git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Yang Weijiang <weijiang.yang@intel.com>
	Fri, 19 Sep 2025 22:32:32 +0000 (15:32 -0700)
committer	Sean Christopherson <seanjc@google.com>
	Tue, 23 Sep 2025 16:18:54 +0000 (09:18 -0700)
commit	69cc3e886582891f9c4d5830f18a2664a7f7cf7c
tree	7f4597134e31f46f44739f67aa2567618c56f9d5	tree \| snapshot
parent	19e6e083f3f9e4ac1794273d72dfb59d19a0fc69	commit \| diff

KVM: x86: Add XSS support for CET_KERNEL and CET_USER

Add CET_KERNEL and CET_USER to KVM's set of supported XSS bits when IBT
*or* SHSTK is supported. Like CR4.CET, XFEATURE support for IBT and SHSTK
are bundle together under the CET umbrella, and thus prone to
virtualization holes if KVM or the guest supports only one of IBT or SHSTK,
but hardware supports both. However, again like CR4.CET, such
virtualization holes are benign from the host's perspective so long as KVM
takes care to always honor the "or" logic.

Require CET_KERNEL and CET_USER to come as a pair, and refuse to support
IBT or SHSTK if one (or both) features is missing, as the (host) kernel
expects them to come as a pair, i.e. may get confused and corrupt state if
only one of CET_KERNEL or CET_USER is supported.

Signed-off-by: Yang Weijiang <weijiang.yang@intel.com>
Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Tested-by: Mathias Krause <minipli@grsecurity.net>
Tested-by: John Allen <john.allen@amd.com>
Tested-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
Signed-off-by: Chao Gao <chao.gao@intel.com>
[sean: split to separate patch, write changelog, add XFEATURE_MASK_CET_ALL]
Reviewed-by: Binbin Wu <binbin.wu@linux.intel.com>
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
Link: https://lore.kernel.org/r/20250919223258.1604852-26-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>