| Message ID | 20231124055330.138870-4-weijiang.yang@intel.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | Enable CET Virtualization | expand |
On Fri, Nov 24, 2023 at 12:53:07AM -0500, Yang Weijiang wrote: > Note, in KVM case, guest CET supervisor state i.e., IA32_PL{0,1,2}_MSRs, > are preserved after VM-Exit until host/guest fpstates are swapped, but > since host supervisor shadow stack is disabled, the preserved MSRs won't > hurt host. Just to be clear, with FRED all this changes, right? Then we get more VMCS fields for SSS state.
On 11/24/2023 5:45 PM, Peter Zijlstra wrote: > On Fri, Nov 24, 2023 at 12:53:07AM -0500, Yang Weijiang wrote: > >> Note, in KVM case, guest CET supervisor state i.e., IA32_PL{0,1,2}_MSRs, >> are preserved after VM-Exit until host/guest fpstates are swapped, but >> since host supervisor shadow stack is disabled, the preserved MSRs won't >> hurt host. > Just to be clear, with FRED all this changes, right? Then we get more > VMCS fields for SSS state. Yes, I think so, KVM needs to properly handle guest SSS state and host FRED states. Thanks!
On Fri, 2023-11-24 at 00:53 -0500, Yang Weijiang wrote: > Add supervisor mode state support within FPU xstate management > framework. > Although supervisor shadow stack is not enabled/used today in > kernel,KVM > requires the support because when KVM advertises shadow stack feature > to > guest, architecturally it claims the support for both user and > supervisor > modes for guest OSes(Linux or non-Linux). > > CET supervisor states not only includes PL{0,1,2}_SSP but also > IA32_S_CET > MSR, but the latter is not xsave-managed. In virtualization world, > guest > IA32_S_CET is saved/stored into/from VM control structure. With > supervisor > xstate support, guest supervisor mode shadow stack state can be > properly > saved/restored when 1) guest/host FPU context is swapped 2) vCPU > thread is sched out/in. > > The alternative is to enable it in KVM domain, but KVM maintainers > NAKed > the solution. The external discussion can be found at [*], it ended > up > with adding the support in kernel instead of KVM domain. > > Note, in KVM case, guest CET supervisor state i.e., > IA32_PL{0,1,2}_MSRs, > are preserved after VM-Exit until host/guest fpstates are swapped, > but > since host supervisor shadow stack is disabled, the preserved MSRs > won't > hurt host. > > [*]: > https://lore.kernel.org/all/806e26c2-8d21-9cc9-a0b7-7787dd231729@intel.com/ > > Signed-off-by: Yang Weijiang <weijiang.yang@intel.com> Reviewed-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
> > Note, in KVM case, guest CET supervisor state i.e., > > IA32_PL{0,1,2}_MSRs, are preserved after VM-Exit until host/guest > > fpstates are swapped, but since host supervisor shadow stack is > > disabled, the preserved MSRs won't hurt host. > > Just to be clear, with FRED all this changes, right? Then we get more VMCS fields > for SSS state. The FRED spec 5.0 adds new VMCS fields for SSS state. As a result, minimal changes are required to enable FRED for KVM regarding SSS. The FRED spec 5.0 defines 4 MSRs related to SSS: IA32_FRED_SSP[0123] ( the numbers 0-3 in the MSR names refer to the corresponding stack level and not to privilege level). IA32_FRED_SSP0 is just an alias of IA32_PL0_SSP, while IA32_FRED_SSP[123] are new. IA32_FRED_SSP0 is referenced during user level (ring 3) event delivery only with FRED, thus it's fine to run KVM with guest IA32_FRED_SSP0. And I think this is what the change log of this patch tries to clarify. However, with FRED, because IA32_FRED_SSP[123] could be referenced right after VM entry/exit when SSS is enabled, VMX adds new VMCS fields for the 3 MSRs in both guest and host state areas, and does the IA32_FRED_SSP[123] context switch between host and guest during VM entry/exit. Got to mention, there is no additional VMX controls to have CPU save/load IA32_FRED_SSP[123], they share the same controls for IA32_FRED_RSP[123]. So I would say, regarding SSS, *logiclly* FRED enabling for KVM needs no change besides what are done in this patch set.
On Fri, 2023-11-24 at 00:53 -0500, Yang Weijiang wrote: > Add supervisor mode state support within FPU xstate management framework. > Although supervisor shadow stack is not enabled/used today in kernel,KVM > requires the support because when KVM advertises shadow stack feature to > guest, architecturally it claims the support for both user and supervisor > modes for guest OSes(Linux or non-Linux). > > CET supervisor states not only includes PL{0,1,2}_SSP but also IA32_S_CET > MSR, but the latter is not xsave-managed. In virtualization world, guest > IA32_S_CET is saved/stored into/from VM control structure. With supervisor > xstate support, guest supervisor mode shadow stack state can be properly > saved/restored when 1) guest/host FPU context is swapped 2) vCPU > thread is sched out/in. > > The alternative is to enable it in KVM domain, but KVM maintainers NAKed > the solution. The external discussion can be found at [*], it ended up > with adding the support in kernel instead of KVM domain. > > Note, in KVM case, guest CET supervisor state i.e., IA32_PL{0,1,2}_MSRs, > are preserved after VM-Exit until host/guest fpstates are swapped, but > since host supervisor shadow stack is disabled, the preserved MSRs won't > hurt host. > > [*]: https://lore.kernel.org/all/806e26c2-8d21-9cc9-a0b7-7787dd231729@intel.com/ > > Signed-off-by: Yang Weijiang <weijiang.yang@intel.com> > --- > arch/x86/include/asm/fpu/types.h | 14 ++++++++++++-- > arch/x86/include/asm/fpu/xstate.h | 6 +++--- > arch/x86/kernel/fpu/xstate.c | 6 +++++- > 3 files changed, 20 insertions(+), 6 deletions(-) > > diff --git a/arch/x86/include/asm/fpu/types.h b/arch/x86/include/asm/fpu/types.h > index eb810074f1e7..c6fd13a17205 100644 > --- a/arch/x86/include/asm/fpu/types.h > +++ b/arch/x86/include/asm/fpu/types.h > @@ -116,7 +116,7 @@ enum xfeature { > XFEATURE_PKRU, > XFEATURE_PASID, > XFEATURE_CET_USER, > - XFEATURE_CET_KERNEL_UNUSED, > + XFEATURE_CET_KERNEL, > XFEATURE_RSRVD_COMP_13, > XFEATURE_RSRVD_COMP_14, > XFEATURE_LBR, > @@ -139,7 +139,7 @@ enum xfeature { > #define XFEATURE_MASK_PKRU (1 << XFEATURE_PKRU) > #define XFEATURE_MASK_PASID (1 << XFEATURE_PASID) > #define XFEATURE_MASK_CET_USER (1 << XFEATURE_CET_USER) > -#define XFEATURE_MASK_CET_KERNEL (1 << XFEATURE_CET_KERNEL_UNUSED) > +#define XFEATURE_MASK_CET_KERNEL (1 << XFEATURE_CET_KERNEL) > #define XFEATURE_MASK_LBR (1 << XFEATURE_LBR) > #define XFEATURE_MASK_XTILE_CFG (1 << XFEATURE_XTILE_CFG) > #define XFEATURE_MASK_XTILE_DATA (1 << XFEATURE_XTILE_DATA) > @@ -264,6 +264,16 @@ struct cet_user_state { > u64 user_ssp; > }; > > +/* > + * State component 12 is Control-flow Enforcement supervisor states > + */ > +struct cet_supervisor_state { > + /* supervisor ssp pointers */ > + u64 pl0_ssp; > + u64 pl1_ssp; > + u64 pl2_ssp; > +}; > + > /* > * State component 15: Architectural LBR configuration state. > * The size of Arch LBR state depends on the number of LBRs (lbr_depth). > diff --git a/arch/x86/include/asm/fpu/xstate.h b/arch/x86/include/asm/fpu/xstate.h > index d4427b88ee12..3b4a038d3c57 100644 > --- a/arch/x86/include/asm/fpu/xstate.h > +++ b/arch/x86/include/asm/fpu/xstate.h > @@ -51,7 +51,8 @@ > > /* All currently supported supervisor features */ > #define XFEATURE_MASK_SUPERVISOR_SUPPORTED (XFEATURE_MASK_PASID | \ > - XFEATURE_MASK_CET_USER) > + XFEATURE_MASK_CET_USER | \ > + XFEATURE_MASK_CET_KERNEL) > > /* > * A supervisor state component may not always contain valuable information, > @@ -78,8 +79,7 @@ > * Unsupported supervisor features. When a supervisor feature in this mask is > * supported in the future, move it to the supported supervisor feature mask. > */ > -#define XFEATURE_MASK_SUPERVISOR_UNSUPPORTED (XFEATURE_MASK_PT | \ > - XFEATURE_MASK_CET_KERNEL) > +#define XFEATURE_MASK_SUPERVISOR_UNSUPPORTED (XFEATURE_MASK_PT) > > /* All supervisor states including supported and unsupported states. */ > #define XFEATURE_MASK_SUPERVISOR_ALL (XFEATURE_MASK_SUPERVISOR_SUPPORTED | \ > diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c > index 6e50a4251e2b..b57d909facca 100644 > --- a/arch/x86/kernel/fpu/xstate.c > +++ b/arch/x86/kernel/fpu/xstate.c > @@ -51,7 +51,7 @@ static const char *xfeature_names[] = > "Protection Keys User registers", > "PASID state", > "Control-flow User registers", > - "Control-flow Kernel registers (unused)", > + "Control-flow Kernel registers", > "unknown xstate feature", > "unknown xstate feature", > "unknown xstate feature", > @@ -73,6 +73,7 @@ static unsigned short xsave_cpuid_features[] __initdata = { > [XFEATURE_PT_UNIMPLEMENTED_SO_FAR] = X86_FEATURE_INTEL_PT, > [XFEATURE_PKRU] = X86_FEATURE_OSPKE, > [XFEATURE_PASID] = X86_FEATURE_ENQCMD, > + [XFEATURE_CET_KERNEL] = X86_FEATURE_SHSTK, > [XFEATURE_XTILE_CFG] = X86_FEATURE_AMX_TILE, > [XFEATURE_XTILE_DATA] = X86_FEATURE_AMX_TILE, > }; > @@ -277,6 +278,7 @@ static void __init print_xstate_features(void) > print_xstate_feature(XFEATURE_MASK_PKRU); > print_xstate_feature(XFEATURE_MASK_PASID); > print_xstate_feature(XFEATURE_MASK_CET_USER); > + print_xstate_feature(XFEATURE_MASK_CET_KERNEL); > print_xstate_feature(XFEATURE_MASK_XTILE_CFG); > print_xstate_feature(XFEATURE_MASK_XTILE_DATA); > } > @@ -346,6 +348,7 @@ static __init void os_xrstor_booting(struct xregs_state *xstate) > XFEATURE_MASK_BNDCSR | \ > XFEATURE_MASK_PASID | \ > XFEATURE_MASK_CET_USER | \ > + XFEATURE_MASK_CET_KERNEL | \ > XFEATURE_MASK_XTILE) > > /* > @@ -546,6 +549,7 @@ static bool __init check_xstate_against_struct(int nr) > case XFEATURE_PASID: return XCHECK_SZ(sz, nr, struct ia32_pasid_state); > case XFEATURE_XTILE_CFG: return XCHECK_SZ(sz, nr, struct xtile_cfg); > case XFEATURE_CET_USER: return XCHECK_SZ(sz, nr, struct cet_user_state); > + case XFEATURE_CET_KERNEL: return XCHECK_SZ(sz, nr, struct cet_supervisor_state); > case XFEATURE_XTILE_DATA: check_xtile_data_against_struct(sz); return true; > default: > XSTATE_WARN_ON(1, "No structure for xstate: %d\n", nr); Any reason why my reviewed-by was not added to this patch? Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com> Best regards, Maxim Levitsky
On 12/1/2023 1:27 AM, Maxim Levitsky wrote: > On Fri, 2023-11-24 at 00:53 -0500, Yang Weijiang wrote: >> Add supervisor mode state support within FPU xstate management framework. >> Although supervisor shadow stack is not enabled/used today in kernel,KVM >> requires the support because when KVM advertises shadow stack feature to >> guest, architecturally it claims the support for both user and supervisor >> modes for guest OSes(Linux or non-Linux). >> >> CET supervisor states not only includes PL{0,1,2}_SSP but also IA32_S_CET >> MSR, but the latter is not xsave-managed. In virtualization world, guest >> IA32_S_CET is saved/stored into/from VM control structure. With supervisor >> xstate support, guest supervisor mode shadow stack state can be properly >> saved/restored when 1) guest/host FPU context is swapped 2) vCPU >> thread is sched out/in. >> >> The alternative is to enable it in KVM domain, but KVM maintainers NAKed >> the solution. The external discussion can be found at [*], it ended up >> with adding the support in kernel instead of KVM domain. >> >> Note, in KVM case, guest CET supervisor state i.e., IA32_PL{0,1,2}_MSRs, >> are preserved after VM-Exit until host/guest fpstates are swapped, but >> since host supervisor shadow stack is disabled, the preserved MSRs won't >> hurt host. >> >> [*]: https://lore.kernel.org/all/806e26c2-8d21-9cc9-a0b7-7787dd231729@intel.com/ >> >> Signed-off-by: Yang Weijiang <weijiang.yang@intel.com> >> --- >> arch/x86/include/asm/fpu/types.h | 14 ++++++++++++-- >> arch/x86/include/asm/fpu/xstate.h | 6 +++--- >> arch/x86/kernel/fpu/xstate.c | 6 +++++- >> 3 files changed, 20 insertions(+), 6 deletions(-) >> >> diff --git a/arch/x86/include/asm/fpu/types.h b/arch/x86/include/asm/fpu/types.h >> index eb810074f1e7..c6fd13a17205 100644 >> --- a/arch/x86/include/asm/fpu/types.h >> +++ b/arch/x86/include/asm/fpu/types.h >> @@ -116,7 +116,7 @@ enum xfeature { >> XFEATURE_PKRU, >> XFEATURE_PASID, >> XFEATURE_CET_USER, >> - XFEATURE_CET_KERNEL_UNUSED, >> + XFEATURE_CET_KERNEL, >> XFEATURE_RSRVD_COMP_13, >> XFEATURE_RSRVD_COMP_14, >> XFEATURE_LBR, >> @@ -139,7 +139,7 @@ enum xfeature { >> #define XFEATURE_MASK_PKRU (1 << XFEATURE_PKRU) >> #define XFEATURE_MASK_PASID (1 << XFEATURE_PASID) >> #define XFEATURE_MASK_CET_USER (1 << XFEATURE_CET_USER) >> -#define XFEATURE_MASK_CET_KERNEL (1 << XFEATURE_CET_KERNEL_UNUSED) >> +#define XFEATURE_MASK_CET_KERNEL (1 << XFEATURE_CET_KERNEL) >> #define XFEATURE_MASK_LBR (1 << XFEATURE_LBR) >> #define XFEATURE_MASK_XTILE_CFG (1 << XFEATURE_XTILE_CFG) >> #define XFEATURE_MASK_XTILE_DATA (1 << XFEATURE_XTILE_DATA) >> @@ -264,6 +264,16 @@ struct cet_user_state { >> u64 user_ssp; >> }; >> >> +/* >> + * State component 12 is Control-flow Enforcement supervisor states >> + */ >> +struct cet_supervisor_state { >> + /* supervisor ssp pointers */ >> + u64 pl0_ssp; >> + u64 pl1_ssp; >> + u64 pl2_ssp; >> +}; >> + >> /* >> * State component 15: Architectural LBR configuration state. >> * The size of Arch LBR state depends on the number of LBRs (lbr_depth). >> diff --git a/arch/x86/include/asm/fpu/xstate.h b/arch/x86/include/asm/fpu/xstate.h >> index d4427b88ee12..3b4a038d3c57 100644 >> --- a/arch/x86/include/asm/fpu/xstate.h >> +++ b/arch/x86/include/asm/fpu/xstate.h >> @@ -51,7 +51,8 @@ >> >> /* All currently supported supervisor features */ >> #define XFEATURE_MASK_SUPERVISOR_SUPPORTED (XFEATURE_MASK_PASID | \ >> - XFEATURE_MASK_CET_USER) >> + XFEATURE_MASK_CET_USER | \ >> + XFEATURE_MASK_CET_KERNEL) >> >> /* >> * A supervisor state component may not always contain valuable information, >> @@ -78,8 +79,7 @@ >> * Unsupported supervisor features. When a supervisor feature in this mask is >> * supported in the future, move it to the supported supervisor feature mask. >> */ >> -#define XFEATURE_MASK_SUPERVISOR_UNSUPPORTED (XFEATURE_MASK_PT | \ >> - XFEATURE_MASK_CET_KERNEL) >> +#define XFEATURE_MASK_SUPERVISOR_UNSUPPORTED (XFEATURE_MASK_PT) >> >> /* All supervisor states including supported and unsupported states. */ >> #define XFEATURE_MASK_SUPERVISOR_ALL (XFEATURE_MASK_SUPERVISOR_SUPPORTED | \ >> diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c >> index 6e50a4251e2b..b57d909facca 100644 >> --- a/arch/x86/kernel/fpu/xstate.c >> +++ b/arch/x86/kernel/fpu/xstate.c >> @@ -51,7 +51,7 @@ static const char *xfeature_names[] = >> "Protection Keys User registers", >> "PASID state", >> "Control-flow User registers", >> - "Control-flow Kernel registers (unused)", >> + "Control-flow Kernel registers", >> "unknown xstate feature", >> "unknown xstate feature", >> "unknown xstate feature", >> @@ -73,6 +73,7 @@ static unsigned short xsave_cpuid_features[] __initdata = { >> [XFEATURE_PT_UNIMPLEMENTED_SO_FAR] = X86_FEATURE_INTEL_PT, >> [XFEATURE_PKRU] = X86_FEATURE_OSPKE, >> [XFEATURE_PASID] = X86_FEATURE_ENQCMD, >> + [XFEATURE_CET_KERNEL] = X86_FEATURE_SHSTK, >> [XFEATURE_XTILE_CFG] = X86_FEATURE_AMX_TILE, >> [XFEATURE_XTILE_DATA] = X86_FEATURE_AMX_TILE, >> }; >> @@ -277,6 +278,7 @@ static void __init print_xstate_features(void) >> print_xstate_feature(XFEATURE_MASK_PKRU); >> print_xstate_feature(XFEATURE_MASK_PASID); >> print_xstate_feature(XFEATURE_MASK_CET_USER); >> + print_xstate_feature(XFEATURE_MASK_CET_KERNEL); >> print_xstate_feature(XFEATURE_MASK_XTILE_CFG); >> print_xstate_feature(XFEATURE_MASK_XTILE_DATA); >> } >> @@ -346,6 +348,7 @@ static __init void os_xrstor_booting(struct xregs_state *xstate) >> XFEATURE_MASK_BNDCSR | \ >> XFEATURE_MASK_PASID | \ >> XFEATURE_MASK_CET_USER | \ >> + XFEATURE_MASK_CET_KERNEL | \ >> XFEATURE_MASK_XTILE) >> >> /* >> @@ -546,6 +549,7 @@ static bool __init check_xstate_against_struct(int nr) >> case XFEATURE_PASID: return XCHECK_SZ(sz, nr, struct ia32_pasid_state); >> case XFEATURE_XTILE_CFG: return XCHECK_SZ(sz, nr, struct xtile_cfg); >> case XFEATURE_CET_USER: return XCHECK_SZ(sz, nr, struct cet_user_state); >> + case XFEATURE_CET_KERNEL: return XCHECK_SZ(sz, nr, struct cet_supervisor_state); >> case XFEATURE_XTILE_DATA: check_xtile_data_against_struct(sz); return true; >> default: >> XSTATE_WARN_ON(1, "No structure for xstate: %d\n", nr); > Any reason why my reviewed-by was not added to this patch? My apology again! I missed the Reviewed-by tag for this patch! Appreciated for your careful review for this series! > Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com> > > Best regards, > Maxim Levitsky > > >
On Fri, 2023-12-01 at 15:01 +0800, Yang, Weijiang wrote: > On 12/1/2023 1:27 AM, Maxim Levitsky wrote: > > On Fri, 2023-11-24 at 00:53 -0500, Yang Weijiang wrote: > > > Add supervisor mode state support within FPU xstate management framework. > > > Although supervisor shadow stack is not enabled/used today in kernel,KVM > > > requires the support because when KVM advertises shadow stack feature to > > > guest, architecturally it claims the support for both user and supervisor > > > modes for guest OSes(Linux or non-Linux). > > > > > > CET supervisor states not only includes PL{0,1,2}_SSP but also IA32_S_CET > > > MSR, but the latter is not xsave-managed. In virtualization world, guest > > > IA32_S_CET is saved/stored into/from VM control structure. With supervisor > > > xstate support, guest supervisor mode shadow stack state can be properly > > > saved/restored when 1) guest/host FPU context is swapped 2) vCPU > > > thread is sched out/in. > > > > > > The alternative is to enable it in KVM domain, but KVM maintainers NAKed > > > the solution. The external discussion can be found at [*], it ended up > > > with adding the support in kernel instead of KVM domain. > > > > > > Note, in KVM case, guest CET supervisor state i.e., IA32_PL{0,1,2}_MSRs, > > > are preserved after VM-Exit until host/guest fpstates are swapped, but > > > since host supervisor shadow stack is disabled, the preserved MSRs won't > > > hurt host. > > > > > > [*]: https://lore.kernel.org/all/806e26c2-8d21-9cc9-a0b7-7787dd231729@intel.com/ > > > > > > Signed-off-by: Yang Weijiang <weijiang.yang@intel.com> > > > --- > > > arch/x86/include/asm/fpu/types.h | 14 ++++++++++++-- > > > arch/x86/include/asm/fpu/xstate.h | 6 +++--- > > > arch/x86/kernel/fpu/xstate.c | 6 +++++- > > > 3 files changed, 20 insertions(+), 6 deletions(-) > > > > > > diff --git a/arch/x86/include/asm/fpu/types.h b/arch/x86/include/asm/fpu/types.h > > > index eb810074f1e7..c6fd13a17205 100644 > > > --- a/arch/x86/include/asm/fpu/types.h > > > +++ b/arch/x86/include/asm/fpu/types.h > > > @@ -116,7 +116,7 @@ enum xfeature { > > > XFEATURE_PKRU, > > > XFEATURE_PASID, > > > XFEATURE_CET_USER, > > > - XFEATURE_CET_KERNEL_UNUSED, > > > + XFEATURE_CET_KERNEL, > > > XFEATURE_RSRVD_COMP_13, > > > XFEATURE_RSRVD_COMP_14, > > > XFEATURE_LBR, > > > @@ -139,7 +139,7 @@ enum xfeature { > > > #define XFEATURE_MASK_PKRU (1 << XFEATURE_PKRU) > > > #define XFEATURE_MASK_PASID (1 << XFEATURE_PASID) > > > #define XFEATURE_MASK_CET_USER (1 << XFEATURE_CET_USER) > > > -#define XFEATURE_MASK_CET_KERNEL (1 << XFEATURE_CET_KERNEL_UNUSED) > > > +#define XFEATURE_MASK_CET_KERNEL (1 << XFEATURE_CET_KERNEL) > > > #define XFEATURE_MASK_LBR (1 << XFEATURE_LBR) > > > #define XFEATURE_MASK_XTILE_CFG (1 << XFEATURE_XTILE_CFG) > > > #define XFEATURE_MASK_XTILE_DATA (1 << XFEATURE_XTILE_DATA) > > > @@ -264,6 +264,16 @@ struct cet_user_state { > > > u64 user_ssp; > > > }; > > > > > > +/* > > > + * State component 12 is Control-flow Enforcement supervisor states > > > + */ > > > +struct cet_supervisor_state { > > > + /* supervisor ssp pointers */ > > > + u64 pl0_ssp; > > > + u64 pl1_ssp; > > > + u64 pl2_ssp; > > > +}; > > > + > > > /* > > > * State component 15: Architectural LBR configuration state. > > > * The size of Arch LBR state depends on the number of LBRs (lbr_depth). > > > diff --git a/arch/x86/include/asm/fpu/xstate.h b/arch/x86/include/asm/fpu/xstate.h > > > index d4427b88ee12..3b4a038d3c57 100644 > > > --- a/arch/x86/include/asm/fpu/xstate.h > > > +++ b/arch/x86/include/asm/fpu/xstate.h > > > @@ -51,7 +51,8 @@ > > > > > > /* All currently supported supervisor features */ > > > #define XFEATURE_MASK_SUPERVISOR_SUPPORTED (XFEATURE_MASK_PASID | \ > > > - XFEATURE_MASK_CET_USER) > > > + XFEATURE_MASK_CET_USER | \ > > > + XFEATURE_MASK_CET_KERNEL) > > > > > > /* > > > * A supervisor state component may not always contain valuable information, > > > @@ -78,8 +79,7 @@ > > > * Unsupported supervisor features. When a supervisor feature in this mask is > > > * supported in the future, move it to the supported supervisor feature mask. > > > */ > > > -#define XFEATURE_MASK_SUPERVISOR_UNSUPPORTED (XFEATURE_MASK_PT | \ > > > - XFEATURE_MASK_CET_KERNEL) > > > +#define XFEATURE_MASK_SUPERVISOR_UNSUPPORTED (XFEATURE_MASK_PT) > > > > > > /* All supervisor states including supported and unsupported states. */ > > > #define XFEATURE_MASK_SUPERVISOR_ALL (XFEATURE_MASK_SUPERVISOR_SUPPORTED | \ > > > diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c > > > index 6e50a4251e2b..b57d909facca 100644 > > > --- a/arch/x86/kernel/fpu/xstate.c > > > +++ b/arch/x86/kernel/fpu/xstate.c > > > @@ -51,7 +51,7 @@ static const char *xfeature_names[] = > > > "Protection Keys User registers", > > > "PASID state", > > > "Control-flow User registers", > > > - "Control-flow Kernel registers (unused)", > > > + "Control-flow Kernel registers", > > > "unknown xstate feature", > > > "unknown xstate feature", > > > "unknown xstate feature", > > > @@ -73,6 +73,7 @@ static unsigned short xsave_cpuid_features[] __initdata = { > > > [XFEATURE_PT_UNIMPLEMENTED_SO_FAR] = X86_FEATURE_INTEL_PT, > > > [XFEATURE_PKRU] = X86_FEATURE_OSPKE, > > > [XFEATURE_PASID] = X86_FEATURE_ENQCMD, > > > + [XFEATURE_CET_KERNEL] = X86_FEATURE_SHSTK, > > > [XFEATURE_XTILE_CFG] = X86_FEATURE_AMX_TILE, > > > [XFEATURE_XTILE_DATA] = X86_FEATURE_AMX_TILE, > > > }; > > > @@ -277,6 +278,7 @@ static void __init print_xstate_features(void) > > > print_xstate_feature(XFEATURE_MASK_PKRU); > > > print_xstate_feature(XFEATURE_MASK_PASID); > > > print_xstate_feature(XFEATURE_MASK_CET_USER); > > > + print_xstate_feature(XFEATURE_MASK_CET_KERNEL); > > > print_xstate_feature(XFEATURE_MASK_XTILE_CFG); > > > print_xstate_feature(XFEATURE_MASK_XTILE_DATA); > > > } > > > @@ -346,6 +348,7 @@ static __init void os_xrstor_booting(struct xregs_state *xstate) > > > XFEATURE_MASK_BNDCSR | \ > > > XFEATURE_MASK_PASID | \ > > > XFEATURE_MASK_CET_USER | \ > > > + XFEATURE_MASK_CET_KERNEL | \ > > > XFEATURE_MASK_XTILE) > > > > > > /* > > > @@ -546,6 +549,7 @@ static bool __init check_xstate_against_struct(int nr) > > > case XFEATURE_PASID: return XCHECK_SZ(sz, nr, struct ia32_pasid_state); > > > case XFEATURE_XTILE_CFG: return XCHECK_SZ(sz, nr, struct xtile_cfg); > > > case XFEATURE_CET_USER: return XCHECK_SZ(sz, nr, struct cet_user_state); > > > + case XFEATURE_CET_KERNEL: return XCHECK_SZ(sz, nr, struct cet_supervisor_state); > > > case XFEATURE_XTILE_DATA: check_xtile_data_against_struct(sz); return true; > > > default: > > > XSTATE_WARN_ON(1, "No structure for xstate: %d\n", nr); > > Any reason why my reviewed-by was not added to this patch? > > My apology again! I missed the Reviewed-by tag for this patch! > > Appreciated for your careful review for this series! Thank you very much! Best regards, Maxim Levitsky > > > Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com> > > > > Best regards, > > Maxim Levitsky > > > > > >
diff --git a/arch/x86/include/asm/fpu/types.h b/arch/x86/include/asm/fpu/types.h index eb810074f1e7..c6fd13a17205 100644 --- a/arch/x86/include/asm/fpu/types.h +++ b/arch/x86/include/asm/fpu/types.h @@ -116,7 +116,7 @@ enum xfeature { XFEATURE_PKRU, XFEATURE_PASID, XFEATURE_CET_USER, - XFEATURE_CET_KERNEL_UNUSED, + XFEATURE_CET_KERNEL, XFEATURE_RSRVD_COMP_13, XFEATURE_RSRVD_COMP_14, XFEATURE_LBR, @@ -139,7 +139,7 @@ enum xfeature { #define XFEATURE_MASK_PKRU (1 << XFEATURE_PKRU) #define XFEATURE_MASK_PASID (1 << XFEATURE_PASID) #define XFEATURE_MASK_CET_USER (1 << XFEATURE_CET_USER) -#define XFEATURE_MASK_CET_KERNEL (1 << XFEATURE_CET_KERNEL_UNUSED) +#define XFEATURE_MASK_CET_KERNEL (1 << XFEATURE_CET_KERNEL) #define XFEATURE_MASK_LBR (1 << XFEATURE_LBR) #define XFEATURE_MASK_XTILE_CFG (1 << XFEATURE_XTILE_CFG) #define XFEATURE_MASK_XTILE_DATA (1 << XFEATURE_XTILE_DATA) @@ -264,6 +264,16 @@ struct cet_user_state { u64 user_ssp; }; +/* + * State component 12 is Control-flow Enforcement supervisor states + */ +struct cet_supervisor_state { + /* supervisor ssp pointers */ + u64 pl0_ssp; + u64 pl1_ssp; + u64 pl2_ssp; +}; + /* * State component 15: Architectural LBR configuration state. * The size of Arch LBR state depends on the number of LBRs (lbr_depth). diff --git a/arch/x86/include/asm/fpu/xstate.h b/arch/x86/include/asm/fpu/xstate.h index d4427b88ee12..3b4a038d3c57 100644 --- a/arch/x86/include/asm/fpu/xstate.h +++ b/arch/x86/include/asm/fpu/xstate.h @@ -51,7 +51,8 @@ /* All currently supported supervisor features */ #define XFEATURE_MASK_SUPERVISOR_SUPPORTED (XFEATURE_MASK_PASID | \ - XFEATURE_MASK_CET_USER) + XFEATURE_MASK_CET_USER | \ + XFEATURE_MASK_CET_KERNEL) /* * A supervisor state component may not always contain valuable information, @@ -78,8 +79,7 @@ * Unsupported supervisor features. When a supervisor feature in this mask is * supported in the future, move it to the supported supervisor feature mask. */ -#define XFEATURE_MASK_SUPERVISOR_UNSUPPORTED (XFEATURE_MASK_PT | \ - XFEATURE_MASK_CET_KERNEL) +#define XFEATURE_MASK_SUPERVISOR_UNSUPPORTED (XFEATURE_MASK_PT) /* All supervisor states including supported and unsupported states. */ #define XFEATURE_MASK_SUPERVISOR_ALL (XFEATURE_MASK_SUPERVISOR_SUPPORTED | \ diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c index 6e50a4251e2b..b57d909facca 100644 --- a/arch/x86/kernel/fpu/xstate.c +++ b/arch/x86/kernel/fpu/xstate.c @@ -51,7 +51,7 @@ static const char *xfeature_names[] = "Protection Keys User registers", "PASID state", "Control-flow User registers", - "Control-flow Kernel registers (unused)", + "Control-flow Kernel registers", "unknown xstate feature", "unknown xstate feature", "unknown xstate feature", @@ -73,6 +73,7 @@ static unsigned short xsave_cpuid_features[] __initdata = { [XFEATURE_PT_UNIMPLEMENTED_SO_FAR] = X86_FEATURE_INTEL_PT, [XFEATURE_PKRU] = X86_FEATURE_OSPKE, [XFEATURE_PASID] = X86_FEATURE_ENQCMD, + [XFEATURE_CET_KERNEL] = X86_FEATURE_SHSTK, [XFEATURE_XTILE_CFG] = X86_FEATURE_AMX_TILE, [XFEATURE_XTILE_DATA] = X86_FEATURE_AMX_TILE, }; @@ -277,6 +278,7 @@ static void __init print_xstate_features(void) print_xstate_feature(XFEATURE_MASK_PKRU); print_xstate_feature(XFEATURE_MASK_PASID); print_xstate_feature(XFEATURE_MASK_CET_USER); + print_xstate_feature(XFEATURE_MASK_CET_KERNEL); print_xstate_feature(XFEATURE_MASK_XTILE_CFG); print_xstate_feature(XFEATURE_MASK_XTILE_DATA); } @@ -346,6 +348,7 @@ static __init void os_xrstor_booting(struct xregs_state *xstate) XFEATURE_MASK_BNDCSR | \ XFEATURE_MASK_PASID | \ XFEATURE_MASK_CET_USER | \ + XFEATURE_MASK_CET_KERNEL | \ XFEATURE_MASK_XTILE) /* @@ -546,6 +549,7 @@ static bool __init check_xstate_against_struct(int nr) case XFEATURE_PASID: return XCHECK_SZ(sz, nr, struct ia32_pasid_state); case XFEATURE_XTILE_CFG: return XCHECK_SZ(sz, nr, struct xtile_cfg); case XFEATURE_CET_USER: return XCHECK_SZ(sz, nr, struct cet_user_state); + case XFEATURE_CET_KERNEL: return XCHECK_SZ(sz, nr, struct cet_supervisor_state); case XFEATURE_XTILE_DATA: check_xtile_data_against_struct(sz); return true; default: XSTATE_WARN_ON(1, "No structure for xstate: %d\n", nr);
Add supervisor mode state support within FPU xstate management framework. Although supervisor shadow stack is not enabled/used today in kernel,KVM requires the support because when KVM advertises shadow stack feature to guest, architecturally it claims the support for both user and supervisor modes for guest OSes(Linux or non-Linux). CET supervisor states not only includes PL{0,1,2}_SSP but also IA32_S_CET MSR, but the latter is not xsave-managed. In virtualization world, guest IA32_S_CET is saved/stored into/from VM control structure. With supervisor xstate support, guest supervisor mode shadow stack state can be properly saved/restored when 1) guest/host FPU context is swapped 2) vCPU thread is sched out/in. The alternative is to enable it in KVM domain, but KVM maintainers NAKed the solution. The external discussion can be found at [*], it ended up with adding the support in kernel instead of KVM domain. Note, in KVM case, guest CET supervisor state i.e., IA32_PL{0,1,2}_MSRs, are preserved after VM-Exit until host/guest fpstates are swapped, but since host supervisor shadow stack is disabled, the preserved MSRs won't hurt host. [*]: https://lore.kernel.org/all/806e26c2-8d21-9cc9-a0b7-7787dd231729@intel.com/ Signed-off-by: Yang Weijiang <weijiang.yang@intel.com> --- arch/x86/include/asm/fpu/types.h | 14 ++++++++++++-- arch/x86/include/asm/fpu/xstate.h | 6 +++--- arch/x86/kernel/fpu/xstate.c | 6 +++++- 3 files changed, 20 insertions(+), 6 deletions(-)