From nobody Thu Oct 2 07:48:31 2025 Received: from mail-pg1-f202.google.com (mail-pg1-f202.google.com [209.85.215.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8E4332FBE01 for ; Fri, 19 Sep 2025 22:33:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.215.202 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758321235; cv=none; b=WM7SEW2whny6tu0H8MbCp7+kZt0xOhcRE/Uod/u84ES/azM4q1VPlEAjETpxzHfJFdvHL4IwS1SzfgHEMyZ30uF1avWC1oGXy2LcZWyvF4KcoDBg25qgo2fodQCv896fVQZtZ9PZIoaqCKStFdqxE0hq17TcXQs+0qTDjOcUHCI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758321235; c=relaxed/simple; bh=2gM7Uop8vPVEXUGMYiag2AvONubl/l+I+/souHg70aw=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=EO06LL6S86vQItLW1n3I8g73MGrGbDqeSEF3EdL3tv1TPyiyegXRBHM4CaxfzCbRqt700Yd0kBj680oeG1O2/AHs6Bee0Wm+1FK0SABWup+1c1k8uyS8gljqrDIN1JF6gUUFjmPPST4nbf8A41Gh8mHg91assFx9CNrfWxEvDcM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=xtJH13b7; arc=none smtp.client-ip=209.85.215.202 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="xtJH13b7" Received: by mail-pg1-f202.google.com with SMTP id 41be03b00d2f7-b551ca103d8so756918a12.1 for ; Fri, 19 Sep 2025 15:33:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1758321233; x=1758926033; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:reply-to:from:to:cc:subject:date:message-id:reply-to; bh=23qlWqf4oRLqIZNu0WNA2q5Vhl7DiLF7Tw6OyPY4Ueg=; b=xtJH13b7xTbSjKYicpoSCk7twmXeU8gZ8/+EEw5wi7IGbEeMb2sZJuFNidq/6kQa93 X7ULUE5pX4VgF0aa8bcJu8wn7xgHC6ahltko3X/CMpkPVhLFMlwe5cdtz5IxPeenJjv2 6zS8EoWXjCYzETUJ0qNFe0Ft1263glGWXh1DTDlYIpXAdAKPOrFRMQrpjNIRAXKpL1mU dwlDs4juHaj7e8ymfLgraHRb+PUq/JqLHNritCYLrVxGFRcVC+3PFzDcJ1+8tyHsY0b0 8rlsgK9V4PWjdFz+ChiDTrfMgWG28APedAeIYFc5ftxDcCRri5d3ib+VN5CS+Uuo4bCW UtZA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1758321233; x=1758926033; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:reply-to:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=23qlWqf4oRLqIZNu0WNA2q5Vhl7DiLF7Tw6OyPY4Ueg=; b=dj5gCeJbneLyMEHp4DWEjrlFwMi1iuWfF3xhRWX6VEf7KL4bdyG4ltEzxholI6C8/C QA9ur6DmPnsvMO6B9t8mqlEQFajRCWjZPgICivt8mPABwdOllFvaHo3+4zz2w4QjoVjI DAb8/Dn55ht3mCL/P08m9nFN2aWnoJH4RZVyuxJwbdIaKLHxalLw3SL6PobTN3S/eEIS Ur1lyFMIy2g20xcKfS6BonVBbk6ouv/q2dU/04lrKkBsI+2bbWD06273BakcjK1Bo+57 wH6aUccOOAuDoQLU5cpi99VU9r27Oc8lIBaLc3fLL3McyswLp8+/4krgWEyN8dz3XKEC HMEQ== X-Forwarded-Encrypted: i=1; AJvYcCVfhGjI8CAhzgFYexzlRKNzB4p6uHzt8kIFNfjMXVxYf3uI+U4YNYjRWFhAgXIVsvKTR2A7wFKzu0xcUbg=@vger.kernel.org X-Gm-Message-State: AOJu0YxfIbqzOAZVrJdFd1KVDhoutKiPQQh4jUwnWGAEZfbslJlM2NNq jPWzDcTX9JX2CiFIv5oq5ZTScskRSn1BZZknB0nvOS0PjhJqxIHaXumeNlGo2on7W2dUU1NgvSh 8Q5+Gqw== X-Google-Smtp-Source: AGHT+IHttAp5meToldAIyK6UP8vRXnlxncg/zpxLk/f31AwWxs8t6p1klk35VhoiSoa10kmYsFy/XIQ3Pjg= X-Received: from pjbsd13.prod.google.com ([2002:a17:90b:514d:b0:325:a8d:a485]) (user=seanjc job=prod-delivery.src-stubby-dispatcher) by 2002:a05:6a21:e083:b0:262:cc1a:abdd with SMTP id adf61e73a8af0-2927689e7admr7584917637.60.1758321232887; Fri, 19 Sep 2025 15:33:52 -0700 (PDT) Reply-To: Sean Christopherson Date: Fri, 19 Sep 2025 15:32:34 -0700 In-Reply-To: <20250919223258.1604852-1-seanjc@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20250919223258.1604852-1-seanjc@google.com> X-Mailer: git-send-email 2.51.0.470.ga7dc726c21-goog Message-ID: <20250919223258.1604852-28-seanjc@google.com> Subject: [PATCH v16 27/51] KVM: x86: Disable support for IBT and SHSTK if allow_smaller_maxphyaddr is true From: Sean Christopherson To: Paolo Bonzini , Sean Christopherson Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky , Mathias Krause , John Allen , Rick Edgecombe , Chao Gao , Binbin Wu , Xiaoyao Li , Maxim Levitsky , Zhang Yi Z , Xin Li Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Make IBT and SHSTK virtualization mutually exclusive with "officially" supporting setups with guest.MAXPHYADDR < host.MAXPHYADDR, i.e. if the allow_smaller_maxphyaddr module param is set. Running a guest with a smaller MAXPHYADDR requires intercepting #PF, and can also trigger emulation of arbitrary instructions. Intercepting and reacting to #PFs doesn't play nice with SHSTK, as KVM's MMU hasn't been taught to handle Shadow Stack accesses, and emulating arbitrary instructions doesn't play nice with IBT or SHSTK, as KVM's emulator doesn't handle the various side effects, e.g. doesn't enforce end-branch markers or model Shadow Stack updates. Note, hiding IBT and SHSTK based solely on allow_smaller_maxphyaddr is overkill, as allow_smaller_maxphyaddr is only problematic if the guest is actually configured to have a smaller MAXPHYADDR. However, KVM's ABI doesn't provide a way to express that IBT and SHSTK may break if enabled in conjunction with guest.MAXPHYADDR < host.MAXPHYADDR. I.e. the alternative is to do nothing in KVM and instead update documentation and hope KVM users are thorough readers. Go with the conservative-but-correct approach; worst case scenario, this restriction can be dropped if there's a strong use case for enabling CET on hosts with allow_smaller_maxphyaddr. Signed-off-by: Sean Christopherson Reviewed-by: Binbin Wu --- arch/x86/kvm/cpuid.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c index 499c86bd457e..b5c4cb13630c 100644 --- a/arch/x86/kvm/cpuid.c +++ b/arch/x86/kvm/cpuid.c @@ -963,6 +963,16 @@ void kvm_set_cpu_caps(void) if (!tdp_enabled) kvm_cpu_cap_clear(X86_FEATURE_SHSTK); =20 + /* + * Disable support for IBT and SHSTK if KVM is configured to emulate + * accesses to reserved GPAs, as KVM's emulator doesn't support IBT or + * SHSTK, nor does KVM handle Shadow Stack #PFs (see above). + */ + if (allow_smaller_maxphyaddr) { + kvm_cpu_cap_clear(X86_FEATURE_SHSTK); + kvm_cpu_cap_clear(X86_FEATURE_IBT); + } + kvm_cpu_cap_init(CPUID_7_EDX, F(AVX512_4VNNIW), F(AVX512_4FMAPS), --=20 2.51.0.470.ga7dc726c21-goog