From: "Yang, Weijiang" <weijiang.yang@intel.com>
To: Sean Christopherson <seanjc@google.com>
Cc: <pbonzini@redhat.com>, <dave.hansen@intel.com>, <x86@kernel.org>,
<kvm@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
<peterz@infradead.org>, <chao.gao@intel.com>,
<rick.p.edgecombe@intel.com>, <mlevitsk@redhat.com>,
<john.allen@amd.com>
Subject: Re: [PATCH v10 24/27] KVM: x86: Enable CET virtualization for VMX and advertise to userspace
Date: Fri, 17 May 2024 16:04:38 +0800 [thread overview]
Message-ID: <f80b1b68-fd29-4fbe-bcbd-782932432937@intel.com> (raw)
In-Reply-To: <ZkYbdaW-2p9wHwEL@google.com>
On 5/16/2024 10:43 PM, Sean Christopherson wrote:
> On Thu, May 16, 2024, Weijiang Yang wrote:
>> On 5/6/2024 5:41 PM, Yang, Weijiang wrote:
>>> On 5/2/2024 7:34 AM, Sean Christopherson wrote:
>>>> On Sun, Feb 18, 2024, Yang Weijiang wrote:
>>>>> @@ -665,7 +665,7 @@ void kvm_set_cpu_caps(void)
>>>>> F(AVX512_VPOPCNTDQ) | F(UMIP) | F(AVX512_VBMI2) | F(GFNI) |
>>>>> F(VAES) | F(VPCLMULQDQ) | F(AVX512_VNNI) | F(AVX512_BITALG) |
>>>>> F(CLDEMOTE) | F(MOVDIRI) | F(MOVDIR64B) | 0 /*WAITPKG*/ |
>>>>> - F(SGX_LC) | F(BUS_LOCK_DETECT)
>>>>> + F(SGX_LC) | F(BUS_LOCK_DETECT) | F(SHSTK)
>>>>> );
>>>>> /* Set LA57 based on hardware capability. */
>>>>> if (cpuid_ecx(7) & F(LA57))
>>>>> @@ -683,7 +683,8 @@ void kvm_set_cpu_caps(void)
>>>>> F(SPEC_CTRL_SSBD) | F(ARCH_CAPABILITIES) | F(INTEL_STIBP) |
>>>>> F(MD_CLEAR) | F(AVX512_VP2INTERSECT) | F(FSRM) |
>>>>> F(SERIALIZE) | F(TSXLDTRK) | F(AVX512_FP16) |
>>>>> - F(AMX_TILE) | F(AMX_INT8) | F(AMX_BF16) | F(FLUSH_L1D)
>>>>> + F(AMX_TILE) | F(AMX_INT8) | F(AMX_BF16) | F(FLUSH_L1D) |
>>>>> + F(IBT)
>>>>> );
>>>> ...
>>>>
>>>>> @@ -7977,6 +7993,18 @@ static __init void vmx_set_cpu_caps(void)
>>>>> if (cpu_has_vmx_waitpkg())
>>>>> kvm_cpu_cap_check_and_set(X86_FEATURE_WAITPKG);
>>>>> +
>>>>> + /*
>>>>> + * Disable CET if unrestricted_guest is unsupported as KVM doesn't
>>>>> + * enforce CET HW behaviors in emulator. On platforms with
>>>>> + * VMX_BASIC[bit56] == 0, inject #CP at VMX entry with error code
>>>>> + * fails, so disable CET in this case too.
>>>>> + */
>>>>> + if (!cpu_has_load_cet_ctrl() || !enable_unrestricted_guest ||
>>>>> + !cpu_has_vmx_basic_no_hw_errcode()) {
>>>>> + kvm_cpu_cap_clear(X86_FEATURE_SHSTK);
>>>>> + kvm_cpu_cap_clear(X86_FEATURE_IBT);
>>>>> + }
>>>> Oh! Almost missed it. This patch should explicitly kvm_cpu_cap_clear()
>>>> X86_FEATURE_SHSTK and X86_FEATURE_IBT. We *know* there are upcoming AMD CPUs
>>>> that support at least SHSTK, so enumerating support for common code would yield
>>>> a version of KVM that incorrectly advertises support for SHSTK.
>>>>
>>>> I hope to land both Intel and AMD virtualization in the same kernel release, but
>>>> there are no guarantees that will happen. And explicitly clearing both SHSTK and
>>>> IBT would guard against IBT showing up in some future AMD CPU in advance of KVM
>>>> gaining full support.
>>> Let me be clear on this, you want me to disable SHSTK/IBT with
>>> kvm_cpu_cap_clear() unconditionally for now in this patch, and wait until
>>> both AMD's SVM patches and this series are ready for guest CET, then remove
>>> the disabling code in this patch for final merge, am I right?
> No, allow it to be enabled for VMX, but explicitly disable it for SVM, i.e.
>
> diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
> index 4aaffbf22531..b3df12af4ee6 100644
> --- a/arch/x86/kvm/svm/svm.c
> +++ b/arch/x86/kvm/svm/svm.c
> @@ -5125,6 +5125,10 @@ static __init void svm_set_cpu_caps(void)
> kvm_caps.supported_perf_cap = 0;
> kvm_caps.supported_xss = 0;
>
> + /* KVM doesn't yet support CET virtualization for SVM. */
> + kvm_cpu_cap_clear(X86_FEATURE_SHSTK);
> + kvm_cpu_cap_clear(X86_FEATURE_IBT);
> +
> /* CPUID 0x80000001 and 0x8000000A (SVM features) */
> if (nested) {
> kvm_cpu_cap_set(X86_FEATURE_SVM);
>
> Then the SVM series can simply delete those lines when all is ready.
Understood, thanks!
next prev parent reply other threads:[~2024-05-17 8:04 UTC|newest]
Thread overview: 94+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-19 7:47 [PATCH v10 00/27] Enable CET Virtualization Yang Weijiang
2024-02-19 7:47 ` [PATCH v10 01/27] x86/fpu/xstate: Always preserve non-user xfeatures/flags in __state_perm Yang Weijiang
2024-02-19 7:47 ` [PATCH v10 02/27] x86/fpu/xstate: Refine CET user xstate bit enabling Yang Weijiang
2024-02-19 7:47 ` [PATCH v10 03/27] x86/fpu/xstate: Add CET supervisor mode state support Yang Weijiang
2024-02-19 7:47 ` [PATCH v10 04/27] x86/fpu/xstate: Introduce XFEATURE_MASK_KERNEL_DYNAMIC xfeature set Yang Weijiang
2024-05-01 18:45 ` Sean Christopherson
2024-05-02 17:46 ` Dave Hansen
2024-05-07 22:57 ` Sean Christopherson
2024-05-07 23:17 ` Dave Hansen
2024-05-08 1:19 ` Yang, Weijiang
2024-02-19 7:47 ` [PATCH v10 05/27] x86/fpu/xstate: Introduce fpu_guest_cfg for guest FPU configuration Yang Weijiang
2024-02-19 7:47 ` [PATCH v10 06/27] x86/fpu/xstate: Create guest fpstate with guest specific config Yang Weijiang
2024-02-19 7:47 ` [PATCH v10 07/27] x86/fpu/xstate: Warn if kernel dynamic xfeatures detected in normal fpstate Yang Weijiang
2024-02-19 7:47 ` [PATCH v10 08/27] KVM: x86: Rework cpuid_get_supported_xcr0() to operate on vCPU data Yang Weijiang
2024-02-19 7:47 ` [PATCH v10 09/27] KVM: x86: Rename kvm_{g,s}et_msr()* to menifest emulation operations Yang Weijiang
2024-05-01 18:54 ` Sean Christopherson
2024-05-06 5:58 ` Yang, Weijiang
2024-02-19 7:47 ` [PATCH v10 10/27] KVM: x86: Refine xsave-managed guest register/MSR reset handling Yang Weijiang
2024-02-20 3:04 ` Chao Gao
2024-02-20 13:23 ` Yang, Weijiang
2024-05-01 20:40 ` Sean Christopherson
2024-05-06 7:26 ` Yang, Weijiang
2024-02-19 7:47 ` [PATCH v10 11/27] KVM: x86: Add kvm_msr_{read,write}() helpers Yang Weijiang
2024-02-19 7:47 ` [PATCH v10 12/27] KVM: x86: Report XSS as to-be-saved if there are supported features Yang Weijiang
2024-02-19 7:47 ` [PATCH v10 13/27] KVM: x86: Refresh CPUID on write to guest MSR_IA32_XSS Yang Weijiang
2024-02-20 8:51 ` Chao Gao
2024-05-01 20:43 ` Sean Christopherson
2024-05-06 7:30 ` Yang, Weijiang
2024-02-19 7:47 ` [PATCH v10 14/27] KVM: x86: Initialize kvm_caps.supported_xss Yang Weijiang
2024-02-19 7:47 ` [PATCH v10 15/27] KVM: x86: Load guest FPU state when access XSAVE-managed MSRs Yang Weijiang
2024-02-19 7:47 ` [PATCH v10 16/27] KVM: x86: Add fault checks for guest CR4.CET setting Yang Weijiang
2024-02-19 7:47 ` [PATCH v10 17/27] KVM: x86: Report KVM supported CET MSRs as to-be-saved Yang Weijiang
2024-05-01 22:40 ` Sean Christopherson
2024-05-06 8:31 ` Yang, Weijiang
2024-05-07 17:27 ` Sean Christopherson
2024-05-08 7:00 ` Yang, Weijiang
2024-02-19 7:47 ` [PATCH v10 18/27] KVM: VMX: Introduce CET VMCS fields and control bits Yang Weijiang
2024-02-19 7:47 ` [PATCH v10 19/27] KVM: x86: Use KVM-governed feature framework to track "SHSTK/IBT enabled" Yang Weijiang
2024-02-19 7:47 ` [PATCH v10 20/27] KVM: VMX: Emulate read and write to CET MSRs Yang Weijiang
2024-03-12 22:55 ` Sean Christopherson
2024-03-13 9:43 ` Yang, Weijiang
2024-03-13 16:00 ` Sean Christopherson
2024-02-19 7:47 ` [PATCH v10 21/27] KVM: x86: Save and reload SSP to/from SMRAM Yang Weijiang
2024-05-01 22:50 ` Sean Christopherson
2024-05-06 8:41 ` Yang, Weijiang
2024-02-19 7:47 ` [PATCH v10 22/27] KVM: VMX: Set up interception for CET MSRs Yang Weijiang
2024-05-01 23:07 ` Sean Christopherson
2024-05-06 8:48 ` Yang, Weijiang
2024-02-19 7:47 ` [PATCH v10 23/27] KVM: VMX: Set host constant supervisor states to VMCS fields Yang Weijiang
2024-02-19 7:47 ` [PATCH v10 24/27] KVM: x86: Enable CET virtualization for VMX and advertise to userspace Yang Weijiang
2024-05-01 23:15 ` Sean Christopherson
2024-05-01 23:24 ` Edgecombe, Rick P
2024-05-06 9:19 ` Yang, Weijiang
2024-05-06 16:54 ` Sean Christopherson
2024-05-07 2:37 ` Yang, Weijiang
2024-05-06 17:05 ` Edgecombe, Rick P
2024-05-06 23:33 ` Sean Christopherson
2024-05-06 23:53 ` Edgecombe, Rick P
2024-05-07 14:21 ` Sean Christopherson
2024-05-07 14:45 ` Edgecombe, Rick P
2024-05-07 15:08 ` Sean Christopherson
2024-05-07 15:33 ` Edgecombe, Rick P
2024-05-16 7:13 ` Yang, Weijiang
2024-05-16 14:39 ` Sean Christopherson
2024-05-16 15:36 ` Dave Hansen
2024-05-16 16:58 ` Sean Christopherson
2024-05-17 8:27 ` Yang, Weijiang
2024-05-17 8:57 ` Thomas Gleixner
2024-05-17 14:26 ` Sean Christopherson
2024-05-20 9:43 ` Yang, Weijiang
2024-05-20 17:09 ` Sean Christopherson
2024-05-20 17:15 ` Dave Hansen
2024-05-22 9:03 ` Yang, Weijiang
2024-05-22 15:06 ` Edgecombe, Rick P
2024-05-23 10:07 ` Yang, Weijiang
2024-05-22 8:41 ` Yang, Weijiang
2024-05-27 9:05 ` Yang, Weijiang
2024-05-01 23:34 ` Sean Christopherson
2024-05-06 9:41 ` Yang, Weijiang
2024-05-16 7:20 ` Yang, Weijiang
2024-05-16 14:43 ` Sean Christopherson
2024-05-17 8:04 ` Yang, Weijiang [this message]
2024-02-19 7:47 ` [PATCH v10 25/27] KVM: nVMX: Introduce new VMX_BASIC bit for event error_code delivery to L1 Yang Weijiang
2024-05-01 23:19 ` Sean Christopherson
2024-05-06 9:19 ` Yang, Weijiang
2024-02-19 7:47 ` [PATCH v10 26/27] KVM: nVMX: Enable CET support for nested guest Yang Weijiang
2024-05-01 23:23 ` Sean Christopherson
2024-05-06 9:25 ` Yang, Weijiang
2024-02-19 7:47 ` [PATCH v10 27/27] KVM: x86: Don't emulate instructions guarded by CET Yang Weijiang
2024-05-01 23:24 ` Sean Christopherson
2024-05-06 9:26 ` Yang, Weijiang
2024-03-06 14:44 ` [PATCH v10 00/27] Enable CET Virtualization Yang, Weijiang
2024-05-01 23:27 ` Sean Christopherson
2024-05-06 9:31 ` Yang, Weijiang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f80b1b68-fd29-4fbe-bcbd-782932432937@intel.com \
--to=weijiang.yang@intel.com \
--cc=chao.gao@intel.com \
--cc=dave.hansen@intel.com \
--cc=john.allen@amd.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mlevitsk@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peterz@infradead.org \
--cc=rick.p.edgecombe@intel.com \
--cc=seanjc@google.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).