Xen project Mailing List

Re: [PATCH v2 7/9] x86/svm: VMEntry/Exit logic for MSR_SPEC_CTRL

From: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>

Date: Mon, 31 Jan 2022 14:04:16 +0000

Accept-language: en-GB, en-US

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=0esSsSEfh9yotDbMv+1IsMVYrHAcB2rEdPmUrXAH8EA=; b=AuRS7phI68ArPCkOOtPSVAtdEWLg6TemAkISVBOnCrzg9NjdV4JUWr8t1HEeGvUHYo/jXWNlUhUIwjfHocxO7dLUKMsxe/9SnRuM1W3eM95DfHgylscdop/g6qW7+ovmDFZiebXAm7TbZrf+1bRqRTLnFPA6pOQeKX8NAfYx4utho4JW2kRjfnFWTkqTzznV2E+HTeN8FDNvr6PSHLT0qgAFfWD2WpC+MQscBEilqLCSDj7yUXeqBoGZZh58Hsq4YV52pPRxZX9/5URAQUGB6Fx/+BVswfPHqe/eCJmQssW2D+FKvumPDg8jiV5UNwLOma7JW5bWAoHJejOHMOOXAw==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=SLcSTD6y/Mxpmc8F5JqJSfwt7+EeCvLVUiQcd65sPLwwn/RNJZeDtm6Anmd/EvNYR9MIz7B7Go1+tdm+yqAgfeIQ/4mMCJ7UQTsHGZ8S/CqcZNkj/QSyNil961e4G+D2TeYkkjjmzBWqtw/EQE+ShpIC+hF9ufR09B/RgSUhxZgcVstaDvEkXSC58J5QnRsyccU29U4tIAGgCQ1DQWeCYuLOdREagbaEss0hqTJ7IqFbNYgXweJPnb1EF4KgFQ1MpktHkFlaKRfbWDtCKSsjLzBg1D8ElFWxpWIzzDybXLuJO3OroThdcYiQisYvwLIMnk8POwXvNAafzuoXgAYc2g==

Authentication-results: esa2.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com

Cc: Roger Pau Monne <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Mon, 31 Jan 2022 14:04:30 +0000

Ironport-data: A9a23:ZzuwZ68awy5Lnk8c2MgXDrUDbXmTJUtcMsCJ2f8bNWPcYEJGY0x3y WJMWz+HbKyIMDHyedhxbNuz8U0PuZaBmN9qG1Zq+Xo8E34SpcT7XtnIdU2Y0wF+jyHgoOCLy +1EN7Es+ehtFie0Si9AttENlFEkvU2ybuOU5NXsZ2YhFWeIdA970Ug5w7di29Yy6TSEK1jlV e3a8pW31GCNg1aYAkpMg05UgEoy1BhakGpwUm0WPZinjneH/5UmJMt3yZWKB2n5WuFp8tuSH I4v+l0bElTxpH/BAvv9+lryn9ZjrrT6ZWBigVIOM0Sub4QrSoXfHc/XOdJFAXq7hQllkPhY0 uVSt5WzdDwgO4CcpvoEFEEJPnhhaPguFL/veRBTsOSWxkzCNXDt3+9vHAc9OohwFuRfWD8Us 6ZCcXZUM07F17neLLGTE4GAguwKKsXxMZxZkXZn1TzDVt4tQIzZQrWM7thdtNs1rp4VRK2HO JFIAdZpRDrmehlQYmVMMp0/27vxhnTnXQNdul3A8MLb5ECMlVcsgdABKuH9atGMAMlYgEucj mbH5HjiRAEXMsSFzjiI+W7qgfXA9QvkXKoCGbv+8eRl6HWRzGEODBwdVXOgvOK0zEW5Xrpix 1c8o3R06/JorQryE4e7D0bQTGO4UgA0csBgDO8z6zy2w6/5sziHHy9cHxMYd4lz3CMpfgAC2 liMltLvIDVgtryJVH6QnoupQSOO1Ts9djFbO3JdJecRy5y6+dxo0EqTJjp2OPPt1rXI9SfML ydmRcTUr5EaloY12qqy5jgraBr898GSHmbZCug6N19JDz+Vhqb4PeRECnCBtJ6sybp1qHHb5 hDofODFtIgz4WmlznDlfQn0NOjBCwy5GDPdm0VzOJIq6i6g/XWuFagJvm0leRc2apZaKGO4C KM2he+3zMUJVJdNRfQvC79d9uxwlfSwfTgbfq28giVyjmhZK1bcoXAGib+41GHxikk8+ZzTy r/AGftA+U0yUPw9pBLvHr91+eZymkgWmD2PLbimkUXP+efONRa9FOZeWHPTP79R0U9xiFiPm zqpH5HUm0w3vSyXSnS/zLP/2nhTcyBjW8iq+pMGHgNBSyI/cFwc5zbq6epJU6RunrhPl/eO+ Xe4W0RCz0H4i2GBIgKPAk2PopuyNXqmhX5kbyEqI3iy3H0vPdSm4KsFLsNldrg77u1zi/VzS qBdKcmHB/1OTBXB+igcMsah/NAzKkzziFLcJTehbRg+Y4VkG17D9Oj7c1a97yIJFCe265cz+ uXyygPBTJMfbA1+F8KKOum3xla8sCFFyuJ/VkfFOPdJf0Do/NQ4IiD9lKZvccoNNQ/C1n2R0 APPWUUUouzEookU9tjVhP/b89f1QrUmRkcDRjvV97e7MyXe71GP+44YXbbaZy3ZWUP15L6mO bdfwcbjPaBVh11NqYd9TepmlPps+9v1qrZG5Q14B3GXPU+zA7ZtL3Taj8lCsqpBmu1QtQesA x/d/9BbPfOCOd//EU5XLw0gN7zR2fYRkzjUzPI0PESlu3MnoOvZCR1fb0uWlShQDLppK4d0k +4utfkf5xG7lhd3YM2NiTpZ9jjUI3ENO0n9Wkr23GM/ZtIX92x/

Ironport-hdrordr: A9a23:Ku8U+KwNhwoqvWbfKuxbKrPxiOskLtp133Aq2lEZdPULSKOlfp GV8MjziyWYtN9IYgBcpTiBUJPwJE81bfZOkMcs1MSZLXXbUQyTXcBfBOrZsnLd8kjFmNK1up 0QCpSWZOeAbmSSyPyKmjVQcOxQgOVvkprY/ds2pk0FJWoBCsFdBkVCe32m+yVNNVN77PECZf 6hD7981lydkAMsH6OG7xc+Lor+juyOsKijTQ8NBhYh5gXLpyiv8qTGHx+R2Qpbey9TwJ85mF K10DDR1+GGibWW2xXc32jc49B9g9360OZOA8SKl4w8NijssAC1f45sMofy/gzd4dvfrWrCou O85CvIDP4DrU85uVvF+CcF7jOQlArGLUWSkWNwz0GT+vARDwhKdPapzbgpDCcxrXBQ4e2UmZ g7r15w/fBsfGL9tTW46N7SWx5wkE2o5XIkjO4IlnRaFZATcblLsOUkjQlo+bo7bWrHAbocYa JT5QDnlYJrWELfa2qcsnhkwdSqUHh2FhCaQlIassjQ1zRNhnh2w0YR2cRaxx47hd4AYogB4/ 6BPrVjlblIQMNTZaVhBP0ZSc/yDmDWWxrDPG+bPFyiHqAaPHDGrYLx/dwOlayXUY1NyIF3lI XKUVteu2J3c0XyCdeW1JkO6RzJSHXVZ0Wl9iif3ekOhlTRfsuYDcSzciFYryL7mYRtPiTyYY fHBK5r

Ironport-sdr: 9XwUEBzb0qU+Yn+dJ5UwZ1LpFcYrXhTpFqq18n+whc0ybXle0Oa6VNF6Yj3X1Bj1jfxmw0MLfP lJupnv2Zyj+/KNEQRRgwylnHQ2U3cBZFI0HoGhjlQE2tcp10BkTvtfD55/gmvLBu/PdGb7LusQ I6iHDqczXKYIB7dyfqclQ1TeInpKI/uRuv2ZXDp2VWyrlWPDP63wzR51GLq5WeFliF+cq3AYsM 2DqBR20/XJmMbvu6lYKofyB8DBt0kAI092p1grX/hzWuEGJ4jcrJTbK4uzgya6sKA7kfQJ1buZ Kt7uWYQ7Vs1W4Fonyi/wgHUX

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Thread-index: AQHYFEsgduRKpPrES0uMVuwf+i5+76x9GvYAgAATUQA=

Thread-topic: [PATCH v2 7/9] x86/svm: VMEntry/Exit logic for MSR_SPEC_CTRL

On 31/01/2022 12:55, Jan Beulich wrote: > On 28.01.2022 14:29, Andrew Cooper wrote: >> --- a/xen/arch/x86/hvm/svm/entry.S >> +++ b/xen/arch/x86/hvm/svm/entry.S >> @@ -55,11 +55,12 @@ __UNLIKELY_END(nsvm_hap) >> mov %rsp, %rdi >> call svm_vmenter_helper >> >> - mov VCPU_arch_msrs(%rbx), %rax >> - mov VCPUMSR_spec_ctrl_raw(%rax), %eax >> + clgi >> >> /* WARNING! `ret`, `call *`, `jmp *` not safe beyond this point. */ >> - /* SPEC_CTRL_EXIT_TO_SVM (nothing currently) */ >> + /* SPEC_CTRL_EXIT_TO_SVM Req: Clob: >> C */ >> + ALTERNATIVE "", STR(mov %rbx, %rdi; mov %rsp, %rsi), >> X86_FEATURE_SC_MSR_HVM >> + ALTERNATIVE "", STR(call vmentry_spec_ctrl), X86_FEATURE_SC_MSR_HVM > Both this and ... > >> @@ -86,8 +86,10 @@ __UNLIKELY_END(nsvm_hap) >> >> GET_CURRENT(bx) >> >> - /* SPEC_CTRL_ENTRY_FROM_SVM Req: b=curr %rsp=regs/cpuinfo, Clob: >> ac */ >> + /* SPEC_CTRL_ENTRY_FROM_SVM Req: Clob: >> C */ >> ALTERNATIVE "", DO_OVERWRITE_RSB, X86_FEATURE_SC_RSB_HVM >> + ALTERNATIVE "", STR(mov %rsp, %rdi), X86_FEATURE_SC_MSR_HVM >> + ALTERNATIVE "", STR(call vmexit_spec_ctrl), X86_FEATURE_SC_MSR_HVM >> /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */ > ... this now effectively violate what the warning comment says, as there > is a RET involved in the C call. If this is not a problem for some reason, > I'd like to ask that the comments be updated accordingly. The `ret` note pertains to two things: 1) RSB underflows falling back to indirect predictions 2) SpectreRSB executing more rets than calls Aspect 2 is largely theoretical, but can happen with an out of bounds write which hits the return address on the stack in an otherwise regular call tree. Once DO_OVERWRITE_RSB is complete, there are no user RSB entries to consume. I know this gets complicated with the RAS[:32] flushing which is part of why the behaviour is up for consideration, but even the current code completes the full flush before a ret is executed. Aspect 1 is a feature seemingly unique to Intel CPUs, and we have to set MSR_SPEC_CTRL.IBRS to 1 before indirect predictions are "safe". That said, I stand by the comments as they are. They're there for other code to remember to be careful. I think it is entirely reasonable to expect the internals of the speculative safety logic to know how to stay safe. I'll see how it looks with the helpers inlined. That's the easiest way of fixing this issue. ~Andrew

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.