[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen-4.1-testing] x86-64: refine the XSA-9 fix
# HG changeset patch # User Jan Beulich <jbeulich@xxxxxxxx> # Date 1348131223 -7200 # Node ID 6162d01a51499009913119334fa6f061b5fea283 # Parent 4fc6e4f64024d1085ae397b38001d1194a5513be x86-64: refine the XSA-9 fix Our product management wasn't happy with the "solution" for XSA-9, and demanded that customer systems must continue to boot. Rather than having our and perhaps other distros carry non-trivial patches, allow for more fine grained control (panic on boot, deny guest creation, or merely warn) by means of a single line change. Also, as this was found to be a problem with remotely managed systems, don't default to boot denial (just deny guest creation). Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> Acked-by: Keir Fraser <keir@xxxxxxx> xen-unstable changeset: 25765:e6ca45ca03c2 xen-unstable date: Mon Aug 20 06:46:47 UTC 2012 --- diff -r 4fc6e4f64024 -r 6162d01a5149 xen/arch/x86/cpu/amd.c --- a/xen/arch/x86/cpu/amd.c Thu Sep 20 10:52:24 2012 +0200 +++ b/xen/arch/x86/cpu/amd.c Thu Sep 20 10:53:43 2012 +0200 @@ -32,8 +32,11 @@ static char opt_famrev[14]; string_param("cpuid_mask_cpu", opt_famrev); -static int opt_allow_unsafe; +#ifdef __x86_64__ +/* 1 = allow, 0 = don't allow guest creation, -1 = don't allow boot */ +int __read_mostly opt_allow_unsafe; boolean_param("allow_unsafe", opt_allow_unsafe); +#endif static inline void wrmsr_amd(unsigned int index, unsigned int lo, unsigned int hi) @@ -623,10 +626,19 @@ static void __devinit init_amd(struct cp clear_bit(X86_FEATURE_MCE, c->x86_capability); #ifdef __x86_64__ - if (cpu_has_amd_erratum(c, AMD_ERRATUM_121) && !opt_allow_unsafe) + if (!cpu_has_amd_erratum(c, AMD_ERRATUM_121)) + opt_allow_unsafe = 1; + else if (opt_allow_unsafe < 0) panic("Xen will not boot on this CPU for security reasons.\n" "Pass \"allow_unsafe\" if you're trusting all your" " (PV) guest kernels.\n"); + else if (!opt_allow_unsafe && c == &boot_cpu_data) + printk(KERN_WARNING + "*** Xen will not allow creation of DomU-s on" + " this CPU for security reasons. ***\n" + KERN_WARNING + "*** Pass \"allow_unsafe\" if you're trusting" + " all your (PV) guest kernels. ***\n"); /* AMD CPUs do not support SYSENTER outside of legacy mode. */ clear_bit(X86_FEATURE_SEP, c->x86_capability); diff -r 4fc6e4f64024 -r 6162d01a5149 xen/arch/x86/domain.c --- a/xen/arch/x86/domain.c Thu Sep 20 10:52:24 2012 +0200 +++ b/xen/arch/x86/domain.c Thu Sep 20 10:53:43 2012 +0200 @@ -52,6 +52,7 @@ #include <asm/traps.h> #include <asm/nmi.h> #include <asm/mce.h> +#include <asm/amd.h> #include <xen/numa.h> #include <xen/iommu.h> #ifdef CONFIG_COMPAT @@ -457,6 +458,20 @@ int arch_domain_create(struct domain *d, #else /* __x86_64__ */ + if ( d->domain_id && !is_idle_domain(d) && + cpu_has_amd_erratum(&boot_cpu_data, AMD_ERRATUM_121) ) + { + if ( !opt_allow_unsafe ) + { + printk(XENLOG_G_ERR "Xen does not allow DomU creation on this CPU" + " for security reasons.\n"); + return -EPERM; + } + printk(XENLOG_G_WARNING + "Dom%d may compromise security on this CPU.\n", + d->domain_id); + } + BUILD_BUG_ON(PDPT_L2_ENTRIES * sizeof(*d->arch.mm_perdomain_pt_pages) != PAGE_SIZE); pg = alloc_domheap_page(NULL, MEMF_node(domain_to_node(d))); diff -r 4fc6e4f64024 -r 6162d01a5149 xen/include/asm-x86/amd.h --- a/xen/include/asm-x86/amd.h Thu Sep 20 10:52:24 2012 +0200 +++ b/xen/include/asm-x86/amd.h Thu Sep 20 10:53:43 2012 +0200 @@ -151,6 +151,8 @@ struct cpuinfo_x86; int cpu_has_amd_erratum(const struct cpuinfo_x86 *, int, ...); #ifdef __x86_64__ +extern int opt_allow_unsafe; + void fam10h_check_enable_mmcfg(void); void check_enable_amd_mmconf_dmi(void); #endif _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx http://lists.xensource.com/xen-changelog
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |