Re: [PATCH v14 00/13] Introduce support for guest CET feature

From: Paolo Bonzini
Date: Thu Jan 28 2021 - 13:12:11 EST


On 28/01/21 19:04, Sean Christopherson wrote:
On Thu, Jan 28, 2021, Paolo Bonzini wrote:
On 06/11/20 02:16, Yang Weijiang wrote:
Control-flow Enforcement Technology (CET) provides protection against
Return/Jump-Oriented Programming (ROP/JOP) attack. There're two CET
sub-features: Shadow Stack (SHSTK) and Indirect Branch Tracking (IBT).
SHSTK is to prevent ROP programming and IBT is to prevent JOP programming.

...

I reviewed the patch and it is mostly okay. However, if I understand it
correctly, it will not do anything until host support materializes, because
otherwise XSS will be 0.

IIRC, it won't even compile due to the X86_FEATURE_SHSTK and X86_FEATURE_IBT
dependencies.

Of course, but if that was the only issue I would sort it out with Boris as usual. OTOH if it is dead code I won't push it to Linus.

Paolo

If this is the case, I plan to apply locally v15 and hold on it until the
host code is committed.

Paolo