From: Andrew Cooper <andrew.cooper3@citrix.com>
To: "Liu, Jinsong" <jinsong.liu@intel.com>
Cc: "keir@xen.org" <keir@xen.org>,
"Nakajima, Jun" <jun.nakajima@intel.com>,
"tim@xen.org" <tim@xen.org>, "Dong, Eddie" <eddie.dong@intel.com>,
"zhenzhong.duan@oracle.com" <zhenzhong.duan@oracle.com>,
"xen-devel@lists.xen.org" <xen-devel@lists.xen.org>,
"Auld, Will" <will.auld@intel.com>,
Jan Beulich <JBeulich@suse.com>,
"suravee.suthikulpanit@amd.com" <suravee.suthikulpanit@amd.com>,
"sherry.hurwitz@amd.com" <sherry.hurwitz@amd.com>
Subject: Re: [PATCH 3/3 V3] XSA-60 security hole: cr0.cd handling
Date: Tue, 29 Oct 2013 17:20:40 +0000 [thread overview]
Message-ID: <526FEE68.7050906@citrix.com> (raw)
In-Reply-To: <DE8DF0795D48FD4CA783C40EC8292335013AD6D8@SHSMSX101.ccr.corp.intel.com>
On 29/10/13 16:52, Liu, Jinsong wrote:
> Jan Beulich wrote:
>>>>> On 28.10.13 at 09:31, "Liu, Jinsong" <jinsong.liu@intel.com> wrote:
>>> Jan Beulich wrote:
>>>> While mentally going through this logic again I noticed, however,
>>>> that the cache flushing your patch is doing is still insufficient:
>>>> Doing this just when CD gets set and in the context switch path is
>>>> not enough. This needs to be done prior to each VM entry, unless it
>>>> can be proven that the hypervisor (or the service domain) didn't
>>>> touch guest memory.
>>> I think it's safe: it only need guarantee no vcpu guest context
>>> involved
>>> into the small window between cache flushing and TLB invalidation --
>>> after that it doesn't care whether hypervisor touch guest memory or
>>> not, since cache is clear and old memory type in TLB is invalidated
>>> (and is UC afterwards), so no cache line will be polluted by guest
>>> context any more.
>> No - consider a VM exit while in this mode where, in order to process
>> it, the hypervisor or service domain touch guest memory. Such
>> touching will happen with caches being used, and hence unwritten
>> data may be left in the caches when exiting back to the guest when
>> there's no wbinvd on the VM entry path. I don't think anything is
>> being said explicitly anywhere on whether cache contents are being
>> taken into consideration when CD=0 but PAT enforces UC.
>>
> I think we don't need worry about hypervisor touch guest memory when guest UC. I draft 2 tests, monitoring various events during guest UC period.
>
> Test 1 add wbinvd before vmentry. When guest booting, it hungs 10s ~ 60s at vcpu0 UC stage, with bunches of vmexit caused by lapic timer interrupt storm.
> Test 2 is our current patch. It shows during guest UC, vmexit only triggerred by interrupt/ CR access/ MSR access/ wbinvd. With these vmexits hypervisor will not touch any guest memory.
>
> For test1 lapic timer interrupt storm triggered by the 'wbinvd' (without it everything works fine. I didn't dig out the reason -- maybe wbinvd involved into tricky vmentry microcode process?), but anyway, test 2 demonstrates that hypervisor will not touch guest memory during guest UC period.
How about this:
1) Clear a page with ud2s
2) Use the hypervisor msr to write a new hypercall page over this
cleared page
3) Immediately try to make a hypercall using this new page
What guarantee is there that Xen writing the hypercall page has made its
way correctly back to RAM by the time domU tries to execute the hypercall?
~Andrew
>
> Tests log attached below:
> =========================================================
> Test 1: add wbinvd before vmentry (at vmx_vmenter_helper())
> (XEN) uc_vmenter_count = 10607
> (XEN) uc_vmexit_count = 10607
> (XEN) EXIT-REASON COUNT
> (XEN) 1 10463 // EXIT_REASON_EXTERNAL_INTERRUPT
> (XEN) 28 10 // EXIT_REASON_CR_ACCESS
> (XEN) 31 114 // EXIT_REASON_MSR_READ
> (XEN) 32 15 // EXIT_REASON_MSR_WRITE
> (XEN) 54 5 // EXIT_REASON_WBINVD
> (XEN) TOTAL EXIT-REASON-COUNT = 10607
> (XEN)
> (XEN) vcpu[0] vmentry count = 10492
> (XEN) vcpu[1] vmentry count = 37
> (XEN) vcpu[2] vmentry count = 40
> (XEN) vcpu[3] vmentry count = 38
> (XEN) interrupt vec 0xfa occurs 10450 times // lapic timer
> (XEN) interrupt vec 0xfb occurs 13 times // call function IPI
>
>
> Test 2: current patch which didn't add wbinvd before vmentry
> (XEN) uc_vmenter_count = 147
> (XEN) uc_vmexit_count = 147
> (XEN) EXIT-REASON COUNT
> (XEN) 1 3 // EXIT_REASON_EXTERNAL_INTERRUPT
> (XEN) 28 10 // EXIT_REASON_CR_ACCESS
> (XEN) 31 114 // EXIT_REASON_MSR_READ
> (XEN) 32 15 // EXIT_REASON_MSR_WRITE
> (XEN) 54 5 // EXIT_REASON_WBINVD
> (XEN) TOTAL EXIT-REASON-COUNT = 147
> (XEN)
> (XEN) vcpu[0] vmentry count = 45
> (XEN) vcpu[1] vmentry count = 34
> (XEN) vcpu[2] vmentry count = 34
> (XEN) vcpu[3] vmentry count = 34
> (XEN) interrupt vec 0xfa occurs 3 times // lapic timer
> ==================================================================
>
> Thanks,
> Jinsong
next prev parent reply other threads:[~2013-10-29 17:20 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-10-21 15:55 [PATCH 3/3 V3] XSA-60 security hole: cr0.cd handling Liu, Jinsong
2013-10-22 14:55 ` Jan Beulich
2013-10-23 8:48 ` DuanZhenzhong
2013-10-23 16:29 ` Nakajima, Jun
2013-10-23 16:38 ` Jan Beulich
2013-10-24 16:19 ` Liu, Jinsong
2013-10-24 16:39 ` Liu, Jinsong
2013-10-28 7:29 ` Jan Beulich
2013-10-28 8:31 ` Liu, Jinsong
2013-10-28 9:29 ` Jan Beulich
2013-10-29 16:52 ` Liu, Jinsong
2013-10-29 17:20 ` Andrew Cooper [this message]
2013-10-30 15:21 ` Liu, Jinsong
2013-10-30 15:27 ` Jan Beulich
2013-10-30 8:05 ` Jan Beulich
2013-10-30 15:41 ` Liu, Jinsong
2013-10-22 15:26 ` Tim Deegan
2013-10-23 10:16 ` Andrew Cooper
2013-11-04 8:49 ` Zhenzhong Duan
2013-11-04 9:05 ` kexec spin lock issue (was: Re: [PATCH 3/3 V3] XSA-60 security hole: cr0.cd handling) Jan Beulich
2013-11-06 12:30 ` [PATCH 3/3 V3] XSA-60 security hole: cr0.cd handling Jan Beulich
2013-11-05 21:06 ` Keir Fraser
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=526FEE68.7050906@citrix.com \
--to=andrew.cooper3@citrix.com \
--cc=JBeulich@suse.com \
--cc=eddie.dong@intel.com \
--cc=jinsong.liu@intel.com \
--cc=jun.nakajima@intel.com \
--cc=keir@xen.org \
--cc=sherry.hurwitz@amd.com \
--cc=suravee.suthikulpanit@amd.com \
--cc=tim@xen.org \
--cc=will.auld@intel.com \
--cc=xen-devel@lists.xen.org \
--cc=zhenzhong.duan@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).