Commit d4c03f63 authored by Sean Christopherson's avatar Sean Christopherson
Browse files

KVM: x86: Emulate SSP[63:32]!=0 #GP(0) for FAR JMP to 32-bit mode 



Emulate the Shadow Stack restriction that the current SSP must be a 32-bit
value on a FAR JMP from 64-bit mode to compatibility mode.  From the SDM's
pseudocode for FAR JMP:

  IF ShadowStackEnabled(CPL)
    IF (IA32_EFER.LMA and DEST(segment selector).L) = 0
      (* If target is legacy or compatibility mode then the SSP must be in low 4GB *)
      IF (SSP & 0xFFFFFFFF00000000 != 0); THEN
        #GP(0);
      FI;
    FI;
  FI;

Note, only the current CPL needs to be considered, as FAR JMP can't be
used for inter-privilege level transfers, and KVM rejects emulation of all
other far branch instructions when Shadow Stacks are enabled.

To give the emulator access to GUEST_SSP, special case handling
MSR_KVM_INTERNAL_GUEST_SSP in emulator_get_msr() to treat the access as a
host access (KVM doesn't allow guest accesses to internal "MSRs").  The
->get_msr() API is only used for implicit accesses from the emulator, i.e.
is only used with hardcoded MSR indices, and so any access to
MSR_KVM_INTERNAL_GUEST_SSP is guaranteed to be from KVM, i.e. not from the
guest via RDMSR.

Reviewed-by: default avatarBinbin Wu <binbin.wu@linux.intel.com>
Reviewed-by: default avatarXiaoyao Li <xiaoyao.li@intel.com>
Link: https://lore.kernel.org/r/20250919223258.1604852-21-seanjc@google.com


Signed-off-by: default avatarSean Christopherson <seanjc@google.com>
parent 82c0ec02

arch/x86/kvm/emulate.c

+35 −0
Original line number Diff line number Diff line
@@ -1554,6 +1554,37 @@ static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt, 
	return linear_write_system(ctxt, addr, desc, sizeof(*desc));

}



static bool emulator_is_ssp_invalid(struct x86_emulate_ctxt *ctxt, u8 cpl)

{

	const u32 MSR_IA32_X_CET = cpl == 3 ? MSR_IA32_U_CET : MSR_IA32_S_CET;

	u64 efer = 0, cet = 0, ssp = 0;



	if (!(ctxt->ops->get_cr(ctxt, 4) & X86_CR4_CET))

		return false;



	if (ctxt->ops->get_msr(ctxt, MSR_EFER, &efer))

		return true;



	/* SSP is guaranteed to be valid if the vCPU was already in 32-bit mode. */

	if (!(efer & EFER_LMA))

		return false;



	if (ctxt->ops->get_msr(ctxt, MSR_IA32_X_CET, &cet))

		return true;



	if (!(cet & CET_SHSTK_EN))

		return false;



	if (ctxt->ops->get_msr(ctxt, MSR_KVM_INTERNAL_GUEST_SSP, &ssp))

		return true;



	/*

	 * On transfer from 64-bit mode to compatibility mode, SSP[63:32] must

	 * be 0, i.e. SSP must be a 32-bit value outside of 64-bit mode.

	 */

	return ssp >> 32;

}



static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt,

				     u16 selector, int seg, u8 cpl,

				     enum x86_transfer_type transfer,
@@ -1694,6 +1725,10 @@ static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt, 
			if (efer & EFER_LMA)

				goto exception;

		}

		if (!seg_desc.l && emulator_is_ssp_invalid(ctxt, cpl)) {

			err_code = 0;

			goto exception;

		}



		/* CS(RPL) <- CPL */

		selector = (selector & 0xfffc) | cpl;

arch/x86/kvm/x86.c

+9 −0
Original line number Diff line number Diff line
@@ -8741,6 +8741,15 @@ static int emulator_set_msr_with_filter(struct x86_emulate_ctxt *ctxt, 
static int emulator_get_msr(struct x86_emulate_ctxt *ctxt,

			    u32 msr_index, u64 *pdata)

{

	/*

	 * Treat emulator accesses to the current shadow stack pointer as host-

	 * initiated, as they aren't true MSR accesses (SSP is a "just a reg"),

	 * and this API is used only for implicit accesses, i.e. not RDMSR, and

	 * so the index is fully KVM-controlled.

	 */

	if (unlikely(msr_index == MSR_KVM_INTERNAL_GUEST_SSP))

		return kvm_msr_read(emul_to_vcpu(ctxt), msr_index, pdata);



	return __kvm_emulate_msr_read(emul_to_vcpu(ctxt), msr_index, pdata);

}