[v12,00/10] Introduce support for guest CET feature

Message ID 20200506082110.25441-1-weijiang.yang@intel.com (mailing list archive)

Yang, Weijiang May 6, 2020, 8:20 a.m. UTC
Control-flow Enforcement Technology (CET) provides protection against
Return/Jump-Oriented Programming (ROP/JOP) attack. There're two CET
sub-features: Shadow Stack (SHSTK) and Indirect Branch Tracking (IBT).
SHSTK is to prevent ROP programming and IBT is to prevent JOP programming.

Several parts in KVM have been updated to provide VM CET support, including:
CPUID/XSAVES config, MSR pass-through, user space MSR access interface, 
vmentry/vmexit config, nested VM etc. These patches have dependency on CET
kernel patches for xsaves support and CET definitions, e.g., MSR and related
feature flags.

CET kernel patches are here:
https://lkml.kernel.org/r/20200429220732.31602-1-yu-cheng.yu@intel.com

v12:
- Fixed a few issues per Sean and Paolo's review feedback.
- Refactored patches to make them properly arranged.
- Removed unnecessary hard-coded CET states for host/guest.
- Added compile-time assertions for vmcs_field_to_offset_table to detect
  mismatch of the field type and field encoding number.
- Added a custom MSR MSR_KVM_GUEST_SSP for guest active SSP save/restore.
- Rebased patches to 5.7-rc3.

v11:
- Fixed a guest vmentry failure issue when guest reboots.
- Used vm_xxx_control_{set, clear}bit() to avoid side effects: it clears
  the cached data rather than only the raw VMCS field bits.
- Added vcpu->arch.guest_supported_xss dedicated for guest runtime mask,
  this avoids the supported_xss overwrite issue caused by an old qemu.
- Separated vmentry/vmexit state setting with CR0/CR4 dependency check
  to make the patch more clear.
- Added CET VMCS states in dump_vmcs() for debugging purpose.
- Other refactor based on testing.
- This patch series is built on top of the branch below and the CET kernel
  patches, for xsaves support:
  https://git.kernel.org/pub/scm/virt/kvm/kvm.git/log/?h=cpu-caps

v10:
- Refactored code per Sean's review feedback.
- Added CET support for nested VM.
- Removed fix-patch for CPUID(0xd,N) enumeration as this part is done
  by Paolo and Sean.
- This new patchset is based on Paolo's queued cpu_caps branch.
- Modified patch per XSAVES related change.
- Consolidated KVM unit-test patch with KVM patches.

v9:
- Refactored msr-check functions per Sean's feedback.
- Fixed a few issues per Sean's suggestion.
- Rebased patch to kernel-v5.4.
- Moved CET CPUID feature bits and CR4.CET to last patch.

v8:
- Addressed Jim and Sean's feedback on: 1) CPUID(0xD,i) enumeration. 2)
  sanity checks when configuring guest CET. 3) function improvement.
- Added more sanity check functions.
- Set host vmexit default status so that guest won't leak CET status to
  host when vmexit.
- Added CR0.WP vs. CR4.CET mutual constraints.

v7:
- Rebased patch to kernel v5.3
- Sean suggested changing the CPUID(0xd, n) enumeration code to align with
  the existing one, and I think it's better to make the fix an independent patch
  since XSS MSRs are widely used on X86 platforms.
- Check more host and guest status before configuring guest CET
  per Sean's feedback.
- Add error-check before guest accesses CET MSRs per Sean's feedback.
- Other minor fixes suggested by Sean.

v6:
- Rebase patch to kernel v5.2.
- Move CPUID(0xD, n>=1) helper to a separate patch.
- Merge xsave size fix with other patch.
- Other minor fixes per community feedback.

v5:
- Rebase patch to kernel v5.1.
- Wrap CPUID(0xD, n>=1) code to a helper function.
- Pass through MSR_IA32_PL1_SSP and MSR_IA32_PL2_SSP to Guest.
- Add Co-developed-by expression in patch description.
- Refine patch description.

v4:
- Add Sean's patch for loading Guest fpu state before accessing XSAVES
  managed CET MSRs.
- Melt down CET bits setting into CPUID configuration patch.
- Add VMX interface to query Host XSS.
- Check Host and Guest XSS support bits before setting Guest XSS.
- Make Guest SHSTK and IBT feature enabling independent.
- Do not report CET support to Guest when Host CET feature is Disabled.

v3:
- Modified patches to make Guest CET independent of Host enabling.
- Added patch 8 to add user space access for Guest CET MSR access.
- Modified code comments and patch description to reflect changes.

v2:
- Re-ordered patch sequence, combined one patch.
- Added more description for CET related VMCS fields.
- Added Host CET capability check while enabling Guest CET loading bit.
- Added Host CET capability check while reporting Guest CPUID(EAX=7, ECX=0).
- Modified code in reporting Guest CPUID(EAX=D,ECX>=1), make it clearer.
- Added Host and Guest XSS mask check while setting bits for Guest XSS.



Sean Christopherson (1):
  KVM: x86: Load guest fpu state when access MSRs managed by XSAVES

Yang Weijiang (9):
  KVM: VMX: Introduce CET VMCS fields and flags
  KVM: VMX: Set guest CET MSRs per KVM and host configuration
  KVM: VMX: Configure CET settings upon guest CR0/4 changing
  KVM: x86: Refresh CPUID once guest changes XSS bits
  KVM: x86: Add userspace access interface for CET MSRs
  KVM: VMX: Enable CET support for nested VM
  KVM: VMX: Add VMCS dump and sanity check for CET states
  KVM: x86: Add #CP support in guest exception dispatch
  KVM: x86: Enable CET virtualization and advertise CET to userspace

 arch/x86/include/asm/kvm_host.h      |   4 +-
 arch/x86/include/asm/vmx.h           |   8 +
 arch/x86/include/uapi/asm/kvm.h      |   1 +
 arch/x86/include/uapi/asm/kvm_para.h |   7 +-
 arch/x86/kvm/cpuid.c                 |  28 ++-
 arch/x86/kvm/vmx/capabilities.h      |   5 +
 arch/x86/kvm/vmx/nested.c            |  34 ++++
 arch/x86/kvm/vmx/vmcs12.c            | 275 ++++++++++++++++-----------
 arch/x86/kvm/vmx/vmcs12.h            |  14 +-
 arch/x86/kvm/vmx/vmx.c               | 257 ++++++++++++++++++++++++-
 arch/x86/kvm/x86.c                   |  42 +++-
 arch/x86/kvm/x86.h                   |   2 +-
 12 files changed, 546 insertions(+), 131 deletions(-)
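The cover letter's changelog repeatedly mentions the host capability checks done before CET is advertised to a guest: the CPUID(EAX=7, ECX=0) check, independent SHSTK/IBT enabling, and the host/guest XSS mask check. The following is an added user-space model of those checks written for this page; it is not code from the series or from KVM. The CPUID and XSS bit positions are the architectural ones (CET_SS is CPUID.(7,0):ECX[7], CET_IBT is CPUID.(7,0):EDX[20], CET user/supervisor state are XSAVES components 11 and 12); the rule that both XSS components must be supported before either sub-feature is offered is an assumption made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CPUID7_ECX_SHSTK (1u << 7)    /* CPUID.(7,0):ECX[7]  CET_SS  */
#define CPUID7_EDX_IBT   (1u << 20)   /* CPUID.(7,0):EDX[20] CET_IBT */
#define XSS_CET_U        (1ull << 11) /* XSAVES component 11: user CET MSRs */
#define XSS_CET_S        (1ull << 12) /* XSAVES component 12: supervisor CET MSRs */
#define XSS_CET_ALL      (XSS_CET_U | XSS_CET_S)

struct cet_caps {
    bool shstk;
    bool ibt;
    uint64_t xss; /* XSS bits the guest must be allowed to set for these features */
};

/* What may be advertised to a guest: each sub-feature is enabled on its own,
 * only if the host CPU has it, userspace asked for it, and the host-supported
 * IA32_XSS mask (CPUID.(0xD,1):EDX:ECX) covers the CET state components that
 * hold the CET MSRs. Illustrative policy, not KVM's actual implementation. */
struct cet_caps guest_cet_caps(uint32_t host_ecx, uint32_t host_edx,
                               uint64_t host_xss_supported,
                               uint32_t want_ecx, uint32_t want_edx)
{
    struct cet_caps c = {false, false, 0};

    if ((host_xss_supported & XSS_CET_ALL) != XSS_CET_ALL)
        return c; /* CET MSRs are XSAVES-managed; without the components, no CET */
    c.shstk = (host_ecx & want_ecx & CPUID7_ECX_SHSTK) != 0;
    c.ibt   = (host_edx & want_edx & CPUID7_EDX_IBT) != 0;
    if (c.shstk || c.ibt)
        c.xss = XSS_CET_ALL;
    return c;
}

/* Host/guest XSS mask check: reject a guest IA32_XSS value that sets bits the
 * host does not support, or CET bits the guest's CPUID does not entitle it to. */
bool guest_xss_valid(uint64_t guest_xss, uint64_t host_xss_supported,
                     struct cet_caps caps)
{
    if (guest_xss & ~host_xss_supported)
        return false;
    if ((guest_xss & XSS_CET_ALL) && !caps.shstk && !caps.ibt)
        return false;
    return true;
}
```

Run against constructed register values (a host with both sub-features and components 11/12, a guest asking for SHSTK only) the model offers SHSTK alone and rejects a guest XSS that sets component bits the host lacks.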

Comments

Yang, Weijiang May 18, 2020, 8:42 a.m. UTC | #1
On Wed, May 06, 2020 at 04:20:59PM +0800, Yang Weijiang wrote:
> Control-flow Enforcement Technology (CET) provides protection against
> Return/Jump-Oriented Programming (ROP/JOP) attack. There're two CET
> sub-features: Shadow Stack (SHSTK) and Indirect Branch Tracking (IBT).
> SHSTK is to prevent ROP programming and IBT is to prevent JOP programming.
> 
> Several parts in KVM have been updated to provide VM CET support, including:
> CPUID/XSAVES config, MSR pass-through, user space MSR access interface, 
> vmentry/vmexit config, nested VM etc. These patches have dependency on CET
> kernel patches for xsaves support and CET definitions, e.g., MSR and related
> feature flags.
> 
> CET kernel patches are here:
> https://lkml.kernel.org/r/20200429220732.31602-1-yu-cheng.yu@intel.com
> 
> v12:
> - Fixed a few issues per Sean and Paolo's review feedback.
> - Refactored patches to make them properly arranged.
> - Removed unnecessary hard-coded CET states for host/guest.
> - Added compile-time assertions for vmcs_field_to_offset_table to detect
>   mismatch of the field type and field encoding number.
> - Added a custom MSR MSR_KVM_GUEST_SSP for guest active SSP save/restore.
> - Rebased patches to 5.7-rc3.
> 
ping...

Sean and Paolo,
Could you review v12 at your convenience? Thank you!
Sean Christopherson May 19, 2020, 6:06 a.m. UTC | #2
On Mon, May 18, 2020 at 04:42:32PM +0800, Yang Weijiang wrote:
> On Wed, May 06, 2020 at 04:20:59PM +0800, Yang Weijiang wrote:
> > Control-flow Enforcement Technology (CET) provides protection against
> > Return/Jump-Oriented Programming (ROP/JOP) attack. There're two CET
> > sub-features: Shadow Stack (SHSTK) and Indirect Branch Tracking (IBT).
> > SHSTK is to prevent ROP programming and IBT is to prevent JOP programming.
> > 
> > Several parts in KVM have been updated to provide VM CET support, including:
> > CPUID/XSAVES config, MSR pass-through, user space MSR access interface, 
> > vmentry/vmexit config, nested VM etc. These patches have dependency on CET
> > kernel patches for xsaves support and CET definitions, e.g., MSR and related
> > feature flags.
> > 
> > CET kernel patches are here:
> > https://lkml.kernel.org/r/20200429220732.31602-1-yu-cheng.yu@intel.com
> > 
> > v12:
> > - Fixed a few issues per Sean and Paolo's review feedback.
> > - Refactored patches to make them properly arranged.
> > - Removed unnecessary hard-coded CET states for host/guest.
> > - Added compile-time assertions for vmcs_field_to_offset_table to detect
> >   mismatch of the field type and field encoding number.
> > - Added a custom MSR MSR_KVM_GUEST_SSP for guest active SSP save/restore.
> > - Rebased patches to 5.7-rc3.
> > 
> ping...
> 
> Sean and Paolo,
> Could you review v12 at your convenience? Thank you!

Through no fault of your own, it'll probably be a few weeks before I get back
to your CET series.  The kernel enabling doesn't seem like it's going to be
merged anytime soon, certainly not for 5.8, so unfortunately your series got
put on the backburner.  Sorry :-(.
Sean Christopherson June 10, 2020, 4:56 p.m. UTC | #3
On Wed, May 06, 2020 at 04:20:59PM +0800, Yang Weijiang wrote:
> Several parts in KVM have been updated to provide VM CET support, including:
> CPUID/XSAVES config, MSR pass-through, user space MSR access interface, 
> vmentry/vmexit config, nested VM etc. These patches have dependency on CET
> kernel patches for xsaves support and CET definitions, e.g., MSR and related
> feature flags.

Other than the MSR and cpufeatures flags definitions, is there any direct
dependency on kernel CET support?  I.e. if/when XSAVES support is merged,
is there anything beyond the architectural definitions that are required to
merge KVM CET virtualization?
Yang, Weijiang June 11, 2020, 1:29 a.m. UTC | #4
On Wed, Jun 10, 2020 at 09:56:36AM -0700, Sean Christopherson wrote:
> On Wed, May 06, 2020 at 04:20:59PM +0800, Yang Weijiang wrote:
> > Several parts in KVM have been updated to provide VM CET support, including:
> > CPUID/XSAVES config, MSR pass-through, user space MSR access interface, 
> > vmentry/vmexit config, nested VM etc. These patches have dependency on CET
> > kernel patches for xsaves support and CET definitions, e.g., MSR and related
> > feature flags.
> 
> Other than the MSR and cpufeatures flags definitions, is there any direct
> dependency on kernel CET support?  I.e. if/when XSAVES support is merged,
> is there anything beyond the architectural definitions that are required to
> merge KVM CET virtualization?
No, KVM CET patches only depend on kernel CET related definitions and XSAVES 
support now. But to make guest CET work, we need CET patches for QEMU.
Sean Christopherson June 23, 2020, 6:39 p.m. UTC | #5
On Thu, Jun 11, 2020 at 09:29:13AM +0800, Yang Weijiang wrote:
> On Wed, Jun 10, 2020 at 09:56:36AM -0700, Sean Christopherson wrote:
> > On Wed, May 06, 2020 at 04:20:59PM +0800, Yang Weijiang wrote:
> > > Several parts in KVM have been updated to provide VM CET support, including:
> > > CPUID/XSAVES config, MSR pass-through, user space MSR access interface, 
> > > vmentry/vmexit config, nested VM etc. These patches have dependency on CET
> > > kernel patches for xsaves support and CET definitions, e.g., MSR and related
> > > feature flags.
> > 
> > Other than the MSR and cpufeatures flags definitions, is there any direct
> > dependency on kernel CET support?  I.e. if/when XSAVES support is merged,
> > is there anything beyond the architectural definitions that are required to
> > merge KVM CET virtualization?
> No, KVM CET patches only depend on kernel CET related definitions and XSAVES 
> support now.

Neato.

> But to make guest CET work, we need CET patches for QEMU.

Ya, but we don't need to wait for host kernel support, which was the crux of
my question.


Can you please respin this series with the CET definition patches included?
The XSAVES support has been queued to tip/x86/fpu.  Assuming that lands in
kernel 5.9, I _think_ KVM support for CET can land in 5.10.

Base your series on kvm/queue, i.e. don't worry about the XSAVES patches,
I'll merge them in from tip/x86/fpu for testing.

Thanks!
Yang, Weijiang June 24, 2020, 5:56 a.m. UTC | #6
On Tue, Jun 23, 2020 at 11:39:19AM -0700, Sean Christopherson wrote:
> On Thu, Jun 11, 2020 at 09:29:13AM +0800, Yang Weijiang wrote:
> > On Wed, Jun 10, 2020 at 09:56:36AM -0700, Sean Christopherson wrote:
> > > On Wed, May 06, 2020 at 04:20:59PM +0800, Yang Weijiang wrote:
> > > > Several parts in KVM have been updated to provide VM CET support, including:
> > > > CPUID/XSAVES config, MSR pass-through, user space MSR access interface, 
> > > > vmentry/vmexit config, nested VM etc. These patches have dependency on CET
> > > > kernel patches for xsaves support and CET definitions, e.g., MSR and related
> > > > feature flags.
> > > 
> > > Other than the MSR and cpufeatures flags definitions, is there any direct
> > > dependency on kernel CET support?  I.e. if/when XSAVES support is merged,
> > > is there anything beyond the architectural definitions that are required to
> > > merge KVM CET virtualization?
> > No, KVM CET patches only depend on kernel CET related definitions and XSAVES 
> > support now.
> 
> Neato.
> 
> > But to make guest CET work, we need CET patches for QEMU.
> 
> Ya, but we don't need to wait for host kernel support, which was the crux of
> my question.
> 
> 
> Can you please respin this series with the CET definition patches included?
> The XSAVES support has been queued to tip/x86/fpu.  Assuming that lands in
> kernel 5.9, I _think_ KVM support for CET can land in 5.10.

Sure. Besides this change and the unrestricted guest case change, any
other changes I should do to v12 patch?

Thanks for review!
> 
> Base your series on kvm/queue, i.e. don't worry about the XSAVES patches,
> I'll merge them in from tip/x86/fpu for testing.
> 
> Thanks!