From: George Dunlap <george.dunlap@citrix.com>
To: Jan Beulich <JBeulich@suse.com>
Cc: George Dunlap <George.Dunlap@eu.citrix.com>,
Andrew Cooper <andrew.cooper3@citrix.com>,
xen-devel <xen-devel@lists.xenproject.org>
Subject: Re: further post-Meltdown-bad-aid performance thoughts
Date: Mon, 22 Jan 2018 17:11:50 +0000 [thread overview]
Message-ID: <a1124778-8a7d-66c3-d606-a1210c902334@citrix.com> (raw)
In-Reply-To: <5A6627CA02000078001A13A5@prv-mh.provo.novell.com>
On 01/22/2018 05:04 PM, Jan Beulich wrote:
>>>> On 22.01.18 at 16:15, <george.dunlap@citrix.com> wrote:
>> On 01/22/2018 01:30 PM, Jan Beulich wrote:
>>>>>> On 22.01.18 at 13:33, <george.dunlap@citrix.com> wrote:
>>>> What I'm proposing is something like this:
>>>>
>>>> * We have a "global" region of Xen memory that is mapped by all
>>>> processors. This will contain everything we consider not sensitive;
>>>> including Xen text segments, and most domain and vcpu data. But it will
>>>> *not* map all of host memory, nor have access to sensitive data, such as
>>>> vcpu register state.
>>>>
>>>> * We have per-cpu "local" regions. In this region we will map,
>>>> on-demand, guest memory which is needed to perform current operations.
>>>> (We can consider how strictly we need to unmap memory after using it.)
>>>> We will also map the current vcpu's registers.
>>>>
>>>> * On entry to a 64-bit PV guest, we don't change the mapping at all.
>>>>
>>>> Now, no matter what the speculative attack -- SP1, SP2, or SP3 -- a vcpu
>>>> can only access its own RAM and registers. There's no extra overhead to
>>>> context switching into or out of the hypervisor.
>>>
>>> And we would open back up the SP3 variant of guest user mode
>>> attacking its own kernel by going through the Xen mappings. I
>>> can't exclude that variants of SP1 (less likely SP2) allowing indirect
>>> guest-user -> guest-kernel attacks couldn't be found.
>>
>> How? Xen doesn't have the guest kernel memory mapped when it's not
>> using it.
>
> Oh, so you mean to do away with the direct map altogether?
Yes. :-) The direct map is *the* core reason why the SP*
vulnerabilities are so dangerous. If the *only* thing we did was get
rid of the direct map, without doing *anything* else, we would almost
entirely mitigate the effect of all of the attacks.
-George
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
next prev parent reply other threads:[~2018-01-22 17:11 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-19 14:37 further post-Meltdown-bad-aid performance thoughts Jan Beulich
2018-01-19 15:43 ` George Dunlap
2018-01-19 16:36 ` Jan Beulich
2018-01-19 17:00 ` George Dunlap
2018-01-22 9:25 ` Jan Beulich
2018-01-22 12:33 ` George Dunlap
2018-01-22 13:30 ` Jan Beulich
2018-01-22 15:15 ` George Dunlap
2018-01-22 17:04 ` Jan Beulich
2018-01-22 17:11 ` George Dunlap [this message]
2018-01-22 17:44 ` Matt Wilson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a1124778-8a7d-66c3-d606-a1210c902334@citrix.com \
--to=george.dunlap@citrix.com \
--cc=George.Dunlap@eu.citrix.com \
--cc=JBeulich@suse.com \
--cc=andrew.cooper3@citrix.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.