[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH v7 05/10] x86: Clear AC bit in RFLAGS to protect Xen itself by SMAP

Clear AC bit in RFLAGS at the beginning of exception, interrupt, hypercall,
so Xen itself can be protected by SMAP mechanism. This patch also sets AC
bit at the beginning of double_fault and fatal_trap() to reduce the likelihood
of taking a further fault while trying to dump state.

Signed-off-by: Feng Wu <feng.wu@xxxxxxxxx>
---
 xen/arch/x86/acpi/suspend.c        |  2 +-
 xen/arch/x86/traps.c               |  6 ++++++
 xen/arch/x86/x86_64/compat/entry.S |  3 ++-
 xen/arch/x86/x86_64/entry.S        | 12 +++++++++---
 xen/arch/x86/x86_64/traps.c        |  2 +-
 xen/include/asm-x86/asm_defns.h    | 15 ++++++++++++++-
 6 files changed, 33 insertions(+), 7 deletions(-)

diff --git a/xen/arch/x86/acpi/suspend.c b/xen/arch/x86/acpi/suspend.c
index a373e9a..acf667d 100644
--- a/xen/arch/x86/acpi/suspend.c
+++ b/xen/arch/x86/acpi/suspend.c
@@ -57,7 +57,7 @@ void restore_rest_processor_state(void)
     wrmsrl(MSR_CSTAR, saved_cstar);
     wrmsr(MSR_STAR, 0, (FLAT_RING3_CS32<<16) | __HYPERVISOR_CS);
     wrmsr(MSR_SYSCALL_MASK,
-          X86_EFLAGS_VM|X86_EFLAGS_RF|X86_EFLAGS_NT|
+          X86_EFLAGS_AC|X86_EFLAGS_VM|X86_EFLAGS_RF|X86_EFLAGS_NT|
           X86_EFLAGS_DF|X86_EFLAGS_IF|X86_EFLAGS_TF,
           0U);
 
diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c
index 45070bb..3800b6f 100644
--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -402,6 +402,12 @@ void fatal_trap(int trapnr, struct cpu_user_regs *regs)
     static DEFINE_PER_CPU(char, depth);
 
     /*
+     * Set AC bit to reduce the likelihood of taking a further fault
+     * while trying to dump state.
+     */
+    stac();
+
+    /*
      * In some cases, we can end up in a vicious cycle of fatal_trap()s
      * within fatal_trap()s. We give the problem a couple of iterations to
      * bottom out, and then we just panic.
diff --git a/xen/arch/x86/x86_64/compat/entry.S 
b/xen/arch/x86/x86_64/compat/entry.S
index 32b3bcc..1d1d3d6 100644
--- a/xen/arch/x86/x86_64/compat/entry.S
+++ b/xen/arch/x86/x86_64/compat/entry.S
@@ -13,6 +13,7 @@
 #include <irq_vectors.h>
 
 ENTRY(compat_hypercall)
+        ASM_CLAC
         pushq $0
         SAVE_VOLATILE type=TRAP_syscall compat=1
 
@@ -178,7 +179,7 @@ ENTRY(compat_restore_all_guest)
 
 .section .fixup,"ax"
 .Lfx0:  sti
-        SAVE_ALL
+        SAVE_ALL 2
         movq  UREGS_error_code(%rsp),%rsi
         movq  %rsp,%rax
         andq  $~0xf,%rsp
diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
index 1c81852..ed7b96f 100644
--- a/xen/arch/x86/x86_64/entry.S
+++ b/xen/arch/x86/x86_64/entry.S
@@ -68,7 +68,7 @@ iret_exit_to_guest:
 
 .section .fixup,"ax"
 .Lfx0:  sti
-        SAVE_ALL
+        SAVE_ALL 2
         movq  UREGS_error_code(%rsp),%rsi
         movq  %rsp,%rax
         andq  $~0xf,%rsp
@@ -273,6 +273,7 @@ ENTRY(sysenter_entry)
         pushq $0
         pushfq
 GLOBAL(sysenter_eflags_saved)
+        ASM_CLAC
         pushq $3 /* ring 3 null cs */
         pushq $0 /* null rip */
         pushq $0
@@ -309,6 +310,7 @@ UNLIKELY_END(sysenter_gpf)
         jmp   .Lbounce_exception
 
 ENTRY(int80_direct_trap)
+        ASM_CLAC
         pushq $0
         SAVE_VOLATILE 0x80
 
@@ -614,14 +616,18 @@ ENTRY(spurious_interrupt_bug)
 
 ENTRY(double_fault)
         movl  $TRAP_double_fault,4(%rsp)
-        SAVE_ALL
+        /*
+         * Set AC bit to reduce the likelihood of taking a further fault
+         * while trying to dump state.
+         */
+        SAVE_ALL 1
         movq  %rsp,%rdi
         call  do_double_fault
         ud2
 
         .pushsection .init.text, "ax", @progbits
 ENTRY(early_page_fault)
-        SAVE_ALL
+        SAVE_ALL 2
         movq  %rsp,%rdi
         call  do_early_page_fault
         jmp   restore_all_xen
diff --git a/xen/arch/x86/x86_64/traps.c b/xen/arch/x86/x86_64/traps.c
index 90072c1..b87b33e 100644
--- a/xen/arch/x86/x86_64/traps.c
+++ b/xen/arch/x86/x86_64/traps.c
@@ -437,7 +437,7 @@ void __devinit subarch_percpu_traps_init(void)
     /* Common SYSCALL parameters. */
     wrmsr(MSR_STAR, 0, (FLAT_RING3_CS32<<16) | __HYPERVISOR_CS);
     wrmsr(MSR_SYSCALL_MASK,
-          X86_EFLAGS_VM|X86_EFLAGS_RF|X86_EFLAGS_NT|
+          X86_EFLAGS_AC|X86_EFLAGS_VM|X86_EFLAGS_RF|X86_EFLAGS_NT|
           X86_EFLAGS_DF|X86_EFLAGS_IF|X86_EFLAGS_TF,
           0U);
 }
diff --git a/xen/include/asm-x86/asm_defns.h b/xen/include/asm-x86/asm_defns.h
index 0302836..dadc251 100644
--- a/xen/include/asm-x86/asm_defns.h
+++ b/xen/include/asm-x86/asm_defns.h
@@ -190,7 +190,20 @@ static inline void stac(void)
 #endif
 
 #ifdef __ASSEMBLY__
-.macro SAVE_ALL
+/*
+ * Save all registers.
+ *
+ * @ac:
+ *     0 - claer AC bit
+ *     1 - set AC bit
+ *     others - don't modify AC bit
+ */
+.macro SAVE_ALL ac=0
+.if \ac == 0
+        ASM_CLAC
+.elseif \ac == 1
+        ASM_STAC
+.endif
         addq  $-(UREGS_error_code-UREGS_r15), %rsp
         cld
         movq  %rdi,UREGS_rdi(%rsp)
-- 
1.8.3.1


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.