From: Andrew Cooper
Subject: Re: [PATCH] VMX: XSA-60 workaround
Date: Tue, 13 Aug 2013 17:48:44 +0100
Message-ID: <520A636C.9030903@citrix.com>
In-Reply-To: <520A7CA202000078000EB9DB@nat28.tlf.novell.com>
To: Jan Beulich
Cc: xen-devel, Keir Fraser, Eddie Dong, Jun Nakajima
List-Id: xen-devel@lists.xenproject.org

On 13/08/13 17:36, Jan Beulich wrote:
> Considering that there's still no real progress towards a resolution
> for XSA-60, I'd like to propose turning off the problematic code by
> default, allowing it to be turned back on via command line option.
>
> Signed-off-by: Jan Beulich <jbeulich@suse.com>

In principle, ok, but can I suggest that this initially goes in with a per domain warn once, (and perhaps gdprintk afterwards), so guests which actually try to use this can at least be identified if they suddenly start behaving weirdly?

~Andrew


--- a/xen/arch/x86/hvm/vmx/vmx.c
+++ b/xen/arch/x86/hvm/vmx/vmx.c
@@ -57,6 +57,14 @@
 #include <asm/hvm/nestedhvm.h>
 #include <asm/event.h>
 
+/*
+ * Option to allow VMX guests to run with caches disabled. This is exposing
+ * the host to DoS attacks (due to the way vmx_set_uc_mode() works), and hence
+ * needs to be disabled by default.
+ */
+static bool_t __read_mostly opt_permit_cache_disable;
+boolean_param("vmx-permit-cache-disable", opt_permit_cache_disable);
+
 enum handler_return { HNDL_done, HNDL_unhandled, HNDL_exception_raised };
 
 static void vmx_ctxt_switch_from(struct vcpu *v);
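Review bot: the new `vmx-permit-cache-disable` option is introduced in this hunk without any matching documentation; an option that re-enables behaviour described right here as exposing the host to DoS needs an entry wherever the hypervisor's command-line options are documented, stating that it defaults to off and why. The block comment could also name XSA-60 explicitly, as the subject line does, so that someone reading vmx.c later can find the rationale, e.g. `* Option to allow VMX guests to run with caches disabled (see XSA-60).`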
@@ -1133,6 +1141,8 @@ static void vmx_update_guest_cr(struct v
 
         v->arch.hvm_vcpu.hw_cr[0] =
             v->arch.hvm_vcpu.guest_cr[0] | hw_cr0_mask;
+        if ( !opt_permit_cache_disable )
+            v->arch.hvm_vcpu.hw_cr[0] &= ~(X86_CR0_CD | X86_CR0_NW);
         __vmwrite(GUEST_CR0, v->arch.hvm_vcpu.hw_cr[0]);
         __vmwrite(CR0_READ_SHADOW, v->arch.hvm_vcpu.guest_cr[0]);
 
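Review bot: this hunk silently strips CD/NW from hw_cr[0] while CR0_READ_SHADOW still carries guest_cr[0], so a guest that sets CR0.CD reads it back as set while actually running with caches enabled, and nothing on the host side records that this happened. As Andrew asks above, it would help to log once per domain when the mask actually changes something, i.e. when `v->arch.hvm_vcpu.guest_cr[0] & (X86_CR0_CD | X86_CR0_NW)` is non-zero and opt_permit_cache_disable is off, so that a guest misbehaving later can be correlated with this workaround.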
@@ -1603,6 +1613,9 @@ const struct hvm_function_table * __init
         vmx_function_table.sync_pir_to_irr = NULL;
     }
 
+    if ( !opt_permit_cache_disable )
+        vmx_function_table.set_uc_mode = NULL;
+
     setup_vmcs_dump();
 
     return &vmx_function_table;
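Review bot: `vmx_function_table.set_uc_mode = NULL` is only safe if every caller of the set_uc_mode hook checks for a NULL pointer before calling through it, and none of those call sites appear in this patch; that should be confirmed (and ideally stated in the commit message) before this goes in. An alternative that sidesteps the question is to leave the hook installed and have vmx_set_uc_mode() return early when !opt_permit_cache_disable, which also keeps this policy check next to the one added in vmx_update_guest_cr().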
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
