On Tue, Aug 26, 2025, Xin Li wrote:
>
> > > Hi Sean,
> > >
> > > I'd like to bring up an issue concerning MSR_IA32_PL0_SSP.
> > >
> > > The FRED spec claims:
> > >
> > > The FRED SSP MSRs are supported by any processor that enumerates
> > > CPUID.(EAX=7,ECX=1):EAX.FRED[bit 17] as 1. If such a processor does not
> > > support CET, FRED transitions will not use the MSRs (because shadow stacks
> > > are not enabled), but the MSRs would still be accessible using MSR-access
> > > instructions (e.g., RDMSR, WRMSR).
> > >
> > > It means KVM needs to handle MSR_IA32_PL0_SSP even when FRED is supported
> > > but CET is not. And this can be broken down into two subtasks:
> > >
> > > 1) Allow such a guest to access MSR_IA32_PL0_SSP w/o triggering #GP. And
> > > this behavior is already implemented in patch 8 of this series.
> > >
> > > 2) Save and restore MSR_IA32_PL0_SSP in both KVM and Qemu for such a guest.
> >
> > What novel work needs to be done in KVM? For QEMU, I assume it's just adding an
> > "or FRED" somewhere. For KVM, I'm missing what additional work would be required
> > that wouldn't be naturally covered by patch 8 (assuming patch 8 is bug-free).
>
> Extra patches:
>
> 1) A patch to save/restore guest MSR_IA32_PL0_SSP (i.e., FRED SSP0), as
> what we have done for RSP0, following is the patch on top of the patch
> saving/restoring RSP0:
>
> diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
> index 449a5e02c7de..0bf684342a71 100644
> --- a/arch/x86/kvm/vmx/vmx.c
> +++ b/arch/x86/kvm/vmx/vmx.c
> @@ -1294,8 +1294,13 @@ void vmx_prepare_switch_to_guest(struct kvm_vcpu *vcpu)
>
> wrmsrq(MSR_KERNEL_GS_BASE, vmx->msr_guest_kernel_gs_base);
>
> - if (guest_cpu_cap_has(vcpu, X86_FEATURE_FRED))
> + if (guest_cpu_cap_has(vcpu, X86_FEATURE_FRED)) {
> wrmsrns(MSR_IA32_FRED_RSP0, vmx->msr_guest_fred_rsp0);
> +
> + /* XSAVES/XRSTORS do not cover SSP MSRs */
Eww. I'm with Andrew, fix the SDM. This is silly.
> + if (!kvm_cpu_cap_has(X86_FEATURE_SHSTK))
> + wrmsrns(MSR_IA32_FRED_SSP0, vmx->msr_guest_fred_ssp0);
FWIW, if we can't get an SDM change, don't bother with RDMSR/WRMSRNS, just
configure KVM to intercept accesses. Then in kvm_set_msr_common(), pivot on
X86_FEATURE_SHSTK, e.g.
case MSR_IA32_U_CET:
case MSR_IA32_PL0_SSP ... MSR_IA32_PL3_SSP:
if (!kvm_cpu_cap_has(X86_FEATURE_SHSTK)) {
WARN_ON_ONCE(msr != MSR_IA32_FRED_SSP0);
vcpu->arch.fred_rsp0_fallback = data;
break;
}
kvm_set_xstate_msr(vcpu, msr_info);
break;
and
case MSR_IA32_U_CET:
case MSR_IA32_PL0_SSP ... MSR_IA32_PL3_SSP:
if (!kvm_cpu_cap_has(X86_FEATURE_SHSTK)) {
WARN_ON_ONCE(msr_info->index != MSR_IA32_FRED_SSP0);
vcpu->arch.fred_rsp0_fallback = msr_info->data;
break;
}
kvm_get_xstate_msr(vcpu, msr_info);
break;
