On 11/18/25 04:42, Zhao Liu wrote:
Hi,

This is the v4 series to support CET (CET-SHSTK & CET-IBT) in QEMU, which
is based on the master branch at the commit 9febfa94b69b ("Merge tag
'for-upstream' of https://repo.or.cz/qemu/kevin into staging"). You
can also find the code here:

https://gitlab.com/zhao.liu/qemu/-/tree/i386-all-for-dmr-v1.1-11-17-2025

Compared to v3 [1], v4 mainly considers the pl0 SSP MSR for FRED, and fixes
migratable_flags for FEAT_XSAVE_XSS_LO. For more details, please refer to
the Change Log below.

Thanks for your review!

Just very few comments, thanks to everyone who helped reviewing so far.

The bigger comment is whether kvm_cpu_xsave_init() could be moved just after x86_cpu_enable_xsave_components(). I think it should be okay looking at the users of ExtSaveArea:

- xsave_area_size is only used from cpu_x86_cpuid

- x86_cpu_feature_name does not check size or offset

- cpu_x86_cpuid only runs from kvm_x86_build_cpuid

- x86_cpu_reset_hold is only for user-mode emulation and anyway runs afterwards

Thanks,

Paolo

Overview
========

Control-flow enforcement technology includes 2 x86-architectural
features:
  - CET shadow stack (CET-SHSTK or CET-SS).
  - CET indirect branch tracking (CET-IBT).

Intel has implemented both features since Sapphire Rapids (P-core) &
Sierra Forest (E-core).

AMD also implemented shadow stack since Zen3 [2] - this series has
considered the shstk-only case and is supposed to work on AMD platforms, but
I haven't tested this on AMD.

The basic CET support (patch 12-20) includes:
  * CET-S & CET-U supervisor xstates support.
  * CET CPUIDs enumeration.
  * CET MSRs save & load.
  * CET guest SSP register (KVM treats this as a special internal
    register - KVM_REG_GUEST_SSP) save & load.
  * Vmstates for MSRs & guest SSP.

But before CET support, a lot of cleanup work is needed for
supervisor xstate.

Before CET-S/CET-U, QEMU already supports arch LBR as the 1st
supervisor xstate. Although arch LBR has not yet been merged into KVM
(still planned), this series cleans up supervisor state-related support
and avoids breaking the current arch LBR support in QEMU - that's what
patches 2-11 are doing.

Additionally, besides KVM, this series also supports CET for TDX.

Change Log
==========

Changes Since v3:
  - Fill CPUID 0xD subleaves from KVM CPUID instead of host CPUID for
    non-dynamic xstates (i.e., except AMX xstates for now).
  - Save/restore/migrate MSR_IA32_PL0_SSP for FRED.
  - Fix migratable_flags for FEAT_XSAVE_XSS_LO.
  - Refine commit message for CET TDX support.

[1]: https://lore.kernel.org/qemu-devel/[email protected]/
[2]: https://lore.kernel.org/all/[email protected]/

Thanks and Best Regards,
Zhao
---
Chao Gao (1):
   i386/cpu: Fix supervisor xstate initialization

Chenyi Qiang (1):
   i386/tdx: Add CET SHSTK/IBT into the supported CPUID by XFAM

Xin Li (Intel) (2):
   i386/cpu: Save/restore SSP0 MSR for FRED
   i386/cpu: Migrate MSR_IA32_PL0_SSP for FRED and CET-SHSTK

Yang Weijiang (5):
   i386/cpu: Enable xsave support for CET states
   i386/kvm: Add save/restore support for CET MSRs
   i386/kvm: Add save/restore support for KVM_REG_GUEST_SSP
   i386/machine: Add vmstate for cet-shstk and cet-ibt
   i386/cpu: Advertise CET related flags in feature words

Zhao Liu (14):
   i386/cpu: Clean up indent style of x86_ext_save_areas[]
   i386/cpu: Clean up arch lbr xsave struct and comment
   i386/cpu: Reorganize arch lbr structure definitions
   i386/cpu: Make ExtSaveArea store an array of dependencies
   i386/cpu: Add avx10 dependency for Opmask/ZMM_Hi256/Hi16_ZMM
   i386/kvm: Initialize x86_ext_save_areas[] based on KVM support
   i386/cpu: Use x86_ext_save_areas[] for CPUID.0XD subleaves
   i386/cpu: Reorganize dependency check for arch lbr state
   i386/cpu: Drop pmu check in CPUID 0x1C encoding
   i386/cpu: Add missing migratable xsave features
   i386/cpu: Add CET support in CR4
   i386/cpu: Mark cet-u & cet-s xstates as migratable
   i386/cpu: Enable cet-ss & cet-ibt for supported CPU models
   i386/tdx: Fix missing spaces in tdx_xfam_deps[]

  target/i386/cpu.c         | 256 +++++++++++++++++++++++++++-----------
  target/i386/cpu.h         | 110 ++++++++++++----
  target/i386/helper.c      |  12 ++
  target/i386/kvm/kvm-cpu.c |  23 +++-
  target/i386/kvm/kvm.c     | 117 +++++++++++++++++
  target/i386/kvm/tdx.c     |  20 +--
  target/i386/machine.c     |  78 ++++++++++++
  7 files changed, 501 insertions(+), 115 deletions(-)