On 10/03/19 14:35, Yang Weijiang wrote:
>>>> - if (data != 0)
>>>> + if (data & ~kvm_supported_xss())
>>>> return 1;
>>> You should instead check this against CPUID[0xD, 1].EDX:ECX. If CET is
>>> disabled in CPUID, the guest should not be able to set it in MSR_IA32_CSS.
>>>
>>> Paolo
>> Thanks, OK, will change it.
> Hi, Paolo,
> How about change kvm_supported_xss() as below so that CPUID[0xd,1] check
> is implied in host_xss contents, vmx_supported_xss() now just returns host_xss
> in vmx.c. The purpose of this change is to make XSS data check
> common for other XSS based features.
>
> +u64 kvm_supported_xss(void)
> +{
> + return KVM_SUPPORTED_XSS & kvm_x86_ops->vmx_supported_xss();
> +}
> +
>
This is correct; however, you should also check against the *guest*'s
CPUID[0xD, 1].EDX:ECX.
One possibility is to add a field kvm->guest_supported_xss and update it
in kvm_update_cpuid, then here you do
if (data & ~kvm->guest_supported_xss)
return 1;
Thanks,
Paolo
