Xen project Mailing List

RE: [Xen-devel] Re: [Xen-changelog] [xen-unstable] x86_emulate: Emulate RDTSCP instruction.

To: Keir Fraser <keir.fraser@xxxxxxxxxxxxx>, Dan Magenheimer <dan.magenheimer@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>

From: "Zhang, Xiantao" <xiantao.zhang@xxxxxxxxx>

Date: Thu, 17 Dec 2009 15:21:10 +0800

Accept-language: en-US

Acceptlanguage: en-US

Cc:

Delivery-date: Wed, 16 Dec 2009 23:21:50 -0800

List-id: Xen developer discussion <xen-devel.lists.xensource.com>

Thread-index: Acp+jkyE4e2n8njFRGqCBa6Frw2rqAAEQ/3nAA9MGjAAAiEpmwABFIhw

Thread-topic: [Xen-devel] Re: [Xen-changelog] [xen-unstable] x86_emulate: Emulate RDTSCP instruction.

If we don't care such security issues, also okay for me. :) Xiantao Keir Fraser wrote: > On 17/12/2009 05:56, "Zhang, Xiantao" <xiantao.zhang@xxxxxxxxx> wrote: > >> Hi, Keir >> After adding the logic, it can solve the migration issue between >> rdtscp-capable machine and rdtsc-less machine, but it also >> introduces a security hole at the same time. Imagine the case below: >> If boot a guest on a rdtsc-less machine and cpuid instruction tells >> the guest OS that processor doesn't support rdtscp instruction, but >> rdtscp can execute successfully on it instead of hitting a expected >> #UD exception. And guest can use this security hole to detect >> whether it is running in a virutal machine or not. Thanks! > > There's no doubt a guest could already detect this if it wanted, even > from user space. If this was seriously part of our threat model, we'd > need to be much more careful than we are. As it is we explicitly > announce our presence via CPUID in a way that cannot be turned off! > > -- Keir > >> Xiantao >> >> >> Keir Fraser wrote: >>> Would have done if the original HVM TSC_AUX patch was up to it. I've >>> rewritten it about 1/4 the size and does more, as c/s 20646. >>> >>> -- Keir >>> >>> On 16/12/2009 20:27, "Dan Magenheimer" <dan.magenheimer@xxxxxxxxxx> >>> wrote: >>> >>>> Is this patch supposed to allow an application >>>> in an HVM domain to successfully execute an rdtscp >>>> instruction even on a processor that doesn't have >>>> hardware support for the instruction? >>>> >>>> If so, I tried it and it doesn't seem to work. >>>> The app segfaults (same, I think, as it did before >>>> the patch). >>>> >>>>> -----Original Message----- >>>>> From: Xen patchbot-unstable >>>>> [mailto:patchbot-unstable@xxxxxxxxxxxxxxxxxxx] >>>>> Sent: Wednesday, December 16, 2009 7:00 AM >>>>> To: xen-changelog@xxxxxxxxxxxxxxxxxxx >>>>> Subject: [Xen-changelog] [xen-unstable] x86_emulate: Emulate >>>>> RDTSCP instruction. >>>>> >>>>> >>>>> # HG changeset patch >>>>> # User Keir Fraser <keir.fraser@xxxxxxxxxx> >>>>> # Date 1260967518 0 >>>>> # Node ID cbcb3d564b2fb51574b8a1d06cd6e7780839c331 >>>>> # Parent b543acc1aaad743f20e8ee44ab048ca239350685 >>>>> x86_emulate: Emulate RDTSCP instruction. >>>>> >>>>> Signed-off-by: Keir Fraser <keir.fraser@xxxxxxxxxx> --- >>>>> xen/arch/x86/x86_emulate/x86_emulate.c | 13 ++++++++++++- >>>>> 1 files changed, 12 insertions(+), 1 deletion(-) >>>>> >>>>> diff -r b543acc1aaad -r cbcb3d564b2f >>>>> xen/arch/x86/x86_emulate/x86_emulate.c >>>>> --- a/xen/arch/x86/x86_emulate/x86_emulate.c Wed Dec 16 12:32:35 >>>>> 2009 +0000 +++ b/xen/arch/x86/x86_emulate/x86_emulate.c Wed Dec 16 >>>>> 12:45:18 2009 +0000 @@ -292,6 +292,7 @@ struct operand { >>>>> #define MSR_LSTAR 0xc0000082 >>>>> #define MSR_CSTAR 0xc0000083 >>>>> #define MSR_FMASK 0xc0000084 >>>>> +#define MSR_TSC_AUX 0xc0000103 >>>>> >>>>> /* Control register flags. */ >>>>> #define CR0_PE (1<<0) >>>>> @@ -3503,6 +3504,16 @@ x86_emulate( >>>>> break; >>>>> } >>>>> >>>>> + if ( modrm == 0xf9 ) /* rdtscp */ >>>>> + { >>>>> + uint64_t tsc_aux; >>>>> + fail_if(ops->read_msr == NULL); >>>>> + if ( (rc = ops->read_msr(MSR_TSC_AUX, &tsc_aux, >>>>> ctxt)) != 0 ) + goto done; >>>>> + _regs.ecx = (uint32_t)tsc_aux; >>>>> + goto rdtsc; >>>>> + } >>>>> + >>>>> switch ( modrm_reg & 7 ) >>>>> { >>>>> case 0: /* sgdt */ >>>>> @@ -3712,7 +3723,7 @@ x86_emulate( >>>>> break; >>>>> } >>>>> >>>>> - case 0x31: /* rdtsc */ { >>>>> + case 0x31: rdtsc: /* rdtsc */ { >>>>> unsigned long cr4; >>>>> uint64_t val; >>>>> if ( !mode_ring0() ) >>>>> >>>>> _______________________________________________ >>>>> Xen-changelog mailing list >>>>> Xen-changelog@xxxxxxxxxxxxxxxxxxx >>>>> http://lists.xensource.com/xen-changelog >>>>> >>> >>> >>> >>> _______________________________________________ >>> Xen-devel mailing list >>> Xen-devel@xxxxxxxxxxxxxxxxxxx >>> http://lists.xensource.com/xen-devel _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.