[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 2/2] x86/xpti: Don't leak TSS-adjacent percpu data via Meltdown


  • To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Date: Fri, 26 Jul 2019 16:38:29 +0200
  • Authentication-results: esa4.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none; spf=None smtp.pra=roger.pau@xxxxxxxxxx; spf=Pass smtp.mailfrom=roger.pau@xxxxxxxxxx; spf=None smtp.helo=postmaster@xxxxxxxxxxxxxxx
  • Cc: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>
  • Delivery-date: Fri, 26 Jul 2019 14:38:50 +0000
  • Ironport-sdr: UrAH2+RvkuKjOcEUzVLN8TNcDqNHxXjdnvckEjosbifmeKWh/Zy/EF1HYJmcPbQlI4k0SbKbyN uHyoFvFJqe9+6PPz23KuRR3a8KF3Ox8LIIGlGKxLrHLnt78RLxFBLYfTLIxAxD7dMmyi5tGZQs Y8XDLgl/Ef2TssrLEoMGzPmHihJRRjH8lzEGFHvu6LSk0aTM2JhQZI2JMu5AIOZ3KWaeSk3tVN Xiu/BmKDe/711PHVHpi1BwO6Mb3Q1avLFw+VLst8C97wuemhsozjkZ4FDBQH6NrKO11QzwqUek b6I=
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Fri, Jul 26, 2019 at 02:52:40PM +0100, Andrew Cooper wrote:
> The XPTI work restricted the visibility of most of memory, but missed a few
> aspects when it came to the TSS.
> 
> Given that the TSS is just an object in percpu data, the 4k mapping for it
> created in setup_cpu_root_pgt() maps adjacent percpu data, making it all
> leakable via Meltdown, even when XPTI is in use.
> 
> Furthermore, no care is taken to check that the TSS doesn't cross a page
> boundary.  As it turns out, struct tss_struct is aligned on its size which
> does prevent it straddling a page boundary, but this will cease to be true
> once CET and Shadow Stack support is added to Xen.
> 
> Move the TSS into the page aligned percpu area, so no adjacent data can be
> leaked.  Move the definition from setup.c to traps.c, which is a more
> appropriate place for it to live.
> 
> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
> ---
> CC: Jan Beulich <JBeulich@xxxxxxxx>
> CC: Wei Liu <wl@xxxxxxx>
> CC: Roger Pau Monné <roger.pau@xxxxxxxxxx>
> ---
>  xen/arch/x86/setup.c            | 2 --
>  xen/arch/x86/traps.c            | 6 ++++++
>  xen/arch/x86/xen.lds.S          | 2 ++
>  xen/include/asm-x86/processor.h | 4 ++--
>  4 files changed, 10 insertions(+), 4 deletions(-)
> 
> diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c
> index d2011910fa..1a2ffc4dc1 100644
> --- a/xen/arch/x86/setup.c
> +++ b/xen/arch/x86/setup.c
> @@ -100,8 +100,6 @@ unsigned long __read_mostly xen_phys_start;
>  
>  unsigned long __read_mostly xen_virt_end;
>  
> -DEFINE_PER_CPU(struct tss_struct, init_tss);
> -
>  char __section(".bss.stack_aligned") __aligned(STACK_SIZE)
>      cpu0_stack[STACK_SIZE];
>  
> diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c
> index 38d12013db..e4b4587956 100644
> --- a/xen/arch/x86/traps.c
> +++ b/xen/arch/x86/traps.c
> @@ -108,6 +108,12 @@ idt_entry_t __section(".bss.page_aligned") 
> __aligned(PAGE_SIZE)
>  /* Pointer to the IDT of every CPU. */
>  idt_entry_t *idt_tables[NR_CPUS] __read_mostly;
>  
> +/*
> + * The TSS is smaller than a page, but we give it a full page to avoid
> + * adjacent per-cpu data leaking via Meltdown when XPTI is in use.
> + */
> +DEFINE_PER_CPU_PAGE_ALIGNED(struct __aligned(PAGE_SIZE) tss_struct, 
> init_tss);

Can't you bundle the __aligned attribute in
DEFINE_PER_CPU_PAGE_ALIGNED itself?

#define DEFINE_PER_CPU_PAGE_ALIGNED(type, name) \
    __DEFINE_PER_CPU(type __aligned(PAGE_SIZE), _##name, .page_aligned)

I haven't tested this TBH. I'm also not able to find how __typeof__
(used by __DEFINE_PER_CPU) behaves regarding attributes, but I'm quite
sure it keeps them or else lots of things will break.

Thanks, Roger.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.