[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen staging-4.9] x86/xstate: Use a guests CPUID policy, rather than allowing all features
commit 819e114e39bb34218349bce194c5c89210a98bc8 Author: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> AuthorDate: Mon Jul 30 11:55:46 2018 +0200 Commit: Jan Beulich <jbeulich@xxxxxxxx> CommitDate: Mon Jul 30 11:55:46 2018 +0200 x86/xstate: Use a guests CPUID policy, rather than allowing all features It turns out that Xen has never enforced that a domain remain within the xstate features advertised in CPUID. The check of new_bv against xfeature_mask ensures that a domain stays within the set of features that Xen has enabled in hardware (and therefore isn't a security problem), but this does means that attempts to level a guest for migration safety might not be effective if the guest ignores CPUID. Check the CPUID policy in validate_xstate() (for incoming migration) and in handle_xsetbv() (for guest XSETBV instructions). This subsumes the PKRU check for PV guests in handle_xsetbv() (and also demonstrates that I should have spotted this problem while reviewing c/s fbf9971241f). For migration, this is correct despite the current (mis)ordering of data because d->arch.cpuid is the applicable max policy. Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx> master commit: 361b835fa00d9f45167c50a60e054ccf22c065d7 master date: 2018-07-19 19:57:26 +0100 --- xen/arch/x86/domctl.c | 2 +- xen/arch/x86/hvm/hvm.c | 2 +- xen/arch/x86/xstate.c | 17 +++++++++++------ xen/include/asm-x86/xstate.h | 5 +++-- 4 files changed, 16 insertions(+), 10 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index e14a0eabde..61ed9540d3 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -1199,7 +1199,7 @@ long arch_do_domctl( if ( _xcr0_accum ) { if ( evc->size >= PV_XSAVE_HDR_SIZE + XSTATE_AREA_MIN_SIZE ) - ret = validate_xstate(_xcr0, _xcr0_accum, + ret = validate_xstate(d, _xcr0, _xcr0_accum, &_xsave_area->xsave_hdr); } else if ( !_xcr0 ) diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c index 78b692cd2b..d6fe84d229 100644 --- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c @@ -1251,7 +1251,7 @@ static int hvm_load_cpu_xsave_states(struct domain *d, hvm_domain_context_t *h) ctxt = (struct hvm_hw_cpu_xsave *)&h->data[h->cur]; h->cur += desc->length; - err = validate_xstate(ctxt->xcr0, ctxt->xcr0_accum, + err = validate_xstate(d, ctxt->xcr0, ctxt->xcr0_accum, (const void *)&ctxt->save_area.xsave_hdr); if ( err ) { diff --git a/xen/arch/x86/xstate.c b/xen/arch/x86/xstate.c index c2a722c60e..3e2b457ed6 100644 --- a/xen/arch/x86/xstate.c +++ b/xen/arch/x86/xstate.c @@ -670,12 +670,17 @@ static bool_t valid_xcr0(u64 xcr0) return !(xcr0 & XSTATE_BNDREGS) == !(xcr0 & XSTATE_BNDCSR); } -int validate_xstate(u64 xcr0, u64 xcr0_accum, const struct xsave_hdr *hdr) +int validate_xstate(const struct domain *d, uint64_t xcr0, uint64_t xcr0_accum, + const struct xsave_hdr *hdr) { + const struct cpuid_policy *cp = d->arch.cpuid; + uint64_t xcr0_max = + ((uint64_t)cp->xstate.xcr0_high << 32) | cp->xstate.xcr0_low; unsigned int i; if ( (hdr->xstate_bv & ~xcr0_accum) || (xcr0 & ~xcr0_accum) || + (xcr0_accum & ~xcr0_max) || !valid_xcr0(xcr0) || !valid_xcr0(xcr0_accum) ) return -EINVAL; @@ -694,18 +699,18 @@ int validate_xstate(u64 xcr0, u64 xcr0_accum, const struct xsave_hdr *hdr) int handle_xsetbv(u32 index, u64 new_bv) { struct vcpu *curr = current; + const struct cpuid_policy *cp = curr->domain->arch.cpuid; + uint64_t xcr0_max = + ((uint64_t)cp->xstate.xcr0_high << 32) | cp->xstate.xcr0_low; u64 mask; if ( index != XCR_XFEATURE_ENABLED_MASK ) return -EOPNOTSUPP; - if ( (new_bv & ~xfeature_mask) || !valid_xcr0(new_bv) ) + if ( (new_bv & ~xcr0_max) || + (new_bv & ~xfeature_mask) || !valid_xcr0(new_bv) ) return -EINVAL; - /* XCR0.PKRU is disabled on PV mode. */ - if ( is_pv_vcpu(curr) && (new_bv & XSTATE_PKRU) ) - return -EOPNOTSUPP; - if ( !set_xcr0(new_bv) ) return -EFAULT; diff --git a/xen/include/asm-x86/xstate.h b/xen/include/asm-x86/xstate.h index b31ad75bdb..6afba6bc23 100644 --- a/xen/include/asm-x86/xstate.h +++ b/xen/include/asm-x86/xstate.h @@ -116,8 +116,9 @@ void xsave(struct vcpu *v, uint64_t mask); void xrstor(struct vcpu *v, uint64_t mask); void xstate_set_init(uint64_t mask); bool_t xsave_enabled(const struct vcpu *v); -int __must_check validate_xstate(u64 xcr0, u64 xcr0_accum, - const struct xsave_hdr *); +int __must_check validate_xstate(const struct domain *d, + uint64_t xcr0, uint64_t xcr0_accum, + const struct xsave_hdr *hdr); int __must_check handle_xsetbv(u32 index, u64 new_bv); void expand_xsave_states(struct vcpu *v, void *dest, unsigned int size); void compress_xsave_states(struct vcpu *v, const void *src, unsigned int size); -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.9 _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/xen-changelog
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |