[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH L1TF MDS GT v3 1/2] common/grant_table: harden bound accesses

  • To: Norbert Manthey <nmanthey@xxxxxxxxx>
  • From: Jan Beulich <JBeulich@xxxxxxxx>
  • Date: Thu, 18 Jul 2019 12:09:02 +0000
  • Accept-language: en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1;spf=pass smtp.mailfrom=suse.com;dmarc=pass action=none header.from=suse.com;dkim=pass header.d=suse.com;arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=k3z27VVnjn9HoLPvt55VCDJkdkK9awO3fbiyKSMacpc=; b=JoIrsN1QncGiWIhIFVdieqxbwFkefn9btD99dmdIyJOnNy8/+o0KeDUImdQDxz4bL7GFWWyCaOPh4Ej+VkkPrsaUB0YMwr3ml1WdMFbr3nlujdtdNGvhwWHoZ2kRpqyBbGU44qyQSZaQZROo4TOIjibzFbiBzb6R+85qg0EejqTh4INggd1nJoJ6lCAeHiWNcdewVBRDtTMFfbWIEy0tzbnPiUQJkdiN6nZaTZqtVVQsbyXgeLNdnJYZ8FxEJ5ZDlSV1RouAm5oiRdWs25Q5T+hqX+QrtYE4Tq1b9zkR7ria7wzob1i+NWLBL9D5jRL3TfFc/FsvFN1r52MG9bMErw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Q3P+lZo38KLykUSjpQ4jhy86Qk7BdAXOZL3qxudt9qWl4Tmn5VHqDmS/PAcrWZAgrUpY4xPnppt0p+IOB5FXEhbjFzFwS8HCZ9GScSTJG8yTxkze5554WIJi1eccPvA3soJFgzvgOnTsUk3D5SnN9oA+50suY56OZ1SGh8hwZcIIEEwDNyhiP9QW9FVjXGk+Z8/XxGM5DtzUTRC3QGVZpadfoDbbLQSYTV9u0pMnvUQf/JsPMTLP22z9GLDcKpE0dvmT6upjyJUmvU4ITsiT/itZnBDxB3SW8uUPCQ7K2md7lFPLDrLIUW6B5dAbReJp82FrAjmJMeGBaLMyo+PPcA==
  • Authentication-results: spf=none (sender IP is ) smtp.mailfrom=JBeulich@xxxxxxxx;
  • Cc: Juergen Gross <JGross@xxxxxxxx>, Tim Deegan <tim@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, KonradRzeszutek Wilk <konrad.wilk@xxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, IanJackson <ian.jackson@xxxxxxxxxxxxx>, Dario Faggioli <dfaggioli@xxxxxxxx>, Martin Pohlack <mpohlack@xxxxxxxxx>, Pawel Wieczorkiewicz <wipawel@xxxxxxxxx>, Julien Grall <julien.grall@xxxxxxx>, David Woodhouse <dwmw@xxxxxxxxxxxx>, Martin Mazein <amazein@xxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Bjoern Doebel <doebel@xxxxxxxxx>
  • Delivery-date: Thu, 18 Jul 2019 12:09:38 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AQHVOI9EFD+2Co2LEUukceT0T/LFJ6bQUgiA
  • Thread-topic: [PATCH L1TF MDS GT v3 1/2] common/grant_table: harden bound accesses
On 12.07.2019 10:51, Norbert Manthey wrote:
> Guests can issue grant table operations and provide guest controlled
> data to them. This data is used as index for memory loads after bound
> checks have been done. To avoid speculative out-of-bound accesses, we
> use the array_index_nospec macro where applicable, or the macro
> block_speculation. Note, the block_speculation macro is used on all
> path in shared_entry_header and nr_grant_entries. This way, after a
> call to such a function, all bound checks that happened before become
> architectural visible, so that no additional protection is required
> for corresponding array accesses. As the way we introduce an lfence
> instruction might allow the compiler to reload certain values from
> memory multiple times, we try to avoid speculatively continuing
> execution with stale register data by moving relevant data into
> function local variables.
> 
> Speculative execution is not blocked in case one of the following
> properties is true:
>   - path cannot be triggered by the guest
>   - path does not return to the guest
>   - path does not result in an out-of-bound access
>   - path cannot be executed repeatedly

I notice this sentence is still there without modification. If you
don't want to drop it (and then perhaps make changes to a few more
paths), can we at least settle on a less firm statement like "path
is unlikely to be executed repeatedly in rapid succession"?

> Only the combination of the above properties allows to actually leak
> continuous chunks of memory. Therefore, we only add the penalty of
> protective mechanisms in case a potential speculative out-of-bound
> access matches all the above properties.
> 
> This commit addresses only out-of-bound accesses whose index is
> directly controlled by the guest, and the index is checked before.
> Potential out-of-bound accesses that are caused by speculatively
> evaluating the version of the current table are not addressed in this
> commit. Hence, speculative out-of-bound accesses might still be
> possible, for example in gnttab_get_status_frame_mfn, when calling
> gnttab_grow_table, the assertion that the grant table version equals
> two might not hold under speculation.
> 
> This is part of the speculative hardening effort.
> 
> Signed-off-by: Norbert Manthey <nmanthey@xxxxxxxxx>

With the above taken care of by some re-writing
Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>

Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.