vmm: serialize IA32_XSS and CET MSRs #10
Merged
saleemrashid merged 1 commit into v1.14.4-fly from Apr 23, 2026
Kernel v6.18 enables shadow stack virtualization for AMD SVM guests (commit
8db428fd5229b, "KVM: SVM: Enable shadow stack virtualization for SVM"). SHSTK
and the CET_USER supervisor xstate are both advertised in the guest's CPUID.
Linux enables every supervisor xstate the CPU enumerates (regardless of whether
CONFIG_X86_USER_SHADOW_STACK is enabled), so guests set MSR_IA32_XSS.CET_USER at
boot.
Firecracker's SERIALIZABLE_MSR_RANGES does not include MSR_IA32_XSS, so it's 0
on resume from snapshot. If MSR_IA32_XSS isn't round-tripped, the first XRSTORS
instruction after resume faults: the processor refuses to restore a buffer whose
XCOMP_BV references CET_USER while IA32_XSS.CET_USER is unset.
Kernel commit c0a5f29891222 ("KVM: x86: Report XSS as to-be-saved if there are
supported features") added MSR_IA32_XSS to KVM's msrs_to_save_base[] for this
reason. Also save the related CET MSRs from the same kernel patch series
(6a11c860d8a4a, "KVM: x86: Report KVM supported CET MSRs as to-be-saved"):
U_CET, S_CET, PL0_SSP..PL3_SSP, INT_SSP_TAB.
Safe on older kernels: get_msrs_to_save() intersects SERIALIZABLE_MSR_RANGES
with KVM_GET_MSR_INDEX_LIST, and pre-v6.18 kernels don't report these MSRs.
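A simplified model of the failure described above, added here as an example; it is not Firecracker's or KVM's code. The `Ranges` allow-list, the helper names and the sample kernel MSR list are hypothetical stand-ins; the MSR indices and the CET_USER bit position follow Linux's definitions.

```rust
use std::collections::BTreeMap;

// MSR indices as defined in Linux's msr-index.h.
const MSR_IA32_U_CET: u32 = 0x6a0; // CET MSRs run from here through INT_SSP_TAB (0x6a8)
const MSR_IA32_XSS: u32 = 0xda0;
const XFEATURE_CET_USER: u64 = 1 << 11; // supervisor xstate component 11
const XCOMP_COMPACTED: u64 = 1 << 63; // XCOMP_BV[63]: compacted format

/// Hypothetical (base, count) allow-list standing in for SERIALIZABLE_MSR_RANGES.
type Ranges = [(u32, u32)];

/// MSRs to snapshot: the allow-list intersected with what the kernel reports.
fn msrs_to_save(ranges: &Ranges, kernel_list: &[u32]) -> Vec<u32> {
    kernel_list
        .iter()
        .copied()
        .filter(|m| ranges.iter().any(|&(base, n)| (base..base + n).contains(m)))
        .collect()
}

/// Snapshot then restore: only saved MSRs keep their value; the rest read as 0.
fn round_trip(guest: &BTreeMap<u32, u64>, saved: &[u32]) -> BTreeMap<u32, u64> {
    guest.iter().map(|(&m, &v)| (m, if saved.contains(&m) { v } else { 0 })).collect()
}

/// XRSTORS raises #GP when XCOMP_BV is not in compacted format or names a
/// component that is enabled in neither XCR0 nor IA32_XSS.
fn xrstors_faults(xcomp_bv: u64, xcr0: u64, xss: u64) -> bool {
    (xcomp_bv & XCOMP_COMPACTED) == 0 || ((xcomp_bv & !XCOMP_COMPACTED) & !(xcr0 | xss)) != 0
}

/// Constructed scenario: a guest that set XSS.CET_USER at boot is snapshotted and resumed.
fn resume_faults(ranges: &Ranges) -> bool {
    let kernel_list = [0x10, MSR_IA32_U_CET, MSR_IA32_XSS]; // constructed KVM_GET_MSR_INDEX_LIST
    let guest = BTreeMap::from([(0x10, 1234), (MSR_IA32_U_CET, 1), (MSR_IA32_XSS, XFEATURE_CET_USER)]);
    let xcr0 = 0b111; // x87 | SSE | AVX
    let xcomp_bv = XCOMP_COMPACTED | xcr0 | XFEATURE_CET_USER; // buffer written by XSAVES
    let restored = round_trip(&guest, &msrs_to_save(ranges, &kernel_list));
    xrstors_faults(xcomp_bv, xcr0, restored[&MSR_IA32_XSS])
}

fn main() {
    let before: &Ranges = &[(0x10, 1)]; // allow-list without XSS or the CET MSRs
    let after: &Ranges = &[(0x10, 1), (MSR_IA32_U_CET, 9), (MSR_IA32_XSS, 1)];
    println!("before: fault={}, after: fault={}", resume_faults(before), resume_faults(after));
}
```

The last assertion in the accompanying test mirrors the "safe on older kernels" point: a kernel list that omits the new MSRs yields the same save set as before, whatever the allow-list contains.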
574f615 to 5148fd6