen
Tested-by: Rick Edgecombe
Signed-off-by: Chao Gao Reviewed-by: Xin Li (Intel) Tested-by: Xin Li (Intel) Signed-off-by: Sean Christopherson --- arch/x86/kvm/vmx/nested.c | 77 +++++++++++++++++++++++++++++++++++++++ arch/x86/kvm/vmx/vmcs12.c | 6 +++ arch/x86/kvm/vmx/vmcs12.h | 14 ++++++- arch/x86/kvm/vmx/vmx.c | 2 + arch/x86/kvm/vmx/vmx.h | 3 ++ 5 files changed, 101 insertions(+), 1 deletion(-) diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c index b644f4599f70..11e5d3569933 100644 --- a/arch/x86/kvm/vmx/nested.c +++ b/arch/x86/kvm/vmx/nested.c @@ -721,6 +721,24 @@ static inline bool nested_vmx_prepare_msr_bitmap(struc= t kvm_vcpu *vcpu, nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0, MSR_IA32_MPERF, MSR_TYPE_R); =20 + nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0, + MSR_IA32_U_CET, MSR_TYPE_RW); + + nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0, + MSR_IA32_S_CET, MSR_TYPE_RW); + + nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0, + MSR_IA32_PL0_SSP, MSR_TYPE_RW); + + nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0, + MSR_IA32_PL1_SSP, MSR_TYPE_RW); + + nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0, + MSR_IA32_PL2_SSP, MSR_TYPE_RW); + + nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0, + MSR_IA32_PL3_SSP, MSR_TYPE_RW); + kvm_vcpu_unmap(vcpu, &map); =20 vmx->nested.force_msr_bitmap_recalc =3D false; 
@@ -2521,6 +2539,32 @@ static void prepare_vmcs02_early(struct vcpu_vmx *vm= x, struct loaded_vmcs *vmcs0 } } =20 +static void vmcs_read_cet_state(struct kvm_vcpu *vcpu, u64 *s_cet, + u64 *ssp, u64 *ssp_tbl) +{ + if (guest_cpu_cap_has(vcpu, X86_FEATURE_IBT) || + guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK)) + *s_cet =3D vmcs_readl(GUEST_S_CET); + + if (guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK)) { + *ssp =3D vmcs_readl(GUEST_SSP); + *ssp_tbl =3D vmcs_readl(GUEST_INTR_SSP_TABLE); + } +} + +static void vmcs_write_cet_state(struct kvm_vcpu *vcpu, u64 s_cet, + u64 ssp, u64 ssp_tbl) +{ + if (guest_cpu_cap_has(vcpu, X86_FEATURE_IBT) || + guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK)) + vmcs_writel(GUEST_S_CET, s_cet); + + if (guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK)) { + vmcs_writel(GUEST_SSP, ssp); + vmcs_writel(GUEST_INTR_SSP_TABLE, ssp_tbl); + } +} + static void prepare_vmcs02_rare(struct vcpu_vmx *vmx, struct vmcs12 *vmcs1= 2) { struct hv_enlightened_vmcs *hv_evmcs =3D nested_vmx_evmcs(vmx); @@ -2637,6 +2681,10 @@ static void prepare_vmcs02_rare(struct vcpu_vmx *vmx= , struct vmcs12 *vmcs12) vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, vmx->msr_autoload.host.nr); vmcs_write32(VM_ENTRY_MSR_LOAD_COUNT, vmx->msr_autoload.guest.nr); =20 + if (vmcs12->vm_entry_controls & VM_ENTRY_LOAD_CET_STATE) + vmcs_write_cet_state(&vmx->vcpu, vmcs12->guest_s_cet, + vmcs12->guest_ssp, vmcs12->guest_ssp_tbl); + set_cr4_guest_host_mask(vmx); } =20 
@@ -2676,6 +2724,13 @@ static int prepare_vmcs02(struct kvm_vcpu *vcpu, str= uct vmcs12 *vmcs12, kvm_set_dr(vcpu, 7, vcpu->arch.dr7); vmx_guest_debugctl_write(vcpu, vmx->nested.pre_vmenter_debugctl); } + + if (!vmx->nested.nested_run_pending || + !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_CET_STATE)) + vmcs_write_cet_state(vcpu, vmx->nested.pre_vmenter_s_cet, + vmx->nested.pre_vmenter_ssp, + vmx->nested.pre_vmenter_ssp_tbl); + if (kvm_mpx_supported() && (!vmx->nested.nested_run_pending || !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS))) vmcs_write64(GUEST_BNDCFGS, vmx->nested.pre_vmenter_bndcfgs); @@ -3551,6 +3606,12 @@ enum nvmx_vmentry_status nested_vmx_enter_non_root_m= ode(struct kvm_vcpu *vcpu, !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS))) vmx->nested.pre_vmenter_bndcfgs =3D vmcs_read64(GUEST_BNDCFGS); =20 + if (!vmx->nested.nested_run_pending || + !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_CET_STATE)) + vmcs_read_cet_state(vcpu, &vmx->nested.pre_vmenter_s_cet, + &vmx->nested.pre_vmenter_ssp, + &vmx->nested.pre_vmenter_ssp_tbl); + /* * Overwrite vmcs01.GUEST_CR3 with L1's CR3 if EPT is disabled *and* * nested early checks are disabled. In the event of a "late" VM-Fail, @@ -4634,6 +4695,10 @@ static void sync_vmcs02_to_vmcs12(struct kvm_vcpu *v= cpu, struct vmcs12 *vmcs12) =20 if (vmcs12->vm_exit_controls & VM_EXIT_SAVE_IA32_EFER) vmcs12->guest_ia32_efer =3D vcpu->arch.efer; + + vmcs_read_cet_state(&vmx->vcpu, &vmcs12->guest_s_cet, + &vmcs12->guest_ssp, + &vmcs12->guest_ssp_tbl); } =20 /* 
@@ -4759,6 +4824,18 @@ static void load_vmcs12_host_state(struct kvm_vcpu *= vcpu, if (vmcs12->vm_exit_controls & VM_EXIT_CLEAR_BNDCFGS) vmcs_write64(GUEST_BNDCFGS, 0); =20 + /* + * Load CET state from host state if VM_EXIT_LOAD_CET_STATE is set. + * otherwise CET state should be retained across VM-exit, i.e., + * guest values should be propagated from vmcs12 to vmcs01. + */ + if (vmcs12->vm_exit_controls & VM_EXIT_LOAD_CET_STATE) + vmcs_write_cet_state(vcpu, vmcs12->host_s_cet, vmcs12->host_ssp, + vmcs12->host_ssp_tbl); + else + vmcs_write_cet_state(vcpu, vmcs12->guest_s_cet, vmcs12->guest_ssp, + vmcs12->guest_ssp_tbl); + if (vmcs12->vm_exit_controls & VM_EXIT_LOAD_IA32_PAT) { vmcs_write64(GUEST_IA32_PAT, vmcs12->host_ia32_pat); vcpu->arch.pat =3D vmcs12->host_ia32_pat; diff --git a/arch/x86/kvm/vmx/vmcs12.c b/arch/x86/kvm/vmx/vmcs12.c index 106a72c923ca..4233b5ca9461 100644 --- a/arch/x86/kvm/vmx/vmcs12.c +++ b/arch/x86/kvm/vmx/vmcs12.c @@ -139,6 +139,9 @@ const unsigned short vmcs12_field_offsets[] =3D { FIELD(GUEST_PENDING_DBG_EXCEPTIONS, guest_pending_dbg_exceptions), FIELD(GUEST_SYSENTER_ESP, guest_sysenter_esp), FIELD(GUEST_SYSENTER_EIP, guest_sysenter_eip), + FIELD(GUEST_S_CET, guest_s_cet), + FIELD(GUEST_SSP, guest_ssp), + FIELD(GUEST_INTR_SSP_TABLE, guest_ssp_tbl), FIELD(HOST_CR0, host_cr0), FIELD(HOST_CR3, host_cr3), FIELD(HOST_CR4, host_cr4), @@ -151,5 +154,8 @@ const unsigned short vmcs12_field_offsets[] =3D { FIELD(HOST_IA32_SYSENTER_EIP, host_ia32_sysenter_eip), FIELD(HOST_RSP, host_rsp), FIELD(HOST_RIP, host_rip), + FIELD(HOST_S_CET, host_s_cet), + FIELD(HOST_SSP, host_ssp), + FIELD(HOST_INTR_SSP_TABLE, host_ssp_tbl), }; const unsigned int nr_vmcs12_fields =3D ARRAY_SIZE(vmcs12_field_offsets); diff --git a/arch/x86/kvm/vmx/vmcs12.h b/arch/x86/kvm/vmx/vmcs12.h index 56fd150a6f24..4ad6b16525b9 100644 --- a/arch/x86/kvm/vmx/vmcs12.h +++ b/arch/x86/kvm/vmx/vmcs12.h 
@@ -117,7 +117,13 @@ struct __packed vmcs12 { natural_width host_ia32_sysenter_eip; natural_width host_rsp; natural_width host_rip; - natural_width paddingl[8]; /* room for future expansion */ + natural_width host_s_cet; + natural_width host_ssp; + natural_width host_ssp_tbl; + natural_width guest_s_cet; + natural_width guest_ssp; + natural_width guest_ssp_tbl; + natural_width paddingl[2]; /* room for future expansion */ u32 pin_based_vm_exec_control; u32 cpu_based_vm_exec_control; u32 exception_bitmap; @@ -294,6 +300,12 @@ static inline void vmx_check_vmcs12_offsets(void) CHECK_OFFSET(host_ia32_sysenter_eip, 656); CHECK_OFFSET(host_rsp, 664); CHECK_OFFSET(host_rip, 672); + CHECK_OFFSET(host_s_cet, 680); + CHECK_OFFSET(host_ssp, 688); + CHECK_OFFSET(host_ssp_tbl, 696); + CHECK_OFFSET(guest_s_cet, 704); + CHECK_OFFSET(guest_ssp, 712); + CHECK_OFFSET(guest_ssp_tbl, 720); CHECK_OFFSET(pin_based_vm_exec_control, 744); CHECK_OFFSET(cpu_based_vm_exec_control, 748); CHECK_OFFSET(exception_bitmap, 752); diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index 29e1bc118479..509487a1f04a 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -7748,6 +7748,8 @@ static void nested_vmx_cr_fixed1_bits_update(struct k= vm_vcpu *vcpu) cr4_fixed1_update(X86_CR4_PKE, ecx, feature_bit(PKU)); cr4_fixed1_update(X86_CR4_UMIP, ecx, feature_bit(UMIP)); cr4_fixed1_update(X86_CR4_LA57, ecx, feature_bit(LA57)); + cr4_fixed1_update(X86_CR4_CET, ecx, feature_bit(SHSTK)); + cr4_fixed1_update(X86_CR4_CET, edx, feature_bit(IBT)); =20 entry =3D kvm_find_cpuid_entry_index(vcpu, 0x7, 1); cr4_fixed1_update(X86_CR4_LAM_SUP, eax, feature_bit(LAM)); diff --git a/arch/x86/kvm/vmx/vmx.h b/arch/x86/kvm/vmx/vmx.h index af8224e074ee..ea93121029f9 100644 --- a/arch/x86/kvm/vmx/vmx.h +++ b/arch/x86/kvm/vmx/vmx.h 
@@ -181,6 +181,9 @@ struct nested_vmx { */ u64 pre_vmenter_debugctl; u64 pre_vmenter_bndcfgs; + u64 pre_vmenter_s_cet; + u64 pre_vmenter_ssp; + u64 pre_vmenter_ssp_tbl; =20 /* to migrate it to L1 if L2 writes to L1's CR8 directly */ int l1_tpr_threshold;
-- 
2.51.0.470.ga7dc726c21-goog
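Review bot: the nested_vmx_prepare_msr_bitmap() hunk passes MSR_IA32_U_CET, MSR_IA32_S_CET and MSR_IA32_PL0_SSP through MSR_IA32_PL3_SSP to L2 according to L1's bitmap, but MSR_IA32_INT_SSP_TAB is not in the list, so every L2 access to it will exit to L0 even when L1 passes it through. If L1 itself is given direct access to that MSR elsewhere in the series, add it here for consistency; if the omission is deliberate, a comment saying why would help.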
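Review bot: vmcs_read_cet_state() leaves *s_cet, *ssp and *ssp_tbl untouched when the corresponding feature is not enabled for the vCPU, and its callers hand it pointers straight into vmcs12 (sync_vmcs02_to_vmcs12()) and vmx->nested.pre_vmenter_* (nested_vmx_enter_non_root_mode()). That is safe only because vmcs_write_cet_state() is gated identically, so a value that was never read is also never written to hardware; a comment on the two helpers stating that the outputs are conditionally updated and must always be paired would make that contract explicit.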
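Review bot: the prepare_vmcs02_rare() hunk loads L2's CET state from vmcs12 whenever vmcs12->vm_entry_controls has VM_ENTRY_LOAD_CET_STATE, without checking that L1 was allowed to set that control. The commit message says the consistency checks and the advertising of the control are deferred, so this is closed later in the series, but until then the write relies solely on the guest_cpu_cap_has() gating inside vmcs_write_cet_state() to stay harmless; a "TODO: consistency-checked in a later patch" style comment would flag that.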
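Review bot: in the sync_vmcs02_to_vmcs12() hunk, vmcs_read_cet_state() is called with &vmx->vcpu even though the function already has vcpu as its first parameter (sync_vmcs02_to_vmcs12(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)); pass vcpu directly. The same spelling is needed in prepare_vmcs02_rare(), which only has vmx in scope, so that one is fine.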
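Review bot: in the load_vmcs12_host_state() hunk the comment reads "... if VM_EXIT_LOAD_CET_STATE is set. otherwise CET state should be retained ..."; the period should be a comma or semicolon. The else branch writing vmcs12->guest_s_cet/guest_ssp/guest_ssp_tbl back into vmcs01 is the correct retain-across-exit behaviour, given that vmcs01 and vmcs02 are separate VMCSes, and is worth keeping exactly as written.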
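Review bot: the vmcs12.h hunk consumes six of the eight paddingl slots; the new CHECK_OFFSET values (680 through 720, eight bytes apart) and the unchanged CHECK_OFFSET(pin_based_vm_exec_control, 744) confirm that the struct size and every following offset are preserved, so the nested-state blob layout stays compatible. Only two natural_width slots remain, and the "room for future expansion" comment could say so.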
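Review bot: the nested_vmx_cr_fixed1_bits_update() hunk calls cr4_fixed1_update(X86_CR4_CET, ...) twice, once against ecx for SHSTK and once against edx for IBT. That is correct only because cr4_fixed1_update() is set-only, so the second call cannot undo the first; a one-line comment that CR4.CET is allowed when either feature is enumerated would make the double call look intentional rather than like a copy-paste.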
([2002:a17:902:f815:b0:267:f10d:293d]) (user=seanjc job=prod-delivery.src-stubby-dispatcher) by 2002:a17:902:ea91:b0:267:8b4f:df36 with SMTP id d9443c01a7336-2697d7c0483mr83102665ad.29.1758321242906; Fri, 19 Sep 2025 15:34:02 -0700 (PDT) Reply-To: Sean Christopherson Date: Fri, 19 Sep 2025 15:32:39 -0700 In-Reply-To: <20250919223258.1604852-1-seanjc@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20250919223258.1604852-1-seanjc@google.com> X-Mailer: git-send-email 2.51.0.470.ga7dc726c21-goog Message-ID: <20250919223258.1604852-33-seanjc@google.com> Subject: [PATCH v16 32/51] KVM: nVMX: Add consistency checks for CR0.WP and CR4.CET From: Sean Christopherson To: Paolo Bonzini , Sean Christopherson Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky , Mathias Krause , John Allen , Rick Edgecombe , Chao Gao , Binbin Wu , Xiaoyao Li , Maxim Levitsky , Zhang Yi Z , Xin Li Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Chao Gao Add consistency checks for CR4.CET and CR0.WP in guest-state or host-state area in the VMCS12. This ensures that configurations with CR4.CET set and CR0.WP not set result in VM-entry failure, aligning with architectural behavior. Tested-by: Mathias Krause Tested-by: John Allen Tested-by: Rick Edgecombe Signed-off-by: Chao Gao Signed-off-by: Sean Christopherson Reviewed-by: Binbin Wu --- arch/x86/kvm/vmx/nested.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c index 11e5d3569933..51c50ce9e011 100644 --- a/arch/x86/kvm/vmx/nested.c +++ b/arch/x86/kvm/vmx/nested.c 
@@ -3110,6 +3110,9 @@ static int nested_vmx_check_host_state(struct kvm_vcp= u *vcpu, CC(!kvm_vcpu_is_legal_cr3(vcpu, vmcs12->host_cr3))) return -EINVAL; =20 + if (CC(vmcs12->host_cr4 & X86_CR4_CET && !(vmcs12->host_cr0 & X86_CR0_WP)= )) + return -EINVAL; + if (CC(is_noncanonical_msr_address(vmcs12->host_ia32_sysenter_esp, vcpu))= || CC(is_noncanonical_msr_address(vmcs12->host_ia32_sysenter_eip, vcpu))) return -EINVAL; 
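Review bot: the new host-state condition vmcs12->host_cr4 & X86_CR4_CET && !(vmcs12->host_cr0 & X86_CR0_WP) is correct only because & binds tighter than &&; parenthesising the first operand as (vmcs12->host_cr4 & X86_CR4_CET) && !(vmcs12->host_cr0 & X86_CR0_WP) matches the surrounding CC() checks and removes the need for a reader to recall precedence. The placement right after the host CR3 check is right, since this is a CR0/CR4 consistency rule and does not depend on any VM-exit control.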
@@ -3224,6 +3227,9 @@ static int nested_vmx_check_guest_state(struct kvm_vc= pu *vcpu, CC(!nested_guest_cr4_valid(vcpu, vmcs12->guest_cr4))) return -EINVAL; =20 + if (CC(vmcs12->guest_cr4 & X86_CR4_CET && !(vmcs12->guest_cr0 & X86_CR0_W= P))) + return -EINVAL; + if ((vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS) && (CC(!kvm_dr7_valid(vmcs12->guest_dr7)) || CC(!vmx_is_valid_debugctl(vcpu, vmcs12->guest_ia32_debugctl, false))= )) --=20 2.51.0.470.ga7dc726c21-goog From nobody Thu Oct 2 06:18:00 2025 Received: from mail-pj1-f74.google.com (mail-pj1-f74.google.com [209.85.216.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 626CB301480 for ; Fri, 19 Sep 2025 22:34:05 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.74 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758321248; cv=none; b=iMD++V7AMTauwQhNFQWaGHi2X4aIBxgUckC8dKEAhCyj6wRUAyadYEPVOM1JN+U84++F5Dab9TG2jF53SLH2XxYV4ibex9OA95t70CTo3Ev2L1IXspejOvDCGzmwdPE6UDd3s46srQ4Vcj0TjrE4UlbiXMFEzxh35QUqwV8nF20= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758321248; c=relaxed/simple; bh=t14sguRWljpbl7x4nvgbWsnJaQOC/jqzlJugxV5H0AE=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=aHKSkxSX/FE9PFjWsAz40YHMCKxPSlz97YbvAZ9Iw3DMAFJQTuiLzRRS8Z79I7mQkFyFKiQoRbU+YGN4zZtYCsm8FlbQk12k/4OVqzguY/sAgPE7L57zkrMNVtWc5q9ibl3E7QvILQV5SoKMl2oIlXTExp1MccFDpyRqSvvLNHY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=wDh+FfMy; arc=none smtp.client-ip=209.85.216.74 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com 
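Review bot: the guest-state check is, correctly, not gated on any VM-entry control (unlike the CET-state checks that key off VM_ENTRY_LOAD_CET_STATE), but nothing at the call site says so; a one-line comment that "CR4.CET requires CR0.WP regardless of whether CET state is loaded" at both this site and the host-state site would keep the rationale with the code rather than only in the changelog. Same parenthesisation nit as the host hunk: (vmcs12->guest_cr4 & X86_CR4_CET) && !(vmcs12->guest_cr0 & X86_CR0_WP).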
X-Google-Smtp-Source: AGHT+IEHgK1RX3CwRx4iZWkfe3lI1+6XS8c26tUS4D9me1aiyAiWrL58aS/PovAB1NZkX/+qh9S5p+eBL7s= X-Received: from pjbmf6.prod.google.com ([2002:a17:90b:1846:b0:32e:bd90:3e11]) (user=seanjc job=prod-delivery.src-stubby-dispatcher) by 2002:a17:90b:1b11:b0:32f:98da:c38c with SMTP id 98e67ed59e1d1-3309835fe90mr5750041a91.26.1758321244658; Fri, 19 Sep 2025 15:34:04 -0700 (PDT) Reply-To: Sean Christopherson Date: Fri, 19 Sep 2025 15:32:40 -0700 In-Reply-To: <20250919223258.1604852-1-seanjc@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20250919223258.1604852-1-seanjc@google.com> X-Mailer: git-send-email 2.51.0.470.ga7dc726c21-goog Message-ID: <20250919223258.1604852-34-seanjc@google.com> Subject: [PATCH v16 33/51] KVM: nVMX: Add consistency checks for CET states From: Sean Christopherson To: Paolo Bonzini , Sean Christopherson Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky , Mathias Krause , John Allen , Rick Edgecombe , Chao Gao , Binbin Wu , Xiaoyao Li , Maxim Levitsky , Zhang Yi Z , Xin Li Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" 
From: Chao Gao Introduce consistency checks for CET states during nested VM-entry. A VMCS contains both guest and host CET states, each comprising the IA32_S_CET MSR, SSP, and IA32_INTERRUPT_SSP_TABLE_ADDR MSR. Various checks are applied to CET states during VM-entry as documented in SDM Vol3 Chapter "VM ENTRIES". Implement all these checks during nested VM-entry to emulate the architectural behavior. In summary, there are three kinds of checks on guest/host CET states during VM-entry: A. Checks applied to both guest states and host states: * The IA32_S_CET field must not set any reserved bits; bits 10 (SUPPRESS) and 11 (TRACKER) cannot both be set. * SSP should not have bits 1:0 set. * The IA32_INTERRUPT_SSP_TABLE_ADDR field must be canonical. B. Checks applied to host states only * IA32_S_CET MSR and SSP must be canonical if the CPU enters 64-bit mode after VM-exit. Otherwise, IA32_S_CET and SSP must have their higher 32 bits cleared. C. Checks applied to guest states only: * IA32_S_CET MSR and SSP are not required to be canonical (i.e., 63:N-1 are identical, where N is the CPU's maximum linear-address width). But, bits 63:N of SSP must be identical. Tested-by: Mathias Krause Tested-by: John Allen Tested-by: Rick Edgecombe Signed-off-by: Chao Gao Signed-off-by: Sean Christopherson Reviewed-by: Binbin Wu --- arch/x86/kvm/vmx/nested.c | 47 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c index 51c50ce9e011..024bfb4d3a72 100644 --- a/arch/x86/kvm/vmx/nested.c +++ b/arch/x86/kvm/vmx/nested.c 
@@ -3100,6 +3100,17 @@ static bool is_l1_noncanonical_address_on_vmexit(u64= la, struct vmcs12 *vmcs12) return !__is_canonical_address(la, l1_address_bits_on_exit); } =20 +static bool is_valid_cet_state(struct kvm_vcpu *vcpu, u64 s_cet, u64 ssp, = u64 ssp_tbl) +{ + if (!kvm_is_valid_u_s_cet(vcpu, s_cet) || !IS_ALIGNED(ssp, 4)) + return false; + + if (is_noncanonical_msr_address(ssp_tbl, vcpu)) + return false; + + return true; +} + static int nested_vmx_check_host_state(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12) { @@ -3169,6 +3180,26 @@ static int nested_vmx_check_host_state(struct kvm_vc= pu *vcpu, return -EINVAL; } =20 + if (vmcs12->vm_exit_controls & VM_EXIT_LOAD_CET_STATE) { + if (CC(!is_valid_cet_state(vcpu, vmcs12->host_s_cet, vmcs12->host_ssp, + vmcs12->host_ssp_tbl))) + return -EINVAL; + + /* + * IA32_S_CET and SSP must be canonical if the host will + * enter 64-bit mode after VM-exit; otherwise, higher + * 32-bits must be all 0s. + */ + if (ia32e) { + if (CC(is_noncanonical_msr_address(vmcs12->host_s_cet, vcpu)) || + CC(is_noncanonical_msr_address(vmcs12->host_ssp, vcpu))) + return -EINVAL; + } else { + if (CC(vmcs12->host_s_cet >> 32) || CC(vmcs12->host_ssp >> 32)) + return -EINVAL; + } + } + return 0; } =20 
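Review bot: is_valid_cet_state() and the ia32e branch check host_ssp_tbl, host_s_cet and host_ssp with is_noncanonical_msr_address(), i.e. against the host CPU's linear-address width, while the hunk's own context shows is_l1_noncanonical_address_on_vmexit() exists precisely for host fields that must be canonical at the width L1 runs with after VM-exit. If the MSR-style check is deliberate (these are MSR values, and the sysenter_esp/sysenter_eip checks above use the same helper), a comment on is_valid_cet_state() should say so; otherwise the host values in this block should use the VM-exit helper.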
@@ -3279,6 +3310,22 @@ static int nested_vmx_check_guest_state(struct kvm_v= cpu *vcpu, CC((vmcs12->guest_bndcfgs & MSR_IA32_BNDCFGS_RSVD)))) return -EINVAL; =20 + if (vmcs12->vm_entry_controls & VM_ENTRY_LOAD_CET_STATE) { + if (CC(!is_valid_cet_state(vcpu, vmcs12->guest_s_cet, vmcs12->guest_ssp, + vmcs12->guest_ssp_tbl))) + return -EINVAL; + + /* + * Guest SSP must have 63:N bits identical, rather than + * be canonical (i.e., 63:N-1 bits identical), where N is + * the CPU's maximum linear-address width. Similar to + * is_noncanonical_msr_address(), use the host's + * linear-address width. + */ + if (CC(!__is_canonical_address(vmcs12->guest_ssp, max_host_virt_addr_bit= s() + 1))) + return -EINVAL; + } + if (nested_check_guest_non_reg_state(vmcs12)) return -EINVAL; =20 --=20 2.51.0.470.ga7dc726c21-goog From nobody Thu Oct 2 06:18:00 2025 Received: from mail-pl1-f202.google.com (mail-pl1-f202.google.com [209.85.214.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 699C73019C4 for ; Fri, 19 Sep 2025 22:34:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.202 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758321249; cv=none; b=soxTFcdQIoMRZe2emm3EWm0Vb6k4xupwPbXzVNcqyTyAU1dfP+0LJLpTD167Zsbix++K1LKSwsLdbhlkXiKHCU0fapdWX3991U09dUlGv8kIyF+aRNY07bOPFaAkgiTN22/IZWY3aNbGHie3qZ3m2KA+xYT27E3NiJu9rusVyxg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758321249; c=relaxed/simple; bh=q6umMK6qW+JPWfNi7ZBDx+lHcmQ5ye31wZcLqFrPb/Y=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=m82frVFWBJ1AniNmSFNMZeWe/wuYIZeR9eOxx1IrADrpwDnj30tlKdtjPLSLRiIAXhh7/E47OKCP9AIBif3QIL3D/8VpypzitkCObkwgfgn2xdmAVT8/Nr4UCG4yA6U+viuyi+606YxMp9P7C78WJqKEEQRBylsWHJeGVtmqxVo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass 
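Review bot: the guest block is gated on VM_ENTRY_LOAD_CET_STATE, mirroring the host block's VM_EXIT_LOAD_CET_STATE gate, and the comment on __is_canonical_address(vmcs12->guest_ssp, max_host_virt_addr_bits() + 1) explains the one-bit-weaker "63:N identical" rule well. What a reader of this function alone cannot tell is that guest_s_cet receiving no canonicality check is intentional rather than an omission; please extend the comment to state that the architecture does not require guest IA32_S_CET to be canonical, as the changelog does.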
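The three categories of CET-state checks listed in the changelog above, modelled as a stand-alone C program. This is an added example, not code from the KVM series; it assumes a maximum linear-address width N of 48 bits and uses the IA32_S_CET bit layout (bits 9:6 reserved, bit 10 SUPPRESS, bit 11 TRACKER), with constructed sample values in main().

```c
/*
 * Added example (not KVM code): model of the guest/host CET-state checks
 * applied at nested VM-entry. Assumes N = 48 linear-address bits.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define S_CET_RESERVED  0x00000000000003c0ULL   /* IA32_S_CET bits 9:6 */
#define S_CET_SUPPRESS  (1ULL << 10)
#define S_CET_TRACKER   (1ULL << 11)

#define MAX_VADDR_BITS  48U   /* assumed N for this example */

/* True iff bits 63:lo of la are all 0 or all 1. */
static bool high_bits_identical(uint64_t la, unsigned int lo)
{
	uint64_t mask = ~0ULL << lo;
	uint64_t hi = la & mask;

	return hi == 0 || hi == mask;
}

/*
 * Same contract as the kernel's __is_canonical_address(): canonical for a
 * vaddr_bits-wide address iff bits 63:(vaddr_bits-1) are identical.
 */
static bool is_canonical_address(uint64_t la, unsigned int vaddr_bits)
{
	return high_bits_identical(la, vaddr_bits - 1);
}

/* Category A: checks applied to both guest and host CET state. */
static bool cet_state_common_ok(uint64_t s_cet, uint64_t ssp, uint64_t ssp_tbl)
{
	if (s_cet & S_CET_RESERVED)
		return false;
	/* SUPPRESS and TRACKER may not both be set. */
	if ((s_cet & S_CET_SUPPRESS) && (s_cet & S_CET_TRACKER))
		return false;
	/* SSP must not have bits 1:0 set. */
	if (ssp & 0x3)
		return false;
	/* IA32_INTERRUPT_SSP_TABLE_ADDR must be canonical. */
	return is_canonical_address(ssp_tbl, MAX_VADDR_BITS);
}

/*
 * Category B: host state. S_CET and SSP must be canonical if the host
 * enters 64-bit mode after VM-exit; otherwise their upper 32 bits must be 0.
 */
static bool host_cet_state_ok(uint64_t s_cet, uint64_t ssp, uint64_t ssp_tbl,
			      bool host_ia32e)
{
	if (!cet_state_common_ok(s_cet, ssp, ssp_tbl))
		return false;
	if (host_ia32e)
		return is_canonical_address(s_cet, MAX_VADDR_BITS) &&
		       is_canonical_address(ssp, MAX_VADDR_BITS);
	return (s_cet >> 32) == 0 && (ssp >> 32) == 0;
}

/*
 * Category C: guest state. Guest SSP only needs bits 63:N identical, one
 * bit weaker than canonical (63:N-1); asking for canonicality at N + 1
 * bits expresses exactly that, the same trick the patch uses. Guest
 * S_CET is deliberately not checked for canonicality.
 */
static bool guest_cet_state_ok(uint64_t s_cet, uint64_t ssp, uint64_t ssp_tbl)
{
	return cet_state_common_ok(s_cet, ssp, ssp_tbl) &&
	       is_canonical_address(ssp, MAX_VADDR_BITS + 1);
}

int main(void)
{
	/* Constructed sample values. */
	const uint64_t ok_tbl = 0x00007ffffffff000ULL;    /* canonical table */
	const uint64_t edge_ssp = 0x0000800000000000ULL;  /* bit 47 set, 63:48 clear */

	/* Accepted for a guest (63:48 identical), rejected for a 64-bit host. */
	printf("edge SSP, guest:        %d\n", guest_cet_state_ok(0x1, edge_ssp, ok_tbl));
	printf("edge SSP, 64-bit host:  %d\n", host_cet_state_ok(0x1, edge_ssp, ok_tbl, true));
	printf("misaligned SSP:         %d\n", guest_cet_state_ok(0x1, 0x00007ffffffffff2ULL, ok_tbl));
	printf("SUPPRESS|TRACKER:       %d\n", guest_cet_state_ok(S_CET_SUPPRESS | S_CET_TRACKER, 0, ok_tbl));
	printf("32-bit host, high bits: %d\n", host_cet_state_ok(0x100000001ULL, 0, ok_tbl, false));
	return 0;
}
```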
SmqbuFWN4QR27aOjty7CqQs7yDziX0UhWEdGgcOGVAzSXc8/S8GKIgIJRx9690J3Yjxx nTAA== X-Forwarded-Encrypted: i=1; AJvYcCWciE4yxMRgvTNlZp4UcSfaeGF9XkIjM6CjKvqPLPosGR1hG56fbefW7WfCFTvXjGR9NGuD/MXx/mhmqQQ=@vger.kernel.org X-Gm-Message-State: AOJu0Yydmd/+VNJ1pr2fo3IWu2F8iaCtRRVV/9kCZCKseUBieG53gGvE +cGTQvb53uy7GULnng15k/RaXzUNv9S+r1kU7556F+R94KmvWLqI1nQXbYuWZDbQmVkG5qiWxqV RGR0HTg== X-Google-Smtp-Source: AGHT+IGC4ec144TqZsVwl31X4iIc+jUWFa9rB1zY9Uxm0DUf1TDCRwL54bqXZIygdGVad++/qbIZMsJ1wFk= X-Received: from pjoo3.prod.google.com ([2002:a17:90b:5823:b0:32d:a0b1:2b03]) (user=seanjc job=prod-delivery.src-stubby-dispatcher) by 2002:a17:902:d50c:b0:26e:49e3:55f0 with SMTP id d9443c01a7336-26e49e38a46mr27196105ad.16.1758321246864; Fri, 19 Sep 2025 15:34:06 -0700 (PDT) Reply-To: Sean Christopherson Date: Fri, 19 Sep 2025 15:32:41 -0700 In-Reply-To: <20250919223258.1604852-1-seanjc@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20250919223258.1604852-1-seanjc@google.com> X-Mailer: git-send-email 2.51.0.470.ga7dc726c21-goog Message-ID: <20250919223258.1604852-35-seanjc@google.com> Subject: [PATCH v16 34/51] KVM: nVMX: Advertise new VM-Entry/Exit control bits for CET state From: Sean Christopherson To: Paolo Bonzini , Sean Christopherson Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky , Mathias Krause , John Allen , Rick Edgecombe , Chao Gao , Binbin Wu , Xiaoyao Li , Maxim Levitsky , Zhang Yi Z , Xin Li Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" 
From: Chao Gao Advertise the LOAD_CET_STATE VM-Entry/Exit control bits in the nested VMX MSRS, as all nested support for CET virtualization, including consistency checks, is in place. Advertise support if and only if KVM supports at least one of IBT or SHSTK. While it's userspace's responsibility to provide a consistent CPU model to the guest, that doesn't mean KVM should set userspace up to fail. Note, the existing {CLEAR,LOAD}_BNDCFGS behavior predates KVM_X86_QUIRK_STUFF_FEATURE_MSRS, i.e. KVM "solved" the inconsistent CPU model problem by overwriting the VMX MSRs provided by userspace. Signed-off-by: Chao Gao Co-developed-by: Sean Christopherson Signed-off-by: Sean Christopherson --- arch/x86/kvm/vmx/nested.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c index 024bfb4d3a72..a8a421a8e766 100644 --- a/arch/x86/kvm/vmx/nested.c +++ b/arch/x86/kvm/vmx/nested.c @@ -7178,13 +7178,17 @@ static void nested_vmx_setup_exit_ctls(struct vmcs_= config *vmcs_conf, VM_EXIT_HOST_ADDR_SPACE_SIZE | #endif VM_EXIT_LOAD_IA32_PAT | VM_EXIT_SAVE_IA32_PAT | - VM_EXIT_CLEAR_BNDCFGS; + VM_EXIT_CLEAR_BNDCFGS | VM_EXIT_LOAD_CET_STATE; msrs->exit_ctls_high |=3D VM_EXIT_ALWAYSON_WITHOUT_TRUE_MSR | VM_EXIT_LOAD_IA32_EFER | VM_EXIT_SAVE_IA32_EFER | VM_EXIT_SAVE_VMX_PREEMPTION_TIMER | VM_EXIT_ACK_INTR_ON_EXIT | VM_EXIT_LOAD_IA32_PERF_GLOBAL_CTRL; =20 + if (!kvm_cpu_cap_has(X86_FEATURE_SHSTK) && + !kvm_cpu_cap_has(X86_FEATURE_IBT)) + msrs->exit_ctls_high &=3D ~VM_EXIT_LOAD_CET_STATE; + /* We support free control of debug control saving. */ msrs->exit_ctls_low &=3D ~VM_EXIT_SAVE_DEBUG_CONTROLS; } 
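Review bot: the gate !kvm_cpu_cap_has(X86_FEATURE_SHSTK) && !kvm_cpu_cap_has(X86_FEATURE_IBT) added to nested_vmx_setup_exit_ctls() is repeated verbatim in nested_vmx_setup_entry_ctls() in the next hunk; computing it once (a small helper, or a bool passed by the caller) would make the two gates obviously symmetric and remove a copy-paste hazard, since each copy must mask the right MSR with the right control bit.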
@@ -7200,11 +7204,16 @@ static void nested_vmx_setup_entry_ctls(struct vmcs= _config *vmcs_conf, #ifdef CONFIG_X86_64 VM_ENTRY_IA32E_MODE | #endif - VM_ENTRY_LOAD_IA32_PAT | VM_ENTRY_LOAD_BNDCFGS; + VM_ENTRY_LOAD_IA32_PAT | VM_ENTRY_LOAD_BNDCFGS | + VM_ENTRY_LOAD_CET_STATE; msrs->entry_ctls_high |=3D (VM_ENTRY_ALWAYSON_WITHOUT_TRUE_MSR | VM_ENTRY_LOAD_IA32_EFER | VM_ENTRY_LOAD_IA32_PERF_GLOBAL_CTRL); =20 + if (!kvm_cpu_cap_has(X86_FEATURE_SHSTK) && + !kvm_cpu_cap_has(X86_FEATURE_IBT)) + msrs->exit_ctls_high &=3D ~VM_ENTRY_LOAD_CET_STATE; + /* We support free control of debug control loading. */ msrs->entry_ctls_low &=3D ~VM_ENTRY_LOAD_DEBUG_CONTROLS; } --=20 2.51.0.470.ga7dc726c21-goog From nobody Thu Oct 2 06:18:00 2025 Received: from mail-pf1-f201.google.com (mail-pf1-f201.google.com [209.85.210.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1C477302175 for ; Fri, 19 Sep 2025 22:34:08 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758321250; cv=none; b=CFO5zWOm9aNDEtcUYvzW4sX72XKnu1Q9GoZVROBmh76lZVfkIYeiVyfBoQOh6SmEE+Y0sDh67OpRZP1crF9ks5k7BatEoNyS8Xv1hre8enlezVICh1Lo0wNw6eZga6HI+FL9YFqeCSSVKvXYtkydY+iI6TcYnM7BY1Yq1Xo6D1M= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758321250; c=relaxed/simple; bh=eJ+NviPvC2VBo1/TEeh/98QA5FeRA5OI+g9CJyGgcSY=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=U4Gw5Lh1zYr/Z9iu11PKr5aOKF3XFuSHu09xk4r1t0Fan6ERBJQRP53PpRRxz6+dLvhxgsgu8j260afEY/BJ1ACG8FDSjBbNMVM0ast9QfwdtqSmw9RE6L45oS/UFidtut5A+7VKINzGdHFLz1YuMW0HUsIL68GZ3xqlr7Isv/w= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit 
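Review bot: the SHSTK/IBT gate in nested_vmx_setup_entry_ctls() masks the wrong MSR: msrs->exit_ctls_high &= ~VM_ENTRY_LOAD_CET_STATE; should be msrs->entry_ctls_high &= ~VM_ENTRY_LOAD_CET_STATE;. As written, on a host with neither SHSTK nor IBT the entry control stays advertised in entry_ctls_high (so L1 can enable a control whose state KVM does not virtualize there), and the numeric value of a VM_ENTRY_ bit is cleared from exit_ctls_high, where it names an unrelated VM-exit control. The exit-side hunk above gets this right; this one looks like a copy-paste slip.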
AJvYcCX7MEvpp4q6ax6qJa3gnNYRAo1t1fX5t7QR8dty6eKcM8bBWYDTPXHlbVyh2Xqa7TG2THNz+N/NmzLOLQs=@vger.kernel.org X-Gm-Message-State: AOJu0YwoptNI/dKLHESz/bKb5v5t0VSzp9TBI3w6TlrJ/2dcVhQnvZvH 65KOzQ/P5LacfsSPZWpwGS+elJWIhktPuHvjXUPx5qCn0GqS6obJeKn6rdqtLJvSmI+kgoYjH9g XYVJz/A== X-Google-Smtp-Source: AGHT+IE+kzZm2wI3wJsqhe11/v8urBpa1o0V7eLKMUUsTS/TrGpHSZsJlDfAudcOW7JuaCa/sws36i0ssXE= X-Received: from pjbsv5.prod.google.com ([2002:a17:90b:5385:b0:32d:a0b1:2b14]) (user=seanjc job=prod-delivery.src-stubby-dispatcher) by 2002:a05:6a20:19a3:b0:24c:c33e:8df0 with SMTP id adf61e73a8af0-292727771abmr5548077637.45.1758321248405; Fri, 19 Sep 2025 15:34:08 -0700 (PDT) Reply-To: Sean Christopherson Date: Fri, 19 Sep 2025 15:32:42 -0700 In-Reply-To: <20250919223258.1604852-1-seanjc@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20250919223258.1604852-1-seanjc@google.com> X-Mailer: git-send-email 2.51.0.470.ga7dc726c21-goog Message-ID: <20250919223258.1604852-36-seanjc@google.com> Subject: [PATCH v16 35/51] KVM: SVM: Emulate reads and writes to shadow stack MSRs From: Sean Christopherson To: Paolo Bonzini , Sean Christopherson Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky , Mathias Krause , John Allen , Rick Edgecombe , Chao Gao , Binbin Wu , Xiaoyao Li , Maxim Levitsky , Zhang Yi Z , Xin Li Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: John Allen Emulate shadow stack MSR access by reading and writing to the corresponding fields in the VMCB. Signed-off-by: John Allen [sean: mark VMCB_CET dirty/clean as appropriate] Signed-off-by: Sean Christopherson --- arch/x86/kvm/svm/svm.c | 21 +++++++++++++++++++++ arch/x86/kvm/svm/svm.h | 3 ++- 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index 73dde1645e46..52d2241d8188 100644 --- a/arch/x86/kvm/svm/svm.c 
+++ b/arch/x86/kvm/svm/svm.c @@ -2767,6 +2767,15 @@ static int svm_get_msr(struct kvm_vcpu *vcpu, struct= msr_data *msr_info) if (guest_cpuid_is_intel_compatible(vcpu)) msr_info->data |=3D (u64)svm->sysenter_esp_hi << 32; break; + case MSR_IA32_S_CET: + msr_info->data =3D svm->vmcb->save.s_cet; + break; + case MSR_IA32_INT_SSP_TAB: + msr_info->data =3D svm->vmcb->save.isst_addr; + break; + case MSR_KVM_INTERNAL_GUEST_SSP: + msr_info->data =3D svm->vmcb->save.ssp; + break; case MSR_TSC_AUX: msr_info->data =3D svm->tsc_aux; break; @@ -2999,6 +3008,18 @@ static int svm_set_msr(struct kvm_vcpu *vcpu, struct= msr_data *msr) svm->vmcb01.ptr->save.sysenter_esp =3D (u32)data; svm->sysenter_esp_hi =3D guest_cpuid_is_intel_compatible(vcpu) ? (data >= > 32) : 0; break; + case MSR_IA32_S_CET: + svm->vmcb->save.s_cet =3D data; + vmcb_mark_dirty(svm->vmcb01.ptr, VMCB_CET); + break; + case MSR_IA32_INT_SSP_TAB: + svm->vmcb->save.isst_addr =3D data; + vmcb_mark_dirty(svm->vmcb01.ptr, VMCB_CET); + break; + case MSR_KVM_INTERNAL_GUEST_SSP: + svm->vmcb->save.ssp =3D data; + vmcb_mark_dirty(svm->vmcb01.ptr, VMCB_CET); + break; case MSR_TSC_AUX: /* * TSC_AUX is always virtualized for SEV-ES guests when the diff --git a/arch/x86/kvm/svm/svm.h b/arch/x86/kvm/svm/svm.h index 5365984e82e5..e072f91045b5 100644 --- a/arch/x86/kvm/svm/svm.h +++ b/arch/x86/kvm/svm/svm.h @@ -74,6 +74,7 @@ enum { * AVIC PHYSICAL_TABLE pointer, * AVIC LOGICAL_TABLE pointer */ + VMCB_CET, /* S_CET, SSP, ISST_ADDR */ VMCB_SW =3D 31, /* Reserved for hypervisor/software use */ }; =20 
@@ -82,7 +83,7 @@ enum { (1U << VMCB_ASID) | (1U << VMCB_INTR) | \ (1U << VMCB_NPT) | (1U << VMCB_CR) | (1U << VMCB_DR) | \ (1U << VMCB_DT) | (1U << VMCB_SEG) | (1U << VMCB_CR2) | \ - (1U << VMCB_LBR) | (1U << VMCB_AVIC) | \ + (1U << VMCB_LBR) | (1U << VMCB_AVIC) | (1U << VMCB_CET) | \ (1U << VMCB_SW)) =20 /* TPR and CR2 are always written before VMRUN */ --=20 2.51.0.470.ga7dc726c21-goog From nobody Thu Oct 2 06:18:00 2025 Received: from mail-pj1-f73.google.com (mail-pj1-f73.google.com [209.85.216.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8E0EB303A1D for ; Fri, 19 Sep 2025 22:34:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.73 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758321252; cv=none; b=VIjWWnfdJI+FCvo8QygmdbqOcOrAHwCMwP9D2obugTW7OlfDqtqtvzrfMWKTBIbKQx0aMXSWbqL+Gcz69iUbf0orAvN3uVAotf5dUotIGvpGjwdZbbiOE+Y5iBbZLZNNHuC3tWJS/HVRAs7o3hULUmazyqjkwem7NGhh80HMJUo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758321252; c=relaxed/simple; bh=nKZ5Q7RgK3XRxdc3o7cKqV6DWFuIWGsdh+EcSzBiSww=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=lnQ2dEzVEzeVDNlZSSyf6IhGi7MEFUY6Di8QL4QXrdW+T+VnxzCtz9cNS8HMhLu4q8WPMDrNTKO2GQWaKQEObHB7qBFBoUAaB5MYqWmdx3qvWZlTZan2kwsmq7pxO+KboVq/Gz6ZQWzh3/4Q+bSvdDcrO0dhUlG7TuiEJ9NaM94= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=ZkNcRkZV; arc=none smtp.client-ip=209.85.216.73 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass 
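Review bot: in svm_set_msr() the three new cases store to svm->vmcb->save.{s_cet,isst_addr,ssp} but clear the clean bit on svm->vmcb01.ptr; while L2 is running those are different VMCBs (vmcb02 versus vmcb01), so the VMCB that was written is not the one marked dirty. Either store into vmcb01 explicitly, as the sysenter case directly above does (svm->vmcb01.ptr->save.sysenter_esp = (u32)data;), or mark svm->vmcb dirty; if the mismatch is intentional because vmcb02's CET fields are always rewritten on the next nested VMRUN, say so in a comment. The svm.h hunks are fine: VMCB_CET lands in the enum slot after VMCB_AVIC and is added to the clean-bit mask, which is what makes vmcb_mark_dirty(VMCB_CET) meaningful.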
AGHT+IEW7HITViOOE/8pfh1gBFeALqS2Mwkwb0jK0TfcwCqmDCr4DL2x+WvNHZBBQhSy5ImpJhKVudjl1j8= X-Received: from pjbpd9.prod.google.com ([2002:a17:90b:1dc9:b0:32b:5548:d659]) (user=seanjc job=prod-delivery.src-stubby-dispatcher) by 2002:a17:90a:d60c:b0:32e:8c1e:1301 with SMTP id 98e67ed59e1d1-3309838dec4mr5848473a91.34.1758321249933; Fri, 19 Sep 2025 15:34:09 -0700 (PDT) Reply-To: Sean Christopherson Date: Fri, 19 Sep 2025 15:32:43 -0700 In-Reply-To: <20250919223258.1604852-1-seanjc@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20250919223258.1604852-1-seanjc@google.com> X-Mailer: git-send-email 2.51.0.470.ga7dc726c21-goog Message-ID: <20250919223258.1604852-37-seanjc@google.com> Subject: [PATCH v16 36/51] KVM: nSVM: Save/load CET Shadow Stack state to/from vmcb12/vmcb02 From: Sean Christopherson To: Paolo Bonzini , Sean Christopherson Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky , Mathias Krause , John Allen , Rick Edgecombe , Chao Gao , Binbin Wu , Xiaoyao Li , Maxim Levitsky , Zhang Yi Z , Xin Li Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Transfer the three CET Shadow Stack VMCB fields (S_CET, ISST_ADDR, and SSP) on VMRUN, #VMEXIT, and loading nested state (saving nested state simply copies the entire save area). SVM doesn't provide a way to disallow L1 from enabling Shadow Stacks for L2, i.e. KVM *must* provide nested support before advertising SHSTK to userspace. Signed-off-by: Sean Christopherson --- arch/x86/kvm/svm/nested.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c index 826473f2d7c7..a6443feab252 100644 --- a/arch/x86/kvm/svm/nested.c +++ b/arch/x86/kvm/svm/nested.c 
@@ -636,6 +636,14 @@ static void nested_vmcb02_prepare_save(struct vcpu_svm= *svm, struct vmcb *vmcb12 vmcb_mark_dirty(vmcb02, VMCB_DT); } =20 + if (guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK) && + (unlikely(new_vmcb12 || vmcb_is_dirty(vmcb12, VMCB_CET)))) { + vmcb02->save.s_cet =3D vmcb12->save.s_cet; + vmcb02->save.isst_addr =3D vmcb12->save.isst_addr; + vmcb02->save.ssp =3D vmcb12->save.ssp; + vmcb_mark_dirty(vmcb02, VMCB_CET); + } + kvm_set_rflags(vcpu, vmcb12->save.rflags | X86_EFLAGS_FIXED); =20 svm_set_efer(vcpu, svm->nested.save.efer); @@ -1044,6 +1052,12 @@ void svm_copy_vmrun_state(struct vmcb_save_area *to_= save, to_save->rsp =3D from_save->rsp; to_save->rip =3D from_save->rip; to_save->cpl =3D 0; + + if (kvm_cpu_cap_has(X86_FEATURE_SHSTK)) { + to_save->s_cet =3D from_save->s_cet; + to_save->isst_addr =3D from_save->isst_addr; + to_save->ssp =3D from_save->ssp; + } } =20 void svm_copy_vmloadsave_state(struct vmcb *to_vmcb, struct vmcb *from_vmc= b) 
@@ -1111,6 +1125,12 @@ int nested_svm_vmexit(struct vcpu_svm *svm) vmcb12->save.dr6 =3D svm->vcpu.arch.dr6; vmcb12->save.cpl =3D vmcb02->save.cpl; =20 + if (guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK)) { + vmcb12->save.s_cet =3D vmcb02->save.s_cet; + vmcb12->save.isst_addr =3D vmcb02->save.isst_addr; + vmcb12->save.ssp =3D vmcb02->save.ssp; + } + vmcb12->control.int_state =3D vmcb02->control.int_state; vmcb12->control.exit_code =3D vmcb02->control.exit_code; vmcb12->control.exit_code_hi =3D vmcb02->control.exit_code_hi;
-- 
2.51.0.470.ga7dc726c21-goog

From nobody Thu Oct 2 06:18:00 2025
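Review bot: in the nested_vmcb02_prepare_save() hunk the three vmcb12 fields are copied into vmcb02 as-is, and neither the hunk nor the changelog says whether a bad value supplied by L1 (a non-canonical SSP or ISST_ADDR, say) is rejected by the hardware consistency checks on VMRUN or needs a check here; a one-line comment stating which is the case would save the next reader the same question. Minor style point on the same hunk: `(unlikely(new_vmcb12 || vmcb_is_dirty(vmcb12, VMCB_CET)))` carries one pair of parentheses more than it needs.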
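Review bot: the svm_copy_vmrun_state() hunk gates its copy on the host capability, kvm_cpu_cap_has(X86_FEATURE_SHSTK), whereas the other two hunks in this patch use the per-vCPU guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK). The function only receives the two save areas, so the vCPU is presumably not at hand, but the asymmetry deserves a short comment or a sentence in the changelog so it is not mistaken for an oversight, since with the host check the CET fields are also copied for a guest that was never given SHSTK.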
Reply-To: Sean Christopherson
Date: Fri, 19 Sep 2025 15:32:44 -0700
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
Message-ID: <20250919223258.1604852-38-seanjc@google.com>
Subject: [PATCH v16 37/51] KVM: SVM: Update dump_vmcb with shadow stack save area additions
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li

From: John Allen

Add shadow stack VMCB fields to dump_vmcb. PL0_SSP, PL1_SSP, PL2_SSP, PL3_SSP, and U_CET are part of the SEV-ES save area and are encrypted, but can be decrypted and dumped if the guest policy allows debugging.

Reviewed-by: Maxim Levitsky
Signed-off-by: John Allen
Signed-off-by: Sean Christopherson
---
 arch/x86/kvm/svm/svm.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
index 52d2241d8188..e50e6847fe72 100644
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -3410,6 +3410,10 @@ static void dump_vmcb(struct kvm_vcpu *vcpu) "rip:", save->rip, "rflags:", save->rflags); pr_err("%-15s %016llx %-13s %016llx\n", "rsp:", save->rsp, "rax:", save->rax); + pr_err("%-15s %016llx %-13s %016llx\n", + "s_cet:", save->s_cet, "ssp:", save->ssp); + pr_err("%-15s %016llx\n", + "isst_addr:", save->isst_addr); pr_err("%-15s %016llx %-13s %016llx\n", "star:", save01->star, "lstar:", save01->lstar); pr_err("%-15s %016llx %-13s %016llx\n", 
@@ -3434,6 +3438,13 @@ static void dump_vmcb(struct kvm_vcpu *vcpu) pr_err("%-15s %016llx\n", "sev_features", vmsa->sev_features); =20 + pr_err("%-15s %016llx %-13s %016llx\n", + "pl0_ssp:", vmsa->pl0_ssp, "pl1_ssp:", vmsa->pl1_ssp); + pr_err("%-15s %016llx %-13s %016llx\n", + "pl2_ssp:", vmsa->pl2_ssp, "pl3_ssp:", vmsa->pl3_ssp); + pr_err("%-15s %016llx\n", + "u_cet:", vmsa->u_cet); + pr_err("%-15s %016llx %-13s %016llx\n", "rax:", vmsa->rax, "rbx:", vmsa->rbx); pr_err("%-15s %016llx %-13s %016llx\n",
-- 
2.51.0.470.ga7dc726c21-goog

From nobody Thu Oct 2 06:18:00 2025
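Review bot: in the first dump_vmcb() hunk s_cet, ssp and isst_addr are printed unconditionally from the plain save area, so on a host or guest without SHSTK the new lines will show zeros in an already long dump; either gate them on the feature or say in the changelog that unconditional output is intended, so the reader does not take the zeros for a lost value.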
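Review bot: the second dump_vmcb() hunk reads pl0_ssp through pl3_ssp and u_cet from the vmsa, which the changelog says are encrypted and only dumpable when the guest policy allows debugging, yet nothing in the hunk checks that policy; confirm that vmsa at this point is already the decrypted copy obtained under that check (the neighbouring sev_features print suggests it is), and consider a comment next to the new lines saying so.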
Reply-To: Sean Christopherson
Date: Fri, 19 Sep 2025 15:32:45 -0700
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
Message-ID: <20250919223258.1604852-39-seanjc@google.com>
Subject: [PATCH v16 38/51] KVM: SVM: Pass through shadow stack MSRs as appropriate
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li

From: John Allen

Pass through XSAVE managed CET MSRs on SVM when KVM supports shadow stack. These cannot be intercepted without also intercepting XSAVE which would likely cause unacceptable performance overhead.

MSR_IA32_INT_SSP_TAB is not managed by XSAVE, so it is intercepted.

Reviewed-by: Chao Gao
Signed-off-by: John Allen
Signed-off-by: Sean Christopherson
---
 arch/x86/kvm/svm/svm.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
index e50e6847fe72..cabe1950b160 100644
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -844,6 +844,17 @@ static void svm_recalc_msr_intercepts(struct kvm_vcpu = *vcpu) svm_disable_intercept_for_msr(vcpu, MSR_IA32_MPERF, MSR_TYPE_R); } =20 + if (kvm_cpu_cap_has(X86_FEATURE_SHSTK)) { + bool shstk_enabled =3D guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK); + + svm_set_intercept_for_msr(vcpu, MSR_IA32_U_CET, MSR_TYPE_RW, !shstk_enab= led); + svm_set_intercept_for_msr(vcpu, MSR_IA32_S_CET, MSR_TYPE_RW, !shstk_enab= led); + svm_set_intercept_for_msr(vcpu, MSR_IA32_PL0_SSP, MSR_TYPE_RW, !shstk_en= abled); + svm_set_intercept_for_msr(vcpu, MSR_IA32_PL1_SSP, MSR_TYPE_RW, !shstk_en= abled); + svm_set_intercept_for_msr(vcpu, MSR_IA32_PL2_SSP, MSR_TYPE_RW, !shstk_en= abled); + svm_set_intercept_for_msr(vcpu, MSR_IA32_PL3_SSP, MSR_TYPE_RW, !shstk_en= abled); + } + if (sev_es_guest(vcpu->kvm)) sev_es_recalc_msr_intercepts(vcpu); =20
-- 
2.51.0.470.ga7dc726c21-goog

From nobody Thu Oct 2 06:18:00 2025
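Review bot: the changelog describes the registers as the XSAVE-managed CET MSRs, but the hunk also passes through MSR_IA32_S_CET, which is not part of the XSAVE-managed CET state and is held in the VMCB save area instead (the preceding dump_vmcb patch prints save->s_cet); a sentence explaining why S_CET can be passed through on SVM would stop a reader from hunting for it in the XSAVE list. Style point on the same hunk: the six svm_set_intercept_for_msr() calls differ only in the MSR index, so a small local array and a loop would read more easily than six near-identical lines.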
Reply-To: Sean Christopherson
Date: Fri, 19 Sep 2025 15:32:46 -0700
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
Message-ID: <20250919223258.1604852-40-seanjc@google.com>
Subject: [PATCH v16 39/51] KVM: SEV: Synchronize MSR_IA32_XSS from the GHCB when it's valid
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li

Synchronize XSS from the GHCB to KVM's internal tracking if the guest marks XSS as valid on a #VMGEXIT. Like XCR0, KVM needs an up-to-date copy of XSS in order to compute the required XSTATE size when emulating CPUID.0xD.0x1 for the guest.

Treat the incoming XSS change as an emulated write, i.e. validate the guest-provided value, to avoid letting the guest load garbage into KVM's tracking. Simply ignore bad values, as either the guest managed to get an unsupported value into hardware, or the guest is misbehaving and providing pure garbage. In either case, KVM can't fix the broken guest.

Explicitly allow access to XSS at all times, as KVM needs to ensure its copy of XSS stays up-to-date. E.g. KVM supports migration of SEV-ES guests and so needs to allow the host to save/restore XSS, otherwise a guest that *knows* its XSS hasn't changed could get stale/bad CPUID emulation if the guest doesn't provide XSS in the GHCB on every exit. This creates a hypothetical problem where a guest could request emulation of RDMSR or WRMSR on XSS, but arguably that's not even a problem, e.g. it would be entirely reasonable for a guest to request "emulation" as a way to inform the hypervisor that its XSS value has been modified.

Note, emulating the change as an MSR write also takes care of side effects, e.g. marking dynamic CPUID bits as dirty.

Suggested-by: John Allen
base-commit: 14298d819d5a6b7180a4089e7d2121ca3551dc6c
Signed-off-by: Sean Christopherson
---
 arch/x86/kvm/svm/sev.c | 3 +++
 arch/x86/kvm/svm/svm.c | 4 ++--
 arch/x86/kvm/svm/svm.h | 1 +
 3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 85e84bb1a368..94d9acc94c9a 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -3354,6 +3354,9 @@ static void sev_es_sync_from_ghcb(struct vcpu_svm *sv= m) if (kvm_ghcb_xcr0_is_valid(svm)) __kvm_set_xcr(vcpu, 0, kvm_ghcb_get_xcr0(svm)); =20 + if (kvm_ghcb_xss_is_valid(svm)) + __kvm_emulate_msr_write(vcpu, MSR_IA32_XSS, kvm_ghcb_get_xss(svm)); + /* Copy the GHCB exit information into the VMCB fields */ exit_code =3D kvm_ghcb_get_sw_exit_code(svm); control->exit_code =3D lower_32_bits(exit_code); diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index cabe1950b160..d48bf20c865b 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -2721,8 +2721,8 @@ static int svm_get_feature_msr(u32 msr, u64 *data) static bool sev_es_prevent_msr_access(struct kvm_vcpu *vcpu, struct msr_data *msr_info) { - return sev_es_guest(vcpu->kvm) && - vcpu->arch.guest_state_protected && + return sev_es_guest(vcpu->kvm) && vcpu->arch.guest_state_protected && + msr_info->index !=3D MSR_IA32_XSS && !msr_write_intercepted(vcpu, msr_info->index); } =20 diff --git a/arch/x86/kvm/svm/svm.h b/arch/x86/kvm/svm/svm.h index e072f91045b5..a6a1daa3fc89 100644 --- a/arch/x86/kvm/svm/svm.h +++ b/arch/x86/kvm/svm/svm.h 
@@ -941,5 +941,6 @@ DEFINE_KVM_GHCB_ACCESSORS(sw_exit_info_1) DEFINE_KVM_GHCB_ACCESSORS(sw_exit_info_2) DEFINE_KVM_GHCB_ACCESSORS(sw_scratch) DEFINE_KVM_GHCB_ACCESSORS(xcr0) +DEFINE_KVM_GHCB_ACCESSORS(xss) =20 #endif
-- 
2.51.0.470.ga7dc726c21-goog

From nobody Thu Oct 2 06:18:00 2025
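Review bot: in the sev_es_sync_from_ghcb() hunk the return value of __kvm_emulate_msr_write() is dropped; the changelog explains that a rejected value is deliberately ignored because KVM cannot repair a guest that put garbage in the GHCB, but that reasoning lives only in the commit message. A one-line comment above the call, stating that a failed write is ignored on purpose, would keep the next person from "fixing" it by adding error handling.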
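Review bot: the sev_es_prevent_msr_access() hunk special-cases MSR_IA32_XSS by index with no comment, and at the same time re-wraps the existing sev_es_guest()/guest_state_protected lines, which makes the functional change harder to pick out of the diff; a comment on why XSS must stay accessible (KVM needs its copy current for CPUID.0xD.0x1 emulation and for migration, per the changelog) would help, and the reflow could be left out of this patch.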
Reply-To: Sean Christopherson
Date: Fri, 19 Sep 2025 15:32:47 -0700
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
Message-ID: <20250919223258.1604852-41-seanjc@google.com>
Subject: [PATCH v16 40/51] KVM: SVM: Enable shadow stack virtualization for SVM
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li

From: John Allen

Remove the explicit clearing of shadow stack CPU capabilities.

Reviewed-by: Chao Gao
Signed-off-by: John Allen
Signed-off-by: Sean Christopherson
---
 arch/x86/kvm/svm/svm.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
index d48bf20c865b..54ca0ec5ea57 100644
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -5262,10 +5262,7 @@ static __init void svm_set_cpu_caps(void) kvm_set_cpu_caps(); =20 kvm_caps.supported_perf_cap =3D 0; - kvm_caps.supported_xss =3D 0; =20 - /* KVM doesn't yet support CET virtualization for SVM. */ - kvm_cpu_cap_clear(X86_FEATURE_SHSTK); kvm_cpu_cap_clear(X86_FEATURE_IBT); =20 /* CPUID 0x80000001 and 0x8000000A (SVM features) */
-- 
2.51.0.470.ga7dc726c21-goog

From nobody Thu Oct 2 06:18:00 2025
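Review bot: the hunk removes two things the one-line changelog does not mention: the `kvm_caps.supported_xss = 0` assignment, which is a behavioural change in its own right (SVM now advertises whatever XSS bits the common code supports) and deserves a sentence, and the comment `/* KVM doesn't yet support CET virtualization for SVM. */`, even though `kvm_cpu_cap_clear(X86_FEATURE_IBT)` stays; a replacement comment saying that IBT remains unsupported on SVM would keep the remaining clear from looking accidental.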
Reply-To: Sean Christopherson
Date: Fri, 19 Sep 2025 15:32:48 -0700
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
Message-ID: <20250919223258.1604852-42-seanjc@google.com>
Subject: [PATCH v16 41/51] KVM: x86: Add human friendly formatting for #XM, and #VE
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li

Add XM_VECTOR and VE_VECTOR pretty-printing for trace_kvm_inj_exception().

Signed-off-by: Sean Christopherson
Reviewed-by: Binbin Wu
---
 arch/x86/kvm/trace.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kvm/trace.h b/arch/x86/kvm/trace.h
index 57d79fd31df0..06da19b370c5 100644
--- a/arch/x86/kvm/trace.h
+++ b/arch/x86/kvm/trace.h
@@ -461,8 +461,8 @@ TRACE_EVENT(kvm_inj_virq, =20 #define kvm_trace_sym_exc \ EXS(DE), EXS(DB), EXS(BP), EXS(OF), EXS(BR), EXS(UD), EXS(NM), \ - EXS(DF), EXS(TS), EXS(NP), EXS(SS), EXS(GP), EXS(PF), \ - EXS(MF), EXS(AC), EXS(MC) + EXS(DF), EXS(TS), EXS(NP), EXS(SS), EXS(GP), EXS(PF), EXS(MF), \ + EXS(AC), EXS(MC), EXS(XM), EXS(VE) =20 /* * Tracepoint for kvm interrupt injection:
-- 
2.51.0.470.ga7dc726c21-goog
From: Sean Christopherson
Date: Fri, 19 Sep 2025 15:32:49 -0700
Subject: [PATCH v16 42/51] KVM: x86: Define Control Protection Exception (#CP) vector
Message-ID: <20250919223258.1604852-43-seanjc@google.com>
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li

Add a CP_VECTOR definition for CET's Control Protection Exception (#CP), along with human friendly formatting for trace_kvm_inj_exception().

Signed-off-by: Sean Christopherson
Reviewed-by: Binbin Wu
---
 arch/x86/include/uapi/asm/kvm.h | 1 +
 arch/x86/kvm/trace.h | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/x86/include/uapi/asm/kvm.h b/arch/x86/include/uapi/asm/kvm.h
index 467116186e71..73e0e88a0a54 100644
--- a/arch/x86/include/uapi/asm/kvm.h
+++ b/arch/x86/include/uapi/asm/kvm.h
@@ -35,6 +35,7 @@ #define MC_VECTOR 18 #define XM_VECTOR 19 #define VE_VECTOR 20 +#define CP_VECTOR 21 =20 /* Select x86 specific features in */ #define __KVM_HAVE_PIT
diff --git a/arch/x86/kvm/trace.h b/arch/x86/kvm/trace.h
index 06da19b370c5..322913dda626 100644
--- a/arch/x86/kvm/trace.h
+++ b/arch/x86/kvm/trace.h
@@ -462,7 +462,7 @@ TRACE_EVENT(kvm_inj_virq, #define kvm_trace_sym_exc \ EXS(DE), EXS(DB), EXS(BP), EXS(OF), EXS(BR), EXS(UD), EXS(NM), \ EXS(DF), EXS(TS), EXS(NP), EXS(SS), EXS(GP), EXS(PF), EXS(MF), \ - EXS(AC), EXS(MC), EXS(XM), EXS(VE) + EXS(AC), EXS(MC), EXS(XM), EXS(VE), EXS(CP) =20 /* * Tracepoint for kvm interrupt injection:
-- 
2.51.0.470.ga7dc726c21-goog
From: Sean Christopherson
Date: Fri, 19 Sep 2025 15:32:50 -0700
Subject: [PATCH v16 43/51] KVM: x86: Define AMD's #HV, #VC, and #SX exception vectors
Message-ID: <20250919223258.1604852-44-seanjc@google.com>
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li

Add {HV,CP,SX}_VECTOR definitions for AMD's Hypervisor Injection Exception, VMM Communication Exception, and SVM Security Exception vectors, along with human friendly formatting for trace_kvm_inj_exception().

Note, KVM is all but guaranteed to never observe or inject #SX, and #HV is also unlikely to go unused. Add the architectural collateral mostly for completeness, and on the off chance that hardware goes off the rails.

Signed-off-by: Sean Christopherson
---
 arch/x86/include/uapi/asm/kvm.h | 4 ++++
 arch/x86/kvm/trace.h | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/arch/x86/include/uapi/asm/kvm.h b/arch/x86/include/uapi/asm/kvm.h
index 73e0e88a0a54..d420c9c066d4 100644
--- a/arch/x86/include/uapi/asm/kvm.h
+++ b/arch/x86/include/uapi/asm/kvm.h
@@ -37,6 +37,10 @@ #define VE_VECTOR 20 #define CP_VECTOR 21 =20 +#define HV_VECTOR 28 +#define VC_VECTOR 29 +#define SX_VECTOR 30 + /* Select x86 specific features in */ #define __KVM_HAVE_PIT #define __KVM_HAVE_IOAPIC diff --git a/arch/x86/kvm/trace.h b/arch/x86/kvm/trace.h index 322913dda626..e79bc9cb7162 100644 --- a/arch/x86/kvm/trace.h +++ b/arch/x86/kvm/trace.h 
@@ -462,7 +462,8 @@ TRACE_EVENT(kvm_inj_virq, #define kvm_trace_sym_exc \ EXS(DE), EXS(DB), EXS(BP), EXS(OF), EXS(BR), EXS(UD), EXS(NM), \ EXS(DF), EXS(TS), EXS(NP), EXS(SS), EXS(GP), EXS(PF), EXS(MF), \ - EXS(AC), EXS(MC), EXS(XM), EXS(VE), EXS(CP) + EXS(AC), EXS(MC), EXS(XM), EXS(VE), EXS(CP), \ + EXS(HV), EXS(VC), EXS(SX) =20 /* * Tracepoint for kvm interrupt injection:
-- 
2.51.0.470.ga7dc726c21-goog
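Review bot: the commit message and the kvm.h hunk of 43/51 disagree: the message announces {HV,CP,SX}_VECTOR, but the hunk adds HV_VECTOR 28, VC_VECTOR 29 and SX_VECTOR 30, and CP_VECTOR 21 only appears as unchanged context because 42/51 already added it; the message should read {HV,VC,SX}_VECTOR. In the same message, "#HV is also unlikely to go unused" says the opposite of what the following sentence ("mostly for completeness") implies; "unlikely to be used" is presumably what was meant.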
From: Sean Christopherson
Date: Fri, 19 Sep 2025 15:32:51 -0700
Subject: [PATCH v16 44/51] KVM: selftests: Add ex_str() to print human friendly name of exception vectors
Message-ID: <20250919223258.1604852-45-seanjc@google.com>
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li

Steal exception_mnemonic() from KVM-Unit-Tests as ex_str() (to keep line lengths reasonable) and use it in assert messages that currently print the raw vector number.

Co-developed-by: Chao Gao
Signed-off-by: Chao Gao
Signed-off-by: Sean Christopherson
---
 .../selftests/kvm/include/x86/processor.h | 2 ++
 .../testing/selftests/kvm/lib/x86/processor.c | 33 +++++++++++++++++++
 .../selftests/kvm/x86/hyperv_features.c | 16 ++++-----
 .../selftests/kvm/x86/monitor_mwait_test.c | 8 ++---
 .../selftests/kvm/x86/pmu_counters_test.c | 4 +--
 .../selftests/kvm/x86/vmx_pmu_caps_test.c | 4 +--
 .../selftests/kvm/x86/xcr0_cpuid_test.c | 12 +++---
 7 files changed, 57 insertions(+), 22 deletions(-)
diff --git a/tools/testing/selftests/kvm/include/x86/processor.h b/tools/te= sting/selftests/kvm/include/x86/processor.h index efcc4b1de523..2ad84f3809e8 100644 --- a/tools/testing/selftests/kvm/include/x86/processor.h +++ b/tools/testing/selftests/kvm/include/x86/processor.h @@ -34,6 +34,8 @@ extern uint64_t guest_tsc_khz; =20 #define NMI_VECTOR 0x02 =20 +const char *ex_str(int vector); + #define X86_EFLAGS_FIXED (1u << 1) =20 #define X86_CR4_VME (1ul << 0) diff --git a/tools/testing/selftests/kvm/lib/x86/processor.c b/tools/testin= g/selftests/kvm/lib/x86/processor.c index 3b63c99f7b96..f9182dbd07f2 100644 --- a/tools/testing/selftests/kvm/lib/x86/processor.c +++ b/tools/testing/selftests/kvm/lib/x86/processor.c @@ -23,6 +23,39 @@ bool host_cpu_is_intel; bool is_forced_emulation_enabled; uint64_t guest_tsc_khz; =20 +const char *ex_str(int vector) +{ + switch (vector) { +#define VEC_STR(v) case v##_VECTOR: return "#" #v + case DE_VECTOR: return "no exception"; + case KVM_MAGIC_DE_VECTOR: return "#DE"; + VEC_STR(DB); + VEC_STR(NMI); + VEC_STR(BP); + VEC_STR(OF); + VEC_STR(BR); + VEC_STR(UD); + VEC_STR(NM); + VEC_STR(DF); + VEC_STR(TS); + VEC_STR(NP); + VEC_STR(SS); + VEC_STR(GP); + VEC_STR(PF); + VEC_STR(MF); + VEC_STR(AC); + VEC_STR(MC); + VEC_STR(XM); + VEC_STR(VE); + VEC_STR(CP); + VEC_STR(HV); + VEC_STR(VC); + VEC_STR(SX); + default: return "#??"; +#undef VEC_STR + } +} + static void regs_dump(FILE *stream, struct kvm_regs *regs, uint8_t indent) { fprintf(stream, "%*srax: 0x%.16llx rbx: 0x%.16llx " diff --git a/tools/testing/selftests/kvm/x86/hyperv_features.c b/tools/test= ing/selftests/kvm/x86/hyperv_features.c index 068e9c69710d..99d327084172 100644 --- a/tools/testing/selftests/kvm/x86/hyperv_features.c +++ b/tools/testing/selftests/kvm/x86/hyperv_features.c 
@@ -54,12 +54,12 @@ static void guest_msr(struct msr_data *msr) =20 if (msr->fault_expected) __GUEST_ASSERT(vector =3D=3D GP_VECTOR, - "Expected #GP on %sMSR(0x%x), got vector '0x%x'", - msr->write ? "WR" : "RD", msr->idx, vector); + "Expected #GP on %sMSR(0x%x), got %s", + msr->write ? "WR" : "RD", msr->idx, ex_str(vector)); else __GUEST_ASSERT(!vector, - "Expected success on %sMSR(0x%x), got vector '0x%x'", - msr->write ? "WR" : "RD", msr->idx, vector); + "Expected success on %sMSR(0x%x), got %s", + msr->write ? "WR" : "RD", msr->idx, ex_str(vector)); =20 if (vector || is_write_only_msr(msr->idx)) goto done; @@ -102,12 +102,12 @@ static void guest_hcall(vm_vaddr_t pgs_gpa, struct hc= all_data *hcall) vector =3D __hyperv_hypercall(hcall->control, input, output, &res); if (hcall->ud_expected) { __GUEST_ASSERT(vector =3D=3D UD_VECTOR, - "Expected #UD for control '%lu', got vector '0x%x'", - hcall->control, vector); + "Expected #UD for control '%lu', got %s", + hcall->control, ex_str(vector)); } else { __GUEST_ASSERT(!vector, - "Expected no exception for control '%lu', got vector '0x%x'", - hcall->control, vector); + "Expected no exception for control '%lu', got %s", + hcall->control, ex_str(vector)); GUEST_ASSERT_EQ(res, hcall->expect); } =20 diff --git a/tools/testing/selftests/kvm/x86/monitor_mwait_test.c b/tools/t= esting/selftests/kvm/x86/monitor_mwait_test.c index 0eb371c62ab8..e45c028d2a7e 100644 --- a/tools/testing/selftests/kvm/x86/monitor_mwait_test.c +++ b/tools/testing/selftests/kvm/x86/monitor_mwait_test.c 
@@ -30,12 +30,12 @@ do { \ \ if (fault_wanted) \ __GUEST_ASSERT((vector) =3D=3D UD_VECTOR, \ - "Expected #UD on " insn " for testcase '0x%x', got '0x%x'", \ - testcase, vector); \ + "Expected #UD on " insn " for testcase '0x%x', got %s", \ + testcase, ex_str(vector)); \ else \ __GUEST_ASSERT(!(vector), \ - "Expected success on " insn " for testcase '0x%x', got '0x%x'", \ - testcase, vector); \ + "Expected success on " insn " for testcase '0x%x', got %s", \ + testcase, ex_str(vector)); \ } while (0) =20 static void guest_monitor_wait(void *arg) diff --git a/tools/testing/selftests/kvm/x86/pmu_counters_test.c b/tools/te= sting/selftests/kvm/x86/pmu_counters_test.c index 89c1e462cd1c..24288b460636 100644 --- a/tools/testing/selftests/kvm/x86/pmu_counters_test.c +++ b/tools/testing/selftests/kvm/x86/pmu_counters_test.c @@ -346,8 +346,8 @@ static void test_arch_events(uint8_t pmu_version, uint6= 4_t perf_capabilities, =20 #define GUEST_ASSERT_PMC_MSR_ACCESS(insn, msr, expect_gp, vector) \ __GUEST_ASSERT(expect_gp ? vector =3D=3D GP_VECTOR : !vector, \ - "Expected %s on " #insn "(0x%x), got vector %u", \ - expect_gp ? "#GP" : "no fault", msr, vector) \ + "Expected %s on " #insn "(0x%x), got %s", \ + expect_gp ? "#GP" : "no fault", msr, ex_str(vector)) \ =20 #define GUEST_ASSERT_PMC_VALUE(insn, msr, val, expected) \ __GUEST_ASSERT(val =3D=3D expected, \ diff --git a/tools/testing/selftests/kvm/x86/vmx_pmu_caps_test.c b/tools/te= sting/selftests/kvm/x86/vmx_pmu_caps_test.c index a1f5ff45d518..7d37f0cd4eb9 100644 --- a/tools/testing/selftests/kvm/x86/vmx_pmu_caps_test.c +++ b/tools/testing/selftests/kvm/x86/vmx_pmu_caps_test.c 
@@ -56,8 +56,8 @@ static void guest_test_perf_capabilities_gp(uint64_t val) uint8_t vector =3D wrmsr_safe(MSR_IA32_PERF_CAPABILITIES, val); =20 __GUEST_ASSERT(vector =3D=3D GP_VECTOR, - "Expected #GP for value '0x%lx', got vector '0x%x'", - val, vector); + "Expected #GP for value '0x%lx', got %s", + val, ex_str(vector)); } =20 static void guest_code(uint64_t current_val) diff --git a/tools/testing/selftests/kvm/x86/xcr0_cpuid_test.c b/tools/test= ing/selftests/kvm/x86/xcr0_cpuid_test.c index c8a5c5e51661..d038c1571729 100644 --- a/tools/testing/selftests/kvm/x86/xcr0_cpuid_test.c +++ b/tools/testing/selftests/kvm/x86/xcr0_cpuid_test.c @@ -81,13 +81,13 @@ static void guest_code(void) =20 vector =3D xsetbv_safe(0, XFEATURE_MASK_FP); __GUEST_ASSERT(!vector, - "Expected success on XSETBV(FP), got vector '0x%x'", - vector); + "Expected success on XSETBV(FP), got %s", + ex_str(vector)); =20 vector =3D xsetbv_safe(0, supported_xcr0); __GUEST_ASSERT(!vector, - "Expected success on XSETBV(0x%lx), got vector '0x%x'", - supported_xcr0, vector); + "Expected success on XSETBV(0x%lx), got %s", + supported_xcr0, ex_str(vector)); =20 for (i =3D 0; i < 64; i++) { if (supported_xcr0 & BIT_ULL(i)) 
@@ -95,8 +95,8 @@ static void guest_code(void) =20 vector =3D xsetbv_safe(0, supported_xcr0 | BIT_ULL(i)); __GUEST_ASSERT(vector =3D=3D GP_VECTOR, - "Expected #GP on XSETBV(0x%llx), supported XCR0 =3D %lx, got vec= tor '0x%x'", - BIT_ULL(i), supported_xcr0, vector); + "Expected #GP on XSETBV(0x%llx), supported XCR0 =3D %lx, got %s", + BIT_ULL(i), supported_xcr0, ex_str(vector)); } =20 GUEST_DONE();
-- 
2.51.0.470.ga7dc726c21-goog
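Review bot: in the lib/x86/processor.c hunk, `case DE_VECTOR: return "no exception";` needs a comment explaining the convention it encodes: the *_safe() helpers return 0 for "no fault" (every caller in this series asserts `!vector` for success), and a real divide error is reported as KVM_MAGIC_DE_VECTOR, which the next case maps to "#DE"; without that comment a reader of ex_str() alone will conclude that #DE is misreported. The VEC_STR(CP), VEC_STR(HV), VEC_STR(VC) and VEC_STR(SX) cases also depend on the *_VECTOR values that 42/51 and 43/51 add to arch/x86/include/uapi/asm/kvm.h, so the selftests must be built against the refreshed uapi header or the switch will not compile; worth a sentence in the changelog. Minor style: `#undef VEC_STR` sits after `default: return "#??";` inside the switch, where it reads as part of the default arm; placing it after the closing brace of the switch is clearer.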
From: Sean Christopherson
Date: Fri, 19 Sep 2025 15:32:52 -0700
Subject: [PATCH v16 45/51] KVM: selftests: Add an MSR test to exercise guest/host and read/write
Message-ID: <20250919223258.1604852-46-seanjc@google.com>
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li

Add a selftest to verify reads and writes to various MSRs, from both the guest and host, and expect success/failure based on whether or not the vCPU supports the MSR according to supported CPUID.

Note, this test is extremely similar to KVM-Unit-Test's "msr" test, but provides more coverage with respect to host accesses, and will be extended to provide additional testing of CPUID-based features, save/restore lists, and KVM_{G,S}ET_ONE_REG, all of which are extremely difficult to validate in KUT.

If kvm.ignore_msrs=true, skip the unsupported and reserved testcases as KVM's ABI is a mess; what exactly is supposed to be ignored, and when, varies wildly.
Signed-off-by: Sean Christopherson Reviewed-by: Chao Gao --- tools/testing/selftests/kvm/Makefile.kvm | 1 + .../selftests/kvm/include/x86/processor.h | 5 + tools/testing/selftests/kvm/x86/msrs_test.c | 315 ++++++++++++++++++ 3 files changed, 321 insertions(+) create mode 100644 tools/testing/selftests/kvm/x86/msrs_test.c diff --git a/tools/testing/selftests/kvm/Makefile.kvm b/tools/testing/selft= ests/kvm/Makefile.kvm index 66c82f51837b..1d1b77dabb36 100644 --- a/tools/testing/selftests/kvm/Makefile.kvm +++ b/tools/testing/selftests/kvm/Makefile.kvm @@ -87,6 +87,7 @@ TEST_GEN_PROGS_x86 +=3D x86/kvm_clock_test TEST_GEN_PROGS_x86 +=3D x86/kvm_pv_test TEST_GEN_PROGS_x86 +=3D x86/kvm_buslock_test TEST_GEN_PROGS_x86 +=3D x86/monitor_mwait_test +TEST_GEN_PROGS_x86 +=3D x86/msrs_test TEST_GEN_PROGS_x86 +=3D x86/nested_emulation_test TEST_GEN_PROGS_x86 +=3D x86/nested_exceptions_test TEST_GEN_PROGS_x86 +=3D x86/platform_info_test diff --git a/tools/testing/selftests/kvm/include/x86/processor.h b/tools/te= sting/selftests/kvm/include/x86/processor.h index 2ad84f3809e8..fb3e6ab81a80 100644 --- a/tools/testing/selftests/kvm/include/x86/processor.h +++ b/tools/testing/selftests/kvm/include/x86/processor.h @@ -1357,6 +1357,11 @@ static inline bool kvm_is_unrestricted_guest_enabled= (void) return get_kvm_intel_param_bool("unrestricted_guest"); } =20 +static inline bool kvm_is_ignore_msrs(void) +{ + return get_kvm_param_bool("ignore_msrs"); +} + uint64_t *__vm_get_page_table_entry(struct kvm_vm *vm, uint64_t vaddr, int *level); uint64_t *vm_get_page_table_entry(struct kvm_vm *vm, uint64_t vaddr); diff --git a/tools/testing/selftests/kvm/x86/msrs_test.c b/tools/testing/se= lftests/kvm/x86/msrs_test.c new file mode 100644 index 000000000000..9285cf51ef75 --- /dev/null +++ b/tools/testing/selftests/kvm/x86/msrs_test.c 
@@ -0,0 +1,315 @@ +// SPDX-License-Identifier: GPL-2.0-only +#include + +#include + +#include "kvm_util.h" +#include "processor.h" + +/* Use HYPERVISOR for MSRs that are emulated unconditionally (as is HYPERV= ISOR). */ +#define X86_FEATURE_NONE X86_FEATURE_HYPERVISOR + +struct kvm_msr { + const struct kvm_x86_cpu_feature feature; + const struct kvm_x86_cpu_feature feature2; + const char *name; + const u64 reset_val; + const u64 write_val; + const u64 rsvd_val; + const u32 index; +}; + +#define ____MSR_TEST(msr, str, val, rsvd, reset, feat, f2) \ +{ \ + .index =3D msr, \ + .name =3D str, \ + .write_val =3D val, \ + .rsvd_val =3D rsvd, \ + .reset_val =3D reset, \ + .feature =3D X86_FEATURE_ ##feat, \ + .feature2 =3D X86_FEATURE_ ##f2, \ +} + +#define __MSR_TEST(msr, str, val, rsvd, reset, feat) \ + ____MSR_TEST(msr, str, val, rsvd, reset, feat, feat) + +#define MSR_TEST_NON_ZERO(msr, val, rsvd, reset, feat) \ + __MSR_TEST(msr, #msr, val, rsvd, reset, feat) + +#define MSR_TEST(msr, val, rsvd, feat) \ + __MSR_TEST(msr, #msr, val, rsvd, 0, feat) + +#define MSR_TEST2(msr, val, rsvd, feat, f2) \ + ____MSR_TEST(msr, #msr, val, rsvd, 0, feat, f2) + +/* + * Note, use a page aligned value for the canonical value so that the value + * is compatible with MSRs that use bits 11:0 for things other than addres= ses. + */ +static const u64 canonical_val =3D 0x123456789000ull; + +#define MSR_TEST_CANONICAL(msr, feat) \ + __MSR_TEST(msr, #msr, canonical_val, NONCANONICAL, 0, feat) + +/* + * The main struct must be scoped to a function due to the use of structur= es to + * define features. For the global structure, allocate enough space for t= he + * foreseeable future without getting too ridiculous, to minimize maintena= nce + * costs (bumping the array size every time an MSR is added is really anno= ying). 
+ */ +static struct kvm_msr msrs[128]; +static int idx; + +static bool ignore_unsupported_msrs; + +static u64 fixup_rdmsr_val(u32 msr, u64 want) +{ + /* + * AMD CPUs drop bits 63:32 on some MSRs that Intel CPUs support. KVM + * is supposed to emulate that behavior based on guest vendor model + * (which is the same as the host vendor model for this test). + */ + if (!host_cpu_is_amd) + return want; + + switch (msr) { + case MSR_IA32_SYSENTER_ESP: + case MSR_IA32_SYSENTER_EIP: + case MSR_TSC_AUX: + return want & GENMASK_ULL(31, 0); + default: + return want; + } +} + +static void __rdmsr(u32 msr, u64 want) +{ + u64 val; + u8 vec; + + vec =3D rdmsr_safe(msr, &val); + __GUEST_ASSERT(!vec, "Unexpected %s on RDMSR(0x%x)", ex_str(vec), msr); + + __GUEST_ASSERT(val =3D=3D want, "Wanted 0x%lx from RDMSR(0x%x), got 0x%lx= ", + want, msr, val); +} + +static void __wrmsr(u32 msr, u64 val) +{ + u8 vec; + + vec =3D wrmsr_safe(msr, val); + __GUEST_ASSERT(!vec, "Unexpected %s on WRMSR(0x%x, 0x%lx)", + ex_str(vec), msr, val); + __rdmsr(msr, fixup_rdmsr_val(msr, val)); +} + +static void guest_test_supported_msr(const struct kvm_msr *msr) +{ + __rdmsr(msr->index, msr->reset_val); + __wrmsr(msr->index, msr->write_val); + GUEST_SYNC(fixup_rdmsr_val(msr->index, msr->write_val)); + + __rdmsr(msr->index, msr->reset_val); +} + +static void guest_test_unsupported_msr(const struct kvm_msr *msr) +{ + u64 val; + u8 vec; + + /* + * KVM's ABI with respect to ignore_msrs is a mess and largely beyond + * repair, just skip the unsupported MSR tests. 
+ */ + if (ignore_unsupported_msrs) + goto skip_wrmsr_gp; + + if (this_cpu_has(msr->feature2)) + goto skip_wrmsr_gp; + + vec =3D rdmsr_safe(msr->index, &val); + __GUEST_ASSERT(vec =3D=3D GP_VECTOR, "Wanted #GP on RDMSR(0x%x), got %s", + msr->index, ex_str(vec)); + + vec =3D wrmsr_safe(msr->index, msr->write_val); + __GUEST_ASSERT(vec =3D=3D GP_VECTOR, "Wanted #GP on WRMSR(0x%x, 0x%lx), g= ot %s", + msr->index, msr->write_val, ex_str(vec)); + +skip_wrmsr_gp: + GUEST_SYNC(0); +} + +void guest_test_reserved_val(const struct kvm_msr *msr) +{ + /* Skip reserved value checks as well, ignore_msrs is trully a mess. */ + if (ignore_unsupported_msrs) + return; + + /* + * If the CPU will truncate the written value (e.g. SYSENTER on AMD), + * expect success and a truncated value, not #GP. + */ + if (!this_cpu_has(msr->feature) || + msr->rsvd_val =3D=3D fixup_rdmsr_val(msr->index, msr->rsvd_val)) { + u8 vec =3D wrmsr_safe(msr->index, msr->rsvd_val); + + __GUEST_ASSERT(vec =3D=3D GP_VECTOR, + "Wanted #GP on WRMSR(0x%x, 0x%lx), got %s", + msr->index, msr->rsvd_val, ex_str(vec)); + } else { + __wrmsr(msr->index, msr->rsvd_val); + __wrmsr(msr->index, msr->reset_val); + } +} + +static void guest_main(void) +{ + for (;;) { + const struct kvm_msr *msr =3D &msrs[READ_ONCE(idx)]; + + if (this_cpu_has(msr->feature)) + guest_test_supported_msr(msr); + else + guest_test_unsupported_msr(msr); + + if (msr->rsvd_val) + guest_test_reserved_val(msr); + + GUEST_SYNC(msr->reset_val); + } +} + +static void host_test_msr(struct kvm_vcpu *vcpu, u64 guest_val) +{ + u64 reset_val =3D msrs[idx].reset_val; + u32 msr =3D msrs[idx].index; + u64 val; + + if (!kvm_cpu_has(msrs[idx].feature)) + return; + + val =3D vcpu_get_msr(vcpu, msr); + TEST_ASSERT(val =3D=3D guest_val, "Wanted 0x%lx from get_msr(0x%x), got 0= x%lx", + guest_val, msr, val); + + vcpu_set_msr(vcpu, msr, reset_val); + + val =3D vcpu_get_msr(vcpu, msr); + TEST_ASSERT(val =3D=3D reset_val, "Wanted 0x%lx from get_msr(0x%x), got 0= x%lx", + 
reset_val, msr, val); +} + +static void do_vcpu_run(struct kvm_vcpu *vcpu) +{ + struct ucall uc; + + for (;;) { + vcpu_run(vcpu); + + switch (get_ucall(vcpu, &uc)) { + case UCALL_SYNC: + host_test_msr(vcpu, uc.args[1]); + return; + case UCALL_PRINTF: + pr_info("%s", uc.buffer); + break; + case UCALL_ABORT: + REPORT_GUEST_ASSERT(uc); + case UCALL_DONE: + TEST_FAIL("Unexpected UCALL_DONE"); + default: + TEST_FAIL("Unexpected ucall: %lu", uc.cmd); + } + } +} + +static void vcpus_run(struct kvm_vcpu **vcpus, const int NR_VCPUS) +{ + int i; + + for (i =3D 0; i < NR_VCPUS; i++) + do_vcpu_run(vcpus[i]); +} + +#define MISC_ENABLES_RESET_VAL (MSR_IA32_MISC_ENABLE_PEBS_UNAVAIL | MSR_IA= 32_MISC_ENABLE_BTS_UNAVAIL) + +static void test_msrs(void) +{ + const struct kvm_msr __msrs[] =3D { + MSR_TEST_NON_ZERO(MSR_IA32_MISC_ENABLE, + MISC_ENABLES_RESET_VAL | MSR_IA32_MISC_ENABLE_FAST_STRING, + MSR_IA32_MISC_ENABLE_FAST_STRING, MISC_ENABLES_RESET_VAL, NONE), + MSR_TEST_NON_ZERO(MSR_IA32_CR_PAT, 0x07070707, 0, 0x7040600070406, NONE), + + /* + * TSC_AUX is supported if RDTSCP *or* RDPID is supported. Add + * entries for each features so that TSC_AUX doesn't exists for + * the "unsupported" vCPU, and obviously to test both cases. + */ + MSR_TEST2(MSR_TSC_AUX, 0x12345678, canonical_val, RDTSCP, RDPID), + MSR_TEST2(MSR_TSC_AUX, 0x12345678, canonical_val, RDPID, RDTSCP), + + MSR_TEST(MSR_IA32_SYSENTER_CS, 0x1234, 0, NONE), + /* + * SYSENTER_{ESP,EIP} are technically non-canonical on Intel, + * but KVM doesn't emulate that behavior on emulated writes, + * i.e. this test will observe different behavior if the MSR + * writes are handed by hardware vs. KVM. KVM's behavior is + * intended (though far from ideal), so don't bother testing + * non-canonical values. 
+ */ + MSR_TEST(MSR_IA32_SYSENTER_ESP, canonical_val, 0, NONE), + MSR_TEST(MSR_IA32_SYSENTER_EIP, canonical_val, 0, NONE), + + MSR_TEST_CANONICAL(MSR_FS_BASE, LM), + MSR_TEST_CANONICAL(MSR_GS_BASE, LM), + MSR_TEST_CANONICAL(MSR_KERNEL_GS_BASE, LM), + MSR_TEST_CANONICAL(MSR_LSTAR, LM), + MSR_TEST_CANONICAL(MSR_CSTAR, LM), + MSR_TEST(MSR_SYSCALL_MASK, 0xffffffff, 0, LM), + + MSR_TEST_CANONICAL(MSR_IA32_PL0_SSP, SHSTK), + MSR_TEST(MSR_IA32_PL0_SSP, canonical_val, canonical_val | 1, SHSTK), + MSR_TEST_CANONICAL(MSR_IA32_PL1_SSP, SHSTK), + MSR_TEST(MSR_IA32_PL1_SSP, canonical_val, canonical_val | 1, SHSTK), + MSR_TEST_CANONICAL(MSR_IA32_PL2_SSP, SHSTK), + MSR_TEST(MSR_IA32_PL2_SSP, canonical_val, canonical_val | 1, SHSTK), + MSR_TEST_CANONICAL(MSR_IA32_PL3_SSP, SHSTK), + MSR_TEST(MSR_IA32_PL3_SSP, canonical_val, canonical_val | 1, SHSTK), + }; + + /* + * Create two vCPUs, but run them on the same task, to validate KVM's + * context switching of MSR state. Don't pin the task to a pCPU to + * also validate KVM's handling of cross-pCPU migration. 
+ */ + const int NR_VCPUS =3D 2; + struct kvm_vcpu *vcpus[NR_VCPUS]; + struct kvm_vm *vm; + + kvm_static_assert(sizeof(__msrs) <=3D sizeof(msrs)); + kvm_static_assert(ARRAY_SIZE(__msrs) <=3D ARRAY_SIZE(msrs)); + memcpy(msrs, __msrs, sizeof(__msrs)); + + ignore_unsupported_msrs =3D kvm_is_ignore_msrs(); + + vm =3D vm_create_with_vcpus(NR_VCPUS, guest_main, vcpus); + + sync_global_to_guest(vm, msrs); + sync_global_to_guest(vm, ignore_unsupported_msrs); + + for (idx =3D 0; idx < ARRAY_SIZE(__msrs); idx++) { + sync_global_to_guest(vm, idx); + + vcpus_run(vcpus, NR_VCPUS); + vcpus_run(vcpus, NR_VCPUS); + } + + kvm_vm_free(vm); +} + +int main(void) +{ + test_msrs(); +} --=20 2.51.0.470.ga7dc726c21-goog
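Review bot: `guest_test_reserved_val()` is declared `void guest_test_reserved_val(const struct kvm_msr *msr)` without `static`, unlike every other helper in the new file (`guest_test_supported_msr()`, `guest_test_unsupported_msr()`, `host_test_msr()`, `do_vcpu_run()`); nothing outside msrs_test.c can call it, so make it `static` for consistency and so the compiler can still flag it if it ever becomes unused. Two smaller points in the same hunk: `const int NR_VCPUS = 2;` followed by `struct kvm_vcpu *vcpus[NR_VCPUS];` declares a variable-length array, because a `const int` is not an integer constant expression in C, and `vcpus_run(struct kvm_vcpu **vcpus, const int NR_VCPUS)` repeats the all-caps name as a function parameter; an `enum` or `#define NR_VCPUS 2` would give a real constant and read as one. And the comment at the top of `guest_test_reserved_val()` has a typo, "ignore_msrs is trully a mess" (truly).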
Date: Fri, 19 Sep 2025 15:32:53 -0700
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
References: <20250919223258.1604852-1-seanjc@google.com>
Message-ID: <20250919223258.1604852-47-seanjc@google.com>
Subject: [PATCH v16 46/51] KVM: selftests: Add support for MSR_IA32_{S,U}_CET to MSRs test
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li

Extend the MSRs test to support {S,U}_CET, which are a bit of a pain to handle due to the MSRs existing if IBT *or* SHSTK is supported. To deal with Intel's wonderful decision to bundle IBT and SHSTK under CET, track the second feature, but skip only RDMSR #GP tests to avoid false failures when running on a CPU with only one of IBT or SHSTK (the WRMSR #GP tests are still valid since the enable bits are per-feature).
Signed-off-by: Sean Christopherson Reviewed-by: Chao Gao --- tools/testing/selftests/kvm/x86/msrs_test.c | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/tools/testing/selftests/kvm/x86/msrs_test.c b/tools/testing/se= lftests/kvm/x86/msrs_test.c index 9285cf51ef75..952439e0c754 100644 --- a/tools/testing/selftests/kvm/x86/msrs_test.c +++ b/tools/testing/selftests/kvm/x86/msrs_test.c @@ -125,13 +125,26 @@ static void guest_test_unsupported_msr(const struct k= vm_msr *msr) if (ignore_unsupported_msrs) goto skip_wrmsr_gp; =20 - if (this_cpu_has(msr->feature2)) - goto skip_wrmsr_gp; + /* + * {S,U}_CET exist if IBT or SHSTK is supported, but with bits that are + * writable only if their associated feature is supported. Skip the + * RDMSR #GP test if the secondary feature is supported, but perform + * the WRMSR #GP test as the to-be-written value is tied to the primary + * feature. For all other MSRs, simply do nothing. + */ + if (this_cpu_has(msr->feature2)) { + if (msr->index !=3D MSR_IA32_U_CET && + msr->index !=3D MSR_IA32_S_CET) + goto skip_wrmsr_gp; + + goto skip_rdmsr_gp; + } =20 vec =3D rdmsr_safe(msr->index, &val); __GUEST_ASSERT(vec =3D=3D GP_VECTOR, "Wanted #GP on RDMSR(0x%x), got %s", msr->index, ex_str(vec)); =20 +skip_rdmsr_gp: vec =3D wrmsr_safe(msr->index, msr->write_val); __GUEST_ASSERT(vec =3D=3D GP_VECTOR, "Wanted #GP on WRMSR(0x%x, 0x%lx), g= ot %s", msr->index, msr->write_val, ex_str(vec)); 
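Review bot: the new branch keys the "skip only the RDMSR #GP test" policy on hardcoded MSR numbers (`msr->index != MSR_IA32_U_CET && msr->index != MSR_IA32_S_CET`) inside the otherwise table-driven `guest_test_unsupported_msr()`, while the only other `feature2` users in the table, the two `MSR_TSC_AUX` entries, get the opposite policy by default. The next MSR that exists under either of two features will need yet another index check added here. Consider encoding the policy in the table instead, e.g. a bool in `struct kvm_msr` set by the entries that want the WRMSR #GP test kept, so the comment "For all other MSRs, simply do nothing" stays true without this function maintaining a list of MSR indices.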
@@ -269,6 +282,10 @@ static void test_msrs(void) MSR_TEST_CANONICAL(MSR_CSTAR, LM), MSR_TEST(MSR_SYSCALL_MASK, 0xffffffff, 0, LM), =20 + MSR_TEST2(MSR_IA32_S_CET, CET_SHSTK_EN, CET_RESERVED, SHSTK, IBT), + MSR_TEST2(MSR_IA32_S_CET, CET_ENDBR_EN, CET_RESERVED, IBT, SHSTK), + MSR_TEST2(MSR_IA32_U_CET, CET_SHSTK_EN, CET_RESERVED, SHSTK, IBT), + MSR_TEST2(MSR_IA32_U_CET, CET_ENDBR_EN, CET_RESERVED, IBT, SHSTK), MSR_TEST_CANONICAL(MSR_IA32_PL0_SSP, SHSTK), MSR_TEST(MSR_IA32_PL0_SSP, canonical_val, canonical_val | 1, SHSTK), MSR_TEST_CANONICAL(MSR_IA32_PL1_SSP, SHSTK), --=20 2.51.0.470.ga7dc726c21-goog
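Review bot: all four entries use `CET_RESERVED` as `rsvd_val`, so on a CPU with only one of IBT/SHSTK the entry keyed on the missing feature takes the `!this_cpu_has(msr->feature)` branch of `guest_test_reserved_val()` and expects #GP on `WRMSR(MSR_IA32_{S,U}_CET, CET_RESERVED)`. That expectation is right only because a write with reserved bits set #GPs regardless of whether the MSR is rejected for the missing sub-feature or for the reserved bits themselves; a one-line comment next to these entries (like the one on the `MSR_TSC_AUX` pair) would make that dependency explicit, and is also the natural place to say that `CET_SHSTK_EN`/`CET_ENDBR_EN` are used as `write_val` precisely because they are the per-feature enable bits the changelog relies on for the WRMSR #GP test.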
Date: Fri, 19 Sep 2025 15:32:54 -0700
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
References: <20250919223258.1604852-1-seanjc@google.com>
Message-ID: <20250919223258.1604852-48-seanjc@google.com>
Subject: [PATCH v16 47/51] KVM: selftests: Extend MSRs test to validate vCPUs without supported features
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li

Add a third vCPU to the MSRs test that runs with all features disabled in the vCPU's CPUID model, to verify that KVM does the right thing with respect to emulating accesses to MSRs that shouldn't exist. Use the same VM to verify that KVM is honoring the vCPU model, e.g. isn't looking at per-VM state when emulating MSR accesses.

Signed-off-by: Sean Christopherson
---
 tools/testing/selftests/kvm/x86/msrs_test.c | 28 ++++++++++++++++++---
 1 file changed, 25 insertions(+), 3 deletions(-)
diff --git a/tools/testing/selftests/kvm/x86/msrs_test.c b/tools/testing/se= lftests/kvm/x86/msrs_test.c index 952439e0c754..f69091ebd270 100644 --- a/tools/testing/selftests/kvm/x86/msrs_test.c +++ b/tools/testing/selftests/kvm/x86/msrs_test.c @@ -296,12 +296,17 @@ static void test_msrs(void) MSR_TEST(MSR_IA32_PL3_SSP, canonical_val, canonical_val | 1, SHSTK), }; =20 + const struct kvm_x86_cpu_feature feat_none =3D X86_FEATURE_NONE; + const struct kvm_x86_cpu_feature feat_lm =3D X86_FEATURE_LM; + /* - * Create two vCPUs, but run them on the same task, to validate KVM's + * Create three vCPUs, but run them on the same task, to validate KVM's * context switching of MSR state. Don't pin the task to a pCPU to - * also validate KVM's handling of cross-pCPU migration. + * also validate KVM's handling of cross-pCPU migration. Use the full + * set of features for the first two vCPUs, but clear all features in + * third vCPU in order to test both positive and negative paths. */ - const int NR_VCPUS =3D 2; + const int NR_VCPUS =3D 3; struct kvm_vcpu *vcpus[NR_VCPUS]; struct kvm_vm *vm; =20 
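Review bot: `feat_none` and `feat_lm` are introduced only so the next hunk can `memcmp()` them against `msrs[idx].feature`; a small helper wrapping that `memcmp()` (taking the `struct kvm_x86_cpu_feature` to compare against) would let the loop test `X86_FEATURE_LM` and `X86_FEATURE_NONE` directly and drop the two locals and the `sizeof` juggling. Also, the updated comment "clear all features in third vCPU" reads better as "in the third vCPU".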
@@ -316,6 +321,23 @@ static void test_msrs(void) sync_global_to_guest(vm, msrs); sync_global_to_guest(vm, ignore_unsupported_msrs); =20 + /* + * Clear features in the "unsupported features" vCPU. This needs to be + * done before the first vCPU run as KVM's ABI is that guest CPUID is + * immutable once the vCPU has been run. + */ + for (idx =3D 0; idx < ARRAY_SIZE(__msrs); idx++) { + /* + * Don't clear LM; selftests are 64-bit only, and KVM doesn't + * honor LM=3D0 for MSRs that are supposed to exist if and only + * if the vCPU is a 64-bit model. Ditto for NONE; clearing a + * fake feature flag will result in false failures. + */ + if (memcmp(&msrs[idx].feature, &feat_lm, sizeof(feat_lm)) && + memcmp(&msrs[idx].feature, &feat_none, sizeof(feat_none))) + vcpu_clear_cpuid_feature(vcpus[2], msrs[idx].feature); + } + + for (idx =3D 0; idx < ARRAY_SIZE(__msrs); idx++) { + sync_global_to_guest(vm, idx); + =20 --=20 2.51.0.470.ga7dc726c21-goog
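Review bot: with the third vCPU's features cleared here, `host_test_msr()` (untouched by this patch) still decides whether to touch an MSR with `kvm_cpu_has(msrs[idx].feature)`, i.e. based on what KVM supports rather than on what `vcpus[2]` advertises, so for the "unsupported" vCPU it will still issue `vcpu_get_msr()`/`vcpu_set_msr()` against MSRs the guest has just confirmed #GP on RDMSR/WRMSR. That only passes if KVM accepts host-initiated accesses independently of guest CPUID. If exercising exactly that is the intent, say so in a comment in `host_test_msr()` (the changelog's "verify that KVM is honoring the vCPU model" reads as the opposite); otherwise gate on `vcpu_cpuid_has(vcpu, msrs[idx].feature)`, as the later KVM-defined-register patch does in `host_test_kvm_reg()`. Minor: `vcpus[2]` is a magic index; `vcpus[NR_VCPUS - 1]` ties it to the "third vCPU" comment in the previous hunk.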
Date: Fri, 19 Sep 2025 15:32:55 -0700
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
References: <20250919223258.1604852-1-seanjc@google.com>
Message-ID: <20250919223258.1604852-49-seanjc@google.com>
Subject: [PATCH v16 48/51] KVM: selftests: Add KVM_{G,S}ET_ONE_REG coverage to MSRs test
From: Sean Christopherson To: Paolo Bonzini , Sean Christopherson Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky , Mathias Krause , John Allen , Rick Edgecombe , Chao Gao , Binbin Wu , Xiaoyao Li , Maxim Levitsky , Zhang Yi Z , Xin Li Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" When KVM_{G,S}ET_ONE_REG are supported, verify that MSRs can be accessed via ONE_REG and through the dedicated MSR ioctls. For simplicity, run the test twice, e.g. instead of trying to get MSR values into the exact right state when switching write methods. Signed-off-by: Sean Christopherson Reviewed-by: Chao Gao --- tools/testing/selftests/kvm/x86/msrs_test.c | 22 ++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/tools/testing/selftests/kvm/x86/msrs_test.c b/tools/testing/se= lftests/kvm/x86/msrs_test.c index f69091ebd270..2dc4017072c6 100644 --- a/tools/testing/selftests/kvm/x86/msrs_test.c +++ b/tools/testing/selftests/kvm/x86/msrs_test.c @@ -193,6 +193,9 @@ static void guest_main(void) } } =20 +static bool has_one_reg; +static bool use_one_reg; + static void host_test_msr(struct kvm_vcpu *vcpu, u64 guest_val) { u64 reset_val =3D msrs[idx].reset_val; @@ -206,11 +209,21 @@ static void host_test_msr(struct kvm_vcpu *vcpu, u64 = guest_val) TEST_ASSERT(val =3D=3D guest_val, "Wanted 0x%lx from get_msr(0x%x), got 0= x%lx", guest_val, msr, val); =20 - vcpu_set_msr(vcpu, msr, reset_val); + if (use_one_reg) + vcpu_set_reg(vcpu, KVM_X86_REG_MSR(msr), reset_val); + else + vcpu_set_msr(vcpu, msr, reset_val); =20 val =3D vcpu_get_msr(vcpu, msr); TEST_ASSERT(val =3D=3D reset_val, "Wanted 0x%lx from get_msr(0x%x), got 0= x%lx", reset_val, msr, val); + + if (!has_one_reg) + return; + + val =3D vcpu_get_reg(vcpu, KVM_X86_REG_MSR(msr)); + TEST_ASSERT(val =3D=3D reset_val, "Wanted 0x%lx from get_reg(0x%x), got 0= x%lx", + reset_val, msr, val); } =20 static void do_vcpu_run(struct kvm_vcpu *vcpu) 
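Review bot: in `host_test_msr()` the write path is switched on `use_one_reg`, but the readbacks are not symmetric: the first readback is always `vcpu_get_msr()`, and the `KVM_GET_ONE_REG` readback is guarded by `has_one_reg`, not `use_one_reg`. Cross-checking the two interfaces (a `KVM_SET_ONE_REG` write must be visible through `KVM_GET_MSR`, and a `KVM_SET_MSR` write through `KVM_GET_ONE_REG`) is a good idea, but as written the first `test_msrs()` pass exercises `vcpu_get_reg()` for every MSR while `vcpu_set_reg()` only runs in the second pass, and nothing in the function says so; a short comment above `if (use_one_reg)` explaining that the asymmetry is deliberate would stop the next reader from "fixing" the `has_one_reg` guard to `use_one_reg`. Also note that `guest_val` (the value the guest wrote) is only ever compared via `vcpu_get_msr()`; if ONE_REG is meant to be a first-class path, reading the guest-written value through `vcpu_get_reg()` before the reset would cover it too.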
@@ -350,5 +363,12 @@ static void test_msrs(void) =20 int main(void) { + has_one_reg =3D kvm_has_cap(KVM_CAP_ONE_REG); + test_msrs(); + + if (has_one_reg) { + use_one_reg =3D true; + test_msrs(); + } } --=20 2.51.0.470.ga7dc726c21-goog
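Review bot: when `KVM_CAP_ONE_REG` is not reported, `main()` silently runs only the MSR-ioctl pass and exits successfully, so a passing run on a kernel without ONE_REG is indistinguishable from a run that covered both paths. Since `has_one_reg` is computed up front anyway, a `pr_info()` (the file already uses it in `do_vcpu_run()`) stating that the ONE_REG pass is skipped would make the test output self-describing.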
Date: Fri, 19 Sep 2025 15:32:56 -0700
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
References: <20250919223258.1604852-1-seanjc@google.com>
Message-ID: <20250919223258.1604852-50-seanjc@google.com>
Subject: [PATCH v16 49/51] KVM: selftests: Add coverage for KVM-defined registers in MSRs test
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li

Add test coverage for the KVM-defined GUEST_SSP "register" in the MSRs test. While _KVM's_ goal is to not tie the uAPI of KVM-defined registers to any particular internal implementation, i.e. to not commit in uAPI to handling GUEST_SSP as an MSR, treating GUEST_SSP as an MSR for testing purposes is a-ok and is a natural fit given the semantics of SSP.

Signed-off-by: Sean Christopherson
Reviewed-by: Chao Gao
---
 tools/testing/selftests/kvm/x86/msrs_test.c | 97 ++++++++++++++++++++-
 1 file changed, 94 insertions(+), 3 deletions(-)

diff --git a/tools/testing/selftests/kvm/x86/msrs_test.c b/tools/testing/se= lftests/kvm/x86/msrs_test.c index 2dc4017072c6..7c6d846e42dd 100644 --- a/tools/testing/selftests/kvm/x86/msrs_test.c +++ b/tools/testing/selftests/kvm/x86/msrs_test.c
@@ -17,9 +17,10 @@ struct kvm_msr { const u64 write_val; const u64 rsvd_val; const u32 index; + const bool is_kvm_defined; }; =20 -#define ____MSR_TEST(msr, str, val, rsvd, reset, feat, f2) \ +#define ____MSR_TEST(msr, str, val, rsvd, reset, feat, f2, is_kvm) \ { \ .index =3D msr, \ .name =3D str, \ @@ -28,10 +29,11 @@ struct kvm_msr { .reset_val =3D reset, \ .feature =3D X86_FEATURE_ ##feat, \ .feature2 =3D X86_FEATURE_ ##f2, \ + .is_kvm_defined =3D is_kvm, \ } =20 #define __MSR_TEST(msr, str, val, rsvd, reset, feat) \ - ____MSR_TEST(msr, str, val, rsvd, reset, feat, feat) + ____MSR_TEST(msr, str, val, rsvd, reset, feat, feat, false) =20 #define MSR_TEST_NON_ZERO(msr, val, rsvd, reset, feat) \ __MSR_TEST(msr, #msr, val, rsvd, reset, feat) @@ -40,7 +42,7 @@ struct kvm_msr { __MSR_TEST(msr, #msr, val, rsvd, 0, feat) =20 #define MSR_TEST2(msr, val, rsvd, feat, f2) \ - ____MSR_TEST(msr, #msr, val, rsvd, 0, feat, f2) + ____MSR_TEST(msr, #msr, val, rsvd, 0, feat, f2, false) =20 /* * Note, use a page aligned value for the canonical value so that the value @@ -51,6 +53,9 @@ static const u64 canonical_val =3D 0x123456789000ull; #define MSR_TEST_CANONICAL(msr, feat) \ __MSR_TEST(msr, #msr, canonical_val, NONCANONICAL, 0, feat) =20 +#define MSR_TEST_KVM(msr, val, rsvd, feat) \ + ____MSR_TEST(KVM_REG_ ##msr, #msr, val, rsvd, 0, feat, feat, true) + /* * The main struct must be scoped to a function due to the use of structur= es to * define features. For the global structure, allocate enough space for t= he 
@@ -196,6 +201,83 @@ static void guest_main(void) static bool has_one_reg; static bool use_one_reg; =20 +#define KVM_X86_MAX_NR_REGS 1 + +static bool vcpu_has_reg(struct kvm_vcpu *vcpu, u64 reg) +{ + struct { + struct kvm_reg_list list; + u64 regs[KVM_X86_MAX_NR_REGS]; + } regs =3D {}; + int r, i; + + /* + * If KVM_GET_REG_LIST succeeds with n=3D0, i.e. there are no supported + * regs, then the vCPU obviously doesn't support the reg. + */ + r =3D __vcpu_ioctl(vcpu, KVM_GET_REG_LIST, ®s.list.n); + if (!r) + return false; + + TEST_ASSERT_EQ(errno, E2BIG); + + /* + * KVM x86 is expected to support enumerating a relative small number + * of regs. The majority of registers supported by KVM_{G,S}ET_ONE_REG + * are enumerated via other ioctls, e.g. KVM_GET_MSR_INDEX_LIST. For + * simplicity, hardcode the maximum number of regs and manually update + * the test as necessary. + */ + TEST_ASSERT(regs.list.n <=3D KVM_X86_MAX_NR_REGS, + "KVM reports %llu regs, test expects at most %u regs, stale test?", + regs.list.n, KVM_X86_MAX_NR_REGS); + + vcpu_ioctl(vcpu, KVM_GET_REG_LIST, ®s.list.n); + for (i =3D 0; i < regs.list.n; i++) { + if (regs.regs[i] =3D=3D reg) + return true; + } + + return false; +} + +static void host_test_kvm_reg(struct kvm_vcpu *vcpu) +{ + bool has_reg =3D vcpu_cpuid_has(vcpu, msrs[idx].feature); + u64 reset_val =3D msrs[idx].reset_val; + u64 write_val =3D msrs[idx].write_val; + u64 rsvd_val =3D msrs[idx].rsvd_val; + u32 reg =3D msrs[idx].index; + u64 val; + int r; + + if (!use_one_reg) + return; + + TEST_ASSERT_EQ(vcpu_has_reg(vcpu, KVM_X86_REG_KVM(reg)), has_reg); + + if (!has_reg) { + r =3D __vcpu_get_reg(vcpu, KVM_X86_REG_KVM(reg), &val); + TEST_ASSERT(r && errno =3D=3D EINVAL, + "Expected failure on get_reg(0x%x)", reg); + rsvd_val =3D 0; + goto out; + } + + val =3D vcpu_get_reg(vcpu, KVM_X86_REG_KVM(reg)); + TEST_ASSERT(val =3D=3D reset_val, "Wanted 0x%lx from get_reg(0x%x), got 0= x%lx", + reset_val, reg, val); + + vcpu_set_reg(vcpu, 
KVM_X86_REG_KVM(reg), write_val); + val =3D vcpu_get_reg(vcpu, KVM_X86_REG_KVM(reg)); + TEST_ASSERT(val =3D=3D write_val, "Wanted 0x%lx from get_reg(0x%x), got 0= x%lx", + write_val, reg, val); + +out: + r =3D __vcpu_set_reg(vcpu, KVM_X86_REG_KVM(reg), rsvd_val); + TEST_ASSERT(r, "Expected failure on set_reg(0x%x, 0x%lx)", reg, rsvd_val); +} + static void host_test_msr(struct kvm_vcpu *vcpu, u64 guest_val) { u64 reset_val =3D msrs[idx].reset_val; @@ -307,6 +389,8 @@ static void test_msrs(void) MSR_TEST(MSR_IA32_PL2_SSP, canonical_val, canonical_val | 1, SHSTK), MSR_TEST_CANONICAL(MSR_IA32_PL3_SSP, SHSTK), MSR_TEST(MSR_IA32_PL3_SSP, canonical_val, canonical_val | 1, SHSTK), + + MSR_TEST_KVM(GUEST_SSP, canonical_val, NONCANONICAL, SHSTK), }; =20 const struct kvm_x86_cpu_feature feat_none =3D X86_FEATURE_NONE; @@ -322,6 +406,7 @@ static void test_msrs(void) const int NR_VCPUS =3D 3; struct kvm_vcpu *vcpus[NR_VCPUS]; struct kvm_vm *vm; + int i; =20 kvm_static_assert(sizeof(__msrs) <=3D sizeof(msrs)); kvm_static_assert(ARRAY_SIZE(__msrs) <=3D ARRAY_SIZE(msrs)); 
@@ -352,6 +437,12 @@ static void test_msrs(void) } =20 for (idx =3D 0; idx < ARRAY_SIZE(__msrs); idx++) { + if (msrs[idx].is_kvm_defined) { + for (i =3D 0; i < NR_VCPUS; i++) + host_test_kvm_reg(vcpus[i]); + continue; + } + sync_global_to_guest(vm, idx); =20 vcpus_run(vcpus, NR_VCPUS); --=20 2.51.0.470.ga7dc726c21-goog
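Review bot: in the hunk at @@ -51,6 +53,9 @@, MSR_TEST_KVM hardcodes the reset value to 0 and passes `feat` as both `feat` and `f2`, so a KVM-defined register with a non-zero reset value, or one gated on two features the way MSR_TEST2 allows, cannot be expressed with it; a one-line comment above the macro stating that limitation would keep the next GUEST_SSP-style addition from silently picking the wrong macro.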
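Review bot: in the hunk at @@ -196,6 +201,83 @@, the `!has_reg` branch of host_test_kvm_reg overwrites `rsvd_val` with 0 and jumps to `out` without saying why; a comment that the intent is to prove KVM_SET_ONE_REG fails for an unsupported register regardless of the value written would make the `goto out` self-explanatory. Two smaller points in vcpu_has_reg: the comment reads "a relative small number" and should be "a relatively small number", and `int i` is compared against the `__u64` `regs.list.n`, which trips -Wsign-compare; an unsigned loop counter avoids that.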
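Review bot: in the hunk at @@ -307,6 +389,8 @@, the new GUEST_SSP entry only exercises the NONCANONICAL reserved value, whereas the neighbouring MSR_IA32_PL2_SSP/PL3_SSP entries additionally test `canonical_val | 1`; if KVM applies the same alignment rule to GUEST_SSP, a second MSR_TEST_KVM entry with `canonical_val | 1` as the reserved value would give the KVM-defined register the same coverage as the architectural SSP MSRs.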
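Review bot: in the hunk at @@ -352,6 +437,12 @@, the `continue` for `is_kvm_defined` entries bypasses sync_global_to_guest() and vcpus_run(), so the guest side never sees those indices, and host_test_kvm_reg() itself returns silently when `use_one_reg` is false, meaning KVM-defined entries get no coverage at all on a pass without ONE_REG; a short comment at the `continue` stating that KVM-defined registers are host-only and ONE_REG-only would document both facts where a reader will look for them.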
Reply-To: Sean Christopherson
Date: Fri, 19 Sep 2025 15:32:57 -0700
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
References: <20250919223258.1604852-1-seanjc@google.com>
Message-ID: <20250919223258.1604852-51-seanjc@google.com>
Subject: [PATCH v16 50/51] KVM: selftests: Verify MSRs are (not) in save/restore list when (un)supported
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li

Add a check in the MSRs test to verify that KVM's reported support for MSRs with feature bits is consistent between KVM's MSR save/restore lists and KVM's supported CPUID.

To deal with Intel's wonderful decision to bundle IBT and SHSTK under CET, track the "second" feature to avoid false failures when running on a CPU with only one of IBT or SHSTK.

Signed-off-by: Sean Christopherson
Reviewed-by: Chao Gao
---
 tools/testing/selftests/kvm/x86/msrs_test.c | 22 ++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/tools/testing/selftests/kvm/x86/msrs_test.c b/tools/testing/selftests/kvm/x86/msrs_test.c
index 7c6d846e42dd..91dc66bfdac2 100644
--- a/tools/testing/selftests/kvm/x86/msrs_test.c
+++ b/tools/testing/selftests/kvm/x86/msrs_test.c
@@ -437,12 +437,32 @@ static void test_msrs(void) } =20 for (idx =3D 0; idx < ARRAY_SIZE(__msrs); idx++) { - if (msrs[idx].is_kvm_defined) { + struct kvm_msr *msr =3D &msrs[idx]; + + if (msr->is_kvm_defined) { for (i =3D 0; i < NR_VCPUS; i++) host_test_kvm_reg(vcpus[i]); continue; } =20 + /* + * Verify KVM_GET_SUPPORTED_CPUID and KVM_GET_MSR_INDEX_LIST + * are consistent with respect to MSRs whose existence is + * enumerated via CPUID. Note, using LM as a dummy feature + * is a-ok here as well, as all MSRs that abuse LM should be + * unconditionally reported in the save/restore list (and + * selftests are 64-bit only). Note #2, skip the check for + * FS/GS.base MSRs, as they aren't reported in the save/restore + * list since their state is managed via SREGS. + */ + TEST_ASSERT(msr->index =3D=3D MSR_FS_BASE || msr->index =3D=3D MSR_GS_BA= SE || + kvm_msr_is_in_save_restore_list(msr->index) =3D=3D + (kvm_cpu_has(msr->feature) || kvm_cpu_has(msr->feature2)), + "%s %s save/restore list, but %s according to CPUID", msr->name, + kvm_msr_is_in_save_restore_list(msr->index) ? "is" : "isn't", + (kvm_cpu_has(msr->feature) || kvm_cpu_has(msr->feature2)) ? 
+ "supported" : "unsupported"); + sync_global_to_guest(vm, idx); =20 vcpus_run(vcpus, NR_VCPUS); --=20 2.51.0.470.ga7dc726c21-goog
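Review bot: in the hunk at @@ -437,12 +437,32 @@, `kvm_msr_is_in_save_restore_list(msr->index)` and `kvm_cpu_has(msr->feature) || kvm_cpu_has(msr->feature2)` are each evaluated twice, once in the TEST_ASSERT condition and again in the format arguments; hoisting them into two locals such as `bool in_list` and `bool supported` before the assert would shorten the condition, make the FS/GS.base exemption stand out on its own, and guarantee the failure message reports exactly the values that were compared.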
Reply-To: Sean Christopherson
Date: Fri, 19 Sep 2025 15:32:58 -0700
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
References: <20250919223258.1604852-1-seanjc@google.com>
Message-ID: <20250919223258.1604852-52-seanjc@google.com>
Subject: [PATCH v16 51/51] KVM: VMX: Make CR4.CET a guest owned bit
From: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li
From: Mathias Krause

Make CR4.CET a guest-owned bit under VMX by extending KVM_POSSIBLE_CR4_GUEST_BITS accordingly. There's no need to intercept changes to CR4.CET, as it's neither included in KVM's MMU role bits, nor does KVM specifically care about the actual value of a (nested) guest's CR4.CET value, beside for enforcing architectural constraints, i.e. make sure that CR0.WP=1 if CR4.CET=1.

Intercepting writes to CR4.CET is particularly bad for grsecurity kernels with KERNEXEC or, even worse, KERNSEAL enabled. These features heavily make use of read-only kernel objects and use a cpu-local CR0.WP toggle to override it, when needed. Under a CET-enabled kernel, this also requires toggling CR4.CET, hence the motivation to make it guest-owned.

Using the old test from [1] gives the following runtime numbers (perf stat -r 5 ssdd 10 50000):

* grsec guest on linux-6.16-rc5 + cet patches:
  2.4647 +- 0.0706 seconds time elapsed ( +- 2.86% )

* grsec guest on linux-6.16-rc5 + cet patches + CR4.CET guest-owned:
  1.5648 +- 0.0240 seconds time elapsed ( +- 1.53% )

Not only does not intercepting CR4.CET make the test run ~35% faster, it's also more stable with less fluctuation due to fewer VMEXITs. Therefore, make CR4.CET a guest-owned bit where possible.

This change is VMX-specific, as SVM has no such fine-grained control register intercept control.

If KVM's assumptions regarding MMU role handling wrt. a guest's CR4.CET value ever change, the BUILD_BUG_ON()s related to KVM_MMU_CR4_ROLE_BITS and KVM_POSSIBLE_CR4_GUEST_BITS will catch that early.

Link: https://lore.kernel.org/kvm/20230322013731.102955-1-minipli@grsecurity.net/ [1]
Reviewed-by: Chao Gao
Signed-off-by: Mathias Krause
Signed-off-by: Sean Christopherson
Reviewed-by: Binbin Wu
---
 arch/x86/kvm/kvm_cache_regs.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kvm/kvm_cache_regs.h b/arch/x86/kvm/kvm_cache_regs.h
index 36a8786db291..8ddb01191d6f 100644
--- a/arch/x86/kvm/kvm_cache_regs.h
+++ b/arch/x86/kvm/kvm_cache_regs.h @@ -7,7 +7,8 @@ #define KVM_POSSIBLE_CR0_GUEST_BITS (X86_CR0_TS | X86_CR0_WP) #define KVM_POSSIBLE_CR4_GUEST_BITS \ (X86_CR4_PVI | X86_CR4_DE | X86_CR4_PCE | X86_CR4_OSFXSR \ - | X86_CR4_OSXMMEXCPT | X86_CR4_PGE | X86_CR4_TSD | X86_CR4_FSGSBASE) + | X86_CR4_OSXMMEXCPT | X86_CR4_PGE | X86_CR4_TSD | X86_CR4_FSGSBASE \ + | X86_CR4_CET) =20 #define X86_CR0_PDPTR_BITS (X86_CR0_CD | X86_CR0_NW | X86_CR0_PG) #define X86_CR4_TLBFLUSH_BITS (X86_CR4_PGE | X86_CR4_PCIDE | X86_CR4_PAE |= X86_CR4_SMEP) --=20 2.51.0.470.ga7dc726c21-goog
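Review bot: in the hunk at @@ -7,7 +7,8 @@, once X86_CR4_CET is guest-owned the guest can flip it without a VM-exit, so KVM's cached CR4 value and the value in the VMCS can diverge until the cache is refreshed; any KVM code that reads CR4.CET must therefore go through the accessors that honour guest-owned bits rather than a cached copy, and the commit message only discusses the MMU-role side, so an explicit note that direct readers of X86_CR4_CET were audited would strengthen the justification. Worth stating as well: because X86_CR0_WP is already in KVM_POSSIBLE_CR0_GUEST_BITS (visible two lines above), the CR4.CET=1 requires CR0.WP=1 rule the message mentions is enforced by the CPU itself for non-intercepted guest writes, while KVM's software check remains responsible for the intercepted and userspace-initiated (e.g. KVM_SET_SREGS) paths.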