[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 3/3] x86: Support booting under Secure Startup via SKINIT

To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
From: Jan Beulich <jbeulich@xxxxxxxx>
Date: Fri, 29 Jan 2021 09:18:21 +0100
Cc: Norbert Kamiński <norbert.kaminski@xxxxxxxxx>, Marek Kasiewicz <marek.kasiewicz@xxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Michal Zygowski <michal.zygowski@xxxxxxxxx>, Piotr Krol <piotr.krol@xxxxxxxx>, Krystian Hebel <krystian.hebel@xxxxxxxxx>, "Daniel P . Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>, Rich Persaud <persaur@xxxxxxxxx>, Christopher Clark <christopher.w.clark@xxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
Delivery-date: Fri, 29 Jan 2021 08:18:27 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 28.01.2021 21:26, Andrew Cooper wrote:
> On 20/01/2021 09:19, Jan Beulich wrote:
>> On 16.01.2021 00:10, Andrew Cooper wrote:
>>> --- a/xen/arch/x86/cpu/common.c
>>> +++ b/xen/arch/x86/cpu/common.c
>>> @@ -834,6 +834,29 @@ void load_system_tables(void)
>>>     BUG_ON(system_state != SYS_STATE_early_boot && (stack_bottom & 0xf));
>>>  }
>>>  
>>> +static void skinit_enable_intr(void)
>>> +{
>>> +   uint64_t val;
>>> +
>>> +   /*
>>> +    * If the platform is performing a Secure Launch via SKINIT
>>> +    * INIT_REDIRECTION flag will be active.
>>> +    */
>>> +   if ( !cpu_has_skinit || rdmsr_safe(MSR_K8_VM_CR, val) ||
>>> +        !(val & VM_CR_INIT_REDIRECTION) )
>>> +           return;
>>> +
>>> +   ap_boot_method = AP_BOOT_SKINIT;
>>> +
>>> +   /*
>>> +    * We don't yet handle #SX.  Disable INIT_REDIRECTION first, before
>>> +    * enabling GIF, so a pending INIT resets us, rather than causing a
>>> +    * panic due to an unknown exception.
>>> +    */
>>> +   wrmsr_safe(MSR_K8_VM_CR, val & ~VM_CR_INIT_REDIRECTION);
>> Why wrmsr_safe() without checking its return value? If the write
>> faults, we're hosed anyway, aren't we, so we may as well crash on
>> the offending WRMSR rather than some time later?
> 
> Paranoia.
> 
> Xen's old MSR behaviour would have leaked INIT_REDIRECTION into guest
> context but discarded writes,

In which case there wouldn't have been any fault to catch and
ignore.

> and there are usecases to keep
> INIT_REDIRECTION enabled (if you're willing to sacrifice PV guests to
> avoid #SX-over-the-syscall-gap or back-to-back-INIT-on-IST shaped
> security holes).
> 
> I can make it unconditional if you'd prefer.  At the moment, all this is
> is a best-effort attempt to get back into the old state, so development
> can continue more easily.

I'm not sure which variant is strictly better, but if you stick
to wrmsr_safe(), may I ask that you say this is out of paranoia
in the comment, so future readers will not wonder like I did?

Jan

References:
- [PATCH 0/3] x86: Initial Trenchboot/SKINIT support
  - From: Andrew Cooper
- [PATCH 3/3] x86: Support booting under Secure Startup via SKINIT
  - From: Andrew Cooper
- Re: [PATCH 3/3] x86: Support booting under Secure Startup via SKINIT
  - From: Jan Beulich
- Re: [PATCH 3/3] x86: Support booting under Secure Startup via SKINIT
  - From: Andrew Cooper

Prev by Date: RE: [PATCH V6 00/24] IOREQ feature (+ virtio-mmio) on Arm
Next by Date: Re: Null scheduler and vwfi native problem
Previous by thread: Re: [PATCH 3/3] x86: Support booting under Secure Startup via SKINIT
Next by thread: [PATCH 2.5/3] x86/svm: Reimplement VMRUN/STGI/CLGI with new asm-defns.h infrastructure
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.