[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] SVM/VMX and Interrupt Shadows

To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Kevin Tian <kevin.tian@xxxxxxxxx>, Jun Nakajima <jun.nakajima@xxxxxxxxx>, SuraveeSuthikulpanit <suravee.suthikulpanit@xxxxxxx>
From: Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>
Date: Wed, 14 Dec 2016 20:38:06 -0500
Cc: Jan Beulich <JBeulich@xxxxxxxx>, Xen-devel List <xen-devel@xxxxxxxxxxxxx>
Delivery-date: Thu, 15 Dec 2016 01:39:02 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>



On 12/13/2016 02:24 PM, Andrew Cooper wrote:

Hello,

All of this came about while reviewing some of Jans improvements to the
x86 instruction emulator.

It turns out that the XSA-156 / CVE-2015-8104 fix, c/s bd2239d9
"x86/HVM: always intercept #AC and #DB", introduced an awkward bug on
Intel hardware.

Executing a sti while singlestepping is active currently causes a
VMEntry failure, because the #DB is still intercepted, but on re-entry,
the sti interrupt shadow is still active and hardware complains about
invalid guest state.

Experimentally, on both Intel and AMD hardware, the mov_ss shadow
inhibits #DB and the VMexit caused by its interception, whereas the sti
shadow doesn't inhibit #DB.

AMD's APM is very vague on this --- vol2 says in the STI's shadow*certain* debug traps are not recognized and doesn't say anything aboutMOV SS. And vol3 is silent about traps completely.

I also found that that very old (family fh) processors had an erratumrelated to interrupt shadows but I assume you are running on somethingbetter than 2008 processor.


I guess Suravee will have to clarify this one as well.

-boris


 Therefore, my planned fix for VT-x is to

unconditionally clobber the sti shadow if we intercept #DB.  I am also
looking to get the behaviour correct for all hardware, and from the
instruction emulator.

So my question to both AMD and Intel is how do the these shadow bits
actually function in real hardware? I can't find any useful information
in the manuals, other than rules about how to use the fields in the
VMCS/VMCB.

Additionally, Intel:

vmx_set_info_guest() clobbers the sti shadow if a debugger is attached,
citing a rule that eflags.TF may not be set alongside the sti shadow.  I
can't find any such rule in the list of vmentry checks, but then again I
can't find a rule which I have actually violated with the above
scenario.  Have I missed anything obvious?

AMD: Despite observably different behaviour, the VMCB only has a single
bit for shadowing.  Will the hardware mov_ss shadow always inhibit all
#DB activity, including instruction breakpoints on the following
instruction?  If not, I can't see a way to safely fix this.

~Andrew


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

References:
- [Xen-devel] SVM/VMX and Interrupt Shadows
  - From: Andrew Cooper

Prev by Date: [Xen-devel] [PATCH] xen/arm: fix rank/vgic locks inversion bug
Next by Date: [Xen-devel] [xen-unstable-smoke test] 103373: regressions - FAIL
Previous by thread: Re: [Xen-devel] SVM/VMX and Interrupt Shadows
Next by thread: [Xen-devel] [xen-unstable-smoke test] 103284: tolerable all pass - PUSHED
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.