
URL: https://www.phoronix.com/news/Linux-6.18-KVM-CET-Virt


Linux 6.18 Preps KVM x86 CET Virtualization For AMD & Intel CPUs

Written by Michael Larabel in Virtualization on 29 September 2025 at 12:00 AM EDT.
Control-Flow Enforcement Technology "CET" is coming to the virtualized world with support for running within KVM guest VMs on Linux 6.18+. This CET virtualization support works for both AMD and Intel processors.

Sean Christopherson of Google sent in the KVM x86 CET virtualization support ahead of the Linux 6.18 merge window for queuing as part of the KVM changes. While Linux has supported Control-Flow Enforcement Technology for a while, this is the first time CET is being supported in the context of virtualization. Control-Flow Enforcement Technology provides control-flow integrity protection by detecting hijacked control flow via indirect branch tracking and a shadow stack.

[Image: AMD and Intel server CPUs]

On Intel CPUs the KVM CET virtualization support covers both Indirect Branch Tracking and Shadow Stacks, while on AMD CPUs it covers Shadow Stacks only. IBT support for AMD CPUs under KVM will require further changes to the Kernel-based Virtual Machine code. The pull request explains:
"Add support for virtualizing Control-flow Enforcement Technology (CET) on Intel (Shadow Stacks and Indirect Branch Tracking) and AMD (Shadow Stacks).

CET is comprised of two distinct features, Shadow Stacks (SHSTK) and Indirect Branch Tracking (IBT), that can be utilized by software to help provide Control-flow integrity (CFI). SHSTK defends against backward-edge attacks (a.k.a. Return-oriented programming (ROP)), while IBT defends against forward-edge attacks (a.k.a. similarly CALL/JMP-oriented programming (COP/JOP)).

Attackers commonly use ROP and COP/JOP methodologies to redirect the control-flow to unauthorized targets in order to execute small snippets of code, a.k.a. gadgets, of the attackers choice. By chaining together several gadgets, an attacker can perform arbitrary operations and circumvent the system's defenses.
...
Note, AMD CPUs currently only support SHSTK. Explicitly disable IBT support so that KVM doesn't over-advertise if AMD CPUs add IBT, and virtualizing IBT in SVM requires KVM modifications."

A welcome improvement for the security of Intel and AMD guest VMs.
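Once a host exposes CET to a VM, the practical question for a guest administrator is whether the guest actually sees it and whether the guest kernel has a shadow stack active. The check below reads the SHSTK and IBT enumeration bits from CPUID leaf 7 and queries the user shadow stack status through arch_prctl; it is an added example, not code from the KVM pull request, and it assumes an x86-64 Linux guest (the CPUID bit positions are architectural, and the ARCH_SHSTK_STATUS code comes from the Linux asm/prctl.h ABI).

```c
#define _GNU_SOURCE
#include <stdint.h>
#if defined(__x86_64__)
#include <cpuid.h>
#include <unistd.h>
#include <sys/syscall.h>
#endif

/* CET enumeration bits in CPUID.(EAX=7,ECX=0): EBX[7] = SHSTK, EDX[20] = IBT. */
#define CPUID7_EBX_SHSTK (1u << 7)
#define CPUID7_EDX_IBT   (1u << 20)
/* arch_prctl codes for the user shadow stack (asm/prctl.h, Linux 6.6+). */
#define ARCH_SHSTK_STATUS 0x5005
#define ARCH_SHSTK_SHSTK  (1ULL << 0)

struct cet_caps { int shstk; int ibt; };

/* Decode from already-read leaf-7 registers, so the decoding can be checked
 * on constructed values as well as on live CPUID output. */
struct cet_caps cet_from_cpuid7(uint32_t ebx, uint32_t edx)
{
    struct cet_caps c = { (ebx & CPUID7_EBX_SHSTK) != 0, (edx & CPUID7_EDX_IBT) != 0 };
    return c;
}

/* What the CPU we run on advertises; inside a KVM guest this is exactly what
 * the hypervisor chose to expose. All-zero when not built for x86-64. */
struct cet_caps cet_query_cpuid(void)
{
    struct cet_caps none = { 0, 0 };
#if defined(__x86_64__)
    unsigned int eax, ebx, ecx, edx;
    if (__get_cpuid_count(7, 0, &eax, &ebx, &ecx, &edx))
        return cet_from_cpuid7(ebx, edx);
#endif
    return none;
}

/* 1 if the guest kernel has a user shadow stack active for this process,
 * 0 if it has not, -1 if the arch_prctl interface is unavailable. */
int cet_user_shstk_active(void)
{
#if defined(__x86_64__)
    unsigned long long status = 0;
    if (syscall(SYS_arch_prctl, ARCH_SHSTK_STATUS, &status) == 0)
        return (status & ARCH_SHSTK_SHSTK) != 0;
#endif
    return -1;
}
```

A guest that reports SHSTK=1 but no active user shadow stack has the hardware feature exposed by KVM while its own kernel or the running binary has not enabled it, which is the gap to look for when verifying the deployment.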

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.