From: Juergen Gross <jgross@suse.com>
To: xen-devel@lists.xenproject.org
Cc: Juergen Gross <jgross@suse.com>,
andrew.cooper3@citrix.com, dfaggioli@suse.com, jbeulich@suse.com
Subject: [PATCH v3 09/17] x86: create syscall stub for per-domain mapping
Date: Fri, 9 Feb 2018 15:01:43 +0100 [thread overview]
Message-ID: <20180209140151.24714-10-jgross@suse.com> (raw)
In-Reply-To: <20180209140151.24714-1-jgross@suse.com>
The current syscall stub can't be used when mapped in the per-domain area,
as required by XPTI, because the distance for jumping into the common
interrupt handling code is larger than 2GB. Using just an indirect
jump isn't going to work, as this would require mitigations against
Spectre.
So use a new trampoline which is no longer unique to a (v)cpu, but
can be mapped into the per-domain area as needed. For addressing the
stack use the knowledge that the primary stack will be in the next
page after the trampoline coding so we can save %rsp via a %rip
relative access without needing any further register.
For being able to easily switch between per-cpu and per-vcpu stubs add
a macro for the per-cpu stub size and add the prototypes of
[cl]star_enter() to a header.
Signed-off-by: Juergen Gross <jgross@suse.com>
---
V3:
- completely new per-vcpu stub containing Spectre mitigation
---
xen/arch/x86/pv/Makefile | 1 +
xen/arch/x86/pv/xpti-stub.S | 61 ++++++++++++++++++++++++++++++++++++++
xen/arch/x86/x86_64/compat/entry.S | 1 +
xen/arch/x86/x86_64/entry.S | 1 +
xen/arch/x86/x86_64/traps.c | 3 +-
xen/include/asm-x86/system.h | 5 ++++
6 files changed, 70 insertions(+), 2 deletions(-)
create mode 100644 xen/arch/x86/pv/xpti-stub.S
diff --git a/xen/arch/x86/pv/Makefile b/xen/arch/x86/pv/Makefile
index a12e4fbd1a..3f6b5506dc 100644
--- a/xen/arch/x86/pv/Makefile
+++ b/xen/arch/x86/pv/Makefile
@@ -17,3 +17,4 @@ obj-y += xpti.o
obj-bin-y += dom0_build.init.o
obj-bin-y += gpr_switch.o
+obj-bin-y += xpti-stub.o
diff --git a/xen/arch/x86/pv/xpti-stub.S b/xen/arch/x86/pv/xpti-stub.S
new file mode 100644
index 0000000000..efa1e3f661
--- /dev/null
+++ b/xen/arch/x86/pv/xpti-stub.S
@@ -0,0 +1,61 @@
+/*
+ * Syscall stubs mappable to per-vcpu area in order to mitigate Meltdown attack.
+ * The stack page will be mapped just after the stub page, so its distance
+ * is well known.
+ *
+ * Copyright (c) 2018, Juergen Gross
+ */
+
+ .file "pv/xpti-stub.S"
+
+#include <asm/asm_defns.h>
+#include <public/xen.h>
+
+ .align PAGE_SIZE
+
+ .equ xpti_regs, . + 2 * PAGE_SIZE - CPUINFO_sizeof
+
+ENTRY(xpti_lstar)
+ mov %rsp, xpti_regs+UREGS_rsp(%rip)
+ lea xpti_regs+UREGS_rsp(%rip), %rsp
+ movq $FLAT_KERNEL_SS, 8(%rsp)
+ pushq %r11
+ pushq $FLAT_KERNEL_CS64
+ pushq %rcx
+ pushq $0
+ movl $TRAP_syscall, 4(%rsp)
+ SAVE_ALL
+ mov %rsp, %r12
+
+ sti
+
+ SPEC_CTRL_ENTRY_FROM_PV /* Req: %r12=regs, %rsp=cpuinfo, Clob: acd */
+ /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */
+
+ movabsq $lstar_common, %rax
+ INDIRECT_LOCAL_JMP %rax
+
+ENTRY(xpti_cstar)
+ mov %rsp, xpti_regs+UREGS_rsp(%rip)
+ lea xpti_regs+UREGS_rsp(%rip), %rsp
+ movq $FLAT_KERNEL_SS, 8(%rsp)
+ pushq %r11
+ pushq $FLAT_USER_CS32
+ pushq %rcx
+ pushq $0
+ movl $TRAP_syscall, 4(%rsp)
+ SAVE_ALL
+ movq %rsp, %r12
+
+ sti
+
+ SPEC_CTRL_ENTRY_FROM_PV /* Req: %r12=regs, %rsp=cpuinfo, Clob: acd */
+ /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */
+
+ movabsq $cstar_common, %rax
+ INDIRECT_LOCAL_JMP %rax
+
+local__x86_indirect_thunk_rax:
+ GEN_INDIRECT_THUNK_BODY rax
+
+ .align PAGE_SIZE
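Review bot: The `.equ xpti_regs, . + 2 * PAGE_SIZE - CPUINFO_sizeof` line bakes in a mapping contract that the code itself does not document: the page after the stub must be the stack page with the cpuinfo block at its top. The first instruction of both `xpti_lstar` and `xpti_cstar` stores the guest-supplied `%rsp` at that computed address before anything else runs, so a mapping that breaks the assumption turns it into a write to the wrong location. I would add a comment above the `.equ` such as `/* Layout: stub page, then stack page; cpuinfo sits at the top of the stack page. */`, plus a build-time check before the final `.align PAGE_SIZE` that the entry code and `local__x86_indirect_thunk_rax` still fit in one page. The two entry bodies differ only in the code selector and the jump target (and `mov` versus `movq` for the `%r12` copy), so a shared macro would keep them from drifting apart.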
diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S
index eced1475b7..206bc9a05a 100644
--- a/xen/arch/x86/x86_64/compat/entry.S
+++ b/xen/arch/x86/x86_64/compat/entry.S
@@ -215,6 +215,7 @@ ENTRY(cstar_enter)
SPEC_CTRL_ENTRY_FROM_PV /* Req: %r12=regs, %rsp=cpuinfo, Clob: acd */
/* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */
+GLOBAL(cstar_common)
CR4_PV32_RESTORE
GET_CURRENT(bx)
movq VCPU_domain(%rbx),%rcx
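Review bot: `cstar_common` here and `lstar_common` in the x86_64/entry.S hunk become jump targets for code in another file, yet neither label carries a comment stating the state a caller must have set up. Judging from xpti-stub.S, the expected state appears to be a full SAVE_ALL frame, `%r12` pointing at the regs, SPEC_CTRL_ENTRY_FROM_PV already executed and interrupts enabled. I would add above each label something like `/* Also entered from xpti_[cl]star: frame saved, %r12=regs, SPEC_CTRL entry done. */`, so that later edits to the preceding lines of `cstar_enter`/`lstar_enter` are mirrored in the stub. Both enclosing functions start and end outside their hunks.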
diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
index f067a74b0f..69590d0b17 100644
--- a/xen/arch/x86/x86_64/entry.S
+++ b/xen/arch/x86/x86_64/entry.S
@@ -120,6 +120,7 @@ ENTRY(lstar_enter)
SPEC_CTRL_ENTRY_FROM_PV /* Req: %r12=regs, %rsp=cpuinfo, Clob: acd */
/* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */
+GLOBAL(lstar_common)
GET_CURRENT(bx)
testb $TF_kernel_mode,VCPU_thread_flags(%rbx)
jz switch_to_kernel
diff --git a/xen/arch/x86/x86_64/traps.c b/xen/arch/x86/x86_64/traps.c
index 3652f5ff21..bd4d37c2ad 100644
--- a/xen/arch/x86/x86_64/traps.c
+++ b/xen/arch/x86/x86_64/traps.c
@@ -291,8 +291,6 @@ static unsigned int write_stub_trampoline(
}
DEFINE_PER_CPU(struct stubs, stubs);
-void lstar_enter(void);
-void cstar_enter(void);
void subarch_percpu_traps_init(void)
{
@@ -315,6 +313,7 @@ void subarch_percpu_traps_init(void)
offset = write_stub_trampoline(stub_page + (stub_va & ~PAGE_MASK),
stub_va, stack_bottom,
(unsigned long)lstar_enter);
+ ASSERT(offset == STUB_TRAMPOLINE_SIZE_PERCPU);
stub_va += offset;
if ( boot_cpu_data.x86_vendor == X86_VENDOR_INTEL ||
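Review bot: The added `ASSERT(offset == STUB_TRAMPOLINE_SIZE_PERCPU);` only checks in debug builds, while the value it guards is a hand-maintained `32` in system.h that has to equal the byte count `write_stub_trampoline()` emits. If other code in the series derives stub addresses from that macro (not visible in this patch), a mismatch in a release build would go unnoticed and the MSR entry point could end up in the middle of a trampoline. Consider `BUG_ON(offset != STUB_TRAMPOLINE_SIZE_PERCPU);` at this boot-time-only site. The `#define` should also get a comment such as `/* Bytes emitted by write_stub_trampoline(); keep in sync. */`. `subarch_percpu_traps_init()` continues outside the hunk.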
diff --git a/xen/include/asm-x86/system.h b/xen/include/asm-x86/system.h
index 8ac170371b..06afc59822 100644
--- a/xen/include/asm-x86/system.h
+++ b/xen/include/asm-x86/system.h
@@ -230,6 +230,11 @@ static inline int local_irq_is_enabled(void)
void trap_init(void);
void init_idt_traps(void);
+#define STUB_TRAMPOLINE_SIZE_PERCPU 32
+void lstar_enter(void);
+void cstar_enter(void);
+void xpti_lstar(void);
+void xpti_cstar(void);
void load_system_tables(void);
void percpu_traps_init(void);
void subarch_percpu_traps_init(void);
--
2.13.6