shadow_stack: determine support at runtime

Trusted CPUID values are hard to come by, so let's just try to enable
CET in CR4 and handle failure gracefully.

Signed-off-by: Tom Dohrmann <[email protected]>

kernel/src/cpu/idt/common.rs

@@ -11,6 +11,7 @@ use crate::cpu::control_regs::{read_cr0, read_cr4};
 use crate::cpu::efer::read_efer;
 use crate::cpu::gdt::gdt;
 use crate::cpu::registers::{X86GeneralRegs, X86InterruptFrame};
+use crate::cpu::shadow_stack::is_cet_ss_supported;
 use crate::insn_decode::{InsnError, InsnMachineCtx, InsnMachineMem, Register, SegRegister};
 use crate::locking::{RWLock, ReadLockGuard, WriteLockGuard};
 use crate::mm::GuestPtr;
@@ -75,7 +76,7 @@ impl X86ExceptionContext {
     pub fn set_rip(&mut self, new_rip: usize) {
         self.frame.rip = new_rip;
 
-        if cfg!(feature = "shadow-stacks") {
+        if is_cet_ss_supported() {
             // Update the instruction pointer on the shadow stack.
             let return_on_stack = (self.ssp + 8) as *const usize;
             let return_on_stack_val = new_rip;

kernel/src/cpu/idt/entry.S

@@ -108,8 +108,11 @@ asm_entry_hv:
 	movq	%rbx, 0x20(%rsp)
 	.if CFG_SHADOW_STACKS
 	// Update RIP on the shadow stack to the cancel point.
+	cmpb    $0, {IS_CET_SUPPORTED}(%rip)
+        je 2f
 	rdsspq  %rax
         wrssq	%rbx, 8(%rax)
+    2:
 	.endif
 	// Defer any further processing until interrupts can be processed.
 	jmp	postpone_hv
@@ -205,8 +208,11 @@ restart_hv:
         .if CFG_SHADOW_STACKS
 	// Pop the current stack frame, so that the previous stack frame sits
 	// on top of the shadow stack.
+	cmpb	$0, {IS_CET_SUPPORTED}(%rip)
+        je	2f
 	movl	$3, %eax
-        incsspq	%rax
+	incsspq	%rax
+    2:
 	.endif
 
 continue_hv:

kernel/src/cpu/idt/svsm.rs

@@ -16,6 +16,7 @@ use super::common::{
     VC_VECTOR, XF_VECTOR,
 };
 use crate::address::VirtAddr;
+use crate::cpu::shadow_stack::IS_CET_SUPPORTED;
 use crate::cpu::X86ExceptionContext;
 use crate::debug::gdbstub::svsm_gdbstub::handle_debug_exception;
 use crate::mm::GuestPtr;
@@ -318,5 +319,6 @@ global_asm!(
     ),
     // Include the assembly.
     include_str!("entry.S"),
+    IS_CET_SUPPORTED = sym IS_CET_SUPPORTED,
     options(att_syntax)
 );

kernel/src/cpu/percpu.rs

@@ -9,7 +9,7 @@ extern crate alloc;
 use super::gdt_mut;
 use super::isst::Isst;
 use super::msr::write_msr;
-use super::shadow_stack::ISST_ADDR;
+use super::shadow_stack::{is_cet_ss_supported, ISST_ADDR};
 use super::tss::{X86Tss, IST_DF};
 use crate::address::{Address, PhysAddr, VirtAddr};
 use crate::cpu::idt::common::INT_INJ_VECTOR;
@@ -642,14 +642,14 @@ impl PerCpu {
         // Allocate per-cpu init stack
         self.allocate_init_stack()?;
 
-        if cfg!(feature = "shadow-stacks") {
+        if is_cet_ss_supported() {
             self.allocate_init_shadow_stack()?;
         }
 
         // Allocate per-cpu context switch stack
         self.allocate_context_switch_stack()?;
 
-        if cfg!(feature = "shadow-stacks") {
+        if is_cet_ss_supported() {
             self.allocate_context_switch_shadow_stack()?;
         }
 
@@ -659,7 +659,7 @@ impl PerCpu {
         // Setup TSS
         self.setup_tss();
 
-        if cfg!(feature = "shadow-stacks") {
+        if is_cet_ss_supported() {
             // Allocate ISST shadow stacks
             self.allocate_isst_shadow_stacks()?;
 
@@ -712,7 +712,7 @@ impl PerCpu {
     pub fn load(&self) {
         self.load_pgtable();
         self.load_tss();
-        if cfg!(feature = "shadow-stacks") {
+        if is_cet_ss_supported() {
             self.load_isst();
         }
     }
@@ -745,7 +745,7 @@ impl PerCpu {
         vmsa.tr = self.vmsa_tr_segment();
         vmsa.rip = start_rip;
         vmsa.rsp = self.get_top_of_stack().into();
-        if cfg!(feature = "shadow-stacks") {
+        if is_cet_ss_supported() {
             vmsa.ssp = self.get_top_of_shadow_stack().into();
         }
         vmsa.cr3 = self.get_pgtable().cr3_value().into();

kernel/src/cpu/shadow_stack.rs

@@ -1,5 +1,10 @@
 // SPDX-License-Identifier: MIT OR Apache-2.0
 
+use core::{
+    arch::asm,
+    sync::atomic::{AtomicBool, Ordering},
+};
+
 use bitflags::bitflags;
 
 use super::msr::read_msr;
@@ -10,6 +15,44 @@ pub const ISST_ADDR: u32 = 0x6a8;
 
 pub const MODE_64BIT: usize = 1;
 
+pub static IS_CET_SUPPORTED: AtomicBool = AtomicBool::new(false);
+
+// Try to enable the CET feature in CR4 and set `IS_CET_SUPPORTED` if successful.
+pub fn determine_cet_support() {
+    // Don't try to determine support if the shadow-stacks feature is not enabled.
+    if !cfg!(feature = "shadow-stacks") {
+        return;
+    }
+
+    let rcx: u64;
+    unsafe {
+        asm!(// Try to enable CET in CR4.
+             "   mov %cr4, %rax",
+             "   or $1<<23, %rax",
+             "1: mov %rax, %cr4",
+             "   xorq %rcx, %rcx",
+             "2:",
+             ".pushsection \"__exception_table\",\"a\"",
+             ".balign 16",
+             ".quad (1b)",
+             ".quad (2b)",
+             ".popsection",
+             out("rax") _,
+             out("rcx") rcx,
+             options(att_syntax, nostack, nomem, pure, preserves_flags));
+    }
+
+    IS_CET_SUPPORTED.store(rcx == 0, Ordering::Relaxed);
+}
+
+/// Returns whether shadow stacks are supported by the CPU and the kernel.
+#[inline(always)]
+pub fn is_cet_ss_supported() -> bool {
+    // In theory CPUs can have support for CET, but not CET_SS, but in practice
+    // no such CPUs exist. Treat CET being supported as CET_SS being supported.
+    cfg!(feature = "shadow-stacks") && IS_CET_SUPPORTED.load(Ordering::Relaxed)
+}
+
 /// Enable shadow stacks.
 ///
 /// This code is placed in a macro instead of a function so that we don't have
@@ -18,19 +61,11 @@ pub const MODE_64BIT: usize = 1;
 macro_rules! enable_shadow_stacks {
     ($bsp_percpu:ident) => {{
         use core::arch::asm;
-        use core::assert;
         use svsm::address::Address;
-        use svsm::cpu::control_regs::{read_cr4, write_cr4, CR4Flags};
         use svsm::cpu::shadow_stack::{SCetFlags, MODE_64BIT, S_CET};
 
         let token_addr = $bsp_percpu.get_top_of_shadow_stack();
 
-        // Enable CET in CR4.
-        let mut cr4 = read_cr4();
-        assert!(!cr4.contains(CR4Flags::CET), "CET is already enabled");
-        cr4 |= CR4Flags::CET;
-        write_cr4(cr4);
-
         unsafe {
             asm!(
                 // Enable shadow stacks.

kernel/src/cpu/vmsa.rs

@@ -13,7 +13,7 @@ use super::control_regs::{read_cr0, read_cr3, read_cr4};
 use super::efer::read_efer;
 use super::gdt;
 use super::idt::common::idt;
-use super::shadow_stack::read_s_cet;
+use super::shadow_stack::{is_cet_ss_supported, read_s_cet};
 
 fn svsm_code_segment() -> VMSASegment {
     VMSASegment {
@@ -67,7 +67,7 @@ pub fn init_svsm_vmsa(vmsa: &mut VMSA, vtom: u64) {
     vmsa.cr3 = read_cr3().bits() as u64;
     vmsa.cr4 = read_cr4().bits();
     vmsa.efer = read_efer().bits();
-    if cfg!(feature = "shadow-stacks") {
+    if is_cet_ss_supported() {
         vmsa.s_cet = read_s_cet().bits();
     }
 

kernel/src/svsm.rs

@@ -7,6 +7,7 @@
 #![cfg_attr(not(test), no_std)]
 #![cfg_attr(not(test), no_main)]
 
+use svsm::cpu::shadow_stack::{determine_cet_support, is_cet_ss_supported};
 use svsm::enable_shadow_stacks;
 use svsm::fw_meta::{print_fw_meta, validate_fw_memory, SevFWMetaData};
 
@@ -312,6 +313,7 @@ pub extern "C" fn svsm_start(li: &KernelLaunchInfo, vb_addr: usize) {
 
     cr0_init();
     cr4_init(platform);
+    determine_cet_support();
     efer_init(platform);
     install_console_logger("SVSM").expect("Console logger already initialized");
     platform
@@ -349,7 +351,7 @@ pub extern "C" fn svsm_start(li: &KernelLaunchInfo, vb_addr: usize) {
         .expect("Failed to run percpu.setup_on_cpu()");
     bsp_percpu.load();
 
-    if cfg!(feature = "shadow-stacks") {
+    if is_cet_ss_supported() {
         enable_shadow_stacks!(bsp_percpu);
     }
 

kernel/src/task/schedule.rs

@@ -35,7 +35,7 @@ use super::{Task, TaskListAdapter, TaskPointer, TaskRunListAdapter};
 use crate::address::{Address, VirtAddr};
 use crate::cpu::msr::write_msr;
 use crate::cpu::percpu::{irq_nesting_count, this_cpu};
-use crate::cpu::shadow_stack::PL0_SSP;
+use crate::cpu::shadow_stack::{is_cet_ss_supported, IS_CET_SUPPORTED, PL0_SSP};
 use crate::cpu::IrqGuard;
 use crate::error::SvsmError;
 use crate::locking::SpinLock;
@@ -351,7 +351,7 @@ pub fn schedule() {
         }
 
         this_cpu().set_tss_rsp0(next.stack_bounds.end());
-        if cfg!(feature = "shadow-stacks") {
+        if is_cet_ss_supported() {
             write_msr(PL0_SSP, next.exception_shadow_stack.bits() as u64);
         }
 
@@ -420,6 +420,8 @@ global_asm!(
         mov {CONTEXT_SWITCH_STACK}(%rip), %rsp
 
         .if CFG_SHADOW_STACKS
+	cmpb $0, {IS_CET_SUPPORTED}(%rip)
+        je 1f
         // Save the current shadow stack pointer
         rdssp   %rax
         sub $8, %rax
@@ -438,11 +440,14 @@ global_asm!(
         mov     %rdx, %cr3
 
         .if CFG_SHADOW_STACKS
+	cmpb $0, {IS_CET_SUPPORTED}(%rip)
+        je 2f
         // Switch to the new task shadow stack and move the "shadow stack
         // restore token" back.
         mov     8(%rdi), %rdx
         rstorssp (%rdx)
         saveprevssp
+    2:
         .endif
 
         // Switch to the new task stack
@@ -471,6 +476,7 @@ global_asm!(
 
         ret
     "#,
+    IS_CET_SUPPORTED = sym IS_CET_SUPPORTED,
     // TODO: Replace these with `const` operands once we upgrade the MSRV to 1.82.
     CONTEXT_SWITCH_STACK = sym CONTEXT_SWITCH_STACK,
     CONTEXT_SWITCH_RESTORE_TOKEN = sym CONTEXT_SWITCH_RESTORE_TOKEN,

kernel/src/task/tasks.rs

@@ -16,6 +16,7 @@ use crate::address::{Address, VirtAddr};
 use crate::cpu::idt::svsm::return_new_task;
 use crate::cpu::msr::read_flags;
 use crate::cpu::percpu::PerCpu;
+use crate::cpu::shadow_stack::is_cet_ss_supported;
 use crate::cpu::X86ExceptionContext;
 use crate::cpu::{irqs_enable, X86GeneralRegs};
 use crate::error::SvsmError;
@@ -190,7 +191,7 @@ impl Task {
 
         let mut shadow_stack_offset = VirtAddr::null();
         let mut exception_shadow_stack = VirtAddr::null();
-        if cfg!(feature = "shadow-stacks") {
+        if is_cet_ss_supported() {
             let shadow_stack;
             (shadow_stack, shadow_stack_offset) = VMKernelShadowStack::new(
                 SVSM_PERTASK_SHADOW_STACK_BASE,
@@ -259,7 +260,7 @@ impl Task {
 
         let mut shadow_stack_offset = VirtAddr::null();
         let mut exception_shadow_stack = VirtAddr::null();
-        if cfg!(feature = "shadow-stacks") {
+        if is_cet_ss_supported() {
             let shadow_stack;
             (shadow_stack, shadow_stack_offset) = VMKernelShadowStack::new(
                 SVSM_PERTASK_SHADOW_STACK_BASE,