[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v2 3/3] x86: Make the GDT remapping read-only on 64 bit

To: Thomas Garnier <thgarnie@xxxxxxxxxx>
From: Ingo Molnar <mingo@xxxxxxxxxx>
Date: Wed, 1 Feb 2017 10:15:34 +0100
Cc: x86@xxxxxxxxxx, Stanislaw Gruszka <sgruszka@xxxxxxxxxx>, kvm@xxxxxxxxxxxxxxx, Fenghua Yu <fenghua.yu@xxxxxxxxx>, Matt Fleming <matt@xxxxxxxxxxxxxxxxxxx>, Paul Gortmaker <paul.gortmaker@xxxxxxxxxxxxx>, Radim Krčmář <rkrcmar@xxxxxxxxxx>, linux-efi@xxxxxxxxxxxxxxx, Alexander Potapenko <glider@xxxxxxxxxx>, Pavel Machek <pavel@xxxxxx>, "H . Peter Anvin" <hpa@xxxxxxxxx>, kernel-hardening@xxxxxxxxxxxxxxxxxx, Jiri Olsa <jolsa@xxxxxxxxxx>, Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>, Dave Hansen <dave.hansen@xxxxxxxxx>, Andi Kleen <ak@xxxxxxxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, Michael Ellerman <mpe@xxxxxxxxxxxxxx>, Joerg Roedel <joro@xxxxxxxxxx>, Prarit Bhargava <prarit@xxxxxxxxxx>, kasan-dev@xxxxxxxxxxxxxxxx, Christian Borntraeger <borntraeger@xxxxxxxxxx>, Ingo Molnar <mingo@xxxxxxxxxx>, Andrey Ryabinin <aryabinin@xxxxxxxxxxxxx>, Borislav Petkov <bp@xxxxxxx>, Len Brown <len.brown@xxxxxxxxx>, Rik van Riel <riel@xxxxxxxxxx>, Jiri Kosina <jikos@xxxxxxxxxx>, Kees Cook <keescook@xxxxxxxxxxxx>, Arnd Bergmann <arnd@xxxxxxxx>, He Chen <he.chen@xxxxxxxxxxxxxxx>, Brian Gerst <brgerst@xxxxxxxxx>, Rusty Russell <rusty@xxxxxxxxxxxxxxx>, lguest@xxxxxxxxxxxxxxxx, Andy Lutomirski <luto@xxxxxxxxxx>, Josh Poimboeuf <jpoimboe@xxxxxxxxxx>, Thomas Gleixner <tglx@xxxxxxxxxxxxx>, Chen Yucong <slaoub@xxxxxxxxx>, Arjan van de Ven <arjan@xxxxxxxxxxxxxxx>, Adam Buchbinder <adam.buchbinder@xxxxxxxxx>, Dmitry Vyukov <dvyukov@xxxxxxxxxx>, Juergen Gross <jgross@xxxxxxxx>, Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx>, linux-pm@xxxxxxxxxxxxxxx, "Rafael J . Wysocki" <rjw@xxxxxxxxxxxxx>, linux-kernel@xxxxxxxxxxxxxxx, Andy Lutomirski <luto@xxxxxxxxxxxxxx>, "Luis R . Rodriguez" <mcgrof@xxxxxxxxxx>, David Vrabel <david.vrabel@xxxxxxxxxx>, Paolo Bonzini <pbonzini@xxxxxxxxxx>, Vitaly Kuznetsov <vkuznets@xxxxxxxxxx>, Tim Chen <tim.c.chen@xxxxxxxxxxxxxxx>
Delivery-date: Wed, 01 Feb 2017 09:16:00 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

* Thomas Garnier <thgarnie@xxxxxxxxxx> wrote:

> This patch makes the GDT remapped pages read-only to prevent corruption.
> This change is done only on 64 bit.

Please spell '64-bit' consistently through the series. I've seen two variants:

  64 bit
  64bit

> +/*
> + * The LTR instruction marks the TSS GDT entry as busy. In 64bit, the GDT is
> + * a read-only remapping. To prevent a page fault, the GDT is switched to the
> + * original writeable version when needed.

s/In 64bit,
 /On 64-bit kernels,

> + */
> +#ifdef CONFIG_X86_64
> +static inline void native_load_tr_desc(void)
> +{
> +     struct desc_ptr gdt;
> +     int cpu = raw_smp_processor_id();
> +     bool restore = false;
> +     struct desc_struct *fixmap_gdt;
> +
> +     native_store_gdt(&gdt);
> +     fixmap_gdt = get_cpu_fixmap_gdt(cpu);
> +
> +     /*
> +      * If the current GDT is the read-only fixmap, swap to the original
> +      * writeable version. Swap back at the end.
> +      */
> +     if (gdt.address == (unsigned long)fixmap_gdt) {
> +             load_direct_gdt(cpu);
> +             restore = true;
> +     }
> +     asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
> +     if (restore)
> +             load_fixmap_gdt(cpu);

Please use bool plus 0/1, it's more readable (to me) than the true/false 
notation.

>  extern void switch_to_new_gdt(int);
> +extern void load_direct_gdt(int);
>  extern void load_fixmap_gdt(int);

> +/* Load the original GDT from the per-cpu structure */
> +void load_direct_gdt(int cpu)
> +{
> +     struct desc_ptr gdt_descr;
> +
> +     gdt_descr.address = (long)get_cpu_direct_gdt(cpu);

Please name the functions in an easier to understand way, such as:

        get_cpu_gdt_rw()
        get_cpu_gdt_ro()

that the GDT is in the direct mappings is less important than the fact the the 
address is writable ...

> +}
> +EXPORT_SYMBOL(load_direct_gdt);

EXPORT_SYMBOL_GPL(), or no export at all.

> +EXPORT_SYMBOL(load_fixmap_gdt);

ditto.

>        * VT restores TR but not its size.  Useless.
>        */
> -     struct desc_ptr *gdt = this_cpu_ptr(&host_gdt);
>       struct desc_struct *descs;
>  
> -     descs = (void *)gdt->address;
> +     descs = (void *)get_current_direct_gdt();

Couldn't the type cast be dropped?

>  
> -     table_base = gdt->address;
> +     table_base = (unsigned long)get_current_direct_gdt();

Instead of spreading these type casts far and wide please introduce another 
accessor the returns 'unsigned long':

        get_cpu_gdt_rw_vaddr()

or such.

Thanks,

        Ingo

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH v2 3/3] x86: Make the GDT remapping read-only on 64 bit
  - From: Andy Lutomirski

Prev by Date: [Xen-devel] [libvirt test] 105188: regressions - FAIL
Next by Date: [Xen-devel] [xen-unstable test] 105169: regressions - FAIL
Previous by thread: [Xen-devel] [libvirt test] 105188: regressions - FAIL
Next by thread: Re: [Xen-devel] [PATCH v2 3/3] x86: Make the GDT remapping read-only on 64 bit
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.