git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Yang Weijiang <weijiang.yang@intel.com>
	Fri, 19 Sep 2025 22:32:30 +0000 (15:32 -0700)
committer	Sean Christopherson <seanjc@google.com>
	Tue, 23 Sep 2025 16:17:48 +0000 (09:17 -0700)
commit	b3744c59ebc5f2697d62844149c1a1c0e274ead0
tree	72531ac5474a5f9ba74921078c8f0c34075ed5f2	tree \| snapshot
parent	843af0f2e4617db197034b27a9a658a59271f19f	commit \| diff

KVM: x86: Allow setting CR4.CET if IBT or SHSTK is supported

Drop X86_CR4_CET from CR4_RESERVED_BITS and instead mark CET as reserved
if and only if IBT *and* SHSTK are unsupported, i.e. allow CR4.CET to be
set if IBT or SHSTK is supported. This creates a virtualization hole if
the CPU supports both IBT and SHSTK, but the kernel or vCPU model only
supports one of the features. However, it's entirely legal for a CPU to
have only one of IBT or SHSTK, i.e. the hole is a flaw in the architecture,
not in KVM.

More importantly, so long as KVM is careful to initialize and context
switch both IBT and SHSTK state (when supported in hardware) if either
feature is exposed to the guest, a misbehaving guest can only harm itself.
E.g. VMX initializes host CET VMCS fields based solely on hardware
capabilities.

Signed-off-by: Yang Weijiang <weijiang.yang@intel.com>
Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Tested-by: Mathias Krause <minipli@grsecurity.net>
Tested-by: John Allen <john.allen@amd.com>
Tested-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
Signed-off-by: Chao Gao <chao.gao@intel.com>
[sean: split to separate patch, write changelog]
Reviewed-by: Binbin Wu <binbin.wu@linux.intel.com>
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
Link: https://lore.kernel.org/r/20250919223258.1604852-24-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>

arch/x86/include/asm/kvm_host.h		diff \| blob \| blame \| history
arch/x86/kvm/x86.h		diff \| blob \| blame \| history