From: Matt Wilson
Subject: Re: [PATCH] VMX: XSA-60 workaround
Date: Mon, 19 Aug 2013 11:27:57 -0700
Message-ID: <20130819182728.GA29522@u109add4315675089e695.ant.amazon.com>
References: <520A7CA202000078000EB9DB@nat28.tlf.novell.com>
In-Reply-To: <520A7CA202000078000EB9DB@nat28.tlf.novell.com>
To: Jan Beulich
Cc: xen-devel, Keir Fraser, Eddie Dong, Jun Nakajima
List-Id: xen-devel@lists.xenproject.org

On Tue, Aug 13, 2013 at 05:36:17PM +0100, Jan Beulich wrote:
> Considering that there's still no real progress towards a resolution
> for XSA-60, I'd like to propose turning off the problematic code by
> default, allowing it to be turned back on via command line option.

Apologies for a late reply, I've been on holiday for the past week.

I think it'd be really handy to make this a per-domain configuration,
perhaps with a system-wide default set by boot command line. If not
per-domain, it would be helpful to be configurable at boot time.

--msw

> Signed-off-by: Jan Beulich
>
> --- a/xen/arch/x86/hvm/vmx/vmx.c > +++ b/xen/arch/x86/hvm/vmx/vmx.c
> @@ -57,6 +57,14 @@ > #include > #include > > +/* > + * Option to allow VMX guests to run with caches disabled. This is exposing > + * the host to DoS attacks (due to the way vmx_set_uc_mode() works), and hence > + * needs to be disabled by default. > + */ > +static bool_t __read_mostly opt_permit_cache_disable; > +boolean_param("vmx-permit-cache-disable", opt_permit_cache_disable); > + > enum handler_return { HNDL_done, HNDL_unhandled, HNDL_exception_raised }; > > static void vmx_ctxt_switch_from(struct vcpu *v); > @@ -1133,6 +1141,8 @@ static void vmx_update_guest_cr(struct v > > v->arch.hvm_vcpu.hw_cr[0] = > v->arch.hvm_vcpu.guest_cr[0] | hw_cr0_mask; > + if ( !opt_permit_cache_disable ) > + v->arch.hvm_vcpu.hw_cr[0] &= ~(X86_CR0_CD | X86_CR0_NW); > __vmwrite(GUEST_CR0, v->arch.hvm_vcpu.hw_cr[0]); > __vmwrite(CR0_READ_SHADOW, v->arch.hvm_vcpu.guest_cr[0]); > > @@ -1603,6 +1613,9 @@ const struct hvm_function_table * __init > vmx_function_table.sync_pir_to_irr = NULL; > } > > + if ( !opt_permit_cache_disable ) > + vmx_function_table.set_uc_mode = NULL; > + > setup_vmcs_dump(); > > return &vmx_function_table;
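
Review bot: the `vmx-permit-cache-disable` parameter added in the first hunk (@@ -57,6 +57,14) is documented only by the code comment above `opt_permit_cache_disable`; the patch touches only xen/arch/x86/hvm/vmx/vmx.c, so the new boot option gets no entry in the command line documentation. Please add one that states the default (off) and the DoS exposure the comment mentions when the option is turned on. Because the setting is a single `static bool_t` parsed at boot, it applies host-wide, which is worth stating in that entry as well.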
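
Review bot: in the `vmx_update_guest_cr()` hunk (@@ -1133,6 +1141,8) the added `hw_cr[0] &= ~(X86_CR0_CD | X86_CR0_NW)` changes only the value written to GUEST_CR0, while CR0_READ_SHADOW is still written from `guest_cr[0]`, so with the option off a guest that sets CD or NW reads those bits back as set while it actually runs with caching enabled. If that silent divergence is intended, the two added lines need a comment saying so, and a message logged the first time a guest's request is dropped would let an administrator see that the workaround is in effect.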
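
Review bot: the last hunk (@@ -1603,6 +1613,9) sets `vmx_function_table.set_uc_mode = NULL` when the option is off, but no caller of that hook is changed in this patch, so nothing visible here shows that every call site checks the pointer before calling through it. Please confirm that, or add the check in the same patch, since a call through a NULL hook would crash the hypervisor. A one-line comment next to the assignment stating that NULL means guest UC mode requests are ignored would also help.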