[v2,9/9] KVM: SVM: Add CET features to supported_xss

Message ID	20240226213244.18441-10-john.allen@amd.com (mailing list archive)
State	New, archived
Headers	show Received: from NAM12-BN8-obe.outbound.protection.outlook.com (mail-bn8nam12on2078.outbound.protection.outlook.com [40.107.237.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A3D341353E9; Mon, 26 Feb 2024 21:33:43 +0000 (UTC) Received-SPF: Pass (protection.outlook.com: domain of amd.com designates 165.204.84.17 as permitted sender) receiver=protection.outlook.com; client-ip=165.204.84.17; helo=SATLEXMB04.amd.com; pr=C From: John Allen <john.allen@amd.com> To: <kvm@vger.kernel.org> CC: <weijiang.yang@intel.com>, <rick.p.edgecombe@intel.com>, <seanjc@google.com>, <thomas.lendacky@amd.com>, <bp@alien8.de>, <pbonzini@redhat.com>, <mlevitsk@redhat.com>, <linux-kernel@vger.kernel.org>, <x86@kernel.org>, John Allen <john.allen@amd.com> Subject: [PATCH v2 9/9] KVM: SVM: Add CET features to supported_xss Date: Mon, 26 Feb 2024 21:32:44 +0000 Message-ID: <20240226213244.18441-10-john.allen@amd.com> In-Reply-To: <20240226213244.18441-1-john.allen@amd.com> References: <20240226213244.18441-1-john.allen@amd.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain
Series	SVM guest shadow stack support \| expand [v2,0/9] SVM guest shadow stack support [v2,1/9] x86/boot: Move boot_*msr helpers to asm/shared/msr.h [v2,2/9] KVM: x86: SVM: Emulate reads and writes to shadow stack MSRs [v2,3/9] KVM: x86: SVM: Update dump_vmcb with shadow stack save area additions [v2,4/9] KVM: x86: SVM: Pass through shadow stack MSRs [v2,5/9] KVM: SVM: Rename vmplX_ssp -> plX_ssp [v2,6/9] KVM: SVM: Add MSR_IA32_XSS to the GHCB for hypervisor kernel [v2,7/9] x86/sev-es: Include XSS value in GHCB CPUID request [v2,8/9] KVM: SVM: Use KVM-governed features to track SHSTK [v2,9/9] KVM: SVM: Add CET features to supported_xss

Message ID

20240226213244.18441-10-john.allen@amd.com (mailing list archive)

State

New, archived

Headers

Received-SPF: Pass (protection.outlook.com: domain of amd.com designates
 165.204.84.17 as permitted sender) receiver=protection.outlook.com;
 client-ip=165.204.84.17; helo=SATLEXMB04.amd.com; pr=C
From: John Allen <john.allen@amd.com>
To: <kvm@vger.kernel.org>
CC: <weijiang.yang@intel.com>, <rick.p.edgecombe@intel.com>,
	<seanjc@google.com>, <thomas.lendacky@amd.com>, <bp@alien8.de>,
	<pbonzini@redhat.com>, <mlevitsk@redhat.com>, <linux-kernel@vger.kernel.org>,
	<x86@kernel.org>, John Allen <john.allen@amd.com>
Subject: [PATCH v2 9/9] KVM: SVM: Add CET features to supported_xss
Date: Mon, 26 Feb 2024 21:32:44 +0000
Message-ID: <20240226213244.18441-10-john.allen@amd.com>
In-Reply-To: <20240226213244.18441-1-john.allen@amd.com>
References: <20240226213244.18441-1-john.allen@amd.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 26 Feb 2024 21:33:40.2182
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 dab00498-e7f7-4965-a835-08dc3712996d
X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: 
 TenantId=3dd8961f-e488-4e60-8e11-a82d994e183d;Ip=[165.204.84.17];Helo=[SATLEXMB04.amd.com]
X-MS-Exchange-CrossTenant-AuthSource: 
	CH3PEPF00000010.namprd04.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MW6PR12MB7087

Series

SVM guest shadow stack support | expand

Comments

Sean Christopherson May 1, 2024, 11:47 p.m. UTC | #1

On Mon, Feb 26, 2024, John Allen wrote:
> If the CPU supports CET, add CET XSAVES feature bits to the
> supported_xss mask.
> 
> Signed-off-by: John Allen <john.allen@amd.com>
> ---
>  arch/x86/kvm/svm/svm.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
> index 1181f017c173..d97d82ebec4a 100644
> --- a/arch/x86/kvm/svm/svm.c
> +++ b/arch/x86/kvm/svm/svm.c
> @@ -5177,6 +5177,10 @@ static __init void svm_set_cpu_caps(void)
>  	    boot_cpu_has(X86_FEATURE_AMD_SSBD))
>  		kvm_cpu_cap_set(X86_FEATURE_VIRT_SSBD);
>  
> +	if (kvm_cpu_cap_has(X86_FEATURE_SHSTK))
> +		kvm_caps.supported_xss |= XFEATURE_MASK_CET_USER |
> +					  XFEATURE_MASK_CET_KERNEL;

Based on Weijiang's series, I believe this is unnecessary.  Common x86 code will
both set supported_xss, and clear bits if their associated features are unsupported.

I also asked Weijiang to modify the "advertise to userspace" patch to explicitly
clear SHSTK and IBT in svm_set_cpu_caps()[*], so if the stars align as I think they
will, this patch should simply need to delete the

	kvm_cpu_cap_clear(X86_FEATURE_SHSTK);

that will be added by the VMX series.

[*] https://lore.kernel.org/all/ZjLRnisdUgeYgg8i@google.com

diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
index 1181f017c173..d97d82ebec4a 100644
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -5177,6 +5177,10 @@  static __init void svm_set_cpu_caps(void)
 	    boot_cpu_has(X86_FEATURE_AMD_SSBD))
 		kvm_cpu_cap_set(X86_FEATURE_VIRT_SSBD);
 
+	if (kvm_cpu_cap_has(X86_FEATURE_SHSTK))
+		kvm_caps.supported_xss |= XFEATURE_MASK_CET_USER |
+					  XFEATURE_MASK_CET_KERNEL;
+
 	if (enable_pmu) {
 		/*
 		 * Enumerate support for PERFCTR_CORE if and only if KVM has

[v2,9/9] KVM: SVM: Add CET features to supported_xss

Commit Message

Comments

Patch