Re: [PATCH v8 00/26] Enable CET Virtualization

From: Jim Mattson
Date: Thu Jan 04 2024 - 19:44:52 EST

Next message: Vanshidhar Konda: "Re: [PATCH] cpufreq: CPPC: Resolve the large frequency discrepancy from cpuinfo_cur_freq"
Previous message: pr-tracker-bot: "Re: [GIT PULL] Networking for v6.7-rc9"
In reply to: Edgecombe, Rick P: "Re: [PATCH v8 00/26] Enable CET Virtualization"
Next in thread: Sean Christopherson: "Re: [PATCH v8 00/26] Enable CET Virtualization"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Jan 4, 2024 at 4:34 PM Edgecombe, Rick P
<rick.p.edgecombe@xxxxxxxxx> wrote:
>
> On Thu, 2024-01-04 at 16:22 -0800, Sean Christopherson wrote:
> > No, the days of KVM making shit up from are done. IIUC, you're
> > advocating that
> > it's ok for KVM to induce a #CP that architecturally should not
> > happen. That is
> > not acceptable, full stop.
>
> Nope, not advocating that at all. I'm noticing that in this series KVM
> has special emulator behavior that doesn't match the HW when CET is
> enabled. That it *skips* emitting #CPs (and other CET behaviors SW
> depends on), and wondering if it is a problem.
>
> I'm worried that there is some way attackers will induce the host to
> emulate an instruction and skip CET enforcement that the HW would
> normally do.
>
> >
> > Retrying the instruction in the guest, exiting to userspace, and even
> > terminating
> > the VM are all perfectly acceptable behaviors if KVM encounters
> > something it can't
> > *correctly* emulate. But clobbering the shadow stack or not
> > detecting a CFI
> > violation, even if the guest is misbehaving, is not ok.
> >
> [snip]
> > Yeah, I don't even know what the TRACKER bit does (I don't feel like
> > reading the
> > SDM right now), let alone if what KVM does or doesn't do in response
> > is remotely
> > correct.
> >
> > For CALL/RET (and presumably any branch instructions with IBT?) other
> > instructions
> > that are directly affected by CET, the simplest thing would probably
> > be to disable
> > those in KVM's emulator if shadow stacks and/or IBT are enabled, and
> > let KVM's
> > failure paths take it from there.
>
> Right, that is what I was wondering might be the normal solution for
> situations like this.

On AMD CPUs and on Intel CPUs with "unrestricted guest," I don't think
there is any need to emulate an instruction that doesn't either (a)
cause a VM-exit by opcode (e.g. CPUID) or (b) access memory. I think
we should probably disable emulation of anything else, for both
security and sanity.

> >
> > Then, *if* a use case comes along where the guest is utilizing CET
> > and "needs"
> > KVM to emulate affected instructions, we can add the necessary
> > support the emulator.
> >
> > Alternatively, if teaching KVM's emulator to play nice with shadow
> > stacks and IBT
> > is easy-ish, just do that.
>
> I think it will not be very easy.

Next message: Vanshidhar Konda: "Re: [PATCH] cpufreq: CPPC: Resolve the large frequency discrepancy from cpuinfo_cur_freq"
Previous message: pr-tracker-bot: "Re: [GIT PULL] Networking for v6.7-rc9"
In reply to: Edgecombe, Rick P: "Re: [PATCH v8 00/26] Enable CET Virtualization"
Next in thread: Sean Christopherson: "Re: [PATCH v8 00/26] Enable CET Virtualization"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]