Subject: Re: [PATCH 0/3] x86: Initial pieces for guest CET support
To: Andrew Cooper
Cc: Roger Pau Monné, Wei Liu, Jun Nakajima, Kevin Tian, Xen-devel
References: <20210426175421.30497-1-andrew.cooper3@citrix.com> <03630ebd-861e-b02c-e845-1e2324211562@suse.com> <3e5369d1-a6eb-92c4-868c-0b9d205aba7a@citrix.com>
From: Jan Beulich
Date: Wed, 28 Apr 2021 15:03:21 +0200

On 28.04.2021 14:25, Andrew Cooper wrote:
> On 27/04/2021 11:13, Andrew Cooper wrote:
>> There are 3 emulator complexities for shadow stack instructions.
>> SSP itself as a register, WRUSS no longer being CPL-based for
>> user/supervisor, and the fact that RSTORSSP in particular uses an atomic
>> block which microcode can express, but can't be encoded at an ISA
>> level.  I've got no idea what to do about this last problem, because we
>> can't map the two guest frames and re-issue the instruction - the
>> aliasing check on the tokens forces us to map the two frames in their
>> correct linear addresses.
>
> Actually, RSTORSSP isn't too difficult.  I'd mis-read the pseudocode.
>
> The atomic block is a check&edit of the token on the remote stack (not
> both stacks, as I'd mistakenly thought).  The purpose is to prevent two
> concurrent RSTORSSPs moving two threads onto the same shadow stack.
>
> Without microcode superpowers, the best we can do is a read, check,
> cmpxchg() loop.
>
> The common case will be no conflict, as stack switching will be well
> formed (outside of debugging).  Any conflict here from real code is
> going to yield #GP/#CP on one of the threads participating, so in the
> case of a conflict in the emulator, a likely consequence of the 2nd
> iteration is going to be a hard failure.
>
> That said, malicious cases within the guest, or from foreign mappings,
> can cause the cmpxchg() loop to take an unbounded time, so after 3
> retries or so, we need to escalate to vcpu_pause_all_except_self() and/or
> the ARM stop_machine() big hammer.
>
> I'm tempted to just throw #GP back after 3 retries.  It's potentially
> non-architectural behaviour, but won't occur in non-malicious
> circumstances, and all fallback mechanisms have system-wide implications
> that we oughtn't to be bowing to in a malicious circumstance.

I agree.

Jan
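The read / check / cmpxchg() loop with a bounded retry count that the quoted message proposes, as an added toy model written for this page; it is not Xen's emulator code and not part of the thread. Guest shadow-stack memory is modelled as an array of 8-byte slots at linear address 0, the token layout (bit 0 = 64-bit L flag, bit 1 set = "previous SSP" token, bits 63:3 = address, and the restore token pointing 8 bytes above its own slot) is the author's reading of the SDM pseudocode and is an assumption here, and the `racer_fn` hook, `run_scenario()` and all scenario values are constructed for illustration. The point it shows is the distinction drawn above: a benign lost race re-validates and fails hard with #CP on the second pass, while a hostile writer that keeps the token valid at every read but clobbers it before every cmpxchg() is cut off with #GP after MAX_RETRIES instead of escalating to a system-wide stop.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model: guest shadow stack = SS_SLOTS 8-byte slots at linear address 0,
 * so ssp_la is a byte offset.  Token layout is an ASSUMPTION from the SDM
 * pseudocode: bit 0 = L flag, bit 1 = "previous SSP" token, bits 63:3 = address. */
#define SS_SLOTS    16
#define MAX_RETRIES 3
#define TOKEN_L     0x1ULL
#define TOKEN_PREV  0x2ULL

enum rstorssp_rc {
    RSTORSSP_OK,   /* token consumed, SSP switched */
    RSTORSSP_GP,   /* #GP: bad operand, or retries exhausted (non-architectural) */
    RSTORSSP_CP,   /* #CP: token failed the architectural checks */
};
enum race_phase { BEFORE_READ, BEFORE_CMPXCHG };
/* Hook through which a caller plays a writer racing the emulator (constructed). */
typedef void (*racer_fn)(uint64_t *slot, enum race_phase phase, void *ctx);
struct vcpu { uint64_t ssp; bool lma_cs_l; };   /* current SSP; IA32_EFER.LMA & CS.L */

/* The restore token a well-formed guest leaves at ssp_la: points just above itself. */
uint64_t make_restore_token(uint64_t ssp_la, bool lma_cs_l)
{
    return (ssp_la + 8) | (lma_cs_l ? TOKEN_L : 0);
}

enum rstorssp_rc emul_rstorssp(uint64_t *mem, size_t nslots, uint64_t ssp_la,
                               struct vcpu *v, racer_fn racer, void *ctx, unsigned *iterations)
{
    uint64_t l = v->lma_cs_l ? TOKEN_L : 0;
    uint64_t prev_token = v->ssp | l | TOKEN_PREV;   /* what RSTORSSP writes back */
    uint64_t *slot;

    *iterations = 0;
    if (ssp_la & 7)           return RSTORSSP_GP;    /* unaligned operand: #GP(0) */
    if (ssp_la / 8 >= nslots) return RSTORSSP_GP;    /* stand-in for #PF on an unmapped slot */
    slot = &mem[ssp_la / 8];

    for (unsigned i = 0; i < MAX_RETRIES; i++) {
        uint64_t old, expect;
        (*iterations)++;
        if (racer) racer(slot, BEFORE_READ, ctx);
        old = __atomic_load_n(slot, __ATOMIC_ACQUIRE);
        /* Architectural checks, applied to the value actually read this pass. */
        if ((old & (TOKEN_L | TOKEN_PREV)) != l) return RSTORSSP_CP;  /* L mismatch or prev-SSP token */
        if (!v->lma_cs_l && (old >> 32))          return RSTORSSP_CP;  /* upper half clear outside 64-bit */
        if ((old & ~TOKEN_L) != ssp_la + 8)       return RSTORSSP_CP;  /* token must point at its own slot */
        if (racer) racer(slot, BEFORE_CMPXCHG, ctx);
        expect = old;
        if (__atomic_compare_exchange_n(slot, &expect, prev_token, false,
                                        __ATOMIC_ACQ_REL, __ATOMIC_ACQUIRE)) {
            v->ssp = ssp_la;
            return RSTORSSP_OK;
        }
        /* Lost the race: re-read and re-validate, never trust the stale token. */
    }
    return RSTORSSP_GP;   /* retries exhausted: fail the guest, don't stop the machine */
}

/* Racer A: another RSTORSSP wins the race once and consumes the token. */
static void racer_other_rstorssp(uint64_t *slot, enum race_phase phase, void *ctx)
{
    bool *done = ctx;
    if (phase == BEFORE_CMPXCHG && !*done) { *slot = 0x4000ULL | TOKEN_L | TOKEN_PREV; *done = true; }
}
/* Racer B: hostile writer, valid token at every read, clobbered before every cmpxchg(). */
static void racer_hostile(uint64_t *slot, enum race_phase phase, void *ctx)
{
    uint64_t valid = *(uint64_t *)ctx;
    *slot = (phase == BEFORE_READ) ? valid : (valid ^ TOKEN_PREV);
}

enum scenario { UNCONTENDED, LOST_RACE_ONCE, HOSTILE_WRITER, BAD_TOKEN, UNALIGNED };
struct outcome { enum rstorssp_rc rc; unsigned iterations; uint64_t ssp, slot; };

struct outcome run_scenario(enum scenario s)
{
    uint64_t mem[SS_SLOTS] = {0};
    struct vcpu v = { .ssp = 0x40, .lma_cs_l = true };   /* constructed sample state */
    uint64_t la = (s == UNALIGNED) ? 0x24 : 0x20;
    uint64_t valid = make_restore_token(la, true);
    bool done = false;
    struct outcome o = {0};
    /* BAD_TOKEN: token pointing at the wrong slot, as a corrupted stack would have. */
    mem[la / 8] = (s == BAD_TOKEN) ? make_restore_token(la + 8, true) : valid;
    if (s == LOST_RACE_ONCE)
        o.rc = emul_rstorssp(mem, SS_SLOTS, la, &v, racer_other_rstorssp, &done, &o.iterations);
    else if (s == HOSTILE_WRITER)
        o.rc = emul_rstorssp(mem, SS_SLOTS, la, &v, racer_hostile, &valid, &o.iterations);
    else
        o.rc = emul_rstorssp(mem, SS_SLOTS, la, &v, NULL, NULL, &o.iterations);
    o.ssp = v.ssp;
    o.slot = mem[la / 8];
    return o;
}

int main(void)
{
    static const char *names[] = { "uncontended", "lost race once", "hostile writer", "bad token", "unaligned" };
    for (int s = UNCONTENDED; s <= UNALIGNED; s++) {
        struct outcome o = run_scenario((enum scenario)s);
        printf("%-15s rc=%d iterations=%u ssp=%#llx slot=%#llx\n", names[s], o.rc, o.iterations,
               (unsigned long long)o.ssp, (unsigned long long)o.slot);
    }
    return 0;
}
```

The hostile scenario is the one the retry bound exists for: without MAX_RETRIES the loop would spin for as long as the other writer keeps up, and the only alternatives are the pause-all or stop_machine()-style fallbacks, whose cost is paid by every other vCPU on the host rather than by the misbehaving guest.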