
Re: [PATCH] x86/cet: Clear IST supervisor token busy bits on S3 resume


  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
  • Date: Wed, 16 Mar 2022 20:13:34 +0000
  • Cc: Roger Pau Monne <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 14/03/2022 14:16, Jan Beulich wrote:
> On 14.03.2022 12:00, Andrew Cooper wrote:
>> Stacks are not freed across S3.  Execution just stops, leaving supervisor
>> token busy bits active.  Fixing this for the primary shadow stack was done
>> previously, but there is a (rare) risk that an IST token is left busy too.
>> This will manifest as #DF next time the IST vector gets used.
> Under what (rare) condition would this happen? The only scenario I could
> come up with (which wouldn't result in a crash anyway) is the NMI watchdog
> hitting after a CPU was already taken offline, and the handler not
> managing to complete before power is cut. I think it would help to mention
> one such specific case.

Any NMI, and any #MC.  They're the only two IST vectors which are
triggered by out-of-core actions.

#MC in particular because even LMCE hits both threads.

>> --- /dev/null
>> +++ b/xen/arch/x86/include/asm/shstk.h
>> @@ -0,0 +1,46 @@
>> +/******************************************************************************
>> + * This program is free software; you can redistribute it and/or modify
>> + * it under the terms of the GNU General Public License as published by
>> + * the Free Software Foundation; either version 2 of the License, or
>> + * (at your option) any later version.
>> + *
>> + * This program is distributed in the hope that it will be useful,
>> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
>> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
>> + * GNU General Public License for more details.
>> + *
>> + * You should have received a copy of the GNU General Public License
>> + * along with this program; If not, see <http://www.gnu.org/licenses/>.
>> + *
>> + * Copyright (c) 2022 Citrix Systems Ltd.
>> + */
>> +#ifndef XEN_ASM_SHSTK_H
>> +#define XEN_ASM_SHSTK_H
>> +
>> +/*
>> + * RDSSP is a nop when shadow stacks are active.
> I guess there's a "not" missing here, supported by ...
>
>>  Also, SSP has a minimum
>> + * alignment of 4 which enforced by hardware.
>> + *
>> + * We load 1 into a register, then RDSSP.  If shadow stacks are not active,
>> + * RDSSP is a nop, and the 1 is preserved.
> ... this.

Yes.
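
Review bot: The comment block at the top of the new shstk.h contradicts itself and leaves its key inference unstated. The opening sentence, "RDSSP is a nop when shadow stacks are active", conflicts with the later "If shadow stacks are not active, RDSSP is a nop", and "alignment of 4 which enforced by hardware" is missing "is". When rewording, it would help to spell out why the two facts belong together: because SSP is always at least 4-byte aligned, the preloaded value 1 can never be a genuine SSP, so reading back 1 unambiguously means shadow stacks are not active. Stating that link also answers the redundancy concern, since the first paragraph then describes hardware behaviour and the second describes what the code relies on.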

>  As an alternative I wouldn't mind if you removed the redundancy.
> Then
> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>

Thanks.  I'll see what I can do to tweak the wording, but separating the
statements of behaviour from the description of the logic was intentional.

~Andrew

 

