[PATCH v1 0/8] This patch-set is to enable kvm Guest OS CET support.

From: Yang Weijiang
Date: Wed Dec 26 2018 - 03:12:44 EST


Control-flow Enforcement Technology (CET) provides protection against
return/jump-oriented programming (ROP) attacks. To make kvm Guest OS
own the capability, this patch-set is required. It enables CET related
CPUID report, xsaves/xrstors, vmx entry configuration etc for Guest OS.

PATCH 1/3/4: Enable CET support in VMCS.
PATCH 2 : Define CR4.CET master enable bit.
PATCH 5 : Enable xsave components for CET in XSS.
PATCH 6/7/8: Report CET feature support in CPUID.

Yang Weijiang (8):
kvm:vmx Introduce CET related VMCS field definitions.
kvm: Define CR4.CET[bit 23] (master enable bit) for guest OS.
kvm:vmx Enable loading CET state bit while guest CR4.CET is being
set.
kvm:vmx Pass through host CET related MSRs to Guest.
kvm:x86 Enable MSR_IA32_XSS bit 11 and 12 for CET xsaves/xrstors.
kvm:cpuid Add CPUID support for CET xsaves component query.
kvm:cpuid Fix xsaves area size calculation for CPUID.(EAX=0xD,ECX=1).
kvm:cpuid Report CET SHSTK and IBT support in CPUID.(EAX=0x7,ECX=0).

arch/x86/include/asm/kvm_host.h | 3 ++-
arch/x86/include/asm/vmx.h | 8 +++++++
arch/x86/kvm/cpuid.c | 23 +++++++++++++-------
arch/x86/kvm/vmx.c | 37 ++++++++++++++++++++++++++++++---
4 files changed, 60 insertions(+), 11 deletions(-)

--
2.17.1