[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 04/17] x86/PV: harden guest memory accesses against speculative abuse

  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Date: Fri, 12 Feb 2021 14:02:24 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=OuRljw37Pm8v4CMER+HIra1Dp97uTC9tAyl+hBTWkwQ=; b=XnDTQSDhQ0rWE9UMKRANR+6qB090KUfBNade58VLJgQ6V55cGsQyB9gJBB76t9Sl59gb2O9DwyISQ7FAVUWYmbCaKD9ZVxYMXBY3uw8OSlviOuOiTbqisz4XEwleMqqU3M+nGZx9b3hdPfZ3P8uoha7UxTmh0bASM19md1IVpdwpR3rbR1uFHDgH5DugQM48FKV3pmot2/ENMEHYYCPwdTAMeLo4KzphFUThR3AZW35lxgGa9LFyHjbJ8ANxhQn/fF0QDk9fC9xH5dNPL8wLup44iKgjRAvzO2FRDfBGXgdWm7WdKwXlJgA1DX0zatKiPZcXBbr+ke2nc3oei1Fw9Q==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=QIkjZNpJ4ffk85qnpWP2g7FEM7yWQDaJAqg1RyzZobrvnqXobDsVJ8dd6JMMh1iNtlw0Ytxo1uXtj/1g6QK8psIbmKaQox/SSd7MJ7qsJHzsnL8vhI2QiKMXR5oYBG6MDXs5eCcQH6tEx5/lQIg5pftNcu7ysz2l+TKk4hqVT2Jpm40t7600oUMF/LDap3sOtx/2BoNK+qEISeaDhzUtVoFyMZljzqdTBmIjNzrPK6514wpkK6SuQoOpG/i6P94f/UDPL/KM5/4ImIAEdb5INWJ6vGoMXYzaloQekN2OAw4fvmPyII+y4HjzuKUJwAMIr6LMb6xQGwxLGvWk+UHZ8A==
  • Authentication-results: esa4.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com
  • Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Tim Deegan <tim@xxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>
  • Delivery-date: Fri, 12 Feb 2021 13:02:39 +0000
  • Ironport-sdr: HrKqCgRLyVC/XvQ2Cz2SiOfGsgkDN41n5dQoml39ICRvZg9F8n4oVoWPGqEBXK7pATkco3pQY7 rYOBFrP4FiRTQ6MYb4L+kFDTMYfNut9Cmn++G9FteemVXdbTQmEe0s7R63uKgocTTukaFonbpw scG9WRKS/gU2sJhBxEG7TM9PZDxb6YCW7PmPbh6SSH03OWPVX6Qit1puTkbuI3+UWqoZeFvoNT llLJOuL253EKFPgOyxbIYSJmyivRStAN+aGsPFvfmZmUfOfhRudT16G/uyh63Hn7Kfmsr5+yTw wE8=
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On Fri, Feb 12, 2021 at 01:48:43PM +0100, Jan Beulich wrote:
> On 12.02.2021 11:41, Roger Pau Monné wrote:
> > On Thu, Jan 14, 2021 at 04:04:57PM +0100, Jan Beulich wrote:
> >> @@ -94,6 +106,8 @@ unsigned __copy_from_user_ll(void *to, c
> >>      return n;
> >>  }
> >>  
> >> +#if GUARD(1) + 0
> > 
> > Why do you need the '+ 0' here? I guess it's to prevent the
> > preprocessor from complaining when GUARD(1) gets replaced by nothing?
> 
> Yes. "#if" with nothing after it is an error from all I know.
> 
> >> --- a/xen/include/asm-x86/asm-defns.h
> >> +++ b/xen/include/asm-x86/asm-defns.h
> >> @@ -44,3 +44,16 @@
> >>  .macro INDIRECT_JMP arg:req
> >>      INDIRECT_BRANCH jmp \arg
> >>  .endm
> >> +
> >> +.macro guest_access_mask_ptr ptr:req, scratch1:req, scratch2:req
> >> +#if defined(CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS)
> >> +    mov $(HYPERVISOR_VIRT_END - 1), \scratch1
> >> +    mov $~0, \scratch2
> >> +    cmp \ptr, \scratch1
> >> +    rcr $1, \scratch2
> >> +    and \scratch2, \ptr
> > 
> > If my understanding is correct, that's equivalent to:
> > 
> > ptr &= ~0ull >> (ptr < HYPERVISOR_VIRT_END);
> > 
> > It might be helpful to add this as a comment, to clarify the indented
> > functionality of the assembly bit.
> > 
> > I wonder if the C code above can generate any jumps? As you pointed
> > out, we already use something similar in array_index_mask_nospec and
> > that's fine to do in C.
> 
> Note how array_index_mask_nospec() gets away without any use of
> relational operators. They're what poses the risk of getting
> translated to branches. (Quite likely the compiler wouldn't use
> any in the case here, as the code can easily get away without,
> but we don't want to chance it. Afaict it would instead use a
> 3rd scratch register, so register pressure might still lead to
> using a branch instead in some exceptional case.)

I see, it's not easy to build such construct without using any
relational operator. Would you mind adding the C equivalent next to
assembly chunk?

I don't think I have further comments:

Reviewed-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>

Thanks, Roger.

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.