[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v3 7/8] x86/hvm: Disallow access to unknown MSRs

To: Jan Beulich <jbeulich@xxxxxxxx>, Roger Pau Monne <roger.pau@xxxxxxxxxx>
From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Date: Fri, 4 Sep 2020 10:44:31 +0100
Authentication-results: esa1.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none
Cc: <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Jun Nakajima <jun.nakajima@xxxxxxxxx>, Kevin Tian <kevin.tian@xxxxxxxxx>
Delivery-date: Fri, 04 Sep 2020 09:45:02 +0000
Ironport-sdr: z4aebpRE00MjPxZigGCHj91MBKH86aA15kV8E72k36C5QBrUnj1yz8x4kD7lbv6nqXKZjNMteU Yu+3AglMI3MxFZJgPCR+WUk1ZRrrv8Bq+STKpmWE+febDMHmjSDNhs/pDmC2hd1efiVM4tQH11 GIy7oi51jCUg6GRE3Nlf3cK7sxwn1Pft4y2r5NdMlOpQXxkC8CIS8lgxNJSWQrLPZXAflDuRND AMhf+8xf/9cIZuDwhryk4GSt3z1P9kYMJYcy57ehPLfQVNl3HZC3TAH5BrOsM0qEpdfvD305Tx Pbo=
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 04/09/2020 09:53, Jan Beulich wrote:
> On 01.09.2020 12:54, Roger Pau Monne wrote:
>> @@ -3290,11 +3288,6 @@ static int vmx_msr_write_intercept(unsigned int msr, 
>> uint64_t msr_content)
>>          __vmwrite(GUEST_IA32_DEBUGCTL, msr_content);
>>          break;
>>  
>> -    case MSR_IA32_FEATURE_CONTROL:
>> -    case MSR_IA32_VMX_BASIC ... MSR_IA32_VMX_VMFUNC:
>> -        /* None of these MSRs are writeable. */
>> -        goto gp_fault;
> I understand Andrew did ask for this (and I didn't look closely
> when I saw the comment), but ...
>
>> @@ -3320,10 +3313,9 @@ static int vmx_msr_write_intercept(unsigned int msr, 
>> uint64_t msr_content)
>>               is_last_branch_msr(msr) )
>>              break;
>>  
>> -        /* Match up with the RDMSR side; ultimately this should go away. */
>> -        if ( rdmsr_safe(msr, msr_content) == 0 )
>> -            break;
>> -
>> +        gdprintk(XENLOG_WARNING,
>> +                 "WRMSR 0x%08x val 0x%016"PRIx64" unimplemented\n",
>> +                 msr, msr_content);
>>          goto gp_fault;
> ... above from here is logic that handling of these MSRs now goes
> through. I'm particularly worried about vmx_write_guest_msr(),
> which blindly updates the value of any MSR it can find, i.e. if
> any r/o MSR (from the set above, or even more generally) ever got
> added to this vCPU-specific set, the r/o-ness would no longer be
> maintained. Do we perhaps need to white-list MSRs for which
> vmx_write_guest_msr() may get called here?

If a read-only MSR ever actually gets into the load/save list, we'll
take a VMEntry failure (guest load) or SHUTDOWN (host load) as a
consequence of microcode takes a #GP fault.

However, restricting the content of this catch-all clause to nothing
(but the printk) is something I have planned as part of the ongoing MSR
cleanup work.

~Andrew

Follow-Ups:
- Re: [PATCH v3 7/8] x86/hvm: Disallow access to unknown MSRs
  - From: Jan Beulich

References:
- [PATCH v3 0/8] x86: switch default MSR behavior
  - From: Roger Pau Monne
- [PATCH v3 7/8] x86/hvm: Disallow access to unknown MSRs
  - From: Roger Pau Monne
- Re: [PATCH v3 7/8] x86/hvm: Disallow access to unknown MSRs
  - From: Jan Beulich

Prev by Date: Re: [PATCH] EFI: Enable booting unified hypervisor/kernel/initrd images
Next by Date: Re: [PATCH] efi: Always map EfiRuntimeServicesCode and EfiRuntimeServicesData
Previous by thread: Re: [PATCH v3 7/8] x86/hvm: Disallow access to unknown MSRs
Next by thread: Re: [PATCH v3 7/8] x86/hvm: Disallow access to unknown MSRs
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.