This bug is missing log files that will aid in diagnosing the problem.
While running an Ubuntu kernel (not a mainline or third-party kernel)
please enter the following command in a terminal window:
apport-collect 1954463
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable
to run this command, please add a comment stating that fact and change
the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the
Ubuntu Kernel Team.
** Changed in: linux (Ubuntu)
Status: New => Incomplete
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1954463
Title:
KVM ROP Control-Flow Enforcement Tech (CET)
Status in linux package in Ubuntu:
Incomplete
Status in qemu package in Ubuntu:
Incomplete
Bug description:
Control-Flow Enforcement Tech (CET)
What is Intel CET:
Control-flow Enforcement Technology (CET) provides protection against
return/jump-oriented programming (ROP) attacks. It can be implemented
to protect both the kernel and applications. In the first phase,
only the user-mode protection is implemented on the 64-bit kernel.
However, 32-bit applications are supported under the compatibility
mode.
CET includes shadow stack (SHSTK) and indirect branch tracking (IBT).
The SHSTK is a secondary stack allocated from memory. The processor
automatically pushes/pops a secure copy to the SHSTK every return
address and, by comparing the secure copy to the program stack copy,
verifies function returns are as intended. The IBT verifies all
indirect CALL/JMP targets are intended and marked by the compiler with
'ENDBR' op codes.
Why need this technology(CET VMX):
CET also can provide ROP attack in guest OS with VMX HW support. This will
enhance platform security in Cloud computing, it's meaningful for Cloud service
providers.
Key change in kvm:
To enable KVM based CET feature for guest OS, we need to :
1) Expose the features(CET SHSTK/IBT) to guest OS via CPUID report.
2) Enable xsaves/xrstors support for guest OS.
3) Fix xsaves/xrstors issue in existing KVM code.
4) Enabled CET states loading in guest entry/exit.
5) Add CET VMX related definitions.
Key change in Qemu-kvm:
expose CET related CPUID and xsaves/xrstors support to guest.
Target Linux 5.18
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1954463/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
