[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] XSA-60 solutions

Hi, All

Any comments/suggestions?


Liu, Jinsong wrote:
> Liu, Jinsong wrote:
>> Hi, All
>> This email provides 2 solutions for XSA-60 issue found by Konrad
>> (refer attached email for XSA-60 please).
>> Basically it involves how to emulate guest setting cr0.cd. For
>> shadow, as Jan pointed out in earlier email Xen drop all shadows so
>> that any new ones would be created with UC memory type, _not_
>> involving iteration over the whole address space. For EPT, currently
>> Xen traverse all ept entries via problematic set_uc_mode, resulting
>> in DOS-like behavior, so this email focus on Intel EPT case.
>> Solution 1 is Dual-EPT tables: When guest setting cr0.cd trapped,
>> stop using normal EPT, switch to a temp EPT table and populate new
>> EPT entries w/ UC type on demand at later EPT violation. When guest
>> clearing cr0.cd, switch back to normal EPT. In this way, _no_
>> unbounded loop involved and hence security hole avoided.
>> Some concerns for Dual-EPT: the 1st concern comes from cachablity
>> confliction between guest and Xen memory type point of view, though
>> it also exists in current implementation. The 2nd concern comes from
>> Dual EPT tables inconsistency/sync issue: things become complicated
>> when p2m modifying, PoD populating, and super page spliting, etc.
>> Solution 2 is via PAT emulation: For guest w/o VT-d, and for guest
>> with VT-d but snooped, Xen need do nothing, just simply ignore guest
>> setting cr0.cd, since hardware snoop mechanism has ensured cache
>> coherency (under these cases currently Xen has set EPT iPAT bit,
>> ignore guest's memory type opinion); For guest with VT-d but
>> non-snooped, cache coherency can not be guaranteed by h/w snoop so
>> guest's memory type opinion must be considered (under this case Xen
>> set iPAT bit combining guest and host memory type opinion). Only
> Sorry, under this case Xen _clear_ iPAT, combining guest and host
> memory type opinion. 
> Thanks,
> Jinsong
>> under this case PAT emulation need set all IA32_PAT fields as UC so
>> that guest memory type are all UC.
>> Concern for PAT solution still comes from cachablity confliction
>> between guest and Xen. 
>> Thoughts?
>> BTW, today is Chinese National day, I will have several days travel
>> with no email access, but your comments/suggestions are highly
>> appreciated and I will reply ASAP after I come back.
>> Thanks,
>> Jinsong

Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.