From: "Roger Pau Monné" <roger.pau@citrix.com>
To: Jan Beulich <jbeulich@suse.com>
Cc: "xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org>,
Andrew Cooper <andrew.cooper3@citrix.com>
Subject: Re: [PATCH] x86/PV: further harden guest memory accesses against speculative abuse
Date: Thu, 23 Jan 2025 12:54:58 +0100 [thread overview]
Message-ID: <Z5IuEq9Lauhn8glx@macbook.local> (raw)
In-Reply-To: <a537dd1e-bbd3-4ef8-8014-6bb432484c57@suse.com>
On Tue, Nov 05, 2024 at 02:56:42PM +0100, Jan Beulich wrote:
> The original implementation has two issues: For one it doesn't preserve
> non-canonical-ness of inputs in the range 0x8000000000000000 through
> 0x80007fffffffffff. Bogus guest pointers in that range would not cause a
> (#GP) fault upon access, when they should.
>
> And then there is an AMD-specific aspect, where only the low 48 bits of
> an address are used for speculative execution; the architecturally
> mandated #GP for non-canonical addresses would be raised at a later
> execution stage. Therefore to prevent Xen controlled data to make it
> into any of the caches in a guest controllable manner, we need to
> additionally ensure that for non-canonical inputs bit 47 would be clear.
>
> See the code comment for how addressing both is being achieved.
>
> Fixes: 4dc181599142 ("x86/PV: harden guest memory accesses against speculative abuse")
> Signed-off-by: Jan Beulich <jbeulich@suse.com>
> ---
> RFC: Two variants of part of the logic are being presented, both with
> certain undesirable aspects: The first form is pretty large and
> ugly (some improvement may be possible by introducing further
> helper macros). The alternative form continues to use RCR, which
> generally would be nice to do away with. Then again that's also
> slightly smaller generated code.
Oh, I assume that's why there's a hardcoded .if 1, I was wondering
about that. What's the specific issue with using rcr? And why is the
more complex set of macros that use setc plus a shl better?
Why not use cmovc:
mov $(1 << 63), \scratch1
cmovc \scratch1, \scratch2
AFAICT \scratch1 is not used past the btr instruction, and hence can
be used for the cmovc?
Thanks, Roger.
next prev parent reply other threads:[~2025-01-23 11:55 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-05 13:56 [PATCH] x86/PV: further harden guest memory accesses against speculative abuse Jan Beulich
2025-01-23 11:54 ` Roger Pau Monné [this message]
2025-01-23 12:44 ` Jan Beulich
2025-01-23 14:02 ` Roger Pau Monné
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z5IuEq9Lauhn8glx@macbook.local \
--to=roger.pau@citrix.com \
--cc=andrew.cooper3@citrix.com \
--cc=jbeulich@suse.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.