Re: [PATCH 2/2] x86/hvm: honor guest's option when updating secondary system time for guest

xen-devel.lists.xenproject.org archive mirror
 help / color / mirror / Atom feed

From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Jan Beulich <JBeulich@suse.com>, Feng Wu <feng.wu@intel.com>
Cc: "linux@eikelenboom.it" <linux@eikelenboom.it>,
	"keir@xen.org" <keir@xen.org>, "tim@xen.org" <tim@xen.org>,
	"xen-devel@lists.xen.org" <xen-devel@lists.xen.org>
Subject: Re: [PATCH 2/2] x86/hvm: honor guest's option when updating secondary system time for guest
Date: Fri, 25 Jul 2014 09:52:04 +0100	[thread overview]
Message-ID: <53D21AB4.3060108@citrix.com> (raw)
In-Reply-To: <53D232040200007800025E4A@mail.emea.novell.com>

On 25/07/14 09:31, Jan Beulich wrote:
>>>> On 25.07.14 at 10:03, <feng.wu@intel.com> wrote:
>>> -----Original Message-----
>>> From: Jan Beulich [mailto:JBeulich@suse.com]
>>> Sent: Friday, July 25, 2014 3:40 PM
>>> To: Wu, Feng
>>> Cc: linux@eikelenboom.it; xen-devel@lists.xen.org; konrad.wilk@oracle.com;
>>> keir@xen.org; tim@xen.org 
>>> Subject: RE: [PATCH 2/2] x86/hvm: honor guest's option when updating
>>> secondary system time for guest
>>>
>>>>>> On 25.07.14 at 09:33, <feng.wu@intel.com> wrote:
>>>>> -----Original Message-----
>>>>> From: Jan Beulich [mailto:JBeulich@suse.com]
>>>>> Sent: Friday, July 25, 2014 3:26 PM
>>>>> To: Wu, Feng
>>>>> Cc: linux@eikelenboom.it; xen-devel@lists.xen.org;
>>> konrad.wilk@oracle.com;
>>>>> keir@xen.org; tim@xen.org 
>>>>> Subject: RE: [PATCH 2/2] x86/hvm: honor guest's option when updating
>>>>> secondary system time for guest
>>>>>
>>>>>>>> On 25.07.14 at 06:30, <feng.wu@intel.com> wrote:
>>>>>>> -----Original Message-----
>>>>>>> From: Jan Beulich [mailto:JBeulich@suse.com]
>>>>>>> Sent: Wednesday, July 23, 2014 8:19 PM
>>>>>>> To: Wu, Feng
>>>>>>> Cc: linux@eikelenboom.it; xen-devel@lists.xen.org;
>>>>> konrad.wilk@oracle.com;
>>>>>>> keir@xen.org; tim@xen.org 
>>>>>>> Subject: Re: [PATCH 2/2] x86/hvm: honor guest's option when updating
>>>>>>> secondary system time for guest
>>>>>>>
>>>>>>>>>> On 08.07.14 at 01:18, <feng.wu@intel.com> wrote:
>>>>>>>> --- a/xen/include/public/vcpu.h
>>>>>>>> +++ b/xen/include/public/vcpu.h
>>>>>>>> @@ -227,6 +227,16 @@ struct vcpu_register_time_memory_area {
>>>>>>>>  typedef struct vcpu_register_time_memory_area
>>>>>>>> vcpu_register_time_memory_area_t;
>>>>>>>>  DEFINE_XEN_GUEST_HANDLE(vcpu_register_time_memory_area_t);
>>>>>>>>
>>>>>>>> +/*
>>>>>>>> + * Flags to tell Xen whether we need to do the SMAP check when
>>>>> updating
>>>>>>>> + * the secondary copy of the vcpu time when SMAP is enabled. Since
>>> the
>>>>>>>> + * memory location for the secondary copy of the vcpu time may be
>>>>> mapped
>>>>>>>> + * into userspace by guests intendedly, we let the guest to determine
>>>>>>>> + * whether the check is needed. The default behavior of hypevisor is
>>>>>>>> + * not doing the check.
>>>>>>>> + */
>>>>>>>> +#define VCPUOP_enable_smap_check_vcpu_time_memory_area
>>> 14
>>>>>>> I think the new op to be
>>> VCPUOP_register_vcpu_time_memory_area_smap,
>>>>>>> identical to VCPUOP_register_vcpu_time_memory_area apart from also
>>>>>>> setting the flag, would be more natural. But considering what I just
>>> wrote
>>>>>>> in the reply to Tim I guess we can expect a nun-user mapping to be
>>>>>>> presented here anyway, i.e. we wouldn't need to new operation at all.
>>>>>> Do you mean since the user-paging is r/o, guest will pass a r/w kernel page
>>>>>> to
>>>>>> Xen for updating the system time. So we don't need to do the SMAP check
>>>>>> in this case?
>>>>> If the user page is r/o, it's VA obviously can't be used for updating by
>>>>> Xen. Hence the kernel has to provide a r/w mapped VA. That should be
>>>>> subject to SMAP checking (consistent with the runstate area handling),
>>>>> to make sure it's not a user accessible mapping.
>>>> But there are two possible problems here:
>>>> 1. Is it possible that guest passes a user r/w page to update the system
>>>> time information?
>>> The guest kernel may pass a page that was originally mapped r/w-
>>> kernel, but the mapping later gets (say inadvertently) changed to
>>> r/w-user. That's why I think the SMAP checking ought to be done
>>> here.
>> But in another case, as what we discussed before, if the guest intended to
>> pass a user r/w page to get the time information. Do we need to do the
>> SMAP checking for this?
> The question is whether we should bother supporting such insecure
> kernels.

Thinking about this some more, how can we possibly know whether writing
to the nominated page is even safe?  At the point of update, there is no
knowledge about the current cr3 in use.

As far as I can see, the only safe actions Xen can take is refuse to
ever write to user mappings, and insist that any OS using this feature
provide a supervisor mapping to Xen (and guarantee it will never swap
the target of that mapping) and give user mappings of the same gpa to
any of its own userspace which wants access.  This then avoids any
concerns wrt SMAP.

~Andrew

next prev parent reply	other threads:[~2014-07-25  8:52 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-07-07 23:18 [PATCH 0/2] x86/HVM: Properly handle SMAP check in certain cases Feng Wu
2014-07-07 23:18 ` [PATCH 1/2] x86/hvm: Always do SMAP check when updating runstate_guest(v) Feng Wu
2014-07-08 10:04   ` Andrew Cooper
2014-07-09  1:33     ` Wu, Feng
2014-07-23 12:10       ` Jan Beulich
2014-07-10 10:56   ` Tim Deegan
2014-07-23 12:11     ` Jan Beulich
2014-07-23 12:15       ` Tim Deegan
2014-07-07 23:18 ` [PATCH 2/2] x86/hvm: honor guest's option when updating secondary system time for guest Feng Wu
2014-07-08 10:08   ` Andrew Cooper
2014-07-09  1:39     ` Wu, Feng
2014-07-08 16:13   ` Konrad Rzeszutek Wilk
2014-07-09  1:52     ` Wu, Feng
2014-07-10 11:00   ` Tim Deegan
2014-07-23 12:16     ` Jan Beulich
2014-07-23 12:19   ` Jan Beulich
2014-07-25  4:30     ` Wu, Feng
2014-07-25  7:25       ` Jan Beulich
2014-07-25  7:33         ` Wu, Feng
2014-07-25  7:39           ` Jan Beulich
2014-07-25  8:03             ` Wu, Feng
2014-07-25  8:31               ` Jan Beulich
2014-07-25  8:35                 ` Wu, Feng
2014-07-25  8:52                 ` Andrew Cooper [this message]
2014-07-25  9:17                   ` Jan Beulich
2014-07-08  9:56 ` [PATCH 0/2] x86/HVM: Properly handle SMAP check in certain cases Sander Eikelenboom

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=53D21AB4.3060108@citrix.com \
    --to=andrew.cooper3@citrix.com \
    --cc=JBeulich@suse.com \
    --cc=feng.wu@intel.com \
    --cc=keir@xen.org \
    --cc=linux@eikelenboom.it \
    --cc=tim@xen.org \
    --cc=xen-devel@lists.xen.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).