From: Andi Kleen <ak@linux.intel.com>
To: speck@linutronix.de
Subject: [MODERATED] [PATCH 1/8] L1TFv8 0
Date: Wed, 13 Jun 2018 15:48:21 -0700
Message-ID: <d009b3ddd6d01c5d17380ea97177a481ba2cabb6.1528929489.git.ak@linux.intel.com>
In-Reply-To: <cover.1528929489.git.ak@linux.intel.com>

We need to protect memory inside the guest's memory against L1TF
by inverting the right bits to point to non-existing memory.

The hypervisor should already protect itself against the guest by flushing
the caches as needed, but pages inside the guest are not protected against
attacks from other processes in that guest.

Our inverted PTE mask has to match the host to provide the full
protection for all pages the host could possibly map into our guest.
The host is likely 64bit and may use more than 43 bits of
memory. We want to set all possible bits to be safe here.

On 32bit PAE the max PTE mask is currently set to 44 bit because that is
the limit imposed by 32bit unsigned long PFNs in the VMs. This limits
the mask to be below what the host could possibly use for physical
pages.

The L1TF PROT_NONE protection code uses the PTE masks to determine
what bits to invert to make sure the higher bits are set for unmapped
entries to prevent L1TF speculation attacks against EPT inside guests.

We want to invert all bits that could be used by the host.

So increase the mask on 32bit PAE to 52 to match 64bit.

The real limit for a 32bit OS is still 44 bits.

All Linux PTEs are created from unsigned long PFNs, so cannot be
higher than 44 bits on a 32bit kernel. So these extra PFN
bits should never be set. The only users of this macro are using
it to look at PTEs, so it's safe.

Signed-off-by: Andi Kleen <ak@linux.intel.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Acked-By: Dave Hansen <dave.hansen@intel.com>
Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>

---

v2: Improve commit message.
---
 arch/x86/include/asm/page_32_types.h | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/arch/x86/include/asm/page_32_types.h b/arch/x86/include/asm/page_32_types.h
index aa30c3241ea7..0d5c739eebd7 100644
--- a/arch/x86/include/asm/page_32_types.h
+++ b/arch/x86/include/asm/page_32_types.h
@@ -29,8 +29,13 @@
 #define N_EXCEPTION_STACKS 1
 
 #ifdef CONFIG_X86_PAE
-/* 44=32+12, the limit we can fit into an unsigned long pfn */
-#define __PHYSICAL_MASK_SHIFT	44
+/*
+ * This is beyond the 44 bit limit imposed by the 32bit long pfns,
+ * but we need the full mask to make sure inverted PROT_NONE
+ * entries have all the host bits set in a guest.
+ * The real limit is still 44 bits.
+ */
+#define __PHYSICAL_MASK_SHIFT	52
 #define __VIRTUAL_MASK_SHIFT	32
 
 #else  /* !CONFIG_X86_PAE */
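
Review bot: The new comment above `#define __PHYSICAL_MASK_SHIFT	52` says the real limit is still 44 bits, but after this change nothing in the hunk encodes that limit, so any user of the macro that treats it as the maximum physical address width on 32bit PAE now sees 52 with no compile-time hint that PFNs stop at 44. The commit message states that the only users look at PTEs; that audit result belongs in the code comment too, since it is the condition that makes the wider value safe. It would also help to name L1TF in the comment so the reason for the wider mask is greppable, and to consider keeping the 44-bit PFN limit under a separate name for anything that needs the real bound.
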
-- 
2.14.4
