[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v6 4/5] x86/mm: Reject invalid cacheability in PV guests by default

  • To: Demi Marie Obenour <demi@xxxxxxxxxxxxxxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
  • Date: Thu, 5 Jan 2023 20:28:26 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=3Brf3BTM2yp64T+Ybhf1eDYGhFqzzLxM11WSv72X/XE=; b=KNJFVuf0RS0te31QSxcj6gXnmvAEAR7vBY/UDYkAwT4yI4Ntib8i4aCtiRB+0+TBGzzS2w9aHSJwC2nuLZcQ59qI9oakcJcUYTTA1WH5dDMU5ZeUSykp9JSasvh+uYiTaFN8+ccKSbn30DWuQuSpvMvtSIYso4AGsWBS/fIbss2jtmN3K8bRMv4klPyUhywwctqSDLO8rhDPa/Xcyw2TZnlduifW6kJJk734f8HSzYHf+0APDppEIwqrLhHiHR9Gi4SWFA/PPPvTBf8rqFQUkNMUkvBgZUmdAxEX/wrZkWDwzABJcaRA1Ir4L78bY6dg5WD4jY3f1HbRMuM1/CJmMQ==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=LD/UWG8VzebcNoOk7SPqsCyl+nTffsHe8QpB0Vuq2oTcY/Jq749FfNPvAYGio2m9sdwfKBXBOKi71WmQcACKrougWzjdpo+I8WJdzKayjQGGS9gS+Cn2B6UsQevoyTNVKp3Yn9bEQi5MduNMMaqdX0AreZYW7XXk9LeUpQG3qwSXHjz4LQslK+eeyZHfBl/ZMDl7ZzCQkprG1YDEgpYvclsiPXK2bvBozSeD9Ld4CmiHuK6S7GQQZHlaYWh2NLl9fREL3lmac8JQ0e0BifY1nQ5VSBVKj1RzIqe6D2ZMdlhDteZzT8jCa7B8KmGN5uAXVSXmoSyTQlJ2DU5vsFSzMg==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
  • Cc: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Roger Pau Monne <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, "Tim (Xen.org)" <tim@xxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxx>
  • Delivery-date: Thu, 05 Jan 2023 20:28:49 +0000
  • Ironport-data: A9a23:5HYGcq5l0/+SaxhwbLzycQxRtM/GchMFZxGqfqrLsTDasY5as4F+v mpKWDjXP/aMMGDzfN9zOYS/oRgAu8fUm9RkGQY5rHoxHi5G8cbLO4+Ufxz6V8+wwm8vb2o8t plDNYOQRCwQZiWBzvt4GuG59RGQ7YnRGvynTraBYnoqLeNdYH9JoQp5nOIkiZJfj9G8Agec0 fv/uMSaM1K+s9JOGjt8B5mr9VU+4pwehBtC5gZlPakT4QeF/5UoJMl3yZ+ZfiOQrrZ8RoZWd 86bpJml82XQ+QsaC9/Nut4XpWVTH9Y+lSDX4pZnc/DKbipq/0Te4Y5iXBYoUm9Fii3hojxE4 I4lWapc6+seFvakdOw1C3G0GszlVEFM0OevzXOX6aR/w6BaGpdFLjoH4EweZOUlFuhL7W5mz OIfdyImPkG6q+e0xI7kYcV9xdshFZy+VG8fkikIITDxK98DGMiGZpqQoNhS0XE3m9xEGuvYa 4wBcz1zYR/cYhpJfFAKFJY5m+TujX76G9FagAvN+exrvC6OkUooiOiF3Nn9I7RmQe18mEqCq 32A1GP+GhwAb/SUyCaf82LqjejK9c/+cNNLT+Lnr6U26LGV7nVMV0EuUl2endeegEejBMluB GEM/DV7+MDe82TuFLERRSaQrHOBvzYdXcRRCOww7AyRyqvS7B2dD2JCRTlEAPQ2uclzSTE02 1uhm9LyGScpoLCTUWia9LqfsXW1Iyd9BWoLfyoNVwYGy9jlvoAojxjLQ8pjEai6ldn8E3f7x DXihCo0iqgXjMUL/76m5l2BiDWpzrDWSiYl6wORWXiqhitlZYuNd4Gur1/B4p59wJ2xS1CAu D0BhJKY5eVXVZWVznXVEKMKAa2j4OuDPHvEm1lzEpI99jOrvXm+YYRX5zI4L0BsWioZRQLUj IbokVs5zPdu0LGCNMebv6rZ5xwW8JXd
  • Ironport-hdrordr: A9a23:QsKeJKrVWbObZ5vgS29hFPYaV5r/eYIsimQD101hICG9E/bo8v xG+c536faaslkssR0b9+xoQZPwJU80rKQFhrX5Xo3SPjUO2lHFEGgK1+KLqQEIfReeygc078 xdmsNFeb7N5DZB7foTNGGDYq8dKMbuytHWuQ/Op00dKz2Ddclbnn9E4wygYzFLrFQvP+tDKH KFjvA33QZJYhwsH7mGOkU=
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AQHZFlU8BnV2WctoSkOEZs7zNTRXG66QW9uA
  • Thread-topic: [PATCH v6 4/5] x86/mm: Reject invalid cacheability in PV guests by default
On 22/12/2022 10:31 pm, Demi Marie Obenour wrote:
> diff --git a/docs/misc/xen-command-line.pandoc 
> b/docs/misc/xen-command-line.pandoc
> index 
> 424b12cfb27d6ade2ec63eacb8afe5df82465451..0230a7bc17cbd4362a42ea64cea695f31f5e0f86
>  100644
> --- a/docs/misc/xen-command-line.pandoc
> +++ b/docs/misc/xen-command-line.pandoc
> @@ -1417,6 +1417,17 @@ detection of systems known to misbehave upon accesses 
> to that port.
>  ### idle_latency_factor (x86)
>  > `= <integer>`
>  
> +### invalid-cacheability (x86)
> +> `= allow | deny | trap`
> +
> +> Default: `deny` in release builds, otherwise `trap`
> +
> +Specify what happens when a PV guest tries to use one of the reserved 
> entries in
> +the PAT.  `deny` causes the attempt to be rejected with -EINVAL, `allow` 
> allows
> +the attempt, and `trap` causes a general protection fault to be raised.
> +Currently, the reserved entries are marked as uncacheable in Xen's PAT, but 
> this
> +will change if new memory types are added, so guests must not rely on it.
> +

This wants to be scoped under "pv", and not a top-level option.  Current
parsing is at the top of xen/arch/x86/pv/domain.c

How about `pv={no-}oob-pat`, and parse it into the opt_pv_oob_pat boolean ?

There really is no need to distinguish between deny and trap.  IMO,
injecting #GP unilaterally is fine (to a guest expecting the hypercall
to succeed, -EINVAL vs #GP makes no difference, but #GP is far more
useful to a human trying to debug issues here), but I could be talked
into putting that behind a CONFIG_DEBUG if other feel strongly.

> @@ -1343,7 +1374,34 @@ static int promote_l1_table(struct page_info *page)
>          }
>          else
>          {
> -            switch ( ret = get_page_from_l1e(pl1e[i], d, d) )
> +            l1_pgentry_t l1e = pl1e[i];
> +
> +            if ( invalid_cacheability != INVALID_CACHEABILITY_ALLOW )
> +            {
> +                switch ( l1e.l1 & PAGE_CACHE_ATTRS )
> +                {
> +                case _PAGE_WB:
> +                case _PAGE_UC:
> +                case _PAGE_UCM:
> +                case _PAGE_WC:
> +                case _PAGE_WT:
> +                case _PAGE_WP:
> +                    break;
> +                default:
> +                    /*
> +                     * If we get here, a PV guest tried to use one of the
> +                     * reserved values in Xen's PAT.  This indicates a bug
> +                     * in the guest.  If requested by the user, inject #GP
> +                     * to cause the guest to log a stack trace.
> +                     */
> +                    if ( invalid_cacheability == INVALID_CACHEABILITY_TRAP )
> +                        pv_inject_hw_exception(TRAP_gp_fault, 0);
> +                    ret = -EINVAL;
> +                    goto fail;
> +                }
> +            }

This will catch cases where the guest writes a full pagetable, then
promotes it, but won't catch cases where the guest modifies an
individual entry with mmu_update/etc.

The logic needs to be in get_page_from_l1e() to get applied uniformly to
all PTE modifications.

Right now, the l1_disallow_mask() check near the start hides the "can
you use a nonzero cacheattr" check.  If I ever get around to cleaning up
my post-XSA-402 series, I have a load of modifications to this.

But this could be something like this:

if ( opt_pv_oob_pat && (l1f & PAGE_CACHE_ATTRS) > _PAGE_WP )
{
    // #GP
    return -EINVAL;
}

fairly early on.

It occurs to me that this check is only applicable when we're using the
Xen ABI APT, and seeing as we've talked about possibly making patch 5 a
Kconfig option, that may want accounting here.  (Perhaps simply making
opt_pb_oob_pat be false in a !XEN_PAT build.)

~Andrew

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.