Xen project Mailing List

Re: [Xen-devel] [PATCH 3/6] x86/AMD: Rework XSA-9 / Erratum 121 handling entirely

To: Roger Pau Monné <roger.pau@xxxxxxxxxx>

From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Fri, 28 Dec 2018 16:06:53 +0000

Autocrypt: addr=andrew.cooper3@xxxxxxxxxx; prefer-encrypt=mutual; keydata= mQINBFLhNn8BEADVhE+Hb8i0GV6mihnnr/uiQQdPF8kUoFzCOPXkf7jQ5sLYeJa0cQi6Penp VtiFYznTairnVsN5J+ujSTIb+OlMSJUWV4opS7WVNnxHbFTPYZVQ3erv7NKc2iVizCRZ2Kxn srM1oPXWRic8BIAdYOKOloF2300SL/bIpeD+x7h3w9B/qez7nOin5NzkxgFoaUeIal12pXSR Q354FKFoy6Vh96gc4VRqte3jw8mPuJQpfws+Pb+swvSf/i1q1+1I4jsRQQh2m6OTADHIqg2E ofTYAEh7R5HfPx0EXoEDMdRjOeKn8+vvkAwhviWXTHlG3R1QkbE5M/oywnZ83udJmi+lxjJ5 YhQ5IzomvJ16H0Bq+TLyVLO/VRksp1VR9HxCzItLNCS8PdpYYz5TC204ViycobYU65WMpzWe LFAGn8jSS25XIpqv0Y9k87dLbctKKA14Ifw2kq5OIVu2FuX+3i446JOa2vpCI9GcjCzi3oHV e00bzYiHMIl0FICrNJU0Kjho8pdo0m2uxkn6SYEpogAy9pnatUlO+erL4LqFUO7GXSdBRbw5 gNt25XTLdSFuZtMxkY3tq8MFss5QnjhehCVPEpE6y9ZjI4XB8ad1G4oBHVGK5LMsvg22PfMJ ISWFSHoF/B5+lHkCKWkFxZ0gZn33ju5n6/FOdEx4B8cMJt+cWwARAQABtClBbmRyZXcgQ29v cGVyIDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPokCOgQTAQgAJAIbAwULCQgHAwUVCgkI CwUWAgMBAAIeAQIXgAUCWKD95wIZAQAKCRBlw/kGpdefoHbdD/9AIoR3k6fKl+RFiFpyAhvO 59ttDFI7nIAnlYngev2XUR3acFElJATHSDO0ju+hqWqAb8kVijXLops0gOfqt3VPZq9cuHlh IMDquatGLzAadfFx2eQYIYT+FYuMoPZy/aTUazmJIDVxP7L383grjIkn+7tAv+qeDfE+txL4 SAm1UHNvmdfgL2/lcmL3xRh7sub3nJilM93RWX1Pe5LBSDXO45uzCGEdst6uSlzYR/MEr+5Z JQQ32JV64zwvf/aKaagSQSQMYNX9JFgfZ3TKWC1KJQbX5ssoX/5hNLqxMcZV3TN7kU8I3kjK mPec9+1nECOjjJSO/h4P0sBZyIUGfguwzhEeGf4sMCuSEM4xjCnwiBwftR17sr0spYcOpqET ZGcAmyYcNjy6CYadNCnfR40vhhWuCfNCBzWnUW0lFoo12wb0YnzoOLjvfD6OL3JjIUJNOmJy RCsJ5IA/Iz33RhSVRmROu+TztwuThClw63g7+hoyewv7BemKyuU6FTVhjjW+XUWmS/FzknSi dAG+insr0746cTPpSkGl3KAXeWDGJzve7/SBBfyznWCMGaf8E2P1oOdIZRxHgWj0zNr1+ooF /PzgLPiCI4OMUttTlEKChgbUTQ+5o0P080JojqfXwbPAyumbaYcQNiH1/xYbJdOFSiBv9rpt TQTBLzDKXok86LkCDQRS4TZ/ARAAkgqudHsp+hd82UVkvgnlqZjzz2vyrYfz7bkPtXaGb9H4 Rfo7mQsEQavEBdWWjbga6eMnDqtu+FC+qeTGYebToxEyp2lKDSoAsvt8w82tIlP/EbmRbDVn 7bhjBlfRcFjVYw8uVDPptT0TV47vpoCVkTwcyb6OltJrvg/QzV9f07DJswuda1JH3/qvYu0p vjPnYvCq4NsqY2XSdAJ02HrdYPFtNyPEntu1n1KK+gJrstjtw7KsZ4ygXYrsm/oCBiVW/OgU g/XIlGErkrxe4vQvJyVwg6YH653YTX5hLLUEL1NS4TCo47RP+wi6y+TnuAL36UtK/uFyEuPy wwrDVcC4cIFhYSfsO0BumEI65yu7a8aHbGfq2lW251UcoU48Z27ZUUZd2Dr6O/n8poQHbaTd 6bJJSjzGGHZVbRP9UQ3lkmkmc0+XCHmj5WhwNNYjgbbmML7y0fsJT5RgvefAIFfHBg7fTY/i kBEimoUsTEQz+N4hbKwo1hULfVxDJStE4sbPhjbsPCrlXf6W9CxSyQ0qmZ2bXsLQYRj2xqd1 bpA+1o1j2N4/au1R/uSiUFjewJdT/LX1EklKDcQwpk06Af/N7VZtSfEJeRV04unbsKVXWZAk uAJyDDKN99ziC0Wz5kcPyVD1HNf8bgaqGDzrv3TfYjwqayRFcMf7xJaL9xXedMcAEQEAAYkC HwQYAQgACQUCUuE2fwIbDAAKCRBlw/kGpdefoG4XEACD1Qf/er8EA7g23HMxYWd3FXHThrVQ HgiGdk5Yh632vjOm9L4sd/GCEACVQKjsu98e8o3ysitFlznEns5EAAXEbITrgKWXDDUWGYxd pnjj2u+GkVdsOAGk0kxczX6s+VRBhpbBI2PWnOsRJgU2n10PZ3mZD4Xu9kU2IXYmuW+e5KCA vTArRUdCrAtIa1k01sPipPPw6dfxx2e5asy21YOytzxuWFfJTGnVxZZSCyLUO83sh6OZhJkk b9rxL9wPmpN/t2IPaEKoAc0FTQZS36wAMOXkBh24PQ9gaLJvfPKpNzGD8XWR5HHF0NLIJhgg 4ZlEXQ2fVp3XrtocHqhu4UZR4koCijgB8sB7Tb0GCpwK+C4UePdFLfhKyRdSXuvY3AHJd4CP 4JzW0Bzq/WXY3XMOzUTYApGQpnUpdOmuQSfpV9MQO+/jo7r6yPbxT7CwRS5dcQPzUiuHLK9i nvjREdh84qycnx0/6dDroYhp0DFv4udxuAvt1h4wGwTPRQZerSm4xaYegEFusyhbZrI0U9tJ B8WrhBLXDiYlyJT6zOV2yZFuW47VrLsjYnHwn27hmxTC/7tvG3euCklmkn9Sl9IAKFu29RSo d5bD8kMSCYsTqtTfT6W4A3qHGvIDta3ptLYpIAOD2sY3GYq2nf3Bbzx81wZK14JdDDHUX2Rs 6+ahAA==

Cc: Wei Liu <wei.liu2@xxxxxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxx>

Delivery-date: Fri, 28 Dec 2018 16:07:06 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Openpgp: preference=signencrypt

On 28/12/2018 15:26, Roger Pau Monné wrote: > On Fri, Dec 28, 2018 at 12:39:33PM +0000, Andrew Cooper wrote: >> There are multiple problems: >> >> * The opt_allow_unsafe < 0 logic is dead since 2012 (c/s 0c7a6966511 >> "x86-64: refine the XSA-9 fix"). >> * Given that opt_allow_unsafe was deliberately intended not to be >> specific to #121 alone, setting it to true for the not-affected case >> will cause a security issue if a second use of this option ever >> appears. >> * Calling cpu_has_amd_erratum() on every domain creation is wasteful, >> given that the answer is static after boot. >> >> Move opt_allow_unsafe into domain.c, as a better location for it to >> live, and switch it to be a straight boolean. >> >> Use the new cpu_bug_* infrastructure to precompute erratum 121 during >> boot, rather than repeatedly at runtime. Leave a comment beside the >> check in arch_domain_create() to explain why we may refuse to boot >> DomU's. >> >> Reflow the printed information for grep-ability, and fix them for >> correctness and brevity. >> >> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> >> --- >> CC: Jan Beulich <JBeulich@xxxxxxxx> >> CC: Wei Liu <wei.liu2@xxxxxxxxxx> >> CC: Roger Pau Monné <roger.pau@xxxxxxxxxx> >> --- >> xen/arch/x86/cpu/amd.c | 26 ++++++++------------------ >> xen/arch/x86/domain.c | 19 +++++++++++++------ >> xen/include/asm-x86/amd.h | 5 ----- >> xen/include/asm-x86/cpufeature.h | 3 +++ >> xen/include/asm-x86/cpufeatures.h | 2 ++ >> xen/include/asm-x86/domain.h | 2 ++ >> 6 files changed, 28 insertions(+), 29 deletions(-) >> >> diff --git a/xen/arch/x86/cpu/amd.c b/xen/arch/x86/cpu/amd.c >> index c3aa1f4..8089fb9 100644 >> --- a/xen/arch/x86/cpu/amd.c >> +++ b/xen/arch/x86/cpu/amd.c >> @@ -40,10 +40,6 @@ integer_param("cpuid_mask_l7s0_ebx", >> opt_cpuid_mask_l7s0_ebx); >> static unsigned int __initdata opt_cpuid_mask_thermal_ecx = ~0u; >> integer_param("cpuid_mask_thermal_ecx", opt_cpuid_mask_thermal_ecx); >> >> -/* 1 = allow, 0 = don't allow guest creation, -1 = don't allow boot */ >> -s8 __read_mostly opt_allow_unsafe; >> -boolean_param("allow_unsafe", opt_allow_unsafe); >> - >> /* Signal whether the ACPI C1E quirk is required. */ >> bool __read_mostly amd_acpi_c1e_quirk; >> >> @@ -538,6 +534,14 @@ static void init_amd_k8(struct cpuinfo_x86 *c) >> { >> uint64_t val; >> >> + setup_force_cpu_cap(X86_BUG_AMD_ERRATUM_121); >> + >> + if ( c == &boot_cpu_data && !opt_allow_unsafe ) >> + printk(KERN_WARNING >> + "*** Xen will not allow DomU creation on this CPU for >> security reasons ***\n" >> + KERN_WARNING >> + "*** Pass \"allow_unsafe\" if you trust all your guest >> kernels ***\n"); > Since you are switching the file to match Xen's coding style, I would > use XENLOG_WARNING instead of KERN_WARNING. Oops - right you are. > >> + >> /* >> * Skip errata workarounds if we are virtualised. We won't have >> * sufficient control of hardware to do anything useful. >> @@ -784,20 +788,6 @@ static void init_amd(struct cpuinfo_x86 *c) >> >> amd_get_topology(c); >> >> - if (!cpu_has_amd_erratum(c, AMD_ERRATUM_121)) >> - opt_allow_unsafe = 1; >> - else if (opt_allow_unsafe < 0) >> - panic("Xen will not boot on this CPU for security reasons" >> - "Pass \"allow_unsafe\" if you're trusting all your" >> - " (PV) guest kernels.\n"); >> - else if (!opt_allow_unsafe && c == &boot_cpu_data) >> - printk(KERN_WARNING >> - "*** Xen will not allow creation of DomU-s on" >> - " this CPU for security reasons. ***\n" >> - KERN_WARNING >> - "*** Pass \"allow_unsafe\" if you're trusting" >> - " all your (PV) guest kernels. ***\n"); >> - >> /* AMD CPUs do not support SYSENTER outside of legacy mode. */ >> __clear_bit(X86_FEATURE_SEP, c->x86_capability); >> >> diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c >> index 32dc4253..beeb1d7 100644 >> --- a/xen/arch/x86/domain.c >> +++ b/xen/arch/x86/domain.c >> @@ -71,6 +71,10 @@ >> >> DEFINE_PER_CPU(struct vcpu *, curr_vcpu); >> >> +/* Permit creating domains on unsafe systems? */ >> +bool __read_mostly opt_allow_unsafe; > I think you can make this static now, since you have removed the only > external user which was amd.c. There is still a user in amd.c, for the printk() which needs adjusting. ~Andrew _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.