Re: [Xen-devel] [PATCH 3/6] x86/AMD: Rework XSA-9 / Erratum 121 handling entirely

["Jan Beulich" <JBeulich@xxxxxxxx>]

>>> On 28.12.18 at 13:39, <andrew.cooper3@xxxxxxxxxx> wrote:
> There are multiple problems:
> 
>  * The opt_allow_unsafe < 0 logic is dead since 2012 (c/s 0c7a6966511
>    "x86-64: refine the XSA-9 fix").

Not really, no, the more that said commit only introduced it. Please
pay attention to the description saying "by means of a single line
change" as well as "don't default to boot denial". The thing I agree
was not possible (no idea how I did overlook it) was to set the
value to -1 without it defaulting to it.

>  * Given that opt_allow_unsafe was deliberately intended not to be
>    specific to #121 alone, setting it to true for the not-affected case
>    will cause a security issue if a second use of this option ever
>    appears.
>  * Calling cpu_has_amd_erratum() on every domain creation is wasteful,
>    given that the answer is static after boot.

Hardly a big performance impact, I would say.

> Move opt_allow_unsafe into domain.c, as a better location for it to
> live, and switch it to be a straight boolean.

So you think boot denial is not useful, and hence not worthwhile to
retain (and make properly command line controllable)?

> @@ -538,6 +534,14 @@ static void init_amd_k8(struct cpuinfo_x86 *c)
>  {
>      uint64_t val;
>  
> +    setup_force_cpu_cap(X86_BUG_AMD_ERRATUM_121);
> +        printk(KERN_WARNING
> +               "*** Xen will not allow DomU creation on this CPU for 
> security reasons ***\n"
> +               KERN_WARNING
> +               "*** Pass \"allow_unsafe\" if you trust all your guest 
> kernels ***\n");

This would affect all of Fam0F, while models 0x40 and higher aren't
affected from all I know.

Jan



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel