xen-devel.lists.xenproject.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] xsm/dummy: harden against speculative abuse
@ 2020-12-17 11:57 Jan Beulich
  2020-12-21 13:15 ` Jan Beulich
  0 siblings, 1 reply; 3+ messages in thread
From: Jan Beulich @ 2020-12-17 11:57 UTC (permalink / raw)
  To: xen-devel
  Cc: Daniel de Graaf, Andrew Cooper, George Dunlap, Ian Jackson,
	Julien Grall, Stefano Stabellini, Wei Liu

First of all don't open-code is_control_domain(), which is already
suitably using evaluate_nospec(). Then also apply this construct to the
other paths of xsm_default_action(). Also guard two paths not using this
function.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
---
While the functions are always_inline I'm not entirely certain we can
get away with doing this inside of them, rather than in the callers. It
will certainly take more to also guard builds with non-dummy XSM.

--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -76,20 +76,20 @@ static always_inline int xsm_default_act
     case XSM_HOOK:
         return 0;
     case XSM_TARGET:
-        if ( src == target )
+        if ( evaluate_nospec(src == target) )
         {
             return 0;
     case XSM_XS_PRIV:
-            if ( is_xenstore_domain(src) )
+            if ( evaluate_nospec(is_xenstore_domain(src)) )
                 return 0;
         }
         /* fall through */
     case XSM_DM_PRIV:
-        if ( target && src->target == target )
+        if ( target && evaluate_nospec(src->target == target) )
             return 0;
         /* fall through */
     case XSM_PRIV:
-        if ( src->is_privileged )
+        if ( !is_control_domain(src) )
             return 0;
         return -EPERM;
     default:
@@ -656,7 +656,7 @@ static XSM_INLINE int xsm_mmu_update(XSM
     XSM_ASSERT_ACTION(XSM_TARGET);
     if ( f != dom_io )
         rc = xsm_default_action(action, d, f);
-    if ( t && !rc )
+    if ( evaluate_nospec(t) && !rc )
         rc = xsm_default_action(action, d, t);
     return rc;
 }
@@ -750,6 +750,7 @@ static XSM_INLINE int xsm_xen_version (X
     case XENVER_platform_parameters:
     case XENVER_get_features:
         /* These sub-ops ignore the permission checks and return data. */
+        block_speculation();
         return 0;
     case XENVER_extraversion:
     case XENVER_compile_info:


^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [PATCH] xsm/dummy: harden against speculative abuse
  2020-12-17 11:57 [PATCH] xsm/dummy: harden against speculative abuse Jan Beulich
@ 2020-12-21 13:15 ` Jan Beulich
  2021-01-05 12:26   ` Wei Liu
  0 siblings, 1 reply; 3+ messages in thread
From: Jan Beulich @ 2020-12-21 13:15 UTC (permalink / raw)
  To: xen-devel
  Cc: Daniel de Graaf, Andrew Cooper, George Dunlap, Ian Jackson,
	Julien Grall, Stefano Stabellini, Wei Liu

On 17.12.2020 12:57, Jan Beulich wrote:
> --- a/xen/include/xsm/dummy.h
> +++ b/xen/include/xsm/dummy.h
> @@ -76,20 +76,20 @@ static always_inline int xsm_default_act
>      case XSM_HOOK:
>          return 0;
>      case XSM_TARGET:
> -        if ( src == target )
> +        if ( evaluate_nospec(src == target) )
>          {
>              return 0;
>      case XSM_XS_PRIV:
> -            if ( is_xenstore_domain(src) )
> +            if ( evaluate_nospec(is_xenstore_domain(src)) )
>                  return 0;
>          }
>          /* fall through */
>      case XSM_DM_PRIV:
> -        if ( target && src->target == target )
> +        if ( target && evaluate_nospec(src->target == target) )
>              return 0;
>          /* fall through */
>      case XSM_PRIV:
> -        if ( src->is_privileged )
> +        if ( !is_control_domain(src) )
>              return 0;
>          return -EPERM;

And a stray ! slipped in here. Now fixed.

Jan


^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [PATCH] xsm/dummy: harden against speculative abuse
  2020-12-21 13:15 ` Jan Beulich
@ 2021-01-05 12:26   ` Wei Liu
  0 siblings, 0 replies; 3+ messages in thread
From: Wei Liu @ 2021-01-05 12:26 UTC (permalink / raw)
  To: Jan Beulich
  Cc: xen-devel, Daniel de Graaf, Andrew Cooper, George Dunlap,
	Ian Jackson, Julien Grall, Stefano Stabellini, Wei Liu

On Mon, Dec 21, 2020 at 02:15:55PM +0100, Jan Beulich wrote:
> On 17.12.2020 12:57, Jan Beulich wrote:
> > --- a/xen/include/xsm/dummy.h
> > +++ b/xen/include/xsm/dummy.h
> > @@ -76,20 +76,20 @@ static always_inline int xsm_default_act
> >      case XSM_HOOK:
> >          return 0;
> >      case XSM_TARGET:
> > -        if ( src == target )
> > +        if ( evaluate_nospec(src == target) )
> >          {
> >              return 0;
> >      case XSM_XS_PRIV:
> > -            if ( is_xenstore_domain(src) )
> > +            if ( evaluate_nospec(is_xenstore_domain(src)) )
> >                  return 0;
> >          }
> >          /* fall through */
> >      case XSM_DM_PRIV:
> > -        if ( target && src->target == target )
> > +        if ( target && evaluate_nospec(src->target == target) )
> >              return 0;
> >          /* fall through */
> >      case XSM_PRIV:
> > -        if ( src->is_privileged )
> > +        if ( !is_control_domain(src) )
> >              return 0;
> >          return -EPERM;
> 
> And a stray ! slipped in here. Now fixed.

FWIW:

Reviewed-by: Wei Liu <wl@xen.org>

> 
> Jan


^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-01-05 12:27 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-12-17 11:57 [PATCH] xsm/dummy: harden against speculative abuse Jan Beulich
2020-12-21 13:15 ` Jan Beulich
2021-01-05 12:26   ` Wei Liu

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).