git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Yang Weijiang <weijiang.yang@intel.com>
	Fri, 19 Sep 2025 22:32:23 +0000 (15:32 -0700)
committer	Sean Christopherson <seanjc@google.com>
	Tue, 23 Sep 2025 16:11:26 +0000 (09:11 -0700)
commit	25f3840483e6c69e4d1a689cf3edc70f93604f2a
tree	2046a78b4ba7bf104ab7a1a8d5430e4cb53a0b0e	tree \| snapshot
parent	1a61bd0d126abbf01c384c44b46bcdd4ef495850	commit \| diff

KVM: VMX: Set up interception for CET MSRs

Disable interception for CET MSRs that can be accessed via XSAVES/XRSTORS,
and exist accordingly to CPUID, as accesses through XSTATE aren't subject
to MSR interception checks, i.e. can't be intercepted without intercepting
and emulating XSAVES/XRSTORS, and KVM doesn't support emulating
XSAVE/XRSTOR instructions.

Don't condition interception on the guest actually having XSAVES as there
is no benefit to intercepting the accesses (when the MSRs exist). The
MSRs in question are either context switched by the CPU on VM-Enter/VM-Exit
or by KVM via XSAVES/XRSTORS (KVM requires XSAVES to virtualization SHSTK),
i.e. KVM is going to load guest values into hardware irrespective of guest
XSAVES support.

Suggested-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Yang Weijiang <weijiang.yang@intel.com>
Tested-by: Mathias Krause <minipli@grsecurity.net>
Tested-by: John Allen <john.allen@amd.com>
Tested-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
Signed-off-by: Chao Gao <chao.gao@intel.com>
Reviewed-by: Binbin Wu <binbin.wu@linux.intel.com>
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
Reviewed-by: Xin Li (Intel) <xin@zytor.com>
Link: https://lore.kernel.org/r/20250919223258.1604852-17-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>