Re: [PATCH v10 27/27] KVM: x86: Don't emulate instructions guarded by CET

From: Yang, Weijiang
Date: Mon May 06 2024 - 05:26:56 EST


On 5/2/2024 7:24 AM, Sean Christopherson wrote:
> On Sun, Feb 18, 2024, Yang Weijiang wrote:
> > Don't emulate branch instructions, e.g., CALL/RET/JMP, when CET is
> > active in the guest; instead, return KVM_INTERNAL_ERROR_EMULATION to
> > userspace to handle it.
> >
> > KVM doesn't emulate the CPU's CET checks while emulating guest
> > instructions; instead, it stops emulation on detecting that the
> > instruction being processed is CET protected. By doing so, it can avoid
> > generating bogus #CP in the guest and prevent subversion of CET-protected
> > execution flow from the guest side.
> >
> > Suggested-by: Chao Gao <chao.gao@xxxxxxxxx>
> > Signed-off-by: Yang Weijiang <weijiang.yang@xxxxxxxxx>
> > ---
> This should be ordered before CET is exposed to userspace, e.g. so that KVM's
> ABI is well defined when CET support becomes usable.

Sure, thanks!
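The policy the commit message describes (stop emulating rather than fake the CPU's CET checks) can be modelled outside KVM. The following is an added example, not code from the patch or from KVM: `emulate_insn`, `guest_cet`, the `insn_kind` classes and the `EMUL_*` result codes are hypothetical names for this model. The CR4.CET and MSR_IA32_{S,U}_CET bit positions are the architectural ones. The model refuses only instructions protected by a CET feature that is actually enabled for the guest's current privilege level, so a direct relative JMP still emulates under shadow-stack-only CET, while an indirect JMP is refused once ENDBR tracking is on; which exact instructions the real emulator flags is an assumption here, not taken from the page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural CET enable bits: CR4.CET and the MSR_IA32_{S,U}_CET controls. */
#define X86_CR4_CET      (1ULL << 23)
#define CET_SHSTK_EN     (1ULL << 0)   /* shadow stack enabled for this CPL set */
#define CET_ENDBR_EN     (1ULL << 2)   /* indirect branch tracking enabled */

/* Hypothetical result codes for this model. KVM itself fails the emulation
 * and reports KVM_INTERNAL_ERROR_EMULATION to userspace. */
enum emul_result { EMUL_OK = 0, EMUL_REFUSED = 1 };

/* Instruction classes the model distinguishes (constructed, not KVM's decode tables). */
enum insn_kind {
    INSN_MOV,            /* plain data move, never CET protected */
    INSN_JMP_REL,        /* direct relative jump: no shadow stack or IBT involvement */
    INSN_CALL_REL,       /* direct near call: pushes return address on the shadow stack */
    INSN_RET,            /* near return: pops and compares against the shadow stack */
    INSN_IRET,           /* interrupt return: shadow stack checks */
    INSN_JMP_INDIRECT,   /* indirect jump: IBT requires ENDBR at the target */
    INSN_CALL_INDIRECT,  /* indirect call: both shadow stack and IBT */
};

/* Minimal guest CET state, constructed for the example. */
struct guest_cet {
    uint64_t cr4;
    uint64_t msr_s_cet;  /* supervisor (CPL 0-2) controls */
    uint64_t msr_u_cet;  /* user (CPL 3) controls */
    int cpl;
};

static uint64_t active_cet_msr(const struct guest_cet *g)
{
    return g->cpl == 3 ? g->msr_u_cet : g->msr_s_cet;
}

static bool shstk_active(const struct guest_cet *g)
{
    return (g->cr4 & X86_CR4_CET) && (active_cet_msr(g) & CET_SHSTK_EN);
}

static bool ibt_active(const struct guest_cet *g)
{
    return (g->cr4 & X86_CR4_CET) && (active_cet_msr(g) & CET_ENDBR_EN);
}

static bool insn_touches_shstk(enum insn_kind k)
{
    switch (k) {
    case INSN_CALL_REL:
    case INSN_CALL_INDIRECT:
    case INSN_RET:
    case INSN_IRET:
        return true;
    default:
        return false;
    }
}

static bool insn_is_ibt_tracked(enum insn_kind k)
{
    return k == INSN_JMP_INDIRECT || k == INSN_CALL_INDIRECT;
}

/* The policy from the patch: refuse to emulate (rather than approximate the
 * CPU's #CP behaviour) when the instruction is protected by a CET feature that
 * is currently active for the guest's privilege level. */
enum emul_result emulate_insn(const struct guest_cet *g, enum insn_kind k)
{
    if (insn_touches_shstk(k) && shstk_active(g))
        return EMUL_REFUSED;
    if (insn_is_ibt_tracked(k) && ibt_active(g))
        return EMUL_REFUSED;
    return EMUL_OK;
}

int main(void)
{
    /* Constructed guest: CR4.CET set, user shadow stack on, IBT off, CPL 3. */
    struct guest_cet g = { .cr4 = X86_CR4_CET, .msr_u_cet = CET_SHSTK_EN, .cpl = 3 };

    printf("RET under user SHSTK:        %s\n",
           emulate_insn(&g, INSN_RET) == EMUL_REFUSED ? "refused" : "emulated");
    printf("direct JMP under user SHSTK: %s\n",
           emulate_insn(&g, INSN_JMP_REL) == EMUL_REFUSED ? "refused" : "emulated");

    g.msr_u_cet |= CET_ENDBR_EN;   /* now also enable IBT for user mode */
    printf("indirect JMP with user IBT:  %s\n",
           emulate_insn(&g, INSN_JMP_INDIRECT) == EMUL_REFUSED ? "refused" : "emulated");
    return 0;
}
```

The CPL split matters for the ordering point raised in the review: a guest with shadow stacks enabled only for user mode must still get its supervisor-mode RETs emulated, and refusing them would be a visible ABI change, which is why the behaviour needs to be settled before CET is exposed to userspace.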