[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen stable-4.12] x86/sm{e, a}p: do not enable SMEP/SMAP in PV shim by default on AMD



commit 58d3a681b8f279d1801db6468d8b151bd2fd3518
Author:     Igor Druzhinin <igor.druzhinin@xxxxxxxxxx>
AuthorDate: Thu Mar 5 11:16:11 2020 +0100
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Thu Mar 5 11:16:11 2020 +0100

    x86/sm{e, a}p: do not enable SMEP/SMAP in PV shim by default on AMD
    
    Due to AMD and Hygon being unable to selectively trap CR4 bit modifications
    running 32-bit PV guest inside PV shim comes with significant performance
    hit. Moreover, for SMEP in particular every time CR4.SMEP changes on context
    switch to/from 32-bit PV guest, it gets trapped by L0 Xen which then
    tries to perform global TLB invalidation for PV shim domain. This usually
    results in eventual hang of a PV shim with at least several vCPUs.
    
    Since the overall security risk is generally lower for shim Xen as it being
    there more of a defense-in-depth mechanism, choose to disable SMEP/SMAP in
    it by default on AMD and Hygon unless a user chose otherwise.
    
    Signed-off-by: Igor Druzhinin <igor.druzhinin@xxxxxxxxxx>
    Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
    master commit: b05ec9263e56ef0784da766e829cfe08569d1d88
    master date: 2020-01-17 16:18:20 +0100
---
 docs/misc/xen-command-line.pandoc | 10 ++++++++--
 xen/arch/x86/setup.c              | 18 ++++++++++++------
 2 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/docs/misc/xen-command-line.pandoc 
b/docs/misc/xen-command-line.pandoc
index 519851c278..3561d88b59 100644
--- a/docs/misc/xen-command-line.pandoc
+++ b/docs/misc/xen-command-line.pandoc
@@ -1854,19 +1854,25 @@ is 1MB.
 ### smap (x86)
 > `= <boolean> | hvm`
 
-> Default: `true`
+> Default: `true` unless running in pv-shim mode on AMD hardware
 
 Flag to enable Supervisor Mode Access Prevention
 Use `smap=hvm` to allow SMAP use by HVM guests only.
 
+In PV shim mode on AMD hardware due to significant performance impact in some
+cases and generally lower security risk the option defaults to false.
+
 ### smep (x86)
 > `= <boolean> | hvm`
 
-> Default: `true`
+> Default: `true` unless running in pv-shim mode on AMD hardware
 
 Flag to enable Supervisor Mode Execution Protection
 Use `smep=hvm` to allow SMEP use by HVM guests only.
 
+In PV shim mode on AMD hardware due to significant performance impact in some
+cases and generally lower security risk the option defaults to false.
+
 ### smt (x86)
 > `= <boolean>`
 
diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c
index 5ab53e3d85..ec6500b867 100644
--- a/xen/arch/x86/setup.c
+++ b/xen/arch/x86/setup.c
@@ -107,9 +107,9 @@ struct cpuinfo_x86 __read_mostly boot_cpu_data = { 0, 0, 0, 
0, -1 };
 
 unsigned long __read_mostly mmu_cr4_features = XEN_MINIMAL_CR4;
 
-/* smep: Enable/disable Supervisor Mode Execution Protection (default on). */
-#define SMEP_HVM_ONLY (-1)
-static s8 __initdata opt_smep = 1;
+/* smep: Enable/disable Supervisor Mode Execution Protection */
+#define SMEP_HVM_ONLY (-2)
+static s8 __initdata opt_smep = -1;
 
 /*
  * Initial domain place holder. Needs to be global so it can be created in
@@ -144,9 +144,9 @@ static int __init parse_smep_param(const char *s)
 }
 custom_param("smep", parse_smep_param);
 
-/* smap: Enable/disable Supervisor Mode Access Prevention (default on). */
-#define SMAP_HVM_ONLY (-1)
-static s8 __initdata opt_smap = 1;
+/* smap: Enable/disable Supervisor Mode Access Prevention */
+#define SMAP_HVM_ONLY (-2)
+static s8 __initdata opt_smap = -1;
 
 static int __init parse_smap_param(const char *s)
 {
@@ -1600,6 +1600,12 @@ void __init noreturn __start_xen(unsigned long mbi_p)
 
     set_in_cr4(X86_CR4_OSFXSR | X86_CR4_OSXMMEXCPT);
 
+    /* Do not enable SMEP/SMAP in PV shim on AMD by default */
+    if ( opt_smep == -1 )
+        opt_smep = !pv_shim || boot_cpu_data.x86_vendor != X86_VENDOR_AMD;
+    if ( opt_smap == -1 )
+        opt_smap = !pv_shim || boot_cpu_data.x86_vendor != X86_VENDOR_AMD;
+
     if ( !opt_smep )
         setup_clear_cpu_cap(X86_FEATURE_SMEP);
     if ( cpu_has_smep && opt_smep != SMEP_HVM_ONLY )
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.12

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.