* [PATCH 1/3] XSA-60 security hole: disable EPT when !cpu_has_vmx_pat
@ 2013-10-16 18:33 Liu, Jinsong
2013-10-17 9:58 ` Jan Beulich
0 siblings, 1 reply; 3+ messages in thread
From: Liu, Jinsong @ 2013-10-16 18:33 UTC (permalink / raw)
To: Jan Beulich
Cc: Keir Fraser, suravee.suthikulpanit@amd.com, Tim Deegan,
zhenzhong.duan@oracle.com, xen-devel@lists.xen.org, Auld, Will,
Nakajima, Jun, sherry.hurwitz@amd.com
[-- Attachment #1: Type: text/plain, Size: 3012 bytes --]
>From 9ec2ca512979e99a229d333038f849a2d5a7fde5 Mon Sep 17 00:00:00 2001
From: Liu Jinsong <jinsong.liu@intel.com>
Date: Thu, 17 Oct 2013 04:00:49 +0800
Subject: [PATCH 1/3] XSA-60 security hole: disable EPT when !cpu_has_vmx_pat
Oracle developers recently found a Xen security issue with denial-of-service (DoS) impact,
named XSA-60. Please refer to http://xenbits.xen.org/xsa/advisory-60.html
Basically it involves how a guest cr0.cd setting is handled, which in
some environments consumes so much time that it results in DoS-like behavior.
This is a preparatory patch for fixing XSA-60. A later patch will fix XSA-60
via PAT in the Intel EPT case, which depends on cpu_has_vmx_pat.
Signed-off-by: Liu Jinsong <jinsong.liu@intel.com>
---
xen/arch/x86/hvm/vmx/vmcs.c | 4 ++--
xen/arch/x86/hvm/vmx/vmx.c | 10 +++++++---
2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/xen/arch/x86/hvm/vmx/vmcs.c b/xen/arch/x86/hvm/vmx/vmcs.c
index 6526504..6916c6d 100644
--- a/xen/arch/x86/hvm/vmx/vmcs.c
+++ b/xen/arch/x86/hvm/vmx/vmcs.c
@@ -921,7 +921,7 @@ static int construct_vmcs(struct vcpu *v)
vmx_disable_intercept_for_msr(v, MSR_IA32_SYSENTER_CS, MSR_TYPE_R | MSR_TYPE_W);
vmx_disable_intercept_for_msr(v, MSR_IA32_SYSENTER_ESP, MSR_TYPE_R | MSR_TYPE_W);
vmx_disable_intercept_for_msr(v, MSR_IA32_SYSENTER_EIP, MSR_TYPE_R | MSR_TYPE_W);
- if ( cpu_has_vmx_pat && paging_mode_hap(d) )
+ if ( paging_mode_hap(d) )
vmx_disable_intercept_for_msr(v, MSR_IA32_CR_PAT, MSR_TYPE_R | MSR_TYPE_W);
}
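Review bot: With `cpu_has_vmx_pat` dropped from this condition, disabling the MSR_IA32_CR_PAT intercept is safe only because of an undocumented invariant: a HAP domain cannot exist on hardware without VMX PAT support. That invariant is set in start_vmx() in the other file, and the second construct_vmcs hunk and the early returns in vmx_set_guest_pat/vmx_get_guest_pat rely on it in the same way. I would state it where it is relied upon, with a comment such as `/* HAP implies cpu_has_vmx_pat, see start_vmx(). */` above this `if`. In the second hunk I would add `ASSERT(cpu_has_vmx_pat);` after the `u64 host_pat, guest_pat;` declaration, so a later change to the start_vmx() gate fails loudly in debug builds instead of touching PAT state the CPU may not support. construct_vmcs starts and ends outside both hunks, so what the PAT branch does with those variables is not visible here.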
@@ -1063,7 +1063,7 @@ static int construct_vmcs(struct vcpu *v)
__vmwrite(EPT_POINTER, ept_get_eptp(ept));
}
- if ( cpu_has_vmx_pat && paging_mode_hap(d) )
+ if ( paging_mode_hap(d) )
{
u64 host_pat, guest_pat;
diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
index 9ca8632..b59bf59 100644
--- a/xen/arch/x86/hvm/vmx/vmx.c
+++ b/xen/arch/x86/hvm/vmx/vmx.c
@@ -908,7 +908,7 @@ static unsigned long vmx_get_shadow_gs_base(struct vcpu *v)
static int vmx_set_guest_pat(struct vcpu *v, u64 gpat)
{
- if ( !cpu_has_vmx_pat || !paging_mode_hap(v->domain) )
+ if ( !paging_mode_hap(v->domain) )
return 0;
vmx_vmcs_enter(v);
@@ -919,7 +919,7 @@ static int vmx_set_guest_pat(struct vcpu *v, u64 gpat)
static int vmx_get_guest_pat(struct vcpu *v, u64 *gpat)
{
- if ( !cpu_has_vmx_pat || !paging_mode_hap(v->domain) )
+ if ( !paging_mode_hap(v->domain) )
return 0;
vmx_vmcs_enter(v);
@@ -1591,7 +1591,11 @@ const struct hvm_function_table * __init start_vmx(void)
return NULL;
}
- if ( cpu_has_vmx_ept )
+ /*
+ * Do not enable EPT when (!cpu_has_vmx_pat), to prevent security hole
+ * which refer to http://xenbits.xen.org/xsa/advisory-60.html
+ */
+ if ( cpu_has_vmx_ept && cpu_has_vmx_pat )
{
vmx_function_table.hap_supported = 1;
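Review bot: On a CPU that has EPT but lacks the VMCS PAT controls, this condition now withholds HAP without any boot-time message, so an operator sees a change in paging mode (presumably a fallback to shadow paging, which is outside the hunk) with no logged reason. I would add a branch after the `if` block, which closes outside this hunk: `else if ( cpu_has_vmx_ept ) printk(XENLOG_WARNING "VMX: EPT not enabled: no VMCS PAT support (XSA-60)\n");`. The new comment would also read better as `Do not enable EPT when !cpu_has_vmx_pat: the XSA-60 fix for the EPT case relies on PAT, see http://xenbits.xen.org/xsa/advisory-60.html`, which says why the two features are tied together.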
--
1.7.1
[-- Attachment #2: 0001-XSA-60-security-hole-disable-EPT-when-cpu_has_vmx_pa.patch --]
[-- Type: application/octet-stream, Size: 2934 bytes --]
From 9ec2ca512979e99a229d333038f849a2d5a7fde5 Mon Sep 17 00:00:00 2001
From: Liu Jinsong <jinsong.liu@intel.com>
Date: Thu, 17 Oct 2013 04:00:49 +0800
Subject: [PATCH 1/3] XSA-60 security hole: disable EPT when !cpu_has_vmx_pat
Recently Oracle developers found a Xen security issue as DOS affecting,
named as XSA-60. Please refer http://xenbits.xen.org/xsa/advisory-60.html
Basically it involves how to handle guest cr0.cd setting, which under
some environment it consumes much time resulting in DOS-like behavior.
This is a preparing patch for fixing XSA-60. Later patch will fix XSA-60
via PAT under Intel EPT case, which depends on cpu_has_vmx_pat.
Signed-off-by: Liu Jinsong <jinsong.liu@intel.com>
---
xen/arch/x86/hvm/vmx/vmcs.c | 4 ++--
xen/arch/x86/hvm/vmx/vmx.c | 10 +++++++---
2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/xen/arch/x86/hvm/vmx/vmcs.c b/xen/arch/x86/hvm/vmx/vmcs.c
index 6526504..6916c6d 100644
--- a/xen/arch/x86/hvm/vmx/vmcs.c
+++ b/xen/arch/x86/hvm/vmx/vmcs.c
@@ -921,7 +921,7 @@ static int construct_vmcs(struct vcpu *v)
vmx_disable_intercept_for_msr(v, MSR_IA32_SYSENTER_CS, MSR_TYPE_R | MSR_TYPE_W);
vmx_disable_intercept_for_msr(v, MSR_IA32_SYSENTER_ESP, MSR_TYPE_R | MSR_TYPE_W);
vmx_disable_intercept_for_msr(v, MSR_IA32_SYSENTER_EIP, MSR_TYPE_R | MSR_TYPE_W);
- if ( cpu_has_vmx_pat && paging_mode_hap(d) )
+ if ( paging_mode_hap(d) )
vmx_disable_intercept_for_msr(v, MSR_IA32_CR_PAT, MSR_TYPE_R | MSR_TYPE_W);
}
@@ -1063,7 +1063,7 @@ static int construct_vmcs(struct vcpu *v)
__vmwrite(EPT_POINTER, ept_get_eptp(ept));
}
- if ( cpu_has_vmx_pat && paging_mode_hap(d) )
+ if ( paging_mode_hap(d) )
{
u64 host_pat, guest_pat;
diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
index 9ca8632..b59bf59 100644
--- a/xen/arch/x86/hvm/vmx/vmx.c
+++ b/xen/arch/x86/hvm/vmx/vmx.c
@@ -908,7 +908,7 @@ static unsigned long vmx_get_shadow_gs_base(struct vcpu *v)
static int vmx_set_guest_pat(struct vcpu *v, u64 gpat)
{
- if ( !cpu_has_vmx_pat || !paging_mode_hap(v->domain) )
+ if ( !paging_mode_hap(v->domain) )
return 0;
vmx_vmcs_enter(v);
@@ -919,7 +919,7 @@ static int vmx_set_guest_pat(struct vcpu *v, u64 gpat)
static int vmx_get_guest_pat(struct vcpu *v, u64 *gpat)
{
- if ( !cpu_has_vmx_pat || !paging_mode_hap(v->domain) )
+ if ( !paging_mode_hap(v->domain) )
return 0;
vmx_vmcs_enter(v);
@@ -1591,7 +1591,11 @@ const struct hvm_function_table * __init start_vmx(void)
return NULL;
}
- if ( cpu_has_vmx_ept )
+ /*
+ * Do not enable EPT when (!cpu_has_vmx_pat), to prevent security hole
+ * which refer to http://xenbits.xen.org/xsa/advisory-60.html
+ */
+ if ( cpu_has_vmx_ept && cpu_has_vmx_pat )
{
vmx_function_table.hap_supported = 1;
--
1.7.1
* Re: [PATCH 1/3] XSA-60 security hole: disable EPT when !cpu_has_vmx_pat
2013-10-16 18:33 [PATCH 1/3] XSA-60 security hole: disable EPT when !cpu_has_vmx_pat Liu, Jinsong
@ 2013-10-17 9:58 ` Jan Beulich
2013-10-17 10:05 ` Andrew Cooper
0 siblings, 1 reply; 3+ messages in thread
From: Jan Beulich @ 2013-10-17 9:58 UTC (permalink / raw)
To: Jinsong Liu
Cc: Keir Fraser, suravee.suthikulpanit@amd.com, Tim Deegan,
zhenzhong.duan@oracle.com, xen-devel@lists.xen.org, Will Auld,
Jun Nakajima, sherry.hurwitz@amd.com
>>> On 16.10.13 at 20:33, "Liu, Jinsong" <jinsong.liu@intel.com> wrote:
> From 9ec2ca512979e99a229d333038f849a2d5a7fde5 Mon Sep 17 00:00:00 2001
> From: Liu Jinsong <jinsong.liu@intel.com>
> Date: Thu, 17 Oct 2013 04:00:49 +0800
> Subject: [PATCH 1/3] XSA-60 security hole: disable EPT when !cpu_has_vmx_pat
>
> Recently Oracle developers found a Xen security issue as DOS affecting,
> named as XSA-60. Please refer http://xenbits.xen.org/xsa/advisory-60.html
> Basically it involves how to handle guest cr0.cd setting, which under
> some environment it consumes much time resulting in DOS-like behavior.
>
> This is a preparing patch for fixing XSA-60. Later patch will fix XSA-60
> via PAT under Intel EPT case, which depends on cpu_has_vmx_pat.
>
> Signed-off-by: Liu Jinsong <jinsong.liu@intel.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
> ---
> xen/arch/x86/hvm/vmx/vmcs.c | 4 ++--
> xen/arch/x86/hvm/vmx/vmx.c | 10 +++++++---
> 2 files changed, 9 insertions(+), 5 deletions(-)
>
> diff --git a/xen/arch/x86/hvm/vmx/vmcs.c b/xen/arch/x86/hvm/vmx/vmcs.c
> index 6526504..6916c6d 100644
> --- a/xen/arch/x86/hvm/vmx/vmcs.c
> +++ b/xen/arch/x86/hvm/vmx/vmcs.c
> @@ -921,7 +921,7 @@ static int construct_vmcs(struct vcpu *v)
> vmx_disable_intercept_for_msr(v, MSR_IA32_SYSENTER_CS, MSR_TYPE_R |
> MSR_TYPE_W);
> vmx_disable_intercept_for_msr(v, MSR_IA32_SYSENTER_ESP, MSR_TYPE_R
> | MSR_TYPE_W);
> vmx_disable_intercept_for_msr(v, MSR_IA32_SYSENTER_EIP, MSR_TYPE_R
> | MSR_TYPE_W);
> - if ( cpu_has_vmx_pat && paging_mode_hap(d) )
> + if ( paging_mode_hap(d) )
> vmx_disable_intercept_for_msr(v, MSR_IA32_CR_PAT, MSR_TYPE_R |
> MSR_TYPE_W);
> }
>
> @@ -1063,7 +1063,7 @@ static int construct_vmcs(struct vcpu *v)
> __vmwrite(EPT_POINTER, ept_get_eptp(ept));
> }
>
> - if ( cpu_has_vmx_pat && paging_mode_hap(d) )
> + if ( paging_mode_hap(d) )
> {
> u64 host_pat, guest_pat;
>
> diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
> index 9ca8632..b59bf59 100644
> --- a/xen/arch/x86/hvm/vmx/vmx.c
> +++ b/xen/arch/x86/hvm/vmx/vmx.c
> @@ -908,7 +908,7 @@ static unsigned long vmx_get_shadow_gs_base(struct vcpu
> *v)
>
> static int vmx_set_guest_pat(struct vcpu *v, u64 gpat)
> {
> - if ( !cpu_has_vmx_pat || !paging_mode_hap(v->domain) )
> + if ( !paging_mode_hap(v->domain) )
> return 0;
>
> vmx_vmcs_enter(v);
> @@ -919,7 +919,7 @@ static int vmx_set_guest_pat(struct vcpu *v, u64 gpat)
>
> static int vmx_get_guest_pat(struct vcpu *v, u64 *gpat)
> {
> - if ( !cpu_has_vmx_pat || !paging_mode_hap(v->domain) )
> + if ( !paging_mode_hap(v->domain) )
> return 0;
>
> vmx_vmcs_enter(v);
> @@ -1591,7 +1591,11 @@ const struct hvm_function_table * __init
> start_vmx(void)
> return NULL;
> }
>
> - if ( cpu_has_vmx_ept )
> + /*
> + * Do not enable EPT when (!cpu_has_vmx_pat), to prevent security hole
> + * which refer to http://xenbits.xen.org/xsa/advisory-60.html
> + */
> + if ( cpu_has_vmx_ept && cpu_has_vmx_pat )
> {
> vmx_function_table.hap_supported = 1;
>
> --
> 1.7.1
* Re: [PATCH 1/3] XSA-60 security hole: disable EPT when !cpu_has_vmx_pat
2013-10-17 9:58 ` Jan Beulich
@ 2013-10-17 10:05 ` Andrew Cooper
0 siblings, 0 replies; 3+ messages in thread
From: Andrew Cooper @ 2013-10-17 10:05 UTC (permalink / raw)
To: Jan Beulich
Cc: Jinsong Liu, Keir Fraser, Jun Nakajima, Tim Deegan,
zhenzhong.duan@oracle.com, xen-devel@lists.xen.org, Will Auld,
suravee.suthikulpanit@amd.com, sherry.hurwitz@amd.com
On 17/10/13 10:58, Jan Beulich wrote:
>>>> On 16.10.13 at 20:33, "Liu, Jinsong" <jinsong.liu@intel.com> wrote:
>> From 9ec2ca512979e99a229d333038f849a2d5a7fde5 Mon Sep 17 00:00:00 2001
>> From: Liu Jinsong <jinsong.liu@intel.com>
>> Date: Thu, 17 Oct 2013 04:00:49 +0800
>> Subject: [PATCH 1/3] XSA-60 security hole: disable EPT when !cpu_has_vmx_pat
>>
>> Recently Oracle developers found a Xen security issue as DOS affecting,
>> named as XSA-60. Please refer http://xenbits.xen.org/xsa/advisory-60.html
>> Basically it involves how to handle guest cr0.cd setting, which under
>> some environment it consumes much time resulting in DOS-like behavior.
>>
>> This is a preparing patch for fixing XSA-60. Later patch will fix XSA-60
>> via PAT under Intel EPT case, which depends on cpu_has_vmx_pat.
>>
>> Signed-off-by: Liu Jinsong <jinsong.liu@intel.com>
> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
>
>> ---
>> xen/arch/x86/hvm/vmx/vmcs.c | 4 ++--
>> xen/arch/x86/hvm/vmx/vmx.c | 10 +++++++---
>> 2 files changed, 9 insertions(+), 5 deletions(-)
>>
>> diff --git a/xen/arch/x86/hvm/vmx/vmcs.c b/xen/arch/x86/hvm/vmx/vmcs.c
>> index 6526504..6916c6d 100644
>> --- a/xen/arch/x86/hvm/vmx/vmcs.c
>> +++ b/xen/arch/x86/hvm/vmx/vmcs.c
>> @@ -921,7 +921,7 @@ static int construct_vmcs(struct vcpu *v)
>> vmx_disable_intercept_for_msr(v, MSR_IA32_SYSENTER_CS, MSR_TYPE_R |
>> MSR_TYPE_W);
>> vmx_disable_intercept_for_msr(v, MSR_IA32_SYSENTER_ESP, MSR_TYPE_R
>> | MSR_TYPE_W);
>> vmx_disable_intercept_for_msr(v, MSR_IA32_SYSENTER_EIP, MSR_TYPE_R
>> | MSR_TYPE_W);
>> - if ( cpu_has_vmx_pat && paging_mode_hap(d) )
>> + if ( paging_mode_hap(d) )
>> vmx_disable_intercept_for_msr(v, MSR_IA32_CR_PAT, MSR_TYPE_R |
>> MSR_TYPE_W);
>> }
>>
>> @@ -1063,7 +1063,7 @@ static int construct_vmcs(struct vcpu *v)
>> __vmwrite(EPT_POINTER, ept_get_eptp(ept));
>> }
>>
>> - if ( cpu_has_vmx_pat && paging_mode_hap(d) )
>> + if ( paging_mode_hap(d) )
>> {
>> u64 host_pat, guest_pat;
>>
>> diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
>> index 9ca8632..b59bf59 100644
>> --- a/xen/arch/x86/hvm/vmx/vmx.c
>> +++ b/xen/arch/x86/hvm/vmx/vmx.c
>> @@ -908,7 +908,7 @@ static unsigned long vmx_get_shadow_gs_base(struct vcpu
>> *v)
>>
>> static int vmx_set_guest_pat(struct vcpu *v, u64 gpat)
>> {
>> - if ( !cpu_has_vmx_pat || !paging_mode_hap(v->domain) )
>> + if ( !paging_mode_hap(v->domain) )
>> return 0;
>>
>> vmx_vmcs_enter(v);
>> @@ -919,7 +919,7 @@ static int vmx_set_guest_pat(struct vcpu *v, u64 gpat)
>>
>> static int vmx_get_guest_pat(struct vcpu *v, u64 *gpat)
>> {
>> - if ( !cpu_has_vmx_pat || !paging_mode_hap(v->domain) )
>> + if ( !paging_mode_hap(v->domain) )
>> return 0;
>>
>> vmx_vmcs_enter(v);
>> @@ -1591,7 +1591,11 @@ const struct hvm_function_table * __init
>> start_vmx(void)
>> return NULL;
>> }
>>
>> - if ( cpu_has_vmx_ept )
>> + /*
>> + * Do not enable EPT when (!cpu_has_vmx_pat), to prevent security hole
>> + * which refer to http://xenbits.xen.org/xsa/advisory-60.html
>> + */
>> + if ( cpu_has_vmx_ept && cpu_has_vmx_pat )
>> {
>> vmx_function_table.hap_supported = 1;
>>
>> --
>> 1.7.1
>
>
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> http://lists.xen.org/xen-devel