From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Feng Wu <feng.wu@intel.com>
Cc: kevin.tian@intel.com, ian.campbell@citrix.com,
eddie.dong@intel.com, xen-devel@lists.xen.org, JBeulich@suse.com,
jun.nakajima@intel.com
Subject: Re: [PATCH v2 2/7] Clear AC bit in RFLAGS to protect Xen itself by SMAP
Date: Wed, 23 Apr 2014 11:19:53 +0100 [thread overview]
Message-ID: <535793C9.7000001@citrix.com> (raw)
In-Reply-To: <1398263711-32046-1-git-send-email-feng.wu@intel.com>
On 23/04/14 15:35, Feng Wu wrote:
> Clear AC bit in RFLAGS at the beginning of exception, interrupt, hypercall,
> so Xen itself can be protected by SMAP mechanism.
>
> Signed-off-by: Feng Wu <feng.wu@intel.com>
> ---
> xen/arch/x86/x86_64/compat/entry.S | 1 +
> xen/arch/x86/x86_64/entry.S | 26 ++++++++++++++++++++++++++
> xen/include/asm-x86/x86_64/asm_defns.h | 1 +
> 3 files changed, 28 insertions(+)
>
> diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S
> index 32b3bcc..ac594c9 100644
> --- a/xen/arch/x86/x86_64/compat/entry.S
> +++ b/xen/arch/x86/x86_64/compat/entry.S
> @@ -13,6 +13,7 @@
> #include <irq_vectors.h>
>
> ENTRY(compat_hypercall)
> + ASM_CLAC
> pushq $0
> SAVE_VOLATILE type=TRAP_syscall compat=1
>
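Review bot: the ordering constraint behind this hunk is not documented anywhere in the patch: the `ASM_CLAC` is deliberately placed before the `pushq $0` / `SAVE_VOLATILE` prologue so that AC is already clear before any instruction that could touch guest-accessible memory. Since this is the first entry point the patch touches, a one-line comment here (e.g. "clear AC before anything that may touch user mappings, see SMAP") would explain the placement once, instead of leaving every later `ASM_CLAC` insertion in entry.S unexplained.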
> diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
> index 3ea4683..d294064 100644
> --- a/xen/arch/x86/x86_64/entry.S
> +++ b/xen/arch/x86/x86_64/entry.S
> @@ -120,6 +120,7 @@ restore_all_xen:
> * the space left by the trampoline.
> */
> ENTRY(syscall_enter)
> + ASM_CLAC
Surely this can be sorted more succinctly by setting X86_EFLAGS_AC in
MSR 0xc0000084?
You also need to patch the entry points in the compat trampoline in
> sti
> movl $FLAT_KERNEL_SS,24(%rsp)
> pushq %rcx
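Review bot: if AC is added to the SYSCALL flag-mask MSR (0xc0000084, as suggested inline above), the `ASM_CLAC` at `syscall_enter` becomes redundant, because the hardware already clears every masked RFLAGS bit on SYSCALL, the same mechanism this path relies on for IF (hence the `sti` that follows). If the explicit clear is kept as belt-and-braces, a comment should say so, otherwise it looks like dead code once the mask is in place.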
> @@ -268,6 +269,7 @@ bad_hypercall:
> jmp test_all_events
>
> ENTRY(sysenter_entry)
> + ASM_CLAC
> sti
> pushq $FLAT_USER_SS
> pushq $0
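Review bot: in contrast to the `syscall_enter` hunk, the `ASM_CLAC` at `sysenter_entry` is genuinely required: SYSENTER has no counterpart to the SYSCALL flag-mask MSR and does not clear AC on its own, so a software clear is the only option here. Worth a short comment distinguishing the two paths so that a later cleanup that moves AC into the SYSCALL mask does not remove this one along with it.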
> @@ -309,6 +311,7 @@ UNLIKELY_END(sysenter_gpf)
> jmp .Lbounce_exception
>
...
>
> .pushsection .init.text, "ax", @progbits
> ENTRY(early_page_fault)
> + ASM_CLAC
I don't think CLAC is appropriate here. This is a pagefault handler for
Xen early boot, and is replaced with a real handler substantially before
dom0 is created.
> SAVE_ALL
> movq %rsp,%rdi
> call do_early_page_fault
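Review bot: besides being unnecessary on the early-boot path, as noted inline, this `ASM_CLAC` sits in `.init.text`, and the definition of `ASM_CLAC` is not in this patch to check: if it expands to a bare `clac`, that instruction raises #UD on hardware without SMAP, so unless the macro is feature-guarded it must not run before CPU feature detection. Simplest fix is to drop the line from `early_page_fault`, as suggested above.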
> @@ -622,6 +644,7 @@ ENTRY(early_page_fault)
> .popsection
>
> ENTRY(nmi)
> + ASM_CLAC
> pushq $0
> movl $TRAP_nmi,4(%rsp)
> handle_ist_exception:
> @@ -659,6 +682,7 @@ handle_ist_exception:
> jmp compat_restore_all_guest
>
> ENTRY(nmi_crash)
> + ASM_CLAC
> pushq $0
> movl $TRAP_nmi,4(%rsp)
> SAVE_ALL
> @@ -667,6 +691,7 @@ ENTRY(nmi_crash)
> ud2
>
> ENTRY(machine_check)
> + ASM_CLAC
> pushq $0
> movl $TRAP_machine_check,4(%rsp)
> jmp handle_ist_exception
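Review bot: this `ASM_CLAC` duplicates the one added to `nmi` a few hunks earlier; both entries run the same two-instruction prologue (`pushq $0` and `movl $TRAP_...,4(%rsp)`), which only writes the Xen stack, and then converge on `handle_ist_exception`. A single `ASM_CLAC` at the top of `handle_ist_exception` would cover both entries and avoid the copies. `nmi_crash` does not go through `handle_ist_exception`, so it would keep its own.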
> @@ -689,6 +714,7 @@ ENTRY(enable_nmis)
>
> /* No op trap handler. Required for kexec crash path. */
> GLOBAL(trap_nop)
> + ASM_CLAC
> iretq
This is not sensible in the slightest, given the following instruction.
~Andrew
>
>
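Review bot: agree with the inline comment on `trap_nop`: the `ASM_CLAC` is immediately followed by `iretq`, which reloads RFLAGS (AC included) from the interrupt frame, and no Xen code runs in between that could touch guest memory, so the clear has no effect and should be dropped.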
> diff --git a/xen/include/asm-x86/x86_64/asm_defns.h b/xen/include/asm-x86/x86_64/asm_defns.h
> index bf63ac1..69f76b2 100644
> --- a/xen/include/asm-x86/x86_64/asm_defns.h
> +++ b/xen/include/asm-x86/x86_64/asm_defns.h
> @@ -212,6 +212,7 @@
> __asm__( \
> "\n" __ALIGN_STR"\n" \
> "common_interrupt:\n\t" \
> + ASM_CLAC(%)"\n\t" \
> STR(SAVE_ALL) "\n\t" \
> "movq %rsp,%rdi\n\t" \
> "callq " STR(do_IRQ) "\n\t" \
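Review bot: the invocation form in `common_interrupt` differs from the assembler-file hunks: `ASM_CLAC(%)"\n\t"` takes an argument and is not wrapped in `STR()` the way `STR(SAVE_ALL)` is on the next line. Since the diffstat shows this header gaining only this one line, the definition that makes both spellings work must come from elsewhere in the series; a brief comment or a reference to that patch here would let reviewers confirm that the C-string expansion emits the same (feature-guarded) sequence as the .S one.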