Re: [PATCH v10 00/26] Control-flow Enforcement: Shadow Stack

From: Dave Hansen
Date: Thu Jul 23 2020 - 12:41:46 EST


On 7/23/20 9:25 AM, Sean Christopherson wrote:
> How would people feel about taking the above two patches (02 and 03 in the
> series) through the KVM tree to enable KVM virtualization of CET before the
> kernel itself gains CET support? I.e. add the MSR and feature bits, along
> with the XSAVES context switching. The feature definitions could use "" to
> suppress displaying them in /proc/cpuinfo to avoid falsely advertising CET
> to userspace.
>
> AIUI, there are ABI issues that need to be sorted out, and that is likely
> going to drag on for some time.
>
> Is this a "hell no" sort of idea, or something that would be feasible if we
> can show that there are no negative impacts to the kernel?

Negative impacts like bloating every task->fpu with XSAVE state that
will never get used? ;)

I thought KVM had its own vcpu->arch.guest_fpu buffers which mirrored
the size and format of task->fpu. Can we have KVM support today without
task->fpu support? I see some XSS munging in the KVM code so I think
this might be *possible*, but I don't see all of the plumbing that would
make it actually work.