hv: Hide CET feature from guest VM

Return-oriented programming (ROP), and similarly CALL/JMP-oriented programming (COP/JOP), have been the prevalent attack methodologies for stealth exploit writers targeting vulnerabilities in programs. CET (Control-flow Enforcement Technology) provides the following capabilities to defend against ROP/COP/JOP style control-flow subversion attacks: * Shadow stack: Return address protection to defend against ROP. * Indirect branch tracking: Free branch protection to defend against COP/JOP The full support of CET for Linux kernel has not been merged yet. As the first stage, hide CET from guest VM. Tracked-On: #5074 Signed-off-by: Shuo A Liu <shuo.a.liu@intel.com> Reviewed-by: Jason Chen CJ <jason.cj.chen@intel.com>
2025-09-22 17:27:53 +00:00 · 2020-07-08 19:39:07 +08:00
parent 5e605e0daf
commit ac598b0856
6 changed files with 55 additions and 7 deletions
--- a/hypervisor/include/arch/x86/cpu.h
+++ b/hypervisor/include/arch/x86/cpu.h
@@ -84,6 +84,7 @@
 #define CR4_SMEP                (1UL<<20U)
 #define CR4_SMAP                (1UL<<21U)
 #define CR4_PKE                 (1UL<<22U)	/* Protect-key-enable */
+#define CR4_CET                 (1UL<<23U)	/* Control-flow Enforcement Technology enable */

 /* XCR0_SSE */
 #define XCR0_SSE		(1UL<<1U)
--- a/hypervisor/include/arch/x86/cpuid.h
+++ b/hypervisor/include/arch/x86/cpuid.h
@@ -78,8 +78,12 @@
 #define CPUID_EBX_SGX           (1U<<2U)
 /* CPUID.07H:EBX.MPX */
 #define CPUID_EBX_MPX           (1U<<14U)
+/* CPUID.07H:ECX.CET_SS */
+#define CPUID_ECX_CET_SS        (1U<<7U)
 /* CPUID.07H:ECX.SGX_LC*/
 #define CPUID_ECX_SGX_LC        (1U<<30U)
+/* CPUID.07H:EDX.CET_IBT */
+#define CPUID_EDX_CET_IBT       (1U<<20U)
 /* CPUID.07H:EDX.IBRS_IBPB*/
 #define CPUID_EDX_IBRS_IBPB     (1U<<26U)
 /* CPUID.07H:EDX.STIBP*/
@@ -100,6 +104,10 @@
 #define CPUID_EAX_XCR0_BNDREGS  (1U<<3U)
 /* CPUID.0DH.EAX.XCR0_BNDCSR */
 #define CPUID_EAX_XCR0_BNDCSR   (1U<<4U)
+/* CPUID.0DH.ECX.CET_U_STATE */
+#define CPUID_ECX_CET_U_STATE   (1U<<11U)
+/* CPUID.0DH.ECX.CET_S_STATE */
+#define CPUID_ECX_CET_S_STATE   (1U<<12U)
 /* CPUID.12H.EAX.SGX1 */
 #define CPUID_EAX_SGX1          (1U<<0U)
 /* CPUID.12H.EAX.SGX2 */
--- a/hypervisor/include/arch/x86/msr.h
+++ b/hypervisor/include/arch/x86/msr.h
@@ -278,6 +278,13 @@
 #define MSR_IA32_RTIT_ADDR3_A			0x00000586U
 #define MSR_IA32_RTIT_ADDR3_B			0x00000587U
 #define MSR_IA32_DS_AREA			0x00000600U
+#define MSR_IA32_U_CET				0x000006A0U
+#define MSR_IA32_S_CET				0x000006A2U
+#define MSR_IA32_PL0_SSP			0x000006A4U
+#define MSR_IA32_PL1_SSP			0x000006A5U
+#define MSR_IA32_PL2_SSP			0x000006A6U
+#define MSR_IA32_PL3_SSP			0x000006A7U
+#define MSR_IA32_INTERRUPT_SSP_TABLE_ADDR	0x000006A8U
 #define MSR_IA32_TSC_DEADLINE			0x000006E0U
 #define MSR_IA32_PM_ENABLE			0x00000770U
 #define MSR_IA32_HWP_CAPABILITIES		0x00000771U