[Kernel-packages] [Bug 1954463] Re: KVM ROP Control-Flow Enforcement Tech (CET)
[Expired for linux (Ubuntu) because there has been no activity for 60 days.]

** Changed in: linux (Ubuntu)
       Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1954463

Title:
  KVM ROP Control-Flow Enforcement Tech (CET)

Status in linux package in Ubuntu:
  Expired
Status in qemu package in Ubuntu:
  Expired

Bug description:
  Control-Flow Enforcement Tech (CET)

  What is Intel CET:
  Control-flow Enforcement Technology (CET) provides protection against return/jump-oriented programming (ROP) attacks. It can be implemented to protect both the kernel and applications. In the first phase, only the user-mode protection is implemented on the 64-bit kernel. However, 32-bit applications are supported under the compatibility mode.

  CET includes shadow stack (SHSTK) and indirect branch tracking (IBT). The SHSTK is a secondary stack allocated from memory. The processor automatically pushes/pops a secure copy to the SHSTK every return address and, by comparing the secure copy to the program stack copy, verifies function returns are as intended. The IBT verifies all indirect CALL/JMP targets are intended and marked by the compiler with 'ENDBR' op codes.

  Why need this technology(CET VMX):
  CET also can provide ROP attack in guest OS with VMX HW support. This will enhance platform security in Cloud computing, it's meaningful for Cloud service providers.

  Key change in kvm:
  To enable KVM based CET feature for guest OS, we need to :
  1) Expose the features(CET SHSTK/IBT) to guest OS via CPUID report.
  2) Enable xsaves/xrstors support for guest OS.
  3) Fix xsaves/xrstors issue in existing KVM code.
  4) Enabled CET states loading in guest entry/exit.
  5) Add CET VMX related definitions.

  Key change in Qemu-kvm:
  expose CET related CPUID and xsaves/xrstors support to guest.

  Target Linux 5.18

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1954463/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
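Added example (not part of the bug report, and not KVM or QEMU code): a guest-side check of the CPUID bits that items 1 and 2 of the description would expose, using the bit positions documented in the Intel SDM. The names cpuid_regs, cet_decode and cet_user_usable are hypothetical and chosen for this illustration.

```c
/* Added example: decode the CPUID bits a guest checks for CET support. */
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

struct cpuid_regs { unsigned int eax, ebx, ecx, edx; };

enum {
    CET_SHSTK  = 1 << 0, /* CPUID.(EAX=7,ECX=0):ECX[7]    shadow stack */
    CET_IBT    = 1 << 1, /* CPUID.(EAX=7,ECX=0):EDX[20]   indirect branch tracking */
    CET_XSAVES = 1 << 2, /* CPUID.(EAX=0DH,ECX=1):EAX[3]  XSAVES/XRSTORS */
    CET_XSS_U  = 1 << 3, /* CPUID.(EAX=0DH,ECX=1):ECX[11] user CET state */
    CET_XSS_S  = 1 << 4  /* CPUID.(EAX=0DH,ECX=1):ECX[12] supervisor CET state */
};

/* Pure decoder, so it also works on register dumps saved from a guest. */
unsigned cet_decode(struct cpuid_regs leaf7, struct cpuid_regs leafd1)
{
    unsigned f = 0;
    if (leaf7.ecx  & (1u << 7))  f |= CET_SHSTK;
    if (leaf7.edx  & (1u << 20)) f |= CET_IBT;
    if (leafd1.eax & (1u << 3))  f |= CET_XSAVES;
    if (leafd1.ecx & (1u << 11)) f |= CET_XSS_U;
    if (leafd1.ecx & (1u << 12)) f |= CET_XSS_S;
    return f;
}

/* User-mode CET state is saved through XSAVES, so a CET bit without
 * XSAVES and the user state component is an inconsistent guest model. */
int cet_user_usable(unsigned f)
{
    return (f & (CET_SHSTK | CET_IBT)) && (f & CET_XSAVES) && (f & CET_XSS_U);
}

int main(void)
{
#if defined(__x86_64__) || defined(__i386__)
    struct cpuid_regs l7 = {0, 0, 0, 0}, ld = {0, 0, 0, 0};
    if (__get_cpuid_count(7, 0, &l7.eax, &l7.ebx, &l7.ecx, &l7.edx) &&
        __get_cpuid_count(0xD, 1, &ld.eax, &ld.ebx, &ld.ecx, &ld.edx)) {
        unsigned f = cet_decode(l7, ld);
        printf("SHSTK=%d IBT=%d XSAVES=%d XSS_U=%d XSS_S=%d usable=%d\n",
               !!(f & CET_SHSTK), !!(f & CET_IBT), !!(f & CET_XSAVES),
               !!(f & CET_XSS_U), !!(f & CET_XSS_S), cet_user_usable(f));
        return 0;
    }
#endif
    puts("CPUID leaves 7 and 0DH are not available on this CPU");
    return 1;
}
```

Running it on the host and again inside the guest shows which of the host's CET bits the hypervisor passes through.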
[Kernel-packages] [Bug 1954463] Re: KVM ROP Control-Flow Enforcement Tech (CET)
[Expired for qemu (Ubuntu) because there has been no activity for 60 days.]

** Changed in: qemu (Ubuntu)
       Status: Incomplete => Expired
[Kernel-packages] [Bug 1954463] Re: KVM ROP Control-Flow Enforcement Tech (CET)
Thanks for correcting pkg names. No upstream commits yet. Target Linux 5.18 timeframe. Target Ubuntu 22.10. Platform is Sapphire Rapids.

Status in linux package in Ubuntu:
  Incomplete
Status in qemu package in Ubuntu:
  Incomplete
[Kernel-packages] [Bug 1954463] Re: KVM ROP Control-Flow Enforcement Tech (CET)
Hi Paul,

Bugs in launchpad are filed against source packages, and "src:kvm" doesn't exist for more than 8 years now :-)
Instead you'd want to file it against the package the code is in, in your case most likely src:qemu [1] or src:linux [2].

Also you should talk about the target Ubuntu release you want the fix to be in. I assume from the type of bug that you want to feature request for the coming LTS Ubuntu 22.04 - but please clarify to be sure.

Finally referencing to features/commits works much better if you could please include the hashes of the commits. Please consider doing so once they exist upstream. If they are not existing there someone needs to provide the patches upfront and convince the team that they are stable enough to be picked up.

The referred kernel version is in the future, so that might be a normal bug for a new feature. I'll re-assign this to src:linux for now as your bug indicates that is the target.

You opened a range of bugs in the same pass, other than most others - this one also contains a reference to qemu changes. Therefore I'll add a src:qemu bug task. I have not found an upstream commit for "expose CET related CPUID and xsaves/xrstors support to guest" - the same as with the kernel changes, please refer to an upstream commit including the hash. There are a few xsaves changes in qemu 6.1 but none with your title, did you mean those?

[1]: https://bugs.launchpad.net/ubuntu/+source/qemu
[2]: https://bugs.launchpad.net/ubuntu/+source/linux

** Package changed: kvm (Ubuntu) => linux (Ubuntu)

** Also affects: qemu (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: qemu (Ubuntu)
       Status: New => Incomplete

** Tags added: intel-bug-december-2021

-- 
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1954463

Status in linux package in Ubuntu:
  New
Status in qemu package in Ubuntu:
  Incomplete