On 8/19/2025 9:11 AM, Sean Christopherson wrote:
On Mon, Aug 11, 2025, Chao Gao wrote:
From: Yang Weijiang <weijiang.yang@xxxxxxxxx>
Enable/disable CET MSRs interception per associated feature configuration.
Shadow Stack feature requires all CET MSRs passed through to guest to make
it supported in user and supervisor mode
I doubt that SS _requires_ CET MSRs to be passed through. IIRC, the actual
reason for passing through most of the MSRs is that they are managed via XSAVE,
i.e. _can't_ be intercepted without also intercepting XRSTOR.
while IBT feature only depends on
MSR_IA32_{U,S}_CETS_CET to enable user and supervisor IBT.
Note, this MSR design introduced an architectural limitation of SHSTK and
IBT control for guest, i.e., when SHSTK is exposed, IBT is also available
to guest from architectural perspective since IBT relies on subset of SHSTK
relevant MSRs.
Suggested-by: Sean Christopherson <seanjc@xxxxxxxxxx>
Signed-off-by: Yang Weijiang <weijiang.yang@xxxxxxxxx>
Tested-by: Mathias Krause <minipli@xxxxxxxxxxxxxx>
Tested-by: John Allen <john.allen@xxxxxxx>
Signed-off-by: Chao Gao <chao.gao@xxxxxxxxx>
---
arch/x86/kvm/vmx/vmx.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index bd572c8c7bc3..130ffbe7dc1a 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -4088,6 +4088,8 @@ void pt_update_intercept_for_msr(struct kvm_vcpu *vcpu)
void vmx_recalc_msr_intercepts(struct kvm_vcpu *vcpu)
{
+ bool set;
s/set/intercept
Maybe because you asked me to change "flag" to "set" when reviewing FRED
patches, however "intercept" does sound better, and I just changed it :)
+
if (!cpu_has_vmx_msr_bitmap())
return;
@@ -4133,6 +4135,24 @@ void vmx_recalc_msr_intercepts(struct kvm_vcpu *vcpu)
vmx_set_intercept_for_msr(vcpu, MSR_IA32_FLUSH_CMD, MSR_TYPE_W,
!guest_cpu_cap_has(vcpu, X86_FEATURE_FLUSH_L1D));
+ if (kvm_cpu_cap_has(X86_FEATURE_SHSTK)) {
+ set = !guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK);
+
+ vmx_set_intercept_for_msr(vcpu, MSR_IA32_PL0_SSP, MSR_TYPE_RW, set);
+ vmx_set_intercept_for_msr(vcpu, MSR_IA32_PL1_SSP, MSR_TYPE_RW, set);
+ vmx_set_intercept_for_msr(vcpu, MSR_IA32_PL2_SSP, MSR_TYPE_RW, set);
+ vmx_set_intercept_for_msr(vcpu, MSR_IA32_PL3_SSP, MSR_TYPE_RW, set);
+ vmx_set_intercept_for_msr(vcpu, MSR_IA32_INT_SSP_TAB, MSR_TYPE_RW, set);
MSR_IA32_INT_SSP_TAB isn't managed via XSAVE, so why is it being passed through?
It's managed in VMCS host and guest areas, i.e. HOST_INTR_SSP_TABLE and
GUEST_INTR_SSP_TABLE, if the "load CET" bits are set in both VM entry
and exit controls.
FRED MSRs are also passed through to guest in such cases.
no?
