|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] Ping: [PATCH] x86: fix "xpti=" and "pv-l1tf=" yet again
>>> On 21.08.18 at 12:44, wrote:
> While commit 2a3b34ec47 ("x86/spec-ctrl: Yet more fixes for xpti=
> parsing") indeed fixed "xpti=dom0", it broke "xpti=no-dom0", in that
> this then became equivalent to "xpti=no". In particular, the presence
> of "xpti=" alone on the command line means nothing as to which
> default is to be overridden; "xpti=no-dom0" ought to have no effect
> for DomU-s (and vice versa), as this is distinct from both
> "xpti=no-dom0,domu" and "xpti=no-dom0,no-domu".
>
> Here as well as for "pv-l1tf=" I think there's no way around tracking
> the "use default" state separately for Dom0 and DomU-s. Introduce
> individual bits for this, and convert the variables' types (back) to
> uint8_t.
>
> Additionally the earlier change claimed to have got rid of the
> 'parameter "xpti" has invalid value "", rc=-22!' log message for "xpti"
> alone on the command line, which wasn't the case (the option took effect
> nevertheless). Fix this as well.
>
> Finally also support a "default" sub-option for "pv-l1tf=", just like
> "xpti=" does.
>
> It is perhaps worth to note that OPT_<what>_DOM<which>_DEFAULT set
> implies OPT_<what>_DOM<which> clear, which is being utilized in a number
> of places (we effectively want to hold two tristates in a single
> variable, which means the fourth state is impossible).
>
> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
> ---
> Seeing the redundancy between OPT_XPTI_* and OPT_PV_L1TF_*, I wonder
> whether it wouldn't be worthwhile to fold the constants. Which option
> they apply to is easily seen from the variable they get used with.
>
> --- a/docs/misc/xen-command-line.markdown
> +++ b/docs/misc/xen-command-line.markdown
> @@ -1563,7 +1563,7 @@ certain you don't plan on having PV gues
> turning it off can reduce the attack surface.
>
> ### pv-l1tf (x86)
> -> `= List of [ <bool>, dom0=<bool>, domu=<bool> ]`
> +> `= List of [ default, <bool>, dom0=<bool>, domu=<bool> ]`
>
> > Default: `false` on believed-unaffected hardware, or in pv-shim mode.
> > `domu` on believed-affected hardware.
> --- a/xen/arch/x86/spec_ctrl.c
> +++ b/xen/arch/x86/spec_ctrl.c
> @@ -134,15 +134,12 @@ static int __init parse_spec_ctrl(const
>
> opt_eager_fpu = 0;
>
> - if ( opt_xpti < 0 )
> - opt_xpti = 0;
> + opt_xpti &= ~(OPT_XPTI_DOM0_DEFAULT | OPT_XPTI_DOMU_DEFAULT);
> + opt_pv_l1tf &= ~OPT_PV_L1TF_DOMU_DEFAULT;
>
> if ( opt_smt < 0 )
> opt_smt = 1;
>
> - if ( opt_pv_l1tf < 0 )
> - opt_pv_l1tf = 0;
> -
> disable_common:
> opt_rsb_pv = false;
> opt_rsb_hvm = false;
> @@ -219,17 +216,13 @@ static int __init parse_spec_ctrl(const
> }
> custom_param("spec-ctrl", parse_spec_ctrl);
>
> -int8_t __read_mostly opt_pv_l1tf = -1;
> +uint8_t __read_mostly opt_pv_l1tf = OPT_PV_L1TF_DOMU_DEFAULT;
>
> static __init int parse_pv_l1tf(const char *s)
> {
> const char *ss;
> int val, rc = 0;
>
> - /* Inhibit the defaults as an explicit choice has been given. */
> - if ( opt_pv_l1tf == -1 )
> - opt_pv_l1tf = 0;
> -
> /* Interpret 'pv-l1tf' alone in its positive boolean form. */
> if ( *s == '\0' )
> opt_pv_l1tf = OPT_PV_L1TF_DOM0 | OPT_PV_L1TF_DOMU;
> @@ -250,13 +243,16 @@ static __init int parse_pv_l1tf(const ch
> break;
>
> default:
> - if ( (val = parse_boolean("dom0", s, ss)) >= 0 )
> + if ( !strcmp(s, "default") )
> + opt_xpti = OPT_PV_L1TF_DOMU_DEFAULT;
Obviously with this corrected, as pointed out by Jürgen.
Jan
> + else if ( (val = parse_boolean("dom0", s, ss)) >= 0 )
> opt_pv_l1tf = ((opt_pv_l1tf & ~OPT_PV_L1TF_DOM0) |
> (val ? OPT_PV_L1TF_DOM0 : 0));
> else if ( (val = parse_boolean("domu", s, ss)) >= 0 )
> - opt_pv_l1tf = ((opt_pv_l1tf & ~OPT_PV_L1TF_DOMU) |
> + opt_pv_l1tf = ((opt_pv_l1tf & ~(OPT_PV_L1TF_DOMU_DEFAULT |
> + OPT_PV_L1TF_DOMU)) |
> (val ? OPT_PV_L1TF_DOMU : 0));
> - else
> + else if ( *s )
> rc = -EINVAL;
> break;
> }
> @@ -657,17 +653,22 @@ static __init void l1tf_calculations(uin
> : (3ul << (paddr_bits - 2))));
> }
>
> -int8_t __read_mostly opt_xpti = -1;
> +uint8_t __read_mostly opt_xpti = OPT_XPTI_DOM0_DEFAULT |
> OPT_XPTI_DOMU_DEFAULT;
>
> static __init void xpti_init_default(uint64_t caps)
> {
> if ( boot_cpu_data.x86_vendor == X86_VENDOR_AMD )
> caps = ARCH_CAPABILITIES_RDCL_NO;
>
> - if ( caps & ARCH_CAPABILITIES_RDCL_NO )
> - opt_xpti = 0;
> - else
> - opt_xpti = OPT_XPTI_DOM0 | OPT_XPTI_DOMU;
> + if ( !(caps & ARCH_CAPABILITIES_RDCL_NO) )
> + {
> + if ( opt_xpti & OPT_XPTI_DOM0_DEFAULT )
> + opt_xpti |= OPT_XPTI_DOM0;
> + if ( opt_xpti & OPT_XPTI_DOMU_DEFAULT )
> + opt_xpti |= OPT_XPTI_DOMU;
> + }
> +
> + opt_xpti &= ~(OPT_XPTI_DOM0_DEFAULT | OPT_XPTI_DOMU_DEFAULT);
> }
>
> static __init int parse_xpti(const char *s)
> @@ -675,10 +676,6 @@ static __init int parse_xpti(const char
> const char *ss;
> int val, rc = 0;
>
> - /* Inhibit the defaults as an explicit choice has been given. */
> - if ( opt_xpti == -1 )
> - opt_xpti = 0;
> -
> /* Interpret 'xpti' alone in its positive boolean form. */
> if ( *s == '\0' )
> opt_xpti = OPT_XPTI_DOM0 | OPT_XPTI_DOMU;
> @@ -700,14 +697,16 @@ static __init int parse_xpti(const char
>
> default:
> if ( !strcmp(s, "default") )
> - opt_xpti = -1;
> + opt_xpti = OPT_XPTI_DOM0_DEFAULT | OPT_XPTI_DOMU_DEFAULT;
> else if ( (val = parse_boolean("dom0", s, ss)) >= 0 )
> - opt_xpti = (opt_xpti & ~OPT_XPTI_DOM0) |
> + opt_xpti = (opt_xpti & ~(OPT_XPTI_DOM0_DEFAULT |
> + OPT_XPTI_DOM0)) |
> (val ? OPT_XPTI_DOM0 : 0);
> else if ( (val = parse_boolean("domu", s, ss)) >= 0 )
> - opt_xpti = (opt_xpti & ~OPT_XPTI_DOMU) |
> + opt_xpti = (opt_xpti & ~(OPT_XPTI_DOMU_DEFAULT |
> + OPT_XPTI_DOMU)) |
> (val ? OPT_XPTI_DOMU : 0);
> - else
> + else if ( *s )
> rc = -EINVAL;
> break;
> }
> @@ -862,8 +861,7 @@ void __init init_speculation_mitigations
> if ( default_xen_spec_ctrl )
> setup_force_cpu_cap(X86_FEATURE_SC_MSR_IDLE);
>
> - if ( opt_xpti == -1 )
> - xpti_init_default(caps);
> + xpti_init_default(caps);
>
> if ( opt_xpti == 0 )
> setup_force_cpu_cap(X86_FEATURE_NO_XPTI);
> @@ -879,13 +877,11 @@ void __init init_speculation_mitigations
> * In shim mode, SHADOW is expected to be compiled out, and a malicious
> * guest kernel can only attack the shim Xen, not the host Xen.
> */
> - if ( opt_pv_l1tf == -1 )
> - {
> - if ( pv_shim || !cpu_has_bug_l1tf )
> - opt_pv_l1tf = 0;
> - else
> - opt_pv_l1tf = OPT_PV_L1TF_DOMU;
> - }
> + if ( (opt_pv_l1tf & OPT_PV_L1TF_DOMU_DEFAULT) &&
> + !pv_shim && cpu_has_bug_l1tf )
> + opt_pv_l1tf |= OPT_PV_L1TF_DOMU;
> +
> + opt_pv_l1tf &= ~OPT_PV_L1TF_DOMU_DEFAULT;
>
> /*
> * By default, enable L1D_FLUSH on L1TF-vulnerable hardware, unless
> --- a/xen/include/asm-x86/spec_ctrl.h
> +++ b/xen/include/asm-x86/spec_ctrl.h
> @@ -35,13 +35,16 @@ extern bool bsp_delay_spec_ctrl;
> extern uint8_t default_xen_spec_ctrl;
> extern uint8_t default_spec_ctrl_flags;
>
> -extern int8_t opt_xpti;
> +extern uint8_t opt_xpti;
> #define OPT_XPTI_DOM0 0x01
> #define OPT_XPTI_DOMU 0x02
> +#define OPT_XPTI_DOM0_DEFAULT 0x10
> +#define OPT_XPTI_DOMU_DEFAULT 0x20
>
> -extern int8_t opt_pv_l1tf;
> +extern uint8_t opt_pv_l1tf;
> #define OPT_PV_L1TF_DOM0 0x01
> #define OPT_PV_L1TF_DOMU 0x02
> +#define OPT_PV_L1TF_DOMU_DEFAULT 0x20
>
> /*
> * The L1D address mask, which might be wider than reported in CPUID, and the
>
>
>
>
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |