On 25/08/2025 3:51 am, Xin Li wrote:
> On 8/21/2025 3:36 PM, Xin Li (Intel) wrote:
>> + /*
>> + * MSR_IA32_FRED_RSP0 and MSR_IA32_PL0_SSP (aka
>> MSR_IA32_FRED_SSP0) are
>> + * designated for event delivery while executing in userspace.
>> Since
>> + * KVM operates exclusively in kernel mode (the CPL is always 0
>> after
>> + * any VM exit), KVM can safely retain and operate with the
>> guest-defined
>> + * values for MSR_IA32_FRED_RSP0 and MSR_IA32_PL0_SSP.
>> + *
>> + * Therefore, interception of MSR_IA32_FRED_RSP0 and
>> MSR_IA32_PL0_SSP
>> + * is not required.
>> + *
>> + * Note, save and restore of MSR_IA32_PL0_SSP belong to CET
>> supervisor
>> + * context management. However the FRED SSP MSRs, including
>> + * MSR_IA32_PL0_SSP, are supported by any processor that
>> enumerates FRED.
>> + * If such a processor does not support CET, FRED transitions
>> will not
>> + * use the MSRs, but the MSRs would still be accessible using
>> MSR-access
>> + * instructions (e.g., RDMSR, WRMSR).
>> + */
>> + vmx_set_intercept_for_msr(vcpu, MSR_IA32_FRED_RSP0, MSR_TYPE_RW,
>> intercept);
>> + vmx_set_intercept_for_msr(vcpu, MSR_IA32_PL0_SSP, MSR_TYPE_RW,
>> intercept);
>
> Hi Sean,
>
> I'd like to bring up an issue concerning MSR_IA32_PL0_SSP.
>
> The FRED spec claims:
>
> The FRED SSP MSRs are supported by any processor that enumerates
> CPUID.(EAX=7,ECX=1):EAX.FRED[bit 17] as 1. If such a processor does not
> support CET, FRED transitions will not use the MSRs (because shadow
> stacks
> are not enabled), but the MSRs would still be accessible using MSR-access
> instructions (e.g., RDMSR, WRMSR).
This is silly. AIUI, all CPUs that have FRED also have CET-SS, so in
practice they all have these MSRs.
But from an architectural point of view, if CET-SS isn't available,
these MSRs shouldn't be either. A guest which can't use CET-SS has no
reason to touch these MSRs at all.
MSR_PL0_SSP (== MSR_FRED_SSP_SL0) is gated on CET-SS alone (it already
exists in CPUs), while MSR_FRED_SSP_SL{1..3} should be gated on CET-SS
&& FRED, and should be reserved[1] otherwise.
This distinction only matters for guests, and adding the CET-SS
precondition makes things simpler overall for both VMMs and guests. So
can't this just be fixed up before being integrated into the SDM?
~Andrew
[1] I have a sneaking suspicion there's a SKU reason why the spec is
written that way, and "Reserved" is still the right behaviour to have
for !CET-SS || !FRED.
