
[Xen-changelog] [xen-4.1-testing] x86-64: refine the XSA-9 fix


  • To: xen-changelog@xxxxxxxxxxxxxxxxxxx
  • From: Xen patchbot-4.1-testing <patchbot@xxxxxxx>
  • Date: Thu, 20 Sep 2012 17:22:17 +0000
  • Delivery-date: Thu, 20 Sep 2012 17:22:23 +0000
  • List-id: "Change log for Mercurial \(receive only\)" <xen-changelog.lists.xen.org>

# HG changeset patch
# User Jan Beulich <jbeulich@xxxxxxxx>
# Date 1348131223 -7200
# Node ID 6162d01a51499009913119334fa6f061b5fea283
# Parent  4fc6e4f64024d1085ae397b38001d1194a5513be
x86-64: refine the XSA-9 fix

Our product management wasn't happy with the "solution" for XSA-9, and
demanded that customer systems must continue to boot. Rather than
having our and perhaps other distros carry non-trivial patches, allow
for more fine grained control (panic on boot, deny guest creation, or
merely warn) by means of a single line change.

Also, as this was found to be a problem with remotely managed systems,
don't default to boot denial (just deny guest creation).

Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
Acked-by: Keir Fraser <keir@xxxxxxx>
xen-unstable changeset: 25765:e6ca45ca03c2
xen-unstable date: Mon Aug 20 06:46:47 UTC 2012
---


diff -r 4fc6e4f64024 -r 6162d01a5149 xen/arch/x86/cpu/amd.c
--- a/xen/arch/x86/cpu/amd.c    Thu Sep 20 10:52:24 2012 +0200
+++ b/xen/arch/x86/cpu/amd.c    Thu Sep 20 10:53:43 2012 +0200
@@ -32,8 +32,11 @@
 static char opt_famrev[14];
 string_param("cpuid_mask_cpu", opt_famrev);
 
-static int opt_allow_unsafe;
+#ifdef __x86_64__
+/* 1 = allow, 0 = don't allow guest creation, -1 = don't allow boot */
+int __read_mostly opt_allow_unsafe;
 boolean_param("allow_unsafe", opt_allow_unsafe);
+#endif
 
 static inline void wrmsr_amd(unsigned int index, unsigned int lo, 
                unsigned int hi)
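Review bot: The new comment on `opt_allow_unsafe` documents three states, but the variable is still registered through `boolean_param("allow_unsafe", ...)`, which as far as I know only stores 0 or 1. The -1 "don't allow boot" policy is therefore reachable only by editing the initializer at build time, which matches the "single line change" in the description but is not stated next to the code. I would spell that out, e.g. `/* 1 = allow, 0 = deny guest creation (default), -1 = deny boot; -1 is build-time only, "allow_unsafe" on the command line can only select 0 or 1 */`. Since the variable is no longer `static`, the same sentence belongs next to the `extern` in xen/include/asm-x86/amd.h, so readers of xen/arch/x86/domain.c see the contract.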
@@ -623,10 +626,19 @@ static void __devinit init_amd(struct cp
                clear_bit(X86_FEATURE_MCE, c->x86_capability);
 
 #ifdef __x86_64__
-       if (cpu_has_amd_erratum(c, AMD_ERRATUM_121) && !opt_allow_unsafe)
+       if (!cpu_has_amd_erratum(c, AMD_ERRATUM_121))
+               opt_allow_unsafe = 1;
+       else if (opt_allow_unsafe < 0)
                panic("Xen will not boot on this CPU for security reasons.\n"
                      "Pass \"allow_unsafe\" if you're trusting all your"
                      " (PV) guest kernels.\n");
+       else if (!opt_allow_unsafe && c == &boot_cpu_data)
+               printk(KERN_WARNING
+                      "*** Xen will not allow creation of DomU-s on"
+                      " this CPU for security reasons. ***\n"
+                      KERN_WARNING
+                      "*** Pass \"allow_unsafe\" if you're trusting"
+                      " all your (PV) guest kernels. ***\n");
 
        /* AMD CPUs do not support SYSENTER outside of legacy mode. */
        clear_bit(X86_FEATURE_SEP, c->x86_capability);
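Review bot: The first branch, `opt_allow_unsafe = 1;`, rewrites a system-wide policy flag whenever `init_amd` sees a CPU without erratum 121, and `init_amd` presumably runs once per CPU, not only for the boot CPU. The gate added to `arch_domain_create` in xen/arch/x86/domain.c tests the erratum on `boot_cpu_data` and then reads this flag, so with an affected boot CPU and an unaffected later CPU the flag would end up 1 and DomU creation would no longer be refused. Conversely, an affected secondary CPU behind an unaffected boot CPU is never acted on. Whether such mixed-revision systems occur is not visible from this patch. The write still looks removable, because the only reader shown here re-tests the erratum before consulting the flag, and dropping it would leave the administrator's setting untouched. The body of `init_amd` starts and ends outside this hunk.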
diff -r 4fc6e4f64024 -r 6162d01a5149 xen/arch/x86/domain.c
--- a/xen/arch/x86/domain.c     Thu Sep 20 10:52:24 2012 +0200
+++ b/xen/arch/x86/domain.c     Thu Sep 20 10:53:43 2012 +0200
@@ -52,6 +52,7 @@
 #include <asm/traps.h>
 #include <asm/nmi.h>
 #include <asm/mce.h>
+#include <asm/amd.h>
 #include <xen/numa.h>
 #include <xen/iommu.h>
 #ifdef CONFIG_COMPAT
@@ -457,6 +458,20 @@ int arch_domain_create(struct domain *d,
 
 #else /* __x86_64__ */
 
+    if ( d->domain_id && !is_idle_domain(d) &&
+         cpu_has_amd_erratum(&boot_cpu_data, AMD_ERRATUM_121) )
+    {
+        if ( !opt_allow_unsafe )
+        {
+            printk(XENLOG_G_ERR "Xen does not allow DomU creation on this CPU"
+                   " for security reasons.\n");
+            return -EPERM;
+        }
+        printk(XENLOG_G_WARNING
+               "Dom%d may compromise security on this CPU.\n",
+               d->domain_id);
+    }
+
     BUILD_BUG_ON(PDPT_L2_ENTRIES * sizeof(*d->arch.mm_perdomain_pt_pages)
                  != PAGE_SIZE);
     pg = alloc_domheap_page(NULL, MEMF_node(domain_to_node(d)));
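Review bot: The new block in `arch_domain_create` has no comment naming what it enforces, so a later reader cannot tell why non-idle domains with a non-zero `domain_id` are refused on some AMD CPUs. I would add above the `if` something like `/* XSA-9 (AMD erratum 121): refuse DomU creation unless "allow_unsafe" was given; Dom0 is exempt because it is trusted. */`. The panic text in xen/arch/x86/cpu/amd.c limits the concern to PV guest kernels, while the test here does not look at the guest type. HVM domains are presumably refused too, and if that is intentional the comment should say so. The function continues outside the hunk, so it is worth confirming that nothing acquired earlier needs releasing before the direct `return -EPERM;`.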
diff -r 4fc6e4f64024 -r 6162d01a5149 xen/include/asm-x86/amd.h
--- a/xen/include/asm-x86/amd.h Thu Sep 20 10:52:24 2012 +0200
+++ b/xen/include/asm-x86/amd.h Thu Sep 20 10:53:43 2012 +0200
@@ -151,6 +151,8 @@ struct cpuinfo_x86;
 int cpu_has_amd_erratum(const struct cpuinfo_x86 *, int, ...);
 
 #ifdef __x86_64__
+extern int opt_allow_unsafe;
+
 void fam10h_check_enable_mmcfg(void);
 void check_enable_amd_mmconf_dmi(void);
 #endif
