[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 9/9] x86/vmx: Don't leak EFER.NXE into guest context

>>> On 22.05.18 at 13:20, <andrew.cooper3@xxxxxxxxxx> wrote:
> @@ -1650,22 +1641,81 @@ static void vmx_update_guest_cr(struct vcpu *v, 
> unsigned int cr,
>  
>  static void vmx_update_guest_efer(struct vcpu *v)
>  {
> -    unsigned long vm_entry_value;
> +    unsigned long entry_ctls, guest_efer = v->arch.hvm_vcpu.guest_efer,
> +        xen_efer = read_efer();
> +
> +    if ( paging_mode_shadow(v->domain) )
> +    {
> +        /*
> +         * When using shadow pagetables, EFER.NX is a Xen-owned bit and is 
> not
> +         * under guest control.
> +         */
> +        guest_efer &= ~EFER_NX;
> +        guest_efer |= xen_efer & EFER_NX;
> +
> +        /*
> +         * At the time of writing (May 2018), the Intel SDM "VM Entry: Checks
> +         * on Guest Control Registers, Debug Registers and MSRs" section 
> says:
> +         *
> +         *  If the "Load IA32_EFER" VM-entry control is 1, the following
> +         *  checks are performed on the field for the IA32_MSR:
> +         *   - Bits reserved in the IA32_EFER MSR must be 0.
> +         *   - Bit 10 (corresponding to IA32_EFER.LMA) must equal the value 
> of
> +         *     the "IA-32e mode guest" VM-entry control.  It must also be
> +         *     identical to bit 8 (LME) if bit 31 in the CR0 field
> +         *     (corresponding to CR0.PG) is 1.
> +         *
> +         * Experimentally what actually happens is:
> +         *   - Checks for EFER.{LME,LMA} apply uniformly whether using the
> +         *     GUEST_EFER VMCS controls, or MSR load/save lists.
> +         *   - Without EPT, LME being different to LMA isn't tolerated by
> +         *     hardware.  As writes to CR0 are intercepted, it is safe to
> +         *     leave LME clear at this point, and fix up both LME and LMA 
> when
> +         *     CR0.PG is set.
> +         */
> +        if ( !(guest_efer & EFER_LMA) )
> +            guest_efer &= ~EFER_LME;
> +    }

Why is this latter adjustments done only for shadow mode?

After the above adjustments, when guest_efer still matches
v->arch.hvm_vcpu.guest_efer, couldn't we disable the MSR read
intercept?

Jan



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.