From: Alexandru Stefan ISAILA <aisaila@bitdefender.com>
To: Jan Beulich <JBeulich@suse.com>
Cc: Petre Ovidiu PIRCALABU <ppircalabu@bitdefender.com>,
"tamas@tklengyel.com" <tamas@tklengyel.com>,
"wl@xen.org" <wl@xen.org>,
"rcojocaru@bitdefender.com" <rcojocaru@bitdefender.com>,
"george.dunlap@eu.citrix.com" <george.dunlap@eu.citrix.com>,
"andrew.cooper3@citrix.com" <andrew.cooper3@citrix.com>,
"paul.durrant@citrix.com" <paul.durrant@citrix.com>,
"xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org>,
"roger.pau@citrix.com" <roger.pau@citrix.com>
Subject: Re: [Xen-devel] [PATCH v7] x86/emulate: Send vm_event from emulate
Date: Tue, 23 Jul 2019 08:17:53 +0000 [thread overview]
Message-ID: <7666f388-3343-5bdd-cff0-3176a228496f@bitdefender.com> (raw)
In-Reply-To: <e61a882e-d2ea-a03d-fde8-2c2befd865da@suse.com>
On 19.07.2019 16:18, Jan Beulich wrote:
> On 19.07.2019 14:34, Alexandru Stefan ISAILA wrote:
>> On 18.07.2019 15:58, Jan Beulich wrote:
>>> On 03.07.2019 12:56, Alexandru Stefan ISAILA wrote:
>>>> Currently, we are fully emulating the instruction at RIP when the hardware sees
>>>> an EPT fault with npfec.kind != npfec_kind_with_gla. This is, however,
>>>> incorrect, because the instruction at RIP might legitimately cause an
>>>> EPT fault of its own while accessing a _different_ page from the original one,
>>>> where A/D were set.
>>>> The solution is to perform the whole emulation,
>>>
>>> Above you said fully emulating such an insn is incorrect. To me the
>>> two statements contradict one another.
>>>
>>>> while ignoring EPT restrictions
>>>> for the walk part, and taking them into account for the "actual" emulating of
>>>> the instruction at RIP.
>>>
>>> So the "ignore" part here is because the walk doesn't currently send
>>> any events? That's an omission after all, which ultimately wants to
>>> get fixed. This in turn makes me wonder whether there couldn't be
>>> cases where a monitor actually wants to see these violations, too.
>>> After all one may be able to abuse to page walker to set bits in
>>> places you actually care to protect from undue modification.
>>
>> There is no need for events from page walk. Further work will have to be
>> done, when page-walk will send events, so that we can toggle that new
>> feature on/off.
>
> Please can you move over to thinking in more general terms,
> not just what you need for your application. In this case
> "There is no need" != "We don't have a need for". And I think
> the VM event _interface_ should be arranged in a way that it
> already accounts for eventually correct behavior of the page
> walk paths.
>
I'm not sure how future code for sending events form page-walk will be
but I will try to make this patch have some checks in place so that it
will work the same.
>>>> After the emulation stops we'll call hvm_vm_event_do_resume() again after the
>>>> introspection agent treats the event and resumes the guest. There, the
>>>> instruction at RIP will be fully emulated (with the EPT ignored) if the
>>>> introspection application allows it, and the guest will continue to run past
>>>> the instruction.
>>>>
>>>> We use hvmemul_map_linear_addr() to intercept r/w access and
>>>> __hvm_copy() to intercept exec access.
>>>
>>> Btw I continue to be unhappy about this asymmetry. Furthermore in
>>> the former case you only handle write and rmw accesses, but not
>>> reads afaics. I assume you don't care about reads, but this should
>>> then be made explicit. Furthermore EPT allows read protection, and
>>> there are p2m_access_w, p2m_access_wx, and p2m_access_x, so I guess
>>> ignoring reads can at best be an option picked by the monitor, not
>>> something to be left out of the interface altogether.
>>
>> That is correct, we are not interested in read events but there is
>> another problem, we are checking access and pfec to fill the event flag
>> and pfec only has a write flag(PFEC_write_access), in __hvmemul_read()
>> pfec only gets PFEC_page_present and there is no way to differentiate
>> write from read.
>
> By the PFEC model, anything that's not a write or insn fetch is a
> read. The main anomaly is elsewhere: The write flag is also going
> to be set for RMW operations.
>
>>>> hvm_emulate_send_vm_event() can return false if there was no violation,
>>>> if there was an error from monitor_traps() or p2m_get_mem_access().
>>>
>>> As said before - I don't think errors and lack of a violation can
>>> sensibly be treated the same way. Is the implication perhaps that
>>> emulation then will fail later anyway? If so, is such an
>>> assumption taking into consideration possible races?
>>
>> The only place that I can see a problem is the error from
>> monitor_traps(). That can be checked and accompanied by a warning msg.
>
> How would a warning message help?
>
>> Or if you can give me a different idea to go forward with this issue I
>> will be glad to review it.
>
> I'm afraid you'll have to first of all give me an idea what the
> correct action is in case of such an error. And once you've done
> so, I'm pretty sure you'll recognize yourself whether the current
> code you have is appropriate (and I'll then know whether I want
> to insist on you changing the code).
>
So I think that the return of hvm_emulate_send_vm_event() should not use
the return of monitor_traps(). By the time monitor_traps() is called we
are sure that there is a violation and emulation should stop regardless
if the event was sent or not. In this idea the last return should be true.
>>>> --- a/xen/arch/x86/hvm/hvm.c
>>>> +++ b/xen/arch/x86/hvm/hvm.c
>>>> @@ -3224,6 +3224,14 @@ static enum hvm_translation_result __hvm_copy(
>>>> return HVMTRANS_bad_gfn_to_mfn;
>>>> }
>>>>
>>>> + if ( unlikely(v->arch.vm_event) &&
>>>> + v->arch.vm_event->send_event &&
>>>> + hvm_emulate_send_vm_event(addr, gfn, pfec) )
>>>
>>> Indentation looks wrong again.
>>>
>>>> + {
>>>> + put_page(page);
>>>> + return HVMTRANS_gfn_paged_out;
>>>
>>> Why "paged out"? If this is an intentional abuse, then you want
>>> to say so in a comment and justify the abuse here or in the
>>> description.
Yes this is intentional so linear_read() will return X86EMUL_RETRY.
Thanks for the review,
Alex
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
prev parent reply other threads:[~2019-07-23 8:18 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-03 10:56 [Xen-devel] [PATCH v7] x86/emulate: Send vm_event from emulate Alexandru Stefan ISAILA
2019-07-11 17:13 ` Tamas K Lengyel
2019-07-12 1:28 ` Jan Beulich
2019-07-15 8:52 ` Alexandru Stefan ISAILA
2019-07-18 12:58 ` Jan Beulich
2019-07-19 12:34 ` Alexandru Stefan ISAILA
2019-07-19 13:18 ` Jan Beulich
2019-07-19 13:30 ` Razvan Cojocaru
2019-07-19 13:38 ` Jan Beulich
2019-07-19 14:23 ` Razvan Cojocaru
2019-07-29 8:12 ` Alexandru Stefan ISAILA
2019-07-29 11:30 ` Jan Beulich
2019-07-22 7:51 ` Alexandru Stefan ISAILA
2019-07-30 12:21 ` Alexandru Stefan ISAILA
2019-07-30 13:27 ` Jan Beulich
2019-07-30 14:12 ` Alexandru Stefan ISAILA
2019-07-30 14:54 ` Jan Beulich
2019-07-30 15:28 ` Alexandru Stefan ISAILA
2019-08-20 20:11 ` Andrew Cooper
2019-08-27 8:26 ` Jan Beulich
2019-09-02 14:36 ` Alexandru Stefan ISAILA
2019-09-02 14:59 ` Jan Beulich
2019-07-23 8:17 ` Alexandru Stefan ISAILA [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7666f388-3343-5bdd-cff0-3176a228496f@bitdefender.com \
--to=aisaila@bitdefender.com \
--cc=JBeulich@suse.com \
--cc=andrew.cooper3@citrix.com \
--cc=george.dunlap@eu.citrix.com \
--cc=paul.durrant@citrix.com \
--cc=ppircalabu@bitdefender.com \
--cc=rcojocaru@bitdefender.com \
--cc=roger.pau@citrix.com \
--cc=tamas@tklengyel.com \
--cc=wl@xen.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).