[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [RFC PATCH 1/1] xen: Use a global mapping for runstate


  • To: Julien Grall <julien@xxxxxxx>
  • From: Bertrand Marquis <Bertrand.Marquis@xxxxxxx>
  • Date: Fri, 29 May 2020 14:21:44 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=3TsrYCiHH609KhDx/UK9fcnT62zA0TBsXE68ACIzW60=; b=FBq0fNO60wuEPHd1EQ48xiyKS9AZt3TMA2jx0CamCy/XYgkLbhF5N0OxGIuvO6A6CQky0Q47Z1Ytjc8tC9esS5EO9V9QvQBaHRT40nC5OcygkkoO7tDx+3pF7UzQAVnlpksr/UKzbFqbc5Quki+beJ/nReMLqPJt9v/MX2tbSDWQvb+TMnb+JyoGpMJrJLZ0x98hYMasH6pdTc0PB2+XZzGaq0CwTck+5kUGzXq0kZkjm0TmFqo4AEpbvy4Kutmys2QKaVdUo857qq5u5Q3uvvA6Ex21u7P/bIrAA8TU9S3YO3hpaZ65IBBLAIg4Ow+NpWjCrKJH2he2LVsCUojicA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=mPwyidpa9RReWN5SVb+k6uWCND3ENVTxeNVJ3flSh/R5qqgA6GR9+IEv46KwWP+R9lM8tlDOlZ8mfRDjK+QpkUTsvbTBovBLyDtLy7p0sW1ODOzRzOPHi5D2gzdAYDtEy+M9HU7I57RafgbLl94yAlZs+MQh5ftJAcdXe4OTuALvUNFKgIHCXqNm6I9ipiZ54lsavmyBOrjMEG4v+hpRBymwlyh9ePLkMe3yNfeAqeZ/ZUBVPlTxynwFQyapNyNFw/E0CYi8Jk0TbYDonioBBXUMYdvaXLF97iqcyj+J9MhKmMFXoWTHW+AGXMfcA9F9Rxoes1B+4dhTtLT8HpaD4Q==
  • Authentication-results-original: xen.org; dkim=none (message not signed) header.d=none;xen.org; dmarc=none action=none header.from=arm.com;
  • Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, "paul@xxxxxxx" <paul@xxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, "Xia, Hongyan" <hongyxia@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, nd <nd@xxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Delivery-date: Fri, 29 May 2020 14:22:04 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Nodisclaimer: true
  • Original-authentication-results: xen.org; dkim=none (message not signed) header.d=none;xen.org; dmarc=none action=none header.from=arm.com;
  • Thread-index: AQHWNP6nIxIB/r3XC025DLnqIbmaJai92N6AgADfWQCAABkLAIAASFMAgAADiACAAAHaAA==
  • Thread-topic: [RFC PATCH 1/1] xen: Use a global mapping for runstate


> On 29 May 2020, at 15:15, Julien Grall <julien@xxxxxxx> wrote:
> 
> 
> 
> On 29/05/2020 15:02, Bertrand Marquis wrote:
>>> On 29 May 2020, at 10:43, Julien Grall <julien@xxxxxxx> wrote:
>>> 
>>> Hi Bertrand,
>>> 
>>> On 29/05/2020 09:13, Bertrand Marquis wrote:
>>>> Hi Julien,
>>>>> On 28 May 2020, at 19:54, Julien Grall <julien@xxxxxxx> wrote:
>>>>> 
>>>>> Hi Bertrand,
>>>>> 
>>>>> Thank you for the patch.
>>>>> 
>>>>> On 28/05/2020 16:25, Bertrand Marquis wrote:
>>>>>> At the moment on Arm, a Linux guest running with KTPI enabled will
>>>>>> cause the following error when a context switch happens in user mode:
>>>>>> (XEN) p2m.c:1890: d1v0: Failed to walk page-table va 0xffffff837ebe0cd0
>>>>>> This patch is modifying runstate handling to map the area given by the
>>>>>> guest inside Xen during the hypercall.
>>>>>> This is removing the guest virtual to physical conversion during context
>>>>>> switches which removes the bug
>>>>> 
>>>>> It would be good to spell out that a virtual address is not stable. So 
>>>>> relying on it is wrong.
>>>>> 
>>>>>> and improve performance by preventing to
>>>>>> walk page tables during context switches.
>>>>> 
>>>>> With Secret free hypervisor in mind, I would like to suggest to map/unmap 
>>>>> the runstate during context switch.
>>>>> 
>>>>> The cost should be minimal when there is a direct map (i.e on Arm64 and 
>>>>> x86) and still provide better performance on Arm32.
>>>> Even with a minimal cost this is still adding some non real-time behaviour 
>>>> to the context switch.
>>> 
>>> Just to be clear, by minimal I meant the mapping part is just a 
>>> virt_to_mfn() call and the unmapping is a NOP.
>>> 
>>> IHMO, if virt_to_mfn() ends up to add non-RT behavior then you have much 
>>> bigger problem than just this call.
>>> 
>>>> But definitely from the security point of view as we have to map a page 
>>>> from the guest, we could have accessible in Xen some data that should not 
>>>> be there.
>>>> There is a trade here where:
>>>> - xen can protect by map/unmapping
>>>> - a guest which wants to secure his data should either not use it or make 
>>>> sure there is nothing else in the page
>>> 
>>> Both are valid and depends on your setup. One may want to protect all the 
>>> existing guests, so modifying a guest may not be a solution.
>> The fact to map/unmap is increasing the protection but not removing the 
>> problem completely.
> 
> I would be curious to understand why the problem is not completely removed.
> 
> From my perspective, this covers the case where Xen could leak the 
> information of one domain to another domain. When there is no direct mapping, 
> temporary mappings via domain_map_page() will be either per-pCPU (or 
> per-vCPU). So the content should never be (easily) accessible by another 
> running domain while it is mapped.
> 
> If the guest is concerned about exposing the data to Xen, then it is a 
> completely different issue and should be taken care by the guest iself.

Even temporarily mapped you still have access to more then you need so you 
could potentially modify something from the guest at that point (from an 
interrupt handler for example).
The attack surface is reduced a lot I agree but if the guest does not make sure 
that nothing else is available in the page, you can potentially still get an 
access.

Cheers
Bertrand




 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.