From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Feng Wu <feng.wu@intel.com>
Cc: kevin.tian@intel.com, ian.campbell@citrix.com,
eddie.dong@intel.com, xen-devel@lists.xen.org, JBeulich@suse.com,
jun.nakajima@intel.com
Subject: Re: [PATCH v9 2/7] x86: Clear AC bit in RFLAGS to protect Xen itself by SMAP
Date: Mon, 12 May 2014 15:04:24 +0100 [thread overview]
Message-ID: <5370D4E8.5080200@citrix.com> (raw)
In-Reply-To: <1399876061-28158-3-git-send-email-feng.wu@intel.com>
On 12/05/14 07:27, Feng Wu wrote:
> Clear the AC bit in RFLAGS at the beginning of exception, interrupt and hypercall
> entry, so that Xen itself is protected by the SMAP mechanism. This patch also sets
> the AC bit at the beginning of double_fault and fatal_trap() to reduce the likelihood
> of taking a further fault while trying to dump state.
>
> Signed-off-by: Feng Wu <feng.wu@intel.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
> ---
> xen/arch/x86/acpi/suspend.c | 5 +----
> xen/arch/x86/boot/x86_64.S | 2 +-
> xen/arch/x86/traps.c | 3 +++
> xen/arch/x86/x86_64/compat/entry.S | 1 +
> xen/arch/x86/x86_64/entry.S | 14 +++++++++-----
> xen/arch/x86/x86_64/traps.c | 5 +----
> xen/include/asm-x86/asm_defns.h | 13 ++++++++++++-
> xen/include/asm-x86/processor.h | 4 ++++
> 8 files changed, 32 insertions(+), 15 deletions(-)
>
> diff --git a/xen/arch/x86/acpi/suspend.c b/xen/arch/x86/acpi/suspend.c
> index a373e9a..1d8344c 100644
> --- a/xen/arch/x86/acpi/suspend.c
> +++ b/xen/arch/x86/acpi/suspend.c
> @@ -56,10 +56,7 @@ void restore_rest_processor_state(void)
> wrmsrl(MSR_LSTAR, saved_lstar);
> wrmsrl(MSR_CSTAR, saved_cstar);
> wrmsr(MSR_STAR, 0, (FLAT_RING3_CS32<<16) | __HYPERVISOR_CS);
> - wrmsr(MSR_SYSCALL_MASK,
> - X86_EFLAGS_VM|X86_EFLAGS_RF|X86_EFLAGS_NT|
> - X86_EFLAGS_DF|X86_EFLAGS_IF|X86_EFLAGS_TF,
> - 0U);
> + wrmsr(MSR_SYSCALL_MASK, XEN_SYSCALL_MASK, 0U);
>
> wrfsbase(saved_fs_base);
> wrgsbase(saved_gs_base);
> diff --git a/xen/arch/x86/boot/x86_64.S b/xen/arch/x86/boot/x86_64.S
> index 22645d6..67dfef9 100644
> --- a/xen/arch/x86/boot/x86_64.S
> +++ b/xen/arch/x86/boot/x86_64.S
> @@ -60,7 +60,7 @@ start_bsp:
>
> /* This is the default interrupt handler. */
> ignore_int:
> - SAVE_ALL
> + SAVE_ALL CLAC
> movq %cr2,%rsi
> leaq int_msg(%rip),%rdi
> xorl %eax,%eax
> diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c
> index 5d27581..ac68a85 100644
> --- a/xen/arch/x86/traps.c
> +++ b/xen/arch/x86/traps.c
> @@ -401,6 +401,9 @@ void fatal_trap(int trapnr, struct cpu_user_regs *regs)
> {
> static DEFINE_PER_CPU(char, depth);
>
> + /* Set AC to reduce chance of further SMAP faults */
> + stac();
> +
> /*
> * In some cases, we can end up in a vicious cycle of fatal_trap()s
> * within fatal_trap()s. We give the problem a couple of iterations to
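Review bot: The comment above the new stac() says what it does but not why leaving AC set is acceptable here, which is the property a future reader needs before reusing the pattern elsewhere. I would expand it to `/* Set AC: dumping state may touch guest mappings, and a SMAP fault here would recurse into fatal_trap(). AC is deliberately not restored; this path does not return to the interrupted context. */` — the non-return property is suggested by the name and by the `ud2` after the do_double_fault and do_nmi_crash calls in the entry.S hunks, but fatal_trap()'s body continues outside this hunk, so confirm it before committing to that wording. The same two-word comment appears at the double_fault and nmi_crash hunks in entry.S; one fuller explanation here with a cross-reference from those sites would avoid repeating it.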
> diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S
> index 32b3bcc..ac594c9 100644
> --- a/xen/arch/x86/x86_64/compat/entry.S
> +++ b/xen/arch/x86/x86_64/compat/entry.S
> @@ -13,6 +13,7 @@
> #include <irq_vectors.h>
>
> ENTRY(compat_hypercall)
> + ASM_CLAC
> pushq $0
> SAVE_VOLATILE type=TRAP_syscall compat=1
>
> diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
> index 1c81852..42f66bf 100644
> --- a/xen/arch/x86/x86_64/entry.S
> +++ b/xen/arch/x86/x86_64/entry.S
> @@ -273,6 +273,7 @@ ENTRY(sysenter_entry)
> pushq $0
> pushfq
> GLOBAL(sysenter_eflags_saved)
> + ASM_CLAC
> pushq $3 /* ring 3 null cs */
> pushq $0 /* null rip */
> pushq $0
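Review bot: ASM_CLAC is placed after `pushfq` and the sysenter_eflags_saved label, so the flags word pushed on the previous line still carries the guest's AC value while Xen runs with AC clear; that ordering is load-bearing and is easy to break in a later reshuffle, so it deserves a comment such as `/* Must stay after pushfq: the pushed RFLAGS must carry the guest's AC. */`. The compat_hypercall and int80_direct_trap hunks add ASM_CLAC as the first instruction, which is consistent with those paths having their flags captured by hardware rather than by an explicit pushfq, though the hunks do not show that. sysenter_entry's body continues outside the hunk.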
> @@ -309,6 +310,7 @@ UNLIKELY_END(sysenter_gpf)
> jmp .Lbounce_exception
>
> ENTRY(int80_direct_trap)
> + ASM_CLAC
> pushq $0
> SAVE_VOLATILE 0x80
>
> @@ -466,7 +468,7 @@ ENTRY(dom_crash_sync_extable)
> jmp asm_domain_crash_synchronous /* Does not return */
>
> ENTRY(common_interrupt)
> - SAVE_ALL
> + SAVE_ALL CLAC
> movq %rsp,%rdi
> callq do_IRQ
> jmp ret_from_intr
> @@ -485,7 +487,7 @@ ENTRY(page_fault)
> movl $TRAP_page_fault,4(%rsp)
> /* No special register assumptions. */
> GLOBAL(handle_exception)
> - SAVE_ALL
> + SAVE_ALL CLAC
> handle_exception_saved:
> testb $X86_EFLAGS_IF>>8,UREGS_eflags+1(%rsp)
> jz exception_with_ints_disabled
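Review bot: The handle_exception_saved label sits after the new `SAVE_ALL CLAC`, so any path that jumps to that label directly bypasses the AC clear on this entry and must have executed CLAC itself. The int80_direct_trap hunk in this same file adds its own ASM_CLAC, which looks like it covers at least one such path, but the hunk does not show every jumper, so it is worth auditing them and recording the contract at the label, e.g. `/* Entered directly only by paths that have already executed CLAC. */`. The handle_exception body continues outside the hunk.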
> @@ -614,7 +616,8 @@ ENTRY(spurious_interrupt_bug)
>
> ENTRY(double_fault)
> movl $TRAP_double_fault,4(%rsp)
> - SAVE_ALL
> + /* Set AC to reduce chance of further SMAP faults */
> + SAVE_ALL STAC
> movq %rsp,%rdi
> call do_double_fault
> ud2
> @@ -631,7 +634,7 @@ ENTRY(nmi)
> pushq $0
> movl $TRAP_nmi,4(%rsp)
> handle_ist_exception:
> - SAVE_ALL
> + SAVE_ALL CLAC
> testb $3,UREGS_cs(%rsp)
> jz 1f
> /* Interrupted guest context. Copy the context to stack bottom. */
> @@ -667,7 +670,8 @@ handle_ist_exception:
> ENTRY(nmi_crash)
> pushq $0
> movl $TRAP_nmi,4(%rsp)
> - SAVE_ALL
> + /* Set AC to reduce chance of further SMAP faults */
> + SAVE_ALL STAC
> movq %rsp,%rdi
> callq do_nmi_crash /* Does not return */
> ud2
> diff --git a/xen/arch/x86/x86_64/traps.c b/xen/arch/x86/x86_64/traps.c
> index 90072c1..3a48478 100644
> --- a/xen/arch/x86/x86_64/traps.c
> +++ b/xen/arch/x86/x86_64/traps.c
> @@ -436,10 +436,7 @@ void __devinit subarch_percpu_traps_init(void)
>
> /* Common SYSCALL parameters. */
> wrmsr(MSR_STAR, 0, (FLAT_RING3_CS32<<16) | __HYPERVISOR_CS);
> - wrmsr(MSR_SYSCALL_MASK,
> - X86_EFLAGS_VM|X86_EFLAGS_RF|X86_EFLAGS_NT|
> - X86_EFLAGS_DF|X86_EFLAGS_IF|X86_EFLAGS_TF,
> - 0U);
> + wrmsr(MSR_SYSCALL_MASK, XEN_SYSCALL_MASK, 0U);
> }
>
> void init_int80_direct_trap(struct vcpu *v)
> diff --git a/xen/include/asm-x86/asm_defns.h b/xen/include/asm-x86/asm_defns.h
> index b75905a..df4873b 100644
> --- a/xen/include/asm-x86/asm_defns.h
> +++ b/xen/include/asm-x86/asm_defns.h
> @@ -190,7 +190,18 @@ static inline void stac(void)
> #endif
>
> #ifdef __ASSEMBLY__
> -.macro SAVE_ALL
> +.macro SAVE_ALL op
> +.ifeqs "\op", "CLAC"
> + ASM_CLAC
> +.else
> +.ifeqs "\op", "STAC"
> + ASM_STAC
> +.else
> +.ifnb \op
> + .err
> +.endif
> +.endif
> +.endif
> addq $-(UREGS_error_code-UREGS_r15), %rsp
> cld
> movq %rdi,UREGS_rdi(%rsp)
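Review bot: The new `op` parameter of SAVE_ALL is undocumented, and the `.ifeqs`/`.ifnb`/`.err` ladder is the only place its contract is visible; a short comment above `.macro SAVE_ALL op` stating that `op` is CLAC, STAC or empty, that anything else is an assemble-time error, and that the comparison is an exact string match (so lowercase `clac` is rejected rather than silently ignored) would spare the next caller a trip through the assembler manual. The rejection of unknown values via `.err` is the right choice, since a misspelled operand silently falling through would leave an entry path without its CLAC. The macro body continues outside the hunk.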
> diff --git a/xen/include/asm-x86/processor.h b/xen/include/asm-x86/processor.h
> index 604f5b3..35b2433 100644
> --- a/xen/include/asm-x86/processor.h
> +++ b/xen/include/asm-x86/processor.h
> @@ -141,6 +141,10 @@
> #define PFEC_page_paged (1U<<5)
> #define PFEC_page_shared (1U<<6)
>
> +#define XEN_SYSCALL_MASK (X86_EFLAGS_AC|X86_EFLAGS_VM|X86_EFLAGS_RF| \
> + X86_EFLAGS_NT|X86_EFLAGS_DF|X86_EFLAGS_IF| \
> + X86_EFLAGS_TF)
> +
> #ifndef __ASSEMBLY__
>
> struct domain;
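Review bot: XEN_SYSCALL_MASK is introduced without a comment, and its placement outside `#ifndef __ASSEMBLY__` plus the inclusion of X86_EFLAGS_AC are both deliberate choices a reader cannot recover from the define alone. I would add, above it, `/* RFLAGS bits cleared by SYSCALL via MSR_SYSCALL_MASK (suspend.c and x86_64/traps.c). AC is included so SMAP is enforced from the first hypervisor instruction. */`. The two consumers in the suspend.c and x86_64/traps.c hunks previously spelled the mask out inline, so the comment is also the natural place to say that the single definition is now authoritative.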