[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH V3 1/6] x86/xsaves: enable xsaves/xrstors for pv guest

To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
From: Shuai Ruan <shuai.ruan@xxxxxxxxxxxxxxx>
Date: Wed, 12 Aug 2015 11:01:02 +0800
Cc: kevin.tian@xxxxxxxxx, wei.liu2@xxxxxxxxxx, Ian.Campbell@xxxxxxxxxx, stefano.stabellini@xxxxxxxxxxxxx, jun.nakajima@xxxxxxxxx, eddie.dong@xxxxxxxxx, ian.jackson@xxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxx, jbeulich@xxxxxxxx, keir@xxxxxxx
Delivery-date: Wed, 12 Aug 2015 02:59:51 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

On Tue, Aug 11, 2015 at 11:24:24AM +0100, Andrew Cooper wrote:
> On 11/08/15 08:50, Shuai Ruan wrote:
> > On Fri, Aug 07, 2015 at 01:44:41PM +0100, Andrew Cooper wrote:
> >> On 07/08/15 09:00, Shuai Ruan wrote:
> >>>>> +                    goto skip;
> >>>>> +                }
> >>>>> +
> >>>>> +                if ( !guest_kernel_mode(v, regs) || (regs->edi & 0x3f) 
> >>>>> )
> >>>> What does edi have to do with xsaves?  only edx:eax are special
> >>>> according to the manual.
> >>>>
> >>> regs->edi is the guest_linear_address
> >> Whyso?  xsaves takes an unconditional memory parameter,  not a pointer
> >> in %rdi.  (regs->edi is only correct for ins/outs because the pointer is
> >> architecturally required to be in %rdi.)
> > You are right. The linear_address should be decoded from the instruction.
> >> There is nothing currently in emulate_privileged_op() which does ModRM
> >> decoding for memory references, nor SIB decoding.  xsaves/xrstors would
> >> be the first such operations.
> >>
> >> I am also not sure that adding arbitrary memory decode here is sensible.
> >>
> >> In an ideal world, we would have what is currently x86_emulate() split
> >> in 3 stages.
> >>
> >> Stage 1 does straight instruction decode to some internal representation.
> >>
> >> Stage 2 does an audit to see whether the decoded instruction is
> >> plausible for the reason why an emulation was needed.  We have had a
> >> number of security issues with emulation in the past where guests cause
> >> one instruction to trap for emulation, then rewrite the instruction to
> >> be something else, and exploit a bug in the emulator.
> >>
> >> Stage 3 performs the actions required for emulation.
> >>
> >> Currently, x86_emulate() is limited to instructions which might
> >> legitimately fault for emulation, but with the advent of VM
> >> introspection, this is proving to be insufficient.  With my x86
> >> maintainers hat on, I would like to avoid the current situation we have
> >> with multiple bits of code doing x86 instruction decode and emulation
> >> (which are all different).
> >>
> >> I think the 3-step approach above caters suitably to all usecases, but
> >> it is a large project itself.  It allows the introspection people to
> >> have a full and complete x86 emulation infrastructure, while also
> >> preventing areas like the shadow paging from being opened up to
> >> potential vulnerabilities in unrelated areas of the x86 architecture.
> >>
> >> I would even go so far as to say that it is probably ok not to support
> >> xsaves/xrestors in PV guests until something along the above lines is
> >> sorted.  The first feature in XSS is processor trace which a PV guest
> >> couldn't use anyway.  I suspect the same applies to most of the other
> > Why PV guest couldn't use precessor trace?
> 
> After more consideration, Xen should not expose xsaves/xrstors to PV
> guests at all.
> 
OK. In next version, I will follow your suggestion not to add support for PV 
guest.
> >> XSS features, or they wouldn't need to be privileged in the first place.
> >>
> > Thanks for your such detail suggestions.
> > For xsaves/xrstors would also bring other benefits for PV guest such as
> > saving memory of XSAVE area. If we do not support xsaves/xrstors in PV , 
> > PV guest would lose these benefits. What's your opinions toward this?
> 
> PV guests running under Xen are exactly the same as regular user
> processes running under Linux.
> 
> There is a reason everything covered by xsaves/xrstors is restricted to
> ring0; it would be a security hole to allow guests to configure the
> features themselves.
> 
> Features such as Processor Trace would need a hypercall interface for
> guests to use.
> 
Ok. Thanks. 
> ~Andrew
Thnaks for your review ,Andrew
> 
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxx
> http://lists.xen.org/xen-devel
> 

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

References:
- [Xen-devel] [PATCH V3 0/6] add xsaves/xrstors support
  - From: Shuai Ruan
- [Xen-devel] [PATCH V3 1/6] x86/xsaves: enable xsaves/xrstors for pv guest
  - From: Shuai Ruan
- Re: [Xen-devel] [PATCH V3 1/6] x86/xsaves: enable xsaves/xrstors for pv guest
  - From: Andrew Cooper
- Re: [Xen-devel] [PATCH V3 1/6] x86/xsaves: enable xsaves/xrstors for pv guest
  - From: Shuai Ruan
- Re: [Xen-devel] [PATCH V3 1/6] x86/xsaves: enable xsaves/xrstors for pv guest
  - From: Andrew Cooper
- Re: [Xen-devel] [PATCH V3 1/6] x86/xsaves: enable xsaves/xrstors for pv guest
  - From: Shuai Ruan
- Re: [Xen-devel] [PATCH V3 1/6] x86/xsaves: enable xsaves/xrstors for pv guest
  - From: Andrew Cooper

Prev by Date: [Xen-devel] [PATCH v5 17/17] Add a command line parameter for VT-d posted-interrupts
Next by Date: Re: [Xen-devel] Design doc of adding ACPI support for arm64 on Xen - version 2
Previous by thread: Re: [Xen-devel] [PATCH V3 1/6] x86/xsaves: enable xsaves/xrstors for pv guest
Next by thread: [Xen-devel] [PATCH V3 2/6] x86/xsaves: enable xsaves/xrstors in xen
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.