From: Laszlo Ersek <lersek@redhat.com>
To: Igor Mammedov <imammedo@redhat.com>
Cc: "Chen, Yingwen" <yingwen.chen@intel.com>,
"devel@edk2.groups.io" <devel@edk2.groups.io>,
Phillip Goerl <phillip.goerl@oracle.com>,
qemu devel list <qemu-devel@nongnu.org>,
Alex Williamson <alex.williamson@redhat.com>,
"Yao, Jiewen" <jiewen.yao@intel.com>,
"Nakajima, Jun" <jun.nakajima@intel.com>,
"Kinney, Michael D" <michael.d.kinney@intel.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Boris Ostrovsky <boris.ostrovsky@oracle.com>,
"rfc@edk2.groups.io" <rfc@edk2.groups.io>,
Joao Marcal Lemos Martins <joao.m.martins@oracle.com>
Subject: Re: [Qemu-devel] [edk2-rfc] [edk2-devel] CPU hotplug using SMM with QEMU+OVMF
Date: Fri, 30 Aug 2019 20:46:14 +0200 [thread overview]
Message-ID: <a43d47e0-6e99-ad42-77d4-638421e8768c@redhat.com> (raw)
In-Reply-To: <20190830164802.1b17ff26@redhat.com>
On 08/30/19 16:48, Igor Mammedov wrote:
> (01) On boot firmware maps and initializes SMI handler at default SMBASE (30000)
> (using dedicated SMRAM at 30000 would allow us to avoid save/restore
> steps and make SMM handler pointer not vulnerable to DMA attacks)
>
> (02) QEMU hotplugs a new CPU in reset-ed state and sends SCI
>
> (03) on receiving SCI, host CPU calls GPE cpu hotplug handler
> which writes to IO port 0xB2 (broadcast SMI)
>
> (04) firmware waits for all existing CPUs rendezvous in SMM mode,
> new CPU(s) have SMI pending but does nothing yet
>
> (05) host CPU wakes up one new CPU (INIT-INIT-SIPI)
> SIPI vector points to RO flash HLT loop.
> (how host CPU will know which new CPUs to relocate?
> possibly reuse QEMU CPU hotplug MMIO interface???)
>
> (06) new CPU does relocation.
> (in case of attacker sends SIPI to several new CPUs,
> open question how to detect collision of several CPUs at the same default SMBASE)
>
> (07) once new CPU relocated host CPU completes initialization, returns
> from IO port write and executes the rest of GPE handler, telling OS
> to online new CPU.
In step (03), it is the OS that handles the SCI; it transfers control to
ACPI. The AML can write to IO port 0xB2 only because the OS allows it.
If the OS decides to omit that step, and sends an INIT-SIPI-SIPI
directly to the new CPU, can it steal the CPU?
Thanks!
Laszlo
next prev parent reply other threads:[~2019-08-30 18:48 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-13 14:16 [Qemu-devel] CPU hotplug using SMM with QEMU+OVMF Laszlo Ersek
2019-08-13 16:09 ` Laszlo Ersek
2019-08-13 16:18 ` Laszlo Ersek
2019-08-14 13:20 ` Yao, Jiewen
2019-08-14 14:04 ` Paolo Bonzini
2019-08-15 9:55 ` Yao, Jiewen
2019-08-15 16:04 ` Paolo Bonzini
2019-08-15 15:00 ` [Qemu-devel] [edk2-devel] " Laszlo Ersek
2019-08-15 16:16 ` Igor Mammedov
2019-08-15 16:21 ` Paolo Bonzini
2019-08-16 2:46 ` Yao, Jiewen
2019-08-16 7:20 ` Paolo Bonzini
2019-08-16 7:49 ` Yao, Jiewen
2019-08-16 20:15 ` Laszlo Ersek
2019-08-16 22:19 ` Alex Williamson
2019-08-17 0:20 ` Yao, Jiewen
2019-08-18 19:50 ` Paolo Bonzini
2019-08-18 23:00 ` Yao, Jiewen
2019-08-19 14:10 ` Paolo Bonzini
2019-08-21 12:07 ` Laszlo Ersek
[not found] ` <E92EE9817A31E24EB0585FDF735412F5B9D9C671@ORSMSX113.amr.corp.intel.com>
2019-08-21 17:05 ` [Qemu-devel] [edk2-rfc] " Paolo Bonzini
[not found] ` <E92EE9817A31E24EB0585FDF735412F5B9D9D74A@ORSMSX113.amr.corp.intel.com>
2019-08-21 17:39 ` Paolo Bonzini
2019-08-21 20:17 ` Kinney, Michael D
2019-08-22 6:18 ` Paolo Bonzini
2019-08-22 18:29 ` Laszlo Ersek
2019-08-22 18:51 ` Paolo Bonzini
2019-08-23 14:53 ` Laszlo Ersek
2019-08-22 20:13 ` Kinney, Michael D
2019-08-22 17:59 ` Laszlo Ersek
2019-08-22 18:43 ` Paolo Bonzini
2019-08-22 20:06 ` Kinney, Michael D
2019-08-22 22:18 ` Paolo Bonzini
2019-08-22 22:32 ` Kinney, Michael D
2019-08-22 23:11 ` Paolo Bonzini
2019-08-23 1:02 ` Kinney, Michael D
2019-08-23 5:00 ` Yao, Jiewen
2019-08-23 15:25 ` Kinney, Michael D
2019-08-24 1:48 ` Yao, Jiewen
2019-08-27 18:31 ` Igor Mammedov
2019-08-29 17:01 ` Laszlo Ersek
2019-08-30 14:48 ` Igor Mammedov
2019-08-30 18:46 ` Laszlo Ersek [this message]
2019-09-02 8:45 ` Igor Mammedov
2019-09-02 19:09 ` Laszlo Ersek
2019-09-03 14:53 ` Igor Mammedov
2019-09-03 17:20 ` Laszlo Ersek
2019-09-04 9:52 ` Igor Mammedov
2019-09-05 13:08 ` Laszlo Ersek
2019-09-05 15:45 ` Igor Mammedov
2019-09-05 15:49 ` [Qemu-devel] [PATCH] q35: lpc: allow to lock down 128K RAM at default SMBASE address Igor Mammedov
2019-09-09 19:15 ` Laszlo Ersek
2019-09-09 19:20 ` Laszlo Ersek
2019-09-10 15:58 ` Igor Mammedov
2019-09-11 17:30 ` Laszlo Ersek
2019-09-17 13:11 ` [Qemu-devel] [edk2-devel] " Igor Mammedov
2019-08-26 15:30 ` [Qemu-devel] [edk2-rfc] [edk2-devel] CPU hotplug using SMM with QEMU+OVMF Laszlo Ersek
2019-08-27 16:23 ` Igor Mammedov
2019-08-27 20:11 ` Laszlo Ersek
2019-08-28 12:01 ` Igor Mammedov
2019-08-29 16:25 ` Laszlo Ersek
2019-08-30 13:49 ` Igor Mammedov
2019-08-22 17:53 ` Laszlo Ersek
2019-08-16 20:00 ` [Qemu-devel] " Laszlo Ersek
2019-08-15 16:07 ` [Qemu-devel] " Igor Mammedov
2019-08-15 16:24 ` Paolo Bonzini
2019-08-16 7:42 ` Igor Mammedov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a43d47e0-6e99-ad42-77d4-638421e8768c@redhat.com \
--to=lersek@redhat.com \
--cc=alex.williamson@redhat.com \
--cc=boris.ostrovsky@oracle.com \
--cc=devel@edk2.groups.io \
--cc=imammedo@redhat.com \
--cc=jiewen.yao@intel.com \
--cc=joao.m.martins@oracle.com \
--cc=jun.nakajima@intel.com \
--cc=michael.d.kinney@intel.com \
--cc=pbonzini@redhat.com \
--cc=phillip.goerl@oracle.com \
--cc=qemu-devel@nongnu.org \
--cc=rfc@edk2.groups.io \
--cc=yingwen.chen@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).