From: Juergen Gross <jgross@suse.com>
To: xen-devel@lists.xenproject.org
Cc: Juergen Gross <jgross@suse.com>,
andrew.cooper3@citrix.com, wei.liu2@citrix.com,
jbeulich@suse.com, dfaggioli@suse.com
Subject: [PATCH v2 3/6] xen/x86: support per-domain flag for xpti
Date: Fri, 2 Mar 2018 09:14:00 +0100 [thread overview]
Message-ID: <20180302081403.16953-4-jgross@suse.com> (raw)
In-Reply-To: <20180302081403.16953-1-jgross@suse.com>
Instead of switching XPTI globally on or off add a per-domain flag for
that purpose. This allows to modify the xpti boot parameter to support
running dom0 without Meltdown mitigations. Using "xpti=nodom0" as boot
parameter will achieve that.
Move the xpti boot parameter handling to xen/arch/x86/pv/domain.c as
it is pv-domain specific.
Signed-off-by: Juergen Gross <jgross@suse.com>
---
docs/misc/xen-command-line.markdown | 8 +++-
xen/arch/x86/domctl.c | 4 ++
xen/arch/x86/mm.c | 6 ++-
xen/arch/x86/pv/dom0_build.c | 4 ++
xen/arch/x86/pv/domain.c | 85 ++++++++++++++++++++++++++++++++++++-
xen/arch/x86/setup.c | 20 +--------
xen/arch/x86/smpboot.c | 4 +-
xen/arch/x86/x86_64/entry.S | 2 +
xen/include/asm-x86/current.h | 3 +-
xen/include/asm-x86/domain.h | 3 ++
xen/include/asm-x86/pv/domain.h | 4 ++
11 files changed, 119 insertions(+), 24 deletions(-)
diff --git a/docs/misc/xen-command-line.markdown b/docs/misc/xen-command-line.markdown
index a95195f246..6122d6d7d5 100644
--- a/docs/misc/xen-command-line.markdown
+++ b/docs/misc/xen-command-line.markdown
@@ -1940,7 +1940,7 @@ clustered mode. The default, given no hint from the **FADT**, is cluster
mode.
### xpti
-> `= <boolean>`
+> `= nodom0 | <boolean>`
> Default: `false` on AMD hardware
> Default: `true` everywhere else
@@ -1948,6 +1948,12 @@ mode.
Override default selection of whether to isolate 64-bit PV guest page
tables.
+`true` activates page table isolation even on AMD hardware.
+
+`false` deactivates page table isolation on all systems.
+
+`nodom0` deactivates page table isolation for dom0.
+
### xsave
> `= <boolean>`
diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c
index 8fbbf3aeb3..0704f398c7 100644
--- a/xen/arch/x86/domctl.c
+++ b/xen/arch/x86/domctl.c
@@ -24,6 +24,7 @@
#include <asm/hvm/hvm.h>
#include <asm/hvm/support.h>
#include <asm/processor.h>
+#include <asm/pv/domain.h>
#include <asm/acpi.h> /* for hvm_acpi_power_button */
#include <xen/hypercall.h> /* for arch_do_domctl */
#include <xsm/xsm.h>
@@ -610,6 +611,9 @@ long arch_do_domctl(
ret = switch_compat(d);
else
ret = -EINVAL;
+
+ if ( ret == 0 )
+ xpti_domain_init(d);
break;
case XEN_DOMCTL_get_address_size:
diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
index cf512ee306..0d0badea86 100644
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -510,15 +510,19 @@ void make_cr3(struct vcpu *v, mfn_t mfn)
void write_ptbase(struct vcpu *v)
{
- if ( this_cpu(root_pgt) && is_pv_vcpu(v) && !is_pv_32bit_vcpu(v) )
+ if ( is_pv_vcpu(v) && v->domain->arch.pv_domain.xpti )
{
get_cpu_info()->root_pgt_changed = true;
+ get_cpu_info()->pv_cr3 = __pa(this_cpu(root_pgt));
asm volatile ( "mov %0, %%cr3" : : "r" (v->arch.cr3) : "memory" );
}
else
{
get_cpu_info()->root_pgt_changed = false;
+ /* Make sure to clear xen_cr3 before pv_cr3; write_cr3() serializes. */
+ get_cpu_info()->xen_cr3 = 0;
write_cr3(v->arch.cr3);
+ get_cpu_info()->pv_cr3 = 0;
}
}
diff --git a/xen/arch/x86/pv/dom0_build.c b/xen/arch/x86/pv/dom0_build.c
index 0bd2f1bf90..21e8cd56bf 100644
--- a/xen/arch/x86/pv/dom0_build.c
+++ b/xen/arch/x86/pv/dom0_build.c
@@ -19,6 +19,7 @@
#include <asm/dom0_build.h>
#include <asm/guest.h>
#include <asm/page.h>
+#include <asm/pv/domain.h>
#include <asm/pv/mm.h>
#include <asm/setup.h>
@@ -707,6 +708,9 @@ int __init dom0_construct_pv(struct domain *d,
cpu = p->processor;
}
+ if ( !is_pv_32bit_domain(d) )
+ xpti_domain_init(d);
+
d->arch.paging.mode = 0;
/* Set up CR3 value for write_ptbase */
diff --git a/xen/arch/x86/pv/domain.c b/xen/arch/x86/pv/domain.c
index 7742d522f5..5f15c9e25b 100644
--- a/xen/arch/x86/pv/domain.c
+++ b/xen/arch/x86/pv/domain.c
@@ -9,6 +9,8 @@
#include <xen/lib.h>
#include <xen/sched.h>
+#include <asm/cpufeature.h>
+#include <asm/msr-index.h>
#include <asm/pv/domain.h>
/* Override macros from asm/page.h to make them work with mfn_t */
@@ -17,6 +19,87 @@
#undef page_to_mfn
#define page_to_mfn(pg) _mfn(__page_to_mfn(pg))
+static __read_mostly enum {
+ XPTI_DEFAULT,
+ XPTI_ON,
+ XPTI_OFF,
+ XPTI_NODOM0
+} opt_xpti = XPTI_DEFAULT;
+
+static int parse_xpti(const char *s)
+{
+ int rc = 0;
+
+ switch ( parse_bool(s, NULL) )
+ {
+ case 0:
+ opt_xpti = XPTI_OFF;
+ break;
+ case 1:
+ opt_xpti = XPTI_ON;
+ break;
+ default:
+ if ( !strcmp(s, "default") )
+ opt_xpti = XPTI_DEFAULT;
+ else if ( !strcmp(s, "nodom0") )
+ opt_xpti = XPTI_NODOM0;
+ else
+ rc = -EINVAL;
+ break;
+ }
+
+ return rc;
+}
+
+custom_param("xpti", parse_xpti);
+
+void xpti_init(void)
+{
+ uint64_t caps = 0;
+
+ if ( boot_cpu_data.x86_vendor == X86_VENDOR_AMD )
+ caps = ARCH_CAPABILITIES_RDCL_NO;
+ else if ( boot_cpu_has(X86_FEATURE_ARCH_CAPS) )
+ rdmsrl(MSR_ARCH_CAPABILITIES, caps);
+
+ if ( opt_xpti != XPTI_ON && (caps & ARCH_CAPABILITIES_RDCL_NO) )
+ opt_xpti = XPTI_OFF;
+ else if ( opt_xpti == XPTI_DEFAULT )
+ opt_xpti = XPTI_ON;
+
+ if ( opt_xpti == XPTI_OFF )
+ setup_force_cpu_cap(X86_FEATURE_NO_XPTI);
+ else
+ setup_clear_cpu_cap(X86_FEATURE_NO_XPTI);
+}
+
+void xpti_domain_init(struct domain *d)
+{
+ if ( !is_pv_domain(d) || is_pv_32bit_domain(d) )
+ return;
+
+ switch ( opt_xpti )
+ {
+ case XPTI_OFF:
+ d->arch.pv_domain.xpti = false;
+ break;
+ case XPTI_ON:
+ d->arch.pv_domain.xpti = true;
+ break;
+ case XPTI_NODOM0:
+ d->arch.pv_domain.xpti = d->domain_id != 0 &&
+ d->domain_id != hardware_domid;
+ break;
+ default:
+ ASSERT_UNREACHABLE();
+ break;
+ }
+
+ if ( d->arch.pv_domain.xpti )
+ printk("Enabling Xen Pagetable protection (XPTI) for Domain %d\n",
+ d->domain_id);
+}
+
static void noreturn continue_nonidle_domain(struct vcpu *v)
{
check_wakeup_from_wait();
@@ -266,7 +349,7 @@ void toggle_guest_mode(struct vcpu *v)
}
asm volatile ( "swapgs" );
- _toggle_guest_pt(v, cpu_has_no_xpti);
+ _toggle_guest_pt(v, !v->domain->arch.pv_domain.xpti);
}
void toggle_guest_pt(struct vcpu *v)
diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c
index 148054c438..7c9fbfe04a 100644
--- a/xen/arch/x86/setup.c
+++ b/xen/arch/x86/setup.c
@@ -53,6 +53,7 @@
#include <asm/cpuid.h>
#include <asm/spec_ctrl.h>
#include <asm/guest.h>
+#include <asm/pv/domain.h>
/* opt_nosmp: If true, secondary processors are ignored. */
static bool __initdata opt_nosmp;
@@ -169,9 +170,6 @@ static int __init parse_smap_param(const char *s)
}
custom_param("smap", parse_smap_param);
-static int8_t __initdata opt_xpti = -1;
-boolean_param("xpti", opt_xpti);
-
bool __read_mostly acpi_disabled;
bool __initdata acpi_force;
static char __initdata acpi_param[10] = "";
@@ -1544,21 +1542,7 @@ void __init noreturn __start_xen(unsigned long mbi_p)
cr4_pv32_mask = mmu_cr4_features & XEN_CR4_PV32_BITS;
- if ( opt_xpti < 0 )
- {
- uint64_t caps = 0;
-
- if ( boot_cpu_data.x86_vendor == X86_VENDOR_AMD )
- caps = ARCH_CAPABILITIES_RDCL_NO;
- else if ( boot_cpu_has(X86_FEATURE_ARCH_CAPS) )
- rdmsrl(MSR_ARCH_CAPABILITIES, caps);
-
- opt_xpti = !(caps & ARCH_CAPABILITIES_RDCL_NO);
- }
- if ( opt_xpti )
- setup_clear_cpu_cap(X86_FEATURE_NO_XPTI);
- else
- setup_force_cpu_cap(X86_FEATURE_NO_XPTI);
+ xpti_init();
if ( cpu_has_fsgsbase )
set_in_cr4(X86_CR4_FSGSBASE);
diff --git a/xen/arch/x86/smpboot.c b/xen/arch/x86/smpboot.c
index c587e4db9f..60604f4535 100644
--- a/xen/arch/x86/smpboot.c
+++ b/xen/arch/x86/smpboot.c
@@ -331,7 +331,7 @@ void start_secondary(void *unused)
spin_debug_disable();
get_cpu_info()->xen_cr3 = 0;
- get_cpu_info()->pv_cr3 = this_cpu(root_pgt) ? __pa(this_cpu(root_pgt)) : 0;
+ get_cpu_info()->pv_cr3 = 0;
load_system_tables();
@@ -1050,7 +1050,7 @@ void __init smp_prepare_cpus(unsigned int max_cpus)
panic("Error %d setting up PV root page table\n", rc);
if ( per_cpu(root_pgt, 0) )
{
- get_cpu_info()->pv_cr3 = __pa(per_cpu(root_pgt, 0));
+ get_cpu_info()->pv_cr3 = 0;
/*
* All entry points which may need to switch page tables have to start
* with interrupts off. Re-write what pv_trap_init() has put there.
diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
index 828f9ccfe8..cdcdc2c40a 100644
--- a/xen/arch/x86/x86_64/entry.S
+++ b/xen/arch/x86/x86_64/entry.S
@@ -49,6 +49,8 @@ restore_all_guest:
mov VCPU_cr3(%rbx), %r9
GET_STACK_END(dx)
mov STACK_CPUINFO_FIELD(pv_cr3)(%rdx), %rax
+ test %rax, %rax
+ jz .Lrag_cr3_end
cmpb $0, STACK_CPUINFO_FIELD(root_pgt_changed)(%rdx)
je .Lrag_copy_done
movb $0, STACK_CPUINFO_FIELD(root_pgt_changed)(%rdx)
diff --git a/xen/include/asm-x86/current.h b/xen/include/asm-x86/current.h
index 3c96c173c2..d5236c82de 100644
--- a/xen/include/asm-x86/current.h
+++ b/xen/include/asm-x86/current.h
@@ -44,7 +44,8 @@ struct cpu_info {
/*
* Of the two following fields the latter is being set to the CR3 value
* to be used on the given pCPU for loading whenever 64-bit PV guest
- * context is being entered. The value never changes once set.
+ * context is being entered. A value of zero indicates no setting of CR3
+ * is to be performed.
* The former is the value to restore when re-entering Xen, if any. IOW
* its value being zero means there's nothing to restore. However, its
* value can also be negative, indicating to the exit-to-Xen code that
diff --git a/xen/include/asm-x86/domain.h b/xen/include/asm-x86/domain.h
index 4679d5477d..0cc37dea05 100644
--- a/xen/include/asm-x86/domain.h
+++ b/xen/include/asm-x86/domain.h
@@ -257,6 +257,9 @@ struct pv_domain
struct mapcache_domain mapcache;
struct cpuidmasks *cpuidmasks;
+
+ /* XPTI active? */
+ bool xpti;
};
struct monitor_write_data {
diff --git a/xen/include/asm-x86/pv/domain.h b/xen/include/asm-x86/pv/domain.h
index acdf140fbd..c6fdf3fe56 100644
--- a/xen/include/asm-x86/pv/domain.h
+++ b/xen/include/asm-x86/pv/domain.h
@@ -28,6 +28,8 @@ int pv_vcpu_initialise(struct vcpu *v);
void pv_domain_destroy(struct domain *d);
int pv_domain_initialise(struct domain *d, unsigned int domcr_flags,
struct xen_arch_domainconfig *config);
+void xpti_init(void);
+void xpti_domain_init(struct domain *d);
#else /* !CONFIG_PV */
@@ -42,6 +44,8 @@ static inline int pv_domain_initialise(struct domain *d,
{
return -EOPNOTSUPP;
}
+static inline void xpti_init(void) {}
+static inline void xpti_domain_init(struct domain *d) {}
#endif /* CONFIG_PV */
void paravirt_ctxt_switch_from(struct vcpu *v);
--
2.13.6
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
next prev parent reply other threads:[~2018-03-02 8:18 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-02 8:13 [PATCH v2 0/6] xen/x86: various XPTI speedups Juergen Gross
2018-03-02 8:13 ` [PATCH v2 1/6] x86/xpti: avoid copying L4 page table contents when possible Juergen Gross
2018-03-05 16:43 ` Jan Beulich
2018-03-08 11:59 ` Juergen Gross
2018-03-08 12:47 ` Jan Beulich
[not found] ` <5AA13EEA02000078001AFCAF@suse.com>
2018-03-08 13:03 ` Juergen Gross
[not found] ` <5A9D81DC02000078001AEB68@suse.com>
2018-03-06 7:01 ` Juergen Gross
2018-03-06 7:58 ` Jan Beulich
[not found] ` <5A9E583002000078001AED3A@suse.com>
2018-03-06 8:06 ` Juergen Gross
2018-03-06 8:17 ` Jan Beulich
2018-03-02 8:13 ` [PATCH v2 2/6] x86/xpti: don't flush TLB twice when switching to 64-bit pv context Juergen Gross
2018-03-05 16:49 ` Jan Beulich
[not found] ` <5A9D831F02000078001AEB7E@suse.com>
2018-03-06 7:02 ` Juergen Gross
2018-03-02 8:14 ` Juergen Gross [this message]
2018-03-08 10:17 ` [PATCH v2 3/6] xen/x86: support per-domain flag for xpti Jan Beulich
[not found] ` <5AA11BDE02000078001AFB92@suse.com>
2018-03-08 11:30 ` Juergen Gross
2018-03-08 12:49 ` Jan Beulich
[not found] ` <5AA13F7D02000078001AFCB3@suse.com>
2018-03-08 13:13 ` Juergen Gross
2018-03-02 8:14 ` [PATCH v2 4/6] xen/x86: disable global pages for domains with XPTI active Juergen Gross
2018-03-02 11:03 ` Wei Liu
2018-03-02 11:30 ` Juergen Gross
2018-03-08 13:38 ` Jan Beulich
2018-03-09 3:01 ` Tian, Kevin
2018-03-09 5:23 ` Tian, Kevin
2018-03-09 8:34 ` Jan Beulich
[not found] ` <5AA2551002000078001B0116@suse.com>
2018-03-09 8:42 ` Juergen Gross
[not found] ` <5AA14AF302000078001AFD30@suse.com>
2018-03-08 14:05 ` Juergen Gross
2018-03-08 14:33 ` Jan Beulich
[not found] ` <5AA157E002000078001AFDA4@suse.com>
2018-03-08 14:39 ` Juergen Gross
2018-03-08 15:06 ` Jan Beulich
2018-03-09 14:40 ` Juergen Gross
2018-03-09 15:30 ` Jan Beulich
2018-03-02 8:14 ` [PATCH v2 5/6] xen/x86: use flag byte for decision whether xen_cr3 is valid Juergen Gross
2018-03-08 14:24 ` Jan Beulich
[not found] ` <5AA155BE02000078001AFD89@suse.com>
2018-03-08 14:28 ` Juergen Gross
2018-03-02 8:14 ` [PATCH v2 6/6] xen/x86: use PCID feature for XPTI Juergen Gross
2018-03-08 15:27 ` Jan Beulich
2018-03-05 16:20 ` [PATCH v2 0/6] xen/x86: various XPTI speedups Dario Faggioli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180302081403.16953-4-jgross@suse.com \
--to=jgross@suse.com \
--cc=andrew.cooper3@citrix.com \
--cc=dfaggioli@suse.com \
--cc=jbeulich@suse.com \
--cc=wei.liu2@citrix.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.