From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Jan Beulich <jbeulich@suse.com>
Cc: Xen-devel <xen-devel@lists.xenproject.org>,
"Wei Liu" <wl@xen.org>, "Roger Pau Monné" <roger.pau@citrix.com>
Subject: Re: [PATCH] x86/traps: Rework #PF[Rsvd] bit handling
Date: Tue, 19 May 2020 15:11:14 +0100 [thread overview]
Message-ID: <62d4999b-7db3-bac6-28ed-bb636347df38@citrix.com> (raw)
In-Reply-To: <2783ddc5-9919-3c97-ba52-2f734e7d72d5@suse.com>
On 19/05/2020 09:34, Jan Beulich wrote:
> On 18.05.2020 17:38, Andrew Cooper wrote:
>> @@ -1439,6 +1418,18 @@ void do_page_fault(struct cpu_user_regs *regs)
>> if ( unlikely(fixup_page_fault(addr, regs) != 0) )
>> return;
>>
>> + /*
>> + * Xen have reserved bits in its pagetables, nor do we permit PV guests to
>> + * write any. Such entries would be vulnerable to the L1TF sidechannel.
>> + *
>> + * The only logic which intentionally sets reserved bits is the shadow
>> + * MMIO fastpath (SH_L1E_MMIO_*), which is careful not to be
>> + * L1TF-vulnerable, and handled via the VMExit #PF intercept path, rather
>> + * than here.
> What about SH_L1E_MAGIC and sh_l1e_gnp()? The latter gets used by
> _sh_propagate() without visible restriction to HVM.
SH_L1E_MAGIC looks to be redundant with SH_L1E_MMIO_MAGIC.
sh_l1e_mmio() is the only path which ever creates an entry like that.
sh_l1e_gnp() is a very well hidden use of reserved bits, but surely
can't be used for PV guests, as there doesn't appear to be anything to
turn the resulting fault back into a plain not-present.
> And of course every time I look at this code I wonder how we can
> get away with (quoting a comment) "We store 28 bits of GFN in
> bits 4:32 of the entry." Do we have a hidden restriction
> somewhere guaranteeing that guests won't have (emulated MMIO)
> GFNs above 1Tb when run in shadow mode?
I've raised that several times before. Its broken.
Given that shadow frames are limited to 44 bits anyway (and not yet
levelled safely in the migration stream), my suggestion for fixing this
was just to use one extra nibble for the extra 4 bits and call it done.
~Andrew
next prev parent reply other threads:[~2020-05-19 14:12 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-18 15:38 [PATCH] x86/traps: Rework #PF[Rsvd] bit handling Andrew Cooper
2020-05-18 15:40 ` Andrew Cooper
2020-05-19 8:14 ` Jan Beulich
2020-05-19 14:29 ` Andrew Cooper
2020-05-19 14:55 ` Jan Beulich
2020-05-19 15:59 ` Andrew Cooper
2020-05-19 8:34 ` Jan Beulich
2020-05-19 14:11 ` Andrew Cooper [this message]
2020-05-19 14:48 ` Jan Beulich
2020-05-19 15:33 ` Andrew Cooper
2020-05-19 16:09 ` Jan Beulich
2020-05-19 18:00 ` Andrew Cooper
2020-05-20 7:48 ` Jan Beulich
2020-05-20 15:48 ` Andrew Cooper
2020-05-20 7:10 ` Tim Deegan
2020-05-21 15:43 ` [PATCH v2] " Andrew Cooper
2020-05-22 13:51 ` Jan Beulich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=62d4999b-7db3-bac6-28ed-bb636347df38@citrix.com \
--to=andrew.cooper3@citrix.com \
--cc=jbeulich@suse.com \
--cc=roger.pau@citrix.com \
--cc=wl@xen.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.