Message ID | 20230524155339.415820-5-john.allen@amd.com |
---|---|
State | New |
Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org> Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:994d:0:b0:3d9:f83d:47d9 with SMTP id k13csp25196vqr; Wed, 24 May 2023 09:16:57 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ7Q/fyaYFq05URqqZ/CUQpJ4GiFo2PRcpdkJp65hU3h2iWEPWXCbKf7rgMqyFyKFYFomfAL X-Received: by 2002:aa7:88d1:0:b0:649:93a7:571b with SMTP id k17-20020aa788d1000000b0064993a7571bmr3906243pff.13.1684945016839; Wed, 24 May 2023 09:16:56 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1684945016; cv=pass; d=google.com; s=arc-20160816; b=BgkVbIsWXCtwR8ukQn1OkVmCyIjjEKClPxe0ATXi4S/Xg/7XfP3Y7ZA7RIxJs6SF74 RabcU14j8cUjVyCz5QRM5Yo5DVCT3dOQ4Ub1QOJPGzz0j/VTsoi7rxfrU+sUShUcQB+/ Q/Kx2RHnLqwZpIZrvmEVq3OPiqObaNASCnhjhCV5hXy7reTxcMgcRhzKmXr59JH0xSr3 kzCsL0J7PqJUX6cMk/HYfRoIcYIxkufkhOBU9ugWWk+6CuFLjhyhK5iNkg3cvtgSrJG0 6/LooxOsZ1U9TbHLqoANQNtw2Lce1p9Rx6Fmz5WWDohuPwMypgMdqhiVvfkSfY+BlYVz ogBQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=tMnY52pgZAV7LxEzaa5TurP4B844esvfFWyoXxyzGrY=; b=AQcmptItIrO92vFRVHt9erFww294dCA+jo8MzhvkTBznPNMPILlqXfldpbMYCkJdtk C4IN3+XxpVodTuRDQa3r1bFh/tAOxOOu71+8Jacf3cpJIrKZmlYXdDGx4s9kbmFl6GJI OicXO6eTP2So2SPGVsL658hxfdOd8YqYvNnSRNGu7+8MFUv850+GOMAinZHHzt7m4yf9 oPRXqsm6zIgpQjSYswRjHxlj1dt+Mb+x1cvwB9LE9mRi5EqGGMAP1XXGo+YKDbj0xk/V kercFSkcQGNYHZcwryj2D5hwy2PVs94OVga044xpIolg2uWWeadHpeRDl1sdnd+oozVw CY5g== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@amd.com header.s=selector1 header.b=FflzG1NI; arc=pass (i=1 spf=pass spfdomain=amd.com dmarc=pass fromdomain=amd.com); spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amd.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id i28-20020aa796fc000000b00640d9c06df3si8578551pfq.329.2023.05.24.09.16.41; Wed, 24 May 2023 09:16:56 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@amd.com header.s=selector1 header.b=FflzG1NI; arc=pass (i=1 spf=pass spfdomain=amd.com dmarc=pass fromdomain=amd.com); spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amd.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237630AbjEXPyr (ORCPT <rfc822;ahmedalshaiji.dev@gmail.com> + 99 others); Wed, 24 May 2023 11:54:47 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51450 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237559AbjEXPyk (ORCPT <rfc822;linux-kernel@vger.kernel.org>); Wed, 24 May 2023 11:54:40 -0400 Received: from NAM10-MW2-obe.outbound.protection.outlook.com (mail-mw2nam10on2052.outbound.protection.outlook.com [40.107.94.52]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 227E8123; Wed, 24 May 2023 08:54:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=LcqegUALGSMSe1JrUaqq2iHxD+vko1qVMaLH97QLz4/swUnKY+mLVIlnJFOEilt4NkYa7eLAhtsPSvSVGW32XwFN6IgFNgu6NuxEVN6BfH7+foynQGUi3xRTZT2+hNzwzwG18Zobtxg9A6yPdFSxlRAigFYOqLIjNaPPmP4uYUdxFz/nB5Az9QQ+3E8afiyWWvleSEUj3hZSoJr6UxI36JI2IHQDwVGXICEac/EhfJXuQlYUwcBLR3Blldep1+paq/6FyUYHOzPAsqFoDl3J3CBnE4EEUMn82hmKBOiY/5SJFoTrHlqCbcHdYpisiOGoPLUwvt4rIyUkljUDaWVc+A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=tMnY52pgZAV7LxEzaa5TurP4B844esvfFWyoXxyzGrY=; b=WmvI+zLqaa+vHtLOW9QTtg1MBqjGgAKzJnB6Q3cTAZ3RwHrF/6KipL3D/M6jTRChPexX644afwDrvbqI287NTSXURahgqQqCaivIXD5ZkjOtfHD6apj/Nhdi1eO/xsWHtVtmJ1nQhz0VKrHFi1X9p00XaUG1cU8NyBCWYH1ffFaOki5qeAYlIKP2btX3YGYZbkQobxFdUClL0f6TcfBQv5+D4rqh/uAUvpnJsHx72syFB1Ye26ThQ+rozBzvOccz8Cdk/DAQiDNWwrhehlv0nNg6IIWEW+ybv1mE7ZZJ8xDn0FM6ptXVqfRslpFGR6cOXgBxfOBDLxyFGCqAMM4kBw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 165.204.84.17) smtp.rcpttodomain=vger.kernel.org smtp.mailfrom=amd.com; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=amd.com; dkim=none (message not signed); arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amd.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=tMnY52pgZAV7LxEzaa5TurP4B844esvfFWyoXxyzGrY=; b=FflzG1NIhGllM/6saZ3fYIejiuUf/NFIb5CuzPM3g0OPX7uhovRBACM9rm1VGnQnFNdrKK+7X6nyY9XGJIqvz82iGFU/BkF625t7wXxlqyAObnagr+MUZrthSoLmtX7zHJxlg03I+tkr4Zd8XDzJ9CaLcxfIM2hrmRyFqP/Y4Mg= Received: from BN0PR03CA0014.namprd03.prod.outlook.com (2603:10b6:408:e6::19) by SJ2PR12MB8739.namprd12.prod.outlook.com (2603:10b6:a03:549::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6411.28; Wed, 24 May 2023 15:54:36 +0000 Received: from BN8NAM11FT077.eop-nam11.prod.protection.outlook.com (2603:10b6:408:e6:cafe::94) by BN0PR03CA0014.outlook.office365.com (2603:10b6:408:e6::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6433.15 via Frontend Transport; Wed, 24 May 2023 15:54:36 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 165.204.84.17) smtp.mailfrom=amd.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=amd.com; Received-SPF: Pass (protection.outlook.com: domain of amd.com designates 165.204.84.17 as permitted sender) receiver=protection.outlook.com; client-ip=165.204.84.17; helo=SATLEXMB04.amd.com; pr=C Received: from SATLEXMB04.amd.com (165.204.84.17) by BN8NAM11FT077.mail.protection.outlook.com (10.13.177.232) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.20.6411.30 via Frontend Transport; Wed, 24 May 2023 15:54:36 +0000 Received: from jallen-jump-host.amd.com (10.180.168.240) by SATLEXMB04.amd.com (10.181.40.145) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.34; Wed, 24 May 2023 10:54:35 -0500 From: John Allen <john.allen@amd.com> To: <kvm@vger.kernel.org> CC: <linux-kernel@vger.kernel.org>, <pbonzini@redhat.com>, <weijiang.yang@intel.com>, <rick.p.edgecombe@intel.com>, <seanjc@google.com>, <x86@kernel.org>, <thomas.lendacky@amd.com>, <bp@alien8.de>, John Allen <john.allen@amd.com> Subject: [RFC PATCH v2 4/6] KVM: SVM: Save shadow stack host state on VMRUN Date: Wed, 24 May 2023 15:53:37 +0000 Message-ID: <20230524155339.415820-5-john.allen@amd.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230524155339.415820-1-john.allen@amd.com> References: <20230524155339.415820-1-john.allen@amd.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-Originating-IP: [10.180.168.240] X-ClientProxiedBy: SATLEXMB04.amd.com (10.181.40.145) To SATLEXMB04.amd.com (10.181.40.145) X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: BN8NAM11FT077:EE_|SJ2PR12MB8739:EE_ X-MS-Office365-Filtering-Correlation-Id: 436d93b4-7e98-4f71-fce4-08db5c6f2cc5 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: 6r+uBJ8XUUE5T1wpPmEVoVQjXls9ES2RWV/UyDDTulzmNSiVnbk5LGiEi9CN6XX4s0LhqbxhHGDxqxGvc2UCIZCAA5AUdpgKgX9t1Bct5r5vCrIZNINP2AIKSdAMDXoTXz0Bzd6glxk2byULhMtVf/kG+cCdsKlbfX93rvfvVe7De16Tdsj920OIlryGW8qY7vTntPwGrFdxJ0W1gDmpaddkI+JIj2mimc5v8epHwpoMQQiqQHFRoFl4UndUUw968CDBTldhVRsFdIMEaCyfgZ5bbODIUB0Vkku0QSdWAGIUsQ9DQKQEftiPpyxZABC/wrPYSN9Wj2Y1Vb2IBF4nDlqaTXnKOBUILN2Nwv1iM9VdHMSAbZiJO5ktD+LkE3MV1lA2f9Iyg7xNgQFDT8mLpKjQed5XoRd2BS1r2IlXfRYf3xVuHKCv+YJ23IOsNrloYhBSTBIWTq3OY1fEU1pyvE8cjWh4M2ZG9r+1rnYADwdBwEpFvmYPiUHKsB9r20AlvNe7A4LgonAmobX9SVA0DYmaMWGBkC9RSVeCipaY03jAQ1I1Ryu7Jeav10Ms+X5aynyGU8lUHCG0DhZdLmLWkao7khl0R4XyiEqbzLqH+Ca0osGnzgtuMxLK0i7jCxtQ52nNER7Cns81Z9P6GJfFqXC4bHigUxNTI676jfCwiv/D5CZjWqYhfRWl9ExRECLknd6CDApNYK7LOvp6S8nkfHc/HlmGbCz0q6x2Ibji4UkoNv9tCryvoX4oBfGm+9NU9MZqCxvcZ2yaOxh5DAyg5g== X-Forefront-Antispam-Report: CIP:165.204.84.17;CTRY:US;LANG:en;SCL:1;SRV:;IPV:CAL;SFV:NSPM;H:SATLEXMB04.amd.com;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230028)(4636009)(136003)(346002)(376002)(39860400002)(396003)(451199021)(46966006)(40470700004)(36840700001)(40460700003)(70586007)(4326008)(70206006)(478600001)(316002)(6916009)(54906003)(36756003)(83380400001)(47076005)(5660300002)(26005)(426003)(2616005)(336012)(16526019)(186003)(36860700001)(1076003)(41300700001)(8676002)(8936002)(44832011)(2906002)(7696005)(82310400005)(40480700001)(86362001)(81166007)(82740400003)(356005)(36900700001);DIR:OUT;SFP:1101; X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 24 May 2023 15:54:36.4886 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 436d93b4-7e98-4f71-fce4-08db5c6f2cc5 X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=3dd8961f-e488-4e60-8e11-a82d994e183d;Ip=[165.204.84.17];Helo=[SATLEXMB04.amd.com] X-MS-Exchange-CrossTenant-AuthSource: BN8NAM11FT077.eop-nam11.prod.protection.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: SJ2PR12MB8739 X-Spam-Status: No, score=-1.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FORGED_SPF_HELO, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_NONE, T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: <linux-kernel.vger.kernel.org> X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1766792905852552851?= X-GMAIL-MSGID: =?utf-8?q?1766792905852552851?= |
Series |
[RFC,v2,1/6] KVM: x86: SVM: Emulate reads and writes to shadow stack MSRs
|
|
Commit Message
John Allen
May 24, 2023, 3:53 p.m. UTC
When running as an SEV-ES guest, the PL0_SSP, PL1_SSP, PL2_SSP, PL3_SSP,
and U_CET fields in the VMCB save area are type B, meaning the host
state is automatically loaded on a VMEXIT, but is not saved on a VMRUN.
The other shadow stack MSRs, S_CET, SSP, and ISST_ADDR are type A,
meaning they are loaded on VMEXIT and saved on VMRUN. Manually save the
type B host MSR values before VMRUN.
Signed-off-by: John Allen <john.allen@amd.com>
---
arch/x86/kvm/svm/sev.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
Comments
On Wed, May 24, 2023, John Allen wrote: > When running as an SEV-ES guest, the PL0_SSP, PL1_SSP, PL2_SSP, PL3_SSP, > and U_CET fields in the VMCB save area are type B, meaning the host > state is automatically loaded on a VMEXIT, but is not saved on a VMRUN. > The other shadow stack MSRs, S_CET, SSP, and ISST_ADDR are type A, > meaning they are loaded on VMEXIT and saved on VMRUN. Manually save the > type B host MSR values before VMRUN. > > Signed-off-by: John Allen <john.allen@amd.com> > --- > arch/x86/kvm/svm/sev.c | 13 +++++++++++++ > 1 file changed, 13 insertions(+) > > diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c > index c25aeb550cd9..03dd68bddd51 100644 > --- a/arch/x86/kvm/svm/sev.c > +++ b/arch/x86/kvm/svm/sev.c > @@ -3028,6 +3028,19 @@ void sev_es_prepare_switch_to_guest(struct sev_es_save_area *hostsa) > > /* MSR_IA32_XSS is restored on VMEXIT, save the currnet host value */ > hostsa->xss = host_xss; > + > + if (boot_cpu_has(X86_FEATURE_SHSTK)) { > + /* > + * MSR_IA32_U_CET, MSR_IA32_PL0_SSP, MSR_IA32_PL1_SSP, > + * MSR_IA32_PL2_SSP, and MSR_IA32_PL3_SSP are restored on > + * VMEXIT, save the current host values. > + */ > + rdmsrl(MSR_IA32_U_CET, hostsa->u_cet); > + rdmsrl(MSR_IA32_PL0_SSP, hostsa->vmpl0_ssp); > + rdmsrl(MSR_IA32_PL1_SSP, hostsa->vmpl1_ssp); > + rdmsrl(MSR_IA32_PL2_SSP, hostsa->vmpl2_ssp); > + rdmsrl(MSR_IA32_PL3_SSP, hostsa->vmpl3_ssp); Heh, can you send a patch to fix the names for the PLx_SSP fields? They should be ->plN_ssp, not ->vmplN_ssp. As for the values themselves, the kernel doesn't support Supervisor Shadow Stacks (SSS), so PL0-2_SSP are guaranteed to be zero. And if/when SSS support is added, I doubt the kernel will ever use PL1_SSP or PL2_SSP, so those can probably be ignored entirely, and PL0_SSP might be constant per task? In other words, I don't see any reason to try and track the host values for support that doesn't exist, just do what VMX does for BNDCFGS and yell if the MSRs are non-zero. Though for SSS it probably makes sense for KVM to refuse to load (KVM continues on for BNDCFGS because it's a pretty safe assumption that the kernel won't regain MPX supported). E.g. in rough pseudocode if (boot_cpu_has(X86_FEATURE_SHSTK)) { rdmsrl(MSR_IA32_PLx_SSP, host_plx_ssp); if (WARN_ON_ONCE(host_pl0_ssp || host_pl1_ssp || host_pl2_ssp)) return -EIO; }
On Fri, Jun 23, 2023 at 02:11:46PM -0700, Sean Christopherson wrote: > On Wed, May 24, 2023, John Allen wrote: > > When running as an SEV-ES guest, the PL0_SSP, PL1_SSP, PL2_SSP, PL3_SSP, > > and U_CET fields in the VMCB save area are type B, meaning the host > > state is automatically loaded on a VMEXIT, but is not saved on a VMRUN. > > The other shadow stack MSRs, S_CET, SSP, and ISST_ADDR are type A, > > meaning they are loaded on VMEXIT and saved on VMRUN. Manually save the > > type B host MSR values before VMRUN. > > > > Signed-off-by: John Allen <john.allen@amd.com> > > --- > > arch/x86/kvm/svm/sev.c | 13 +++++++++++++ > > 1 file changed, 13 insertions(+) > > > > diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c > > index c25aeb550cd9..03dd68bddd51 100644 > > --- a/arch/x86/kvm/svm/sev.c > > +++ b/arch/x86/kvm/svm/sev.c > > @@ -3028,6 +3028,19 @@ void sev_es_prepare_switch_to_guest(struct sev_es_save_area *hostsa) > > > > /* MSR_IA32_XSS is restored on VMEXIT, save the currnet host value */ > > hostsa->xss = host_xss; > > + > > + if (boot_cpu_has(X86_FEATURE_SHSTK)) { > > + /* > > + * MSR_IA32_U_CET, MSR_IA32_PL0_SSP, MSR_IA32_PL1_SSP, > > + * MSR_IA32_PL2_SSP, and MSR_IA32_PL3_SSP are restored on > > + * VMEXIT, save the current host values. > > + */ > > + rdmsrl(MSR_IA32_U_CET, hostsa->u_cet); > > + rdmsrl(MSR_IA32_PL0_SSP, hostsa->vmpl0_ssp); > > + rdmsrl(MSR_IA32_PL1_SSP, hostsa->vmpl1_ssp); > > + rdmsrl(MSR_IA32_PL2_SSP, hostsa->vmpl2_ssp); > > + rdmsrl(MSR_IA32_PL3_SSP, hostsa->vmpl3_ssp); > > Heh, can you send a patch to fix the names for the PLx_SSP fields? They should > be ->plN_ssp, not ->vmplN_ssp. Yes, I will include a patch to address this in the next version of the series. > > As for the values themselves, the kernel doesn't support Supervisor Shadow Stacks > (SSS), so PL0-2_SSP are guaranteed to be zero. And if/when SSS support is added, > I doubt the kernel will ever use PL1_SSP or PL2_SSP, so those can probably be > ignored entirely, and PL0_SSP might be constant per task? In other words, I don't > see any reason to try and track the host values for support that doesn't exist, > just do what VMX does for BNDCFGS and yell if the MSRs are non-zero. Though for > SSS it probably makes sense for KVM to refuse to load (KVM continues on for BNDCFGS > because it's a pretty safe assumption that the kernel won't regain MPX supported). > > E.g. in rough pseudocode > > if (boot_cpu_has(X86_FEATURE_SHSTK)) { > rdmsrl(MSR_IA32_PLx_SSP, host_plx_ssp); > > if (WARN_ON_ONCE(host_pl0_ssp || host_pl1_ssp || host_pl2_ssp)) > return -EIO; > } The function in question returns void and wouldn't be able to return a failure code to callers. We would have to rework this path in order to fail in this way. Is it sufficient to just WARN_ON_ONCE here or is there some other way we can cause KVM to fail to load here?
On Tue, Aug 01, 2023, John Allen wrote: > On Fri, Jun 23, 2023 at 02:11:46PM -0700, Sean Christopherson wrote: > > On Wed, May 24, 2023, John Allen wrote: > > As for the values themselves, the kernel doesn't support Supervisor Shadow Stacks > > (SSS), so PL0-2_SSP are guaranteed to be zero. And if/when SSS support is added, > > I doubt the kernel will ever use PL1_SSP or PL2_SSP, so those can probably be > > ignored entirely, and PL0_SSP might be constant per task? In other words, I don't > > see any reason to try and track the host values for support that doesn't exist, > > just do what VMX does for BNDCFGS and yell if the MSRs are non-zero. Though for > > SSS it probably makes sense for KVM to refuse to load (KVM continues on for BNDCFGS > > because it's a pretty safe assumption that the kernel won't regain MPX supported). > > > > E.g. in rough pseudocode > > > > if (boot_cpu_has(X86_FEATURE_SHSTK)) { > > rdmsrl(MSR_IA32_PLx_SSP, host_plx_ssp); > > > > if (WARN_ON_ONCE(host_pl0_ssp || host_pl1_ssp || host_pl2_ssp)) > > return -EIO; > > } > > The function in question returns void and wouldn't be able to return a > failure code to callers. We would have to rework this path in order to > fail in this way. Is it sufficient to just WARN_ON_ONCE here or is there > some other way we can cause KVM to fail to load here? Sorry, I should have been more explicit than "it probably make sense for KVM to refuse to load". The above would go somewhere in __kvm_x86_vendor_init().
On Tue, Aug 01, 2023 at 09:28:11AM -0700, Sean Christopherson wrote: > On Tue, Aug 01, 2023, John Allen wrote: > > On Fri, Jun 23, 2023 at 02:11:46PM -0700, Sean Christopherson wrote: > > > On Wed, May 24, 2023, John Allen wrote: > > > As for the values themselves, the kernel doesn't support Supervisor Shadow Stacks > > > (SSS), so PL0-2_SSP are guaranteed to be zero. And if/when SSS support is added, > > > I doubt the kernel will ever use PL1_SSP or PL2_SSP, so those can probably be > > > ignored entirely, and PL0_SSP might be constant per task? In other words, I don't > > > see any reason to try and track the host values for support that doesn't exist, > > > just do what VMX does for BNDCFGS and yell if the MSRs are non-zero. Though for > > > SSS it probably makes sense for KVM to refuse to load (KVM continues on for BNDCFGS > > > because it's a pretty safe assumption that the kernel won't regain MPX supported). > > > > > > E.g. in rough pseudocode > > > > > > if (boot_cpu_has(X86_FEATURE_SHSTK)) { > > > rdmsrl(MSR_IA32_PLx_SSP, host_plx_ssp); > > > > > > if (WARN_ON_ONCE(host_pl0_ssp || host_pl1_ssp || host_pl2_ssp)) > > > return -EIO; > > > } > > > > The function in question returns void and wouldn't be able to return a > > failure code to callers. We would have to rework this path in order to > > fail in this way. Is it sufficient to just WARN_ON_ONCE here or is there > > some other way we can cause KVM to fail to load here? > > Sorry, I should have been more explicit than "it probably make sense for KVM to > refuse to load". The above would go somewhere in __kvm_x86_vendor_init(). I see, in that case that change should probably go up with: "KVM:x86: Enable CET virtualization for VMX and advertise to userspace" in Weijiang Yang's series with the rest of the changes to __kvm_x86_vendor_init(). Though I can tack it on in my series if needed.
On 8/2/2023 1:03 AM, John Allen wrote: > On Tue, Aug 01, 2023 at 09:28:11AM -0700, Sean Christopherson wrote: >> On Tue, Aug 01, 2023, John Allen wrote: >>> On Fri, Jun 23, 2023 at 02:11:46PM -0700, Sean Christopherson wrote: >>>> On Wed, May 24, 2023, John Allen wrote: >>>> As for the values themselves, the kernel doesn't support Supervisor Shadow Stacks >>>> (SSS), so PL0-2_SSP are guaranteed to be zero. And if/when SSS support is added, >>>> I doubt the kernel will ever use PL1_SSP or PL2_SSP, so those can probably be >>>> ignored entirely, and PL0_SSP might be constant per task? In other words, I don't >>>> see any reason to try and track the host values for support that doesn't exist, >>>> just do what VMX does for BNDCFGS and yell if the MSRs are non-zero. Though for >>>> SSS it probably makes sense for KVM to refuse to load (KVM continues on for BNDCFGS >>>> because it's a pretty safe assumption that the kernel won't regain MPX supported). >>>> >>>> E.g. in rough pseudocode >>>> >>>> if (boot_cpu_has(X86_FEATURE_SHSTK)) { >>>> rdmsrl(MSR_IA32_PLx_SSP, host_plx_ssp); >>>> >>>> if (WARN_ON_ONCE(host_pl0_ssp || host_pl1_ssp || host_pl2_ssp)) >>>> return -EIO; >>>> } >>> The function in question returns void and wouldn't be able to return a >>> failure code to callers. We would have to rework this path in order to >>> fail in this way. Is it sufficient to just WARN_ON_ONCE here or is there >>> some other way we can cause KVM to fail to load here? >> Sorry, I should have been more explicit than "it probably make sense for KVM to >> refuse to load". The above would go somewhere in __kvm_x86_vendor_init(). > I see, in that case that change should probably go up with: > "KVM:x86: Enable CET virtualization for VMX and advertise to userspace" > in Weijiang Yang's series with the rest of the changes to > __kvm_x86_vendor_init(). Though I can tack it on in my series if > needed. The downside with above WARN_ON check is, KVM has to clear PL{0,1,2}_SSP for all CPUs when SVM/VMX module is unloaded given guest would use them, otherwise, it may hit the check next time the module is reloaded. Can we add check as below to make it easier? @@ -9616,6 +9618,24 @@ static int __kvm_x86_vendor_init(struct kvm_x86_init_ops *ops) return -EIO; } + if (boot_cpu_has(X86_FEATURE_SHSTK)) { + rdmsrl(MSR_IA32_S_CET, host_s_cet); + if (host_s_cet & CET_SHSTK_EN) { + /* + * Current CET KVM solution assumes host supervisor + * shadow stack is always disable. If it's enabled + * on host side, the guest supervisor states would + * conflict with that of host's. When host supervisor + * shadow stack is enabled one day, part of guest CET + * enabling code should be refined to make both parties + * work properly. Right now stop KVM module loading + * once host supervisor shadow stack is detected on. + */ + pr_err("Host supervisor shadow stack is not compatible with KVM!\n"); + return -EIO; + } + } + x86_emulator_cache = kvm_alloc_emulator_cache(); if (!x86_emulator_cache) { pr_err("failed to allocate cache for x86 emulator\n"); Anyway, these PLx_SSP only takes effect when SSS is enabled on host, otherwise, they can used as scratch registers when SHSTK is available.
On Wed, Aug 02, 2023, Weijiang Yang wrote: > > On 8/2/2023 1:03 AM, John Allen wrote: > > On Tue, Aug 01, 2023 at 09:28:11AM -0700, Sean Christopherson wrote: > > > On Tue, Aug 01, 2023, John Allen wrote: > > > > On Fri, Jun 23, 2023 at 02:11:46PM -0700, Sean Christopherson wrote: > > > > > On Wed, May 24, 2023, John Allen wrote: > > > > > As for the values themselves, the kernel doesn't support Supervisor Shadow Stacks > > > > > (SSS), so PL0-2_SSP are guaranteed to be zero. And if/when SSS support is added, > > > > > I doubt the kernel will ever use PL1_SSP or PL2_SSP, so those can probably be > > > > > ignored entirely, and PL0_SSP might be constant per task? In other words, I don't > > > > > see any reason to try and track the host values for support that doesn't exist, > > > > > just do what VMX does for BNDCFGS and yell if the MSRs are non-zero. Though for > > > > > SSS it probably makes sense for KVM to refuse to load (KVM continues on for BNDCFGS > > > > > because it's a pretty safe assumption that the kernel won't regain MPX supported). > > > > > > > > > > E.g. in rough pseudocode > > > > > > > > > > if (boot_cpu_has(X86_FEATURE_SHSTK)) { > > > > > rdmsrl(MSR_IA32_PLx_SSP, host_plx_ssp); > > > > > > > > > > if (WARN_ON_ONCE(host_pl0_ssp || host_pl1_ssp || host_pl2_ssp)) > > > > > return -EIO; > > > > > } > > > > The function in question returns void and wouldn't be able to return a > > > > failure code to callers. We would have to rework this path in order to > > > > fail in this way. Is it sufficient to just WARN_ON_ONCE here or is there > > > > some other way we can cause KVM to fail to load here? > > > Sorry, I should have been more explicit than "it probably make sense for KVM to > > > refuse to load". The above would go somewhere in __kvm_x86_vendor_init(). > > I see, in that case that change should probably go up with: > > "KVM:x86: Enable CET virtualization for VMX and advertise to userspace" > > in Weijiang Yang's series with the rest of the changes to > > __kvm_x86_vendor_init(). Though I can tack it on in my series if > > needed. > > The downside with above WARN_ON check is, KVM has to clear PL{0,1,2}_SSP for > all CPUs when SVM/VMX module is unloaded given guest would use them, otherwise, > it may hit the check next time the module is reloaded. Off topic, can you please try to fix your mail client? Almost of your replies have extra newlines. I'm guessing something is auto-wrapping at 80 chars, and doing it poorly. > Can we add check as below to make it easier? Hmm, yeah, that makes sense. I based my suggestion off of what KVM does for MPX, but I forgot that KVM clears MSR_IA32_BNDCFGS on VM-Exit via the VMCS, i.e. effectively does preserve the host value so long as the host value is zero. Not clearing the MSRs on module exit is a bit uncouth, but this is more or less the same situation/argument for not doing INVEPT on module exit. It's unsafe for a module to assume that there aren't TLB entries for a given EP4TA, because even if all sources of EPTPs (hypervisor/KVM modules) are well-intentioned and *try* to clean up after themselves, it's always possible that a module crashed or was buggy. I.e. asserting the the PLx_SSP MSRs are zero is simply wrong, whereas asserting that SSS is not enabled is correct. > @@ -9616,6 +9618,24 @@ static int __kvm_x86_vendor_init(struct > kvm_x86_init_ops *ops) > return -EIO; > } > > + if (boot_cpu_has(X86_FEATURE_SHSTK)) { > + rdmsrl(MSR_IA32_S_CET, host_s_cet); > + if (host_s_cet & CET_SHSTK_EN) { Make this a WARN_ON_ONCE() and drop the pr_err(). Hitting this would very much be a kernel bug, e.g. either someone added SSS support and neglected to update KVM, or the kernel's MSR_IA32_S_CET is corrupted. > + /* > + * Current CET KVM solution assumes host supervisor > + * shadow stack is always disable. If it's enabled > + * on host side, the guest supervisor states would > + * conflict with that of host's. When host > supervisor > + * shadow stack is enabled one day, part of guest > CET > + * enabling code should be refined to make both > parties > + * work properly. Right now stop KVM module loading > + * once host supervisor shadow stack is detected on. I don't think we need to have a super elaborate comment, stating that SSS isn't support and so KVM doesn't save/restore PLx_SSP MSRs should suffice. > + */ Put the comment above the if-statment that has the WARN. That reduces the indentation, and avoids the question of whether or not a comment above a single line is supposed to have curly braces. E.g. something like this, though I think even the below comment is probably unnecessarily verbose. /* * Linux doesn't yet support supervisor shadow stacks (SSS), so * so KVM doesn't save/restore the associated MSRs, i.e. KVM * may clobber the host values. Yell and refuse to load if SSS * is unexpectedly enabled, e.g. to avoid crashing the host. */ if (WARN_ON_ONCE(host_s_cet & CET_SHSTK_EN)) Thanks!
On 8/3/2023 12:38 AM, Sean Christopherson wrote: > On Wed, Aug 02, 2023, Weijiang Yang wrote: >> On 8/2/2023 1:03 AM, John Allen wrote: >>> On Tue, Aug 01, 2023 at 09:28:11AM -0700, Sean Christopherson wrote: >>>> On Tue, Aug 01, 2023, John Allen wrote: >>>>> On Fri, Jun 23, 2023 at 02:11:46PM -0700, Sean Christopherson wrote: >>>>>> On Wed, May 24, 2023, John Allen wrote: >>>>>> As for the values themselves, the kernel doesn't support Supervisor Shadow Stacks >>>>>> (SSS), so PL0-2_SSP are guaranteed to be zero. And if/when SSS support is added, >>>>>> I doubt the kernel will ever use PL1_SSP or PL2_SSP, so those can probably be >>>>>> ignored entirely, and PL0_SSP might be constant per task? In other words, I don't >>>>>> see any reason to try and track the host values for support that doesn't exist, >>>>>> just do what VMX does for BNDCFGS and yell if the MSRs are non-zero. Though for >>>>>> SSS it probably makes sense for KVM to refuse to load (KVM continues on for BNDCFGS >>>>>> because it's a pretty safe assumption that the kernel won't regain MPX supported). >>>>>> >>>>>> E.g. in rough pseudocode >>>>>> >>>>>> if (boot_cpu_has(X86_FEATURE_SHSTK)) { >>>>>> rdmsrl(MSR_IA32_PLx_SSP, host_plx_ssp); >>>>>> >>>>>> if (WARN_ON_ONCE(host_pl0_ssp || host_pl1_ssp || host_pl2_ssp)) >>>>>> return -EIO; >>>>>> } >>>>> The function in question returns void and wouldn't be able to return a >>>>> failure code to callers. We would have to rework this path in order to >>>>> fail in this way. Is it sufficient to just WARN_ON_ONCE here or is there >>>>> some other way we can cause KVM to fail to load here? >>>> Sorry, I should have been more explicit than "it probably make sense for KVM to >>>> refuse to load". The above would go somewhere in __kvm_x86_vendor_init(). >>> I see, in that case that change should probably go up with: >>> "KVM:x86: Enable CET virtualization for VMX and advertise to userspace" >>> in Weijiang Yang's series with the rest of the changes to >>> __kvm_x86_vendor_init(). Though I can tack it on in my series if >>> needed. >> The downside with above WARN_ON check is, KVM has to clear PL{0,1,2}_SSP for >> all CPUs when SVM/VMX module is unloaded given guest would use them, otherwise, >> it may hit the check next time the module is reloaded. > Off topic, can you please try to fix your mail client? Almost of your replies > have extra newlines. I'm guessing something is auto-wrapping at 80 chars, and > doing it poorly. Sorry for that. Some of the blank lines are added by me, and some are auto-added by the editor. I changed the settings and will avoid to do so. >> Can we add check as below to make it easier? > Hmm, yeah, that makes sense. I based my suggestion off of what KVM does for MPX, > but I forgot that KVM clears MSR_IA32_BNDCFGS on VM-Exit via the VMCS, i.e. > effectively does preserve the host value so long as the host value is zero. > > Not clearing the MSRs on module exit is a bit uncouth, but this is more or less > the same situation/argument for not doing INVEPT on module exit. It's unsafe for > a module to assume that there aren't TLB entries for a given EP4TA, because even > if all sources of EPTPs (hypervisor/KVM modules) are well-intentioned and *try* > to clean up after themselves, it's always possible that a module crashed or was > buggy. I.e. asserting the the PLx_SSP MSRs are zero is simply wrong, whereas > asserting that SSS is not enabled is correct. OK. >> @@ -9616,6 +9618,24 @@ static int __kvm_x86_vendor_init(struct >> kvm_x86_init_ops *ops) >> return -EIO; >> } >> >> + if (boot_cpu_has(X86_FEATURE_SHSTK)) { >> + rdmsrl(MSR_IA32_S_CET, host_s_cet); >> + if (host_s_cet & CET_SHSTK_EN) { > Make this a WARN_ON_ONCE() and drop the pr_err(). Hitting this would very much > be a kernel bug, e.g. either someone added SSS support and neglected to update > KVM, or the kernel's MSR_IA32_S_CET is corrupted. OK, will change it. >> + /* >> + * Current CET KVM solution assumes host supervisor >> + * shadow stack is always disable. If it's enabled >> + * on host side, the guest supervisor states would >> + * conflict with that of host's. When host >> supervisor >> + * shadow stack is enabled one day, part of guest >> CET >> + * enabling code should be refined to make both >> parties >> + * work properly. Right now stop KVM module loading >> + * once host supervisor shadow stack is detected on. > I don't think we need to have a super elaborate comment, stating that SSS isn't > support and so KVM doesn't save/restore PLx_SSP MSRs should suffice. > >> + */ > Put the comment above the if-statment that has the WARN. That reduces the > indentation, and avoids the question of whether or not a comment above a single > line is supposed to have curly braces. > > E.g. something like this, though I think even the below comment is probably > unnecessarily verbose. > > /* > * Linux doesn't yet support supervisor shadow stacks (SSS), so > * so KVM doesn't save/restore the associated MSRs, i.e. KVM > * may clobber the host values. Yell and refuse to load if SSS > * is unexpectedly enabled, e.g. to avoid crashing the host. > */ > if (WARN_ON_ONCE(host_s_cet & CET_SHSTK_EN)) I will keep these comments as some hints to end users when something unexpected happens! Thanks a lot!
diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index c25aeb550cd9..03dd68bddd51 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -3028,6 +3028,19 @@ void sev_es_prepare_switch_to_guest(struct sev_es_save_area *hostsa) /* MSR_IA32_XSS is restored on VMEXIT, save the currnet host value */ hostsa->xss = host_xss; + + if (boot_cpu_has(X86_FEATURE_SHSTK)) { + /* + * MSR_IA32_U_CET, MSR_IA32_PL0_SSP, MSR_IA32_PL1_SSP, + * MSR_IA32_PL2_SSP, and MSR_IA32_PL3_SSP are restored on + * VMEXIT, save the current host values. + */ + rdmsrl(MSR_IA32_U_CET, hostsa->u_cet); + rdmsrl(MSR_IA32_PL0_SSP, hostsa->vmpl0_ssp); + rdmsrl(MSR_IA32_PL1_SSP, hostsa->vmpl1_ssp); + rdmsrl(MSR_IA32_PL2_SSP, hostsa->vmpl2_ssp); + rdmsrl(MSR_IA32_PL3_SSP, hostsa->vmpl3_ssp); + } } void sev_vcpu_deliver_sipi_vector(struct kvm_vcpu *vcpu, u8 vector)