From: Feng Wu <feng.wu@intel.com>
To: xen-devel@lists.xen.org
Cc: kevin.tian@intel.com, Feng Wu <feng.wu@intel.com>,
JBeulich@suse.com, andrew.cooper3@citrix.com,
eddie.dong@intel.com, jun.nakajima@intel.com,
ian.campbell@citrix.com
Subject: [PATCH v9 2/7] x86: Clear AC bit in RFLAGS to protect Xen itself by SMAP
Date: Mon, 12 May 2014 14:27:36 +0800 [thread overview]
Message-ID: <1399876061-28158-3-git-send-email-feng.wu@intel.com> (raw)
In-Reply-To: <1399876061-28158-1-git-send-email-feng.wu@intel.com>
Clear the AC bit in RFLAGS at the beginning of exception, interrupt and hypercall
entry, so that Xen itself is protected by the SMAP mechanism. This patch also sets
the AC bit at the beginning of double_fault and fatal_trap() to reduce the likelihood
of taking a further fault while trying to dump state.
Signed-off-by: Feng Wu <feng.wu@intel.com>
---
xen/arch/x86/acpi/suspend.c | 5 +----
xen/arch/x86/boot/x86_64.S | 2 +-
xen/arch/x86/traps.c | 3 +++
xen/arch/x86/x86_64/compat/entry.S | 1 +
xen/arch/x86/x86_64/entry.S | 14 +++++++++-----
xen/arch/x86/x86_64/traps.c | 5 +----
xen/include/asm-x86/asm_defns.h | 13 ++++++++++++-
xen/include/asm-x86/processor.h | 4 ++++
8 files changed, 32 insertions(+), 15 deletions(-)
diff --git a/xen/arch/x86/acpi/suspend.c b/xen/arch/x86/acpi/suspend.c
index a373e9a..1d8344c 100644
--- a/xen/arch/x86/acpi/suspend.c
+++ b/xen/arch/x86/acpi/suspend.c
@@ -56,10 +56,7 @@ void restore_rest_processor_state(void)
wrmsrl(MSR_LSTAR, saved_lstar);
wrmsrl(MSR_CSTAR, saved_cstar);
wrmsr(MSR_STAR, 0, (FLAT_RING3_CS32<<16) | __HYPERVISOR_CS);
- wrmsr(MSR_SYSCALL_MASK,
- X86_EFLAGS_VM|X86_EFLAGS_RF|X86_EFLAGS_NT|
- X86_EFLAGS_DF|X86_EFLAGS_IF|X86_EFLAGS_TF,
- 0U);
+ wrmsr(MSR_SYSCALL_MASK, XEN_SYSCALL_MASK, 0U);
wrfsbase(saved_fs_base);
wrgsbase(saved_gs_base);
diff --git a/xen/arch/x86/boot/x86_64.S b/xen/arch/x86/boot/x86_64.S
index 22645d6..67dfef9 100644
--- a/xen/arch/x86/boot/x86_64.S
+++ b/xen/arch/x86/boot/x86_64.S
@@ -60,7 +60,7 @@ start_bsp:
/* This is the default interrupt handler. */
ignore_int:
- SAVE_ALL
+ SAVE_ALL CLAC
movq %cr2,%rsi
leaq int_msg(%rip),%rdi
xorl %eax,%eax
diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c
index 5d27581..ac68a85 100644
--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -401,6 +401,9 @@ void fatal_trap(int trapnr, struct cpu_user_regs *regs)
{
static DEFINE_PER_CPU(char, depth);
+ /* Set AC to reduce chance of further SMAP faults */
+ stac();
+
/*
* In some cases, we can end up in a vicious cycle of fatal_trap()s
* within fatal_trap()s. We give the problem a couple of iterations to
diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S
index 32b3bcc..ac594c9 100644
--- a/xen/arch/x86/x86_64/compat/entry.S
+++ b/xen/arch/x86/x86_64/compat/entry.S
@@ -13,6 +13,7 @@
#include <irq_vectors.h>
ENTRY(compat_hypercall)
+ ASM_CLAC
pushq $0
SAVE_VOLATILE type=TRAP_syscall compat=1
diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
index 1c81852..42f66bf 100644
--- a/xen/arch/x86/x86_64/entry.S
+++ b/xen/arch/x86/x86_64/entry.S
@@ -273,6 +273,7 @@ ENTRY(sysenter_entry)
pushq $0
pushfq
GLOBAL(sysenter_eflags_saved)
+ ASM_CLAC
pushq $3 /* ring 3 null cs */
pushq $0 /* null rip */
pushq $0
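Review bot: The new ASM_CLAC after GLOBAL(sysenter_eflags_saved) is placed below the pushfq without a comment saying that the order is deliberate; clearing AC before the pushfq would record a cleared AC in the saved frame instead of the guest's value, and because the label is a global entry point every path that enters through it also gets the CLAC. Suggest a comment above it: `/* Below pushfq on purpose: the saved eflags keep the guest's AC; clear ours now. */`. sysenter_entry continues outside the hunk. The int80_direct_trap hunk that follows puts ASM_CLAC first, which is fine there since no eflags are pushed by software before it.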
@@ -309,6 +310,7 @@ UNLIKELY_END(sysenter_gpf)
jmp .Lbounce_exception
ENTRY(int80_direct_trap)
+ ASM_CLAC
pushq $0
SAVE_VOLATILE 0x80
@@ -466,7 +468,7 @@ ENTRY(dom_crash_sync_extable)
jmp asm_domain_crash_synchronous /* Does not return */
ENTRY(common_interrupt)
- SAVE_ALL
+ SAVE_ALL CLAC
movq %rsp,%rdi
callq do_IRQ
jmp ret_from_intr
@@ -485,7 +487,7 @@ ENTRY(page_fault)
movl $TRAP_page_fault,4(%rsp)
/* No special register assumptions. */
GLOBAL(handle_exception)
- SAVE_ALL
+ SAVE_ALL CLAC
handle_exception_saved:
testb $X86_EFLAGS_IF>>8,UREGS_eflags+1(%rsp)
jz exception_with_ints_disabled
@@ -614,7 +616,8 @@ ENTRY(spurious_interrupt_bug)
ENTRY(double_fault)
movl $TRAP_double_fault,4(%rsp)
- SAVE_ALL
+ /* Set AC to reduce chance of further SMAP faults */
+ SAVE_ALL STAC
movq %rsp,%rdi
call do_double_fault
ud2
@@ -631,7 +634,7 @@ ENTRY(nmi)
pushq $0
movl $TRAP_nmi,4(%rsp)
handle_ist_exception:
- SAVE_ALL
+ SAVE_ALL CLAC
testb $3,UREGS_cs(%rsp)
jz 1f
/* Interrupted guest context. Copy the context to stack bottom. */
@@ -667,7 +670,8 @@ handle_ist_exception:
ENTRY(nmi_crash)
pushq $0
movl $TRAP_nmi,4(%rsp)
- SAVE_ALL
+ /* Set AC to reduce chance of further SMAP faults */
+ SAVE_ALL STAC
movq %rsp,%rdi
callq do_nmi_crash /* Does not return */
ud2
diff --git a/xen/arch/x86/x86_64/traps.c b/xen/arch/x86/x86_64/traps.c
index 90072c1..3a48478 100644
--- a/xen/arch/x86/x86_64/traps.c
+++ b/xen/arch/x86/x86_64/traps.c
@@ -436,10 +436,7 @@ void __devinit subarch_percpu_traps_init(void)
/* Common SYSCALL parameters. */
wrmsr(MSR_STAR, 0, (FLAT_RING3_CS32<<16) | __HYPERVISOR_CS);
- wrmsr(MSR_SYSCALL_MASK,
- X86_EFLAGS_VM|X86_EFLAGS_RF|X86_EFLAGS_NT|
- X86_EFLAGS_DF|X86_EFLAGS_IF|X86_EFLAGS_TF,
- 0U);
+ wrmsr(MSR_SYSCALL_MASK, XEN_SYSCALL_MASK, 0U);
}
void init_int80_direct_trap(struct vcpu *v)
diff --git a/xen/include/asm-x86/asm_defns.h b/xen/include/asm-x86/asm_defns.h
index b75905a..df4873b 100644
--- a/xen/include/asm-x86/asm_defns.h
+++ b/xen/include/asm-x86/asm_defns.h
@@ -190,7 +190,18 @@ static inline void stac(void)
#endif
#ifdef __ASSEMBLY__
-.macro SAVE_ALL
+.macro SAVE_ALL op
+.ifeqs "\op", "CLAC"
+ ASM_CLAC
+.else
+.ifeqs "\op", "STAC"
+ ASM_STAC
+.else
+.ifnb \op
+ .err
+.endif
+.endif
+.endif
addq $-(UREGS_error_code-UREGS_r15), %rsp
cld
movq %rdi,UREGS_rdi(%rsp)
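Review bot: The `.err` in the new SAVE_ALL operand check fails the build without saying which macro or operand is wrong, and the macro gains an operand without a comment describing the accepted values. Suggest `.error "SAVE_ALL: unknown operand \op"` in place of `.err`, and a short comment above the macro such as `/* SAVE_ALL [op]: op may be CLAC, STAC or empty; the AC change is emitted before any register is saved. */`. The nested .ifeqs/.else form appears necessary since GAS has no string-comparing .elseif, so the shape itself is fine. The body of SAVE_ALL continues outside the hunk.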
diff --git a/xen/include/asm-x86/processor.h b/xen/include/asm-x86/processor.h
index 604f5b3..35b2433 100644
--- a/xen/include/asm-x86/processor.h
+++ b/xen/include/asm-x86/processor.h
@@ -141,6 +141,10 @@
#define PFEC_page_paged (1U<<5)
#define PFEC_page_shared (1U<<6)
+#define XEN_SYSCALL_MASK (X86_EFLAGS_AC|X86_EFLAGS_VM|X86_EFLAGS_RF| \
+ X86_EFLAGS_NT|X86_EFLAGS_DF|X86_EFLAGS_IF| \
+ X86_EFLAGS_TF)
+
#ifndef __ASSEMBLY__
struct domain;
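Review bot: XEN_SYSCALL_MASK is introduced without a comment, yet it carries the one part of this change that is not an explicit ASM_CLAC: X86_EFLAGS_AC in the SYSCALL mask means the LSTAR/CSTAR hypercall entries programmed in suspend.c and x86_64/traps.c get AC cleared by hardware, which is presumably why no ASM_CLAC is added on that path. Suggest `/* RFLAGS bits cleared by SYSCALL on entry; AC is included so SMAP protects Xen on hypercall entry. */` above the define, so a later reader does not drop AC from the mask thinking it redundant.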
--
1.8.3.1