All of lore.kernel.org
 help / color / mirror / Atom feed
From: George Dunlap <george.dunlap@citrix.com>
To: Andrew Cooper <andrew.cooper3@citrix.com>,
	Jan Beulich <JBeulich@suse.com>
Cc: Martin Pohlack <mpohlack@amazon.de>,
	Julien Grall <julien.grall@arm.com>,
	Joao Martins <joao.m.martins@oracle.com>,
	Stefano Stabellini <sstabellini@kernel.org>,
	Mihai Dontu <mdontu@bitdefender.com>,
	Marek Marczykowski <marmarek@invisiblethingslab.com>,
	Anthony Liguori <aliguori@amazon.com>,
	uwed@amazon.de, Lars Kurth <lars.kurth@citrix.com>,
	Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>,
	Ross Philipson <ross.philipson@oracle.com>,
	Dario Faggioli <dfaggioli@suse.com>, Matt Wilson <msw@amazon.com>,
	Boris Ostrovsky <boris.ostrovsky@oracle.com>,
	Juergen Gross <jgross@suse.com>,
	Sergey Dyasli <sergey.dyasli@citrix.com>,
	Wei Liu <wei.liu2@citrix.com>,
	George Dunlap <George.Dunlap@eu.citrix.com>,
	Xen-devel List <xen-devel@lists.xen.org>,
	Daniel Kiper <daniel.kiper@oracle.com>,
	David Woodhouse <dwmw@amazon.co.uk>,
	Roger Pau Monne <roger.pau@citrix.com>
Subject: Re: Ongoing/future speculative mitigation work
Date: Thu, 25 Oct 2018 18:07:30 +0100	[thread overview]
Message-ID: <35965ef2-bd8c-58bc-8a6b-3a08d577e3c6@citrix.com> (raw)
In-Reply-To: <e96c37aa-a67b-8ebc-f3bd-a0e61d1e11e0@citrix.com>

On 10/25/2018 05:50 PM, Andrew Cooper wrote:
> On 25/10/18 17:43, George Dunlap wrote:
>> On 10/25/2018 05:29 PM, Andrew Cooper wrote:
>>> On 25/10/18 16:02, Jan Beulich wrote:
>>>>>>> On 25.10.18 at 16:56, <george.dunlap@citrix.com> wrote:
>>>>> On 10/25/2018 03:50 PM, Jan Beulich wrote:
>>>>>>>>> On 22.10.18 at 16:55, <wei.liu2@citrix.com> wrote:
>>>>>>> On Thu, Oct 18, 2018 at 06:46:22PM +0100, Andrew Cooper wrote:
>>>>>>>> An easy first step here is to remove Xen's directmap, which will mean
>>>>>>>> that guests general RAM isn't mapped by default into Xen's address
>>>>>>>> space.  This will come with some performance hit, as the
>>>>>>>> map_domain_page() infrastructure will now have to actually
>>>>>>>> create/destroy mappings, but removing the directmap will cause an
>>>>>>>> improvement for non-speculative security as well (No possibility of
>>>>>>>> ret2dir as an exploit technique).
>>>>>>> I have looked into making the "separate xenheap domheap with partial
>>>>>>> direct map" mode (see common/page_alloc.c) work but found it not as
>>>>>>> straight forward as it should've been.
>>>>>>>
>>>>>>> Before I spend more time on this, I would like some opinions on if there
>>>>>>> is other approach which might be more useful than that mode.
>>>>>> How would such a split heap model help with L1TF, where the
>>>>>> guest specifies host physical addresses in its vulnerable page
>>>>>> table entries
>>>>> I don't think it would.
>>>>>
>>>>>> (and hence could spy at xenheap but - due to not
>>>>>> being mapped - not domheap)?
>>>>> Er, didn't follow this bit -- if L1TF is related to host physical
>>>>> addresses, how does having a virtual mapping in Xen affect things in any
>>>>> way?
>>>> Hmm, indeed. Scratch that part.
>>> There seems to be quite a bit of confusion in these replies.
>>>
>>> To exploit L1TF, the data in question has to be present in the L1 cache
>>> when the attack is performed.
>>>
>>> In practice, an attacker has to arrange for target data to be resident
>>> in the L1 cache.  One way it can do this when HT is enabled is via a
>>> cache-load gadget such as the first half of an SP1 attack on the other
>>> hyperthread.  A different way mechanism is to try and cause Xen to
>>> speculatively access a piece of data, and have the hardware prefetch
>>> bring it into the cache.
>> Right -- so a split xen/domheap model doesn't prevent L1TF attacks, but
>> it does make L1TF much harder to pull off, because it now only works if
>> you can manage to get onto the same core as the victim, after the victim
>> has accessed the data you want.
>>
>> So it would reduce the risk of L1TF significantly, but not enough (I
>> think) that we could recommend disabling other mitigations.
> 
> Correct.  All of these suggestions are for increased defence in depth. 
> They are not replacements for the existing mitigations.

But it could be a mitigation for, say, Meltdown, yes?  I'm trying to
remember the details; but wouldn't a "secret-free Xen" mean that
disabling XPTI entirely for 64-bit PV guests would be a reasonable
decision (even if many people left it enabled 'just in case')?

 -George

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

  reply	other threads:[~2018-10-25 17:07 UTC|newest]

Thread overview: 63+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-10-18 17:46 Ongoing/future speculative mitigation work Andrew Cooper
2018-10-19  8:09 ` Dario Faggioli
2018-10-19 12:17   ` Andrew Cooper
2018-10-22  9:32     ` Mihai Donțu
2018-10-22 14:55 ` Wei Liu
2018-10-22 15:09   ` Woodhouse, David
2018-10-22 15:14     ` Andrew Cooper
2018-10-25 14:50   ` Jan Beulich
2018-10-25 14:56     ` George Dunlap
2018-10-25 15:02       ` Jan Beulich
2018-10-25 16:29         ` Andrew Cooper
2018-10-25 16:43           ` George Dunlap
2018-10-25 16:50             ` Andrew Cooper
2018-10-25 17:07               ` George Dunlap [this message]
2018-10-26  9:16           ` Jan Beulich
2018-10-26  9:28             ` Wei Liu
2018-10-26  9:56               ` Jan Beulich
2018-10-26 10:51                 ` George Dunlap
2018-10-26 11:20                   ` Jan Beulich
2018-10-26 11:24                     ` George Dunlap
2018-10-26 11:33                       ` Jan Beulich
2018-10-26 11:43                         ` George Dunlap
2018-10-26 11:45                           ` Jan Beulich
2018-12-11 18:05                     ` Wei Liu
     [not found]                       ` <FB70ABC00200007CA293CED3@prv1-mh.provo.novell.com>
2018-12-12  8:32                         ` Jan Beulich
2018-10-24 15:24 ` Tamas K Lengyel
2018-10-25 16:01   ` Dario Faggioli
2018-10-25 16:25     ` Tamas K Lengyel
2018-10-25 17:23       ` Dario Faggioli
2018-10-25 17:29         ` Tamas K Lengyel
2018-10-26  7:31           ` Dario Faggioli
2018-10-25 16:55   ` Andrew Cooper
2018-10-25 17:01     ` George Dunlap
2018-10-25 17:35       ` Tamas K Lengyel
2018-10-25 17:43         ` Andrew Cooper
2018-10-25 17:58           ` Tamas K Lengyel
2018-10-25 18:13             ` Andrew Cooper
2018-10-25 18:35               ` Tamas K Lengyel
2018-10-25 18:39                 ` Andrew Cooper
2018-10-26  7:49                 ` Dario Faggioli
2018-10-26 12:01                   ` Tamas K Lengyel
2018-10-26 14:17                     ` Dario Faggioli
2018-10-26 10:11               ` George Dunlap
2018-12-07 18:40 ` Wei Liu
2018-12-10 12:12   ` George Dunlap
2018-12-10 12:19     ` George Dunlap
2019-01-24 11:44 ` Reducing or removing direct map from xen (was Re: Ongoing/future speculative mitigation work) Wei Liu
2019-01-24 16:00   ` George Dunlap
2019-02-07 16:50   ` Wei Liu
2019-02-20 12:29   ` Wei Liu
2019-02-20 13:00     ` Roger Pau Monné
2019-02-20 13:09       ` Wei Liu
2019-02-20 17:08         ` Wei Liu
2019-02-21  9:59           ` Roger Pau Monné
2019-02-21 17:51             ` Wei Liu
2019-02-22 11:48           ` Jan Beulich
2019-02-22 11:50             ` Wei Liu
2019-02-22 12:06               ` Jan Beulich
2019-02-22 12:11                 ` Wei Liu
2019-02-22 12:47                   ` Jan Beulich
2019-02-22 13:19                     ` Wei Liu
     [not found]                       ` <158783E402000088A293CED3@prv1-mh.provo.novell.com>
2019-02-22 13:24                         ` Jan Beulich
2019-02-22 13:27                           ` Jan Beulich

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=35965ef2-bd8c-58bc-8a6b-3a08d577e3c6@citrix.com \
    --to=george.dunlap@citrix.com \
    --cc=George.Dunlap@eu.citrix.com \
    --cc=JBeulich@suse.com \
    --cc=aliguori@amazon.com \
    --cc=andrew.cooper3@citrix.com \
    --cc=boris.ostrovsky@oracle.com \
    --cc=daniel.kiper@oracle.com \
    --cc=dfaggioli@suse.com \
    --cc=dwmw@amazon.co.uk \
    --cc=jgross@suse.com \
    --cc=joao.m.martins@oracle.com \
    --cc=julien.grall@arm.com \
    --cc=konrad.wilk@oracle.com \
    --cc=lars.kurth@citrix.com \
    --cc=marmarek@invisiblethingslab.com \
    --cc=mdontu@bitdefender.com \
    --cc=mpohlack@amazon.de \
    --cc=msw@amazon.com \
    --cc=roger.pau@citrix.com \
    --cc=ross.philipson@oracle.com \
    --cc=sergey.dyasli@citrix.com \
    --cc=sstabellini@kernel.org \
    --cc=uwed@amazon.de \
    --cc=wei.liu2@citrix.com \
    --cc=xen-devel@lists.xen.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.