Public bug reported:
Control-Flow Enforcement Tech (CET)
What is Intel CET:
Control-flow Enforcement Technology (CET) provides protection against
return/jump-oriented programming (ROP) attacks. It can be implemented
to protect both the kernel and applications. In the first phase,
only the user-mode protection is implemented on the 64-bit kernel.
However, 32-bit applications are supported under the compatibility
mode.
CET includes shadow stack (SHSTK) and indirect branch tracking (IBT).
The SHSTK is a secondary stack allocated from memory. The processor
automatically pushes/pops a secure copy to the SHSTK every return
address and, by comparing the secure copy to the program stack copy,
verifies function returns are as intended. The IBT verifies all
indirect CALL/JMP targets are intended and marked by the compiler with
'ENDBR' op codes.
Why need this technology(CET VMX):
CET also can provide ROP attack in guest OS with VMX HW support. This will
enhance platform security in Cloud computing, it's meaningful for Cloud service
providers.
Key change in kvm:
To enable KVM based CET feature for guest OS, we need to :
1) Expose the features(CET SHSTK/IBT) to guest OS via CPUID report.
2) Enable xsaves/xrstors support for guest OS.
3) Fix xsaves/xrstors issue in existing KVM code.
4) Enabled CET states loading in guest entry/exit.
5) Add CET VMX related definitions.
Key change in Qemu-kvm:
expose CET related CPUID and xsaves/xrstors support to guest.
Target Linux 5.18
** Affects: kvm (Ubuntu)
Importance: Undecided
Status: New
** Package changed: xen (Ubuntu) => kvm (Ubuntu)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1954463
Title:
KVM ROP Control-Flow Enforcement Tech (CET)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/kvm/+bug/1954463/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
