KVM: nVMX: Add consistency checks for CET states

Introduce consistency checks for CET states during nested VM-entry.

A VMCS contains both guest and host CET states, each comprising the
IA32_S_CET MSR, SSP, and IA32_INTERRUPT_SSP_TABLE_ADDR MSR. Various
checks are applied to CET states during VM-entry as documented in SDM
Vol3 Chapter "VM ENTRIES". Implement all these checks during nested
VM-entry to emulate the architectural behavior.

In summary, there are three kinds of checks on guest/host CET states
during VM-entry:

A. Checks applied to both guest states and host states:

 * The IA32_S_CET field must not set any reserved bits; bits 10 (SUPPRESS)
   and 11 (TRACKER) cannot both be set.
 * SSP should not have bits 1:0 set.
 * The IA32_INTERRUPT_SSP_TABLE_ADDR field must be canonical.

B. Checks applied to host states only

 * IA32_S_CET MSR and SSP must be canonical if the CPU enters 64-bit mode
   after VM-exit. Otherwise, IA32_S_CET and SSP must have their higher 32
   bits cleared.

C. Checks applied to guest states only:

 * IA32_S_CET MSR and SSP are not required to be canonical (i.e., 63:N-1
   are identical, where N is the CPU's maximum linear-address width). But,
   bits 63:N of SSP must be identical.

Tested-by: Mathias Krause <minipli@grsecurity.net>
Tested-by: John Allen <john.allen@amd.com>
Tested-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
Signed-off-by: Chao Gao <chao.gao@intel.com>
Reviewed-by: Binbin Wu <binbin.wu@linux.intel.com>
Link: https://lore.kernel.org/r/20250919223258.1604852-34-seanjc@google.com
[sean: have common helper return 0/-EINVAL, not true/false]
Signed-off-by: Sean Christopherson <seanjc@google.com>

diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
index 51c50ce9e011301740c970b7305b6d780df703a7..a7bd6fc950575557ab2c70df2527c400882f3274 100644 (file)
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -3100,6 +3100,16 @@ static bool is_l1_noncanonical_address_on_vmexit(u64 la, struct vmcs12 *vmcs12)
        return !__is_canonical_address(la, l1_address_bits_on_exit);
 }
 
+static int nested_vmx_check_cet_state_common(struct kvm_vcpu *vcpu, u64 s_cet,
+                                            u64 ssp, u64 ssp_tbl)
+{
+       if (CC(!kvm_is_valid_u_s_cet(vcpu, s_cet)) || CC(!IS_ALIGNED(ssp, 4)) ||
+           CC(is_noncanonical_msr_address(ssp_tbl, vcpu)))
+               return -EINVAL;
+
+       return 0;
+}
+
 static int nested_vmx_check_host_state(struct kvm_vcpu *vcpu,
                                       struct vmcs12 *vmcs12)
 {
@@ -3169,6 +3179,27 @@ static int nested_vmx_check_host_state(struct kvm_vcpu *vcpu,
                        return -EINVAL;
        }
 
+       if (vmcs12->vm_exit_controls & VM_EXIT_LOAD_CET_STATE) {
+               if (nested_vmx_check_cet_state_common(vcpu, vmcs12->host_s_cet,
+                                                     vmcs12->host_ssp,
+                                                     vmcs12->host_ssp_tbl))
+                       return -EINVAL;
+
+               /*
+                * IA32_S_CET and SSP must be canonical if the host will
+                * enter 64-bit mode after VM-exit; otherwise, higher
+                * 32-bits must be all 0s.
+                */
+               if (ia32e) {
+                       if (CC(is_noncanonical_msr_address(vmcs12->host_s_cet, vcpu)) ||
+                           CC(is_noncanonical_msr_address(vmcs12->host_ssp, vcpu)))
+                               return -EINVAL;
+               } else {
+                       if (CC(vmcs12->host_s_cet >> 32) || CC(vmcs12->host_ssp >> 32))
+                               return -EINVAL;
+               }
+       }
+
        return 0;
 }
 
@@ -3279,6 +3310,23 @@ static int nested_vmx_check_guest_state(struct kvm_vcpu *vcpu,
             CC((vmcs12->guest_bndcfgs & MSR_IA32_BNDCFGS_RSVD))))
                return -EINVAL;
 
+       if (vmcs12->vm_entry_controls & VM_ENTRY_LOAD_CET_STATE) {
+               if (nested_vmx_check_cet_state_common(vcpu, vmcs12->guest_s_cet,
+                                                     vmcs12->guest_ssp,
+                                                     vmcs12->guest_ssp_tbl))
+                       return -EINVAL;
+
+               /*
+                * Guest SSP must have 63:N bits identical, rather than
+                * be canonical (i.e., 63:N-1 bits identical), where N is
+                * the CPU's maximum linear-address width. Similar to
+                * is_noncanonical_msr_address(), use the host's
+                * linear-address width.
+                */
+               if (CC(!__is_canonical_address(vmcs12->guest_ssp, max_host_virt_addr_bits() + 1)))
+                       return -EINVAL;
+       }
+
        if (nested_check_guest_non_reg_state(vmcs12))
                return -EINVAL;