KVM: x86: Emulate SSP[63:32]!=0 #GP(0) for FAR JMP to 32-bit mode

Emulate the Shadow Stack restriction that the current SSP must be a 32-bit
value on a FAR JMP from 64-bit mode to compatibility mode.  From the SDM's
pseudocode for FAR JMP:

  IF ShadowStackEnabled(CPL)
    IF (IA32_EFER.LMA and DEST(segment selector).L) = 0
      (* If target is legacy or compatibility mode then the SSP must be in low 4GB *)
      IF (SSP & 0xFFFFFFFF00000000 != 0); THEN
        #GP(0);
      FI;
    FI;
  FI;

Note, only the current CPL needs to be considered, as FAR JMP can't be
used for inter-privilege level transfers, and KVM rejects emulation of all
other far branch instructions when Shadow Stacks are enabled.

To give the emulator access to GUEST_SSP, special case handling
MSR_KVM_INTERNAL_GUEST_SSP in emulator_get_msr() to treat the access as a
host access (KVM doesn't allow guest accesses to internal "MSRs").  The
->get_msr() API is only used for implicit accesses from the emulator, i.e.
is only used with hardcoded MSR indices, and so any access to
MSR_KVM_INTERNAL_GUEST_SSP is guaranteed to be from KVM, i.e. not from the
guest via RDMSR.

Reviewed-by: Binbin Wu <binbin.wu@linux.intel.com>
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
Link: https://lore.kernel.org/r/20250919223258.1604852-21-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>

diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index 48b067b179e026ad061f27f8cb3770e6d4e91dd5..59f93f68718a0a77716378424e5ed104afe6bd58 100644 (file)
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -1554,6 +1554,37 @@ static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
        return linear_write_system(ctxt, addr, desc, sizeof(*desc));
 }
 
+static bool emulator_is_ssp_invalid(struct x86_emulate_ctxt *ctxt, u8 cpl)
+{
+       const u32 MSR_IA32_X_CET = cpl == 3 ? MSR_IA32_U_CET : MSR_IA32_S_CET;
+       u64 efer = 0, cet = 0, ssp = 0;
+
+       if (!(ctxt->ops->get_cr(ctxt, 4) & X86_CR4_CET))
+               return false;
+
+       if (ctxt->ops->get_msr(ctxt, MSR_EFER, &efer))
+               return true;
+
+       /* SSP is guaranteed to be valid if the vCPU was already in 32-bit mode. */
+       if (!(efer & EFER_LMA))
+               return false;
+
+       if (ctxt->ops->get_msr(ctxt, MSR_IA32_X_CET, &cet))
+               return true;
+
+       if (!(cet & CET_SHSTK_EN))
+               return false;
+
+       if (ctxt->ops->get_msr(ctxt, MSR_KVM_INTERNAL_GUEST_SSP, &ssp))
+               return true;
+
+       /*
+        * On transfer from 64-bit mode to compatibility mode, SSP[63:32] must
+        * be 0, i.e. SSP must be a 32-bit value outside of 64-bit mode.
+        */
+       return ssp >> 32;
+}
+
 static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
                                     u16 selector, int seg, u8 cpl,
                                     enum x86_transfer_type transfer,
@@ -1694,6 +1725,10 @@ static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
                        if (efer & EFER_LMA)
                                goto exception;
                }
+               if (!seg_desc.l && emulator_is_ssp_invalid(ctxt, cpl)) {
+                       err_code = 0;
+                       goto exception;
+               }
 
                /* CS(RPL) <- CPL */
                selector = (selector & 0xfffc) | cpl;

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 31aaff9db083df67bb9c5dd22719e5ef74dbc562..0a4e58dddf36ec8fd967150c41f80873a8dc40a9 100644 (file)
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -8741,6 +8741,15 @@ static int emulator_set_msr_with_filter(struct x86_emulate_ctxt *ctxt,
 static int emulator_get_msr(struct x86_emulate_ctxt *ctxt,
                            u32 msr_index, u64 *pdata)
 {
+       /*
+        * Treat emulator accesses to the current shadow stack pointer as host-
+        * initiated, as they aren't true MSR accesses (SSP is a "just a reg"),
+        * and this API is used only for implicit accesses, i.e. not RDMSR, and
+        * so the index is fully KVM-controlled.
+        */
+       if (unlikely(msr_index == MSR_KVM_INTERNAL_GUEST_SSP))
+               return kvm_msr_read(emul_to_vcpu(ctxt), msr_index, pdata);
+
        return __kvm_emulate_msr_read(emul_to_vcpu(ctxt), msr_index, pdata);
 }