Date: Fri, 19 Sep 2025 15:32:19 -0700
From: Sean Christopherson
Reply-To: Sean Christopherson
To: Paolo Bonzini, Sean Christopherson
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Maxim Levitsky, Zhang Yi Z, Xin Li
Subject: [PATCH v16 12/51] KVM: VMX: Introduce CET VMCS fields and control bits
Message-ID: <20250919223258.1604852-13-seanjc@google.com>
In-Reply-To: <20250919223258.1604852-1-seanjc@google.com>
References: <20250919223258.1604852-1-seanjc@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Yang Weijiang

Control-flow Enforcement Technology (CET) is a kind of CPU feature used to prevent Return/CALL/Jump-Oriented Programming (ROP/COP/JOP) attacks. It provides two sub-features (SHSTK, IBT) to defend against ROP/COP/JOP style control-flow subversion attacks.

Shadow Stack (SHSTK):
A shadow stack is a second stack used exclusively for control transfer operations. The shadow stack is separate from the data/normal stack and can be enabled individually in user and kernel mode. When shadow stack is enabled, CALL pushes the return address on both the data and shadow stack. RET pops the return address from both stacks and compares them. If the return addresses from the two stacks do not match, the processor generates a #CP.

Indirect Branch Tracking (IBT):
IBT introduces an instruction (ENDBRANCH) to mark valid target addresses of indirect branches (CALL, JMP etc...). If an indirect branch is executed and the next instruction is _not_ an ENDBRANCH, the processor generates a #CP. These instructions behave as a NOP on platforms that have no CET.

Several new CET MSRs are defined to support CET:

MSR_IA32_{U,S}_CET: CET settings for {user,supervisor} CET respectively.

MSR_IA32_PL{0,1,2,3}_SSP: SHSTK pointer linear address for CPL{0,1,2,3}.

MSR_IA32_INT_SSP_TAB: Linear address of SHSTK pointer table, whose entry is indexed by IST of interrupt gate desc.

Two XSAVES state bits are introduced for CET:
IA32_XSS:[bit 11]: Control saving/restoring user mode CET states
IA32_XSS:[bit 12]: Control saving/restoring supervisor mode CET states.

Six VMCS fields are introduced for CET:
{HOST,GUEST}_S_CET: Stores CET settings for kernel mode.
{HOST,GUEST}_SSP: Stores current active SSP.
{HOST,GUEST}_INTR_SSP_TABLE: Stores current active MSR_IA32_INT_SSP_TAB.
On Intel platforms, two additional bits are defined in VM_EXIT and VM_ENTRY control fields:

If VM_EXIT_LOAD_CET_STATE = 1, host CET states are loaded from following VMCS fields at VM-Exit:
HOST_S_CET
HOST_SSP
HOST_INTR_SSP_TABLE

If VM_ENTRY_LOAD_CET_STATE = 1, guest CET states are loaded from following VMCS fields at VM-Entry:
GUEST_S_CET
GUEST_SSP
GUEST_INTR_SSP_TABLE

Co-developed-by: Zhang Yi Z
Signed-off-by: Zhang Yi Z
Signed-off-by: Yang Weijiang
Reviewed-by: Chao Gao
Reviewed-by: Maxim Levitsky
Tested-by: Mathias Krause
Tested-by: John Allen
Tested-by: Rick Edgecombe
Signed-off-by: Chao Gao
Reviewed-by: Binbin Wu
Reviewed-by: Xiaoyao Li
Signed-off-by: Sean Christopherson
---
 arch/x86/include/asm/vmx.h | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/arch/x86/include/asm/vmx.h b/arch/x86/include/asm/vmx.h index cca7d6641287..ce10a7e2d3d9 100644 --- a/arch/x86/include/asm/vmx.h +++ b/arch/x86/include/asm/vmx.h @@ -106,6 +106,7 @@ #define VM_EXIT_CLEAR_BNDCFGS 0x00800000 #define VM_EXIT_PT_CONCEAL_PIP 0x01000000 #define VM_EXIT_CLEAR_IA32_RTIT_CTL 0x02000000 +#define VM_EXIT_LOAD_CET_STATE 0x10000000 =20 #define VM_EXIT_ALWAYSON_WITHOUT_TRUE_MSR 0x00036dff =20 @@ -119,6 +120,7 @@ #define VM_ENTRY_LOAD_BNDCFGS 0x00010000 #define VM_ENTRY_PT_CONCEAL_PIP 0x00020000 #define VM_ENTRY_LOAD_IA32_RTIT_CTL 0x00040000 +#define VM_ENTRY_LOAD_CET_STATE 0x00100000 =20 #define VM_ENTRY_ALWAYSON_WITHOUT_TRUE_MSR 0x000011ff =20 @@ -369,6 +371,9 @@ enum vmcs_field { GUEST_PENDING_DBG_EXCEPTIONS =3D 0x00006822, GUEST_SYSENTER_ESP =3D 0x00006824, GUEST_SYSENTER_EIP =3D 0x00006826, + GUEST_S_CET =3D 0x00006828, + GUEST_SSP =3D 0x0000682a, + GUEST_INTR_SSP_TABLE =3D 0x0000682c, HOST_CR0 =3D 0x00006c00, HOST_CR3 =3D 0x00006c02, HOST_CR4 =3D 0x00006c04, 
@@ -381,6 +386,9 @@ enum vmcs_field { HOST_IA32_SYSENTER_EIP =3D 0x00006c12, HOST_RSP =3D 0x00006c14, HOST_RIP =3D 0x00006c16, + HOST_S_CET =3D 0x00006c18, + HOST_SSP =3D 0x00006c1a, + HOST_INTR_SSP_TABLE =3D 0x00006c1c }; =20 /* --=20 2.51.0.470.ga7dc726c21-goog
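Review bot: the commit message never states the bit positions of the two new controls, so a reader checking the first hunk (`+#define VM_EXIT_LOAD_CET_STATE 0x10000000`) and the second (`+#define VM_ENTRY_LOAD_CET_STATE 0x00100000`) against the SDM has to work out that these are bit 28 of the VM-exit controls and bit 20 of the VM-entry controls; naming the bit numbers in the commit message, or in a one-line comment beside each define, would make the constants reviewable on their own. Leaving VM_EXIT_ALWAYSON_WITHOUT_TRUE_MSR and VM_ENTRY_ALWAYSON_WITHOUT_TRUE_MSR untouched is correct, since the new controls are optional rather than always-on.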
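Review bot: in the third hunk, GUEST_SSP and GUEST_INTR_SSP_TABLE are linear addresses under guest control (the commit message describes them as the active SSP and the active MSR_IA32_INT_SSP_TAB), but neither the hunk nor the commit message says where values written into these fields are validated before VM-entry consumes them. Since this patch only adds the encodings, a sentence in the commit message pointing to the patch in the series that performs those checks would let a reviewer look at the definitions and their consumers together.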
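Review bot: in the last hunk, the final new enumerator `HOST_INTR_SSP_TABLE = 0x00006c1c` drops the trailing comma that every preceding entry carries, including the `HOST_RIP = 0x00006c16,` context line it follows; keeping the comma on the last enumerator matches the surrounding style and avoids churn on this line the next time a host-state field is appended.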
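As an added example (not part of the patch or the kernel), the following program decodes the six VMCS field encodings and the two control masks from this patch using the SDM's VMCS encoding layout, and shows how a single-bit control is checked against the allowed-1 half of an IA32_VMX_*_CTLS capability MSR; the capability MSR value is constructed, and the helper names are my own.

```c
/*
 * Added example (not part of the patch): decode the VMCS field encodings
 * introduced above (SDM layout: bits 14:13 width, 11:10 type, 9:1 index,
 * bit 0 high-half access) and check a control mask against the allowed-1
 * half of a constructed IA32_VMX_*_CTLS capability MSR value.
 */
#include <stdint.h>
#include <stdio.h>

#define VM_EXIT_LOAD_CET_STATE   0x10000000
#define VM_ENTRY_LOAD_CET_STATE  0x00100000
enum vmcs_type  { VMCS_CONTROL = 0, VMCS_EXIT_INFO = 1, VMCS_GUEST = 2, VMCS_HOST = 3 };
enum vmcs_width { VMCS_W16 = 0, VMCS_W64 = 1, VMCS_W32 = 2, VMCS_WNATURAL = 3 };

static unsigned vmcs_field_width(uint32_t enc) { return (enc >> 13) & 3; }
static unsigned vmcs_field_type(uint32_t enc)  { return (enc >> 10) & 3; }
static unsigned vmcs_field_index(uint32_t enc) { return (enc >> 1) & 0x1ff; }

/* Bit number of a one-bit control mask, or -1 if the mask is not one bit. */
static int ctrl_bit_number(uint32_t mask)
{
    if (mask == 0 || (mask & (mask - 1)) != 0)
        return -1;
    return __builtin_ctz(mask);
}

/* Bits 63:32 of IA32_VMX_{TRUE_,}EXIT/ENTRY_CTLS are the allowed-1 settings;
 * a control may be enabled only if every bit of its mask is allowed there. */
static int vmx_ctrl_settable(uint64_t ctls_msr, uint32_t mask)
{
    return ((uint32_t)(ctls_msr >> 32) & mask) == mask;
}

int main(void)
{
    /* Constructed capability value: low half = must-be-1 bits (the patch's
     * VM_EXIT_ALWAYSON_WITHOUT_TRUE_MSR), high half additionally allows CET. */
    uint64_t exit_ctls = ((uint64_t)(0x00036dffu | VM_EXIT_LOAD_CET_STATE) << 32) | 0x00036dffu;
    uint32_t fields[] = { 0x6828, 0x682a, 0x682c, 0x6c18, 0x6c1a, 0x6c1c };
    for (unsigned i = 0; i < sizeof(fields) / sizeof(fields[0]); i++)
        printf("0x%04x: width %u type %u index %u\n", fields[i],
               vmcs_field_width(fields[i]), vmcs_field_type(fields[i]),
               vmcs_field_index(fields[i]));
    printf("VM_EXIT_LOAD_CET_STATE = bit %d, settable: %d\n",
           ctrl_bit_number(VM_EXIT_LOAD_CET_STATE),
           vmx_ctrl_settable(exit_ctls, VM_EXIT_LOAD_CET_STATE));
    return 0;
}
```

All six new fields decode as natural-width guest-state (type 2) or host-state (type 3) fields with consecutive indices, which is the consistency check a reviewer would apply to the encodings in the hunks above.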