[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH L1TF MDS GT v2 1/2] common/grant_table: harden bound accesses

  • To: Norbert Manthey <nmanthey@xxxxxxxxx>
  • From: Jan Beulich <JBeulich@xxxxxxxx>
  • Date: Mon, 15 Jul 2019 06:32:06 +0000
  • Accept-language: en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1;spf=pass smtp.mailfrom=suse.com;dmarc=pass action=none header.from=suse.com;dkim=pass header.d=suse.com;arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=PXUL4fi+BzGf50U1dD0WHFLE9VoPgEKAODlBvjgGHXM=; b=XUimzdwpFX8HD1XQygUjkIK5ElFDY3/Aq/7NPSulPAYKmAu/QfOt+frnrTOVarpNLR3aNFAMK0dFswNkYTMbRl37ux1OePtfFrFKgSqQ4vKPeazLhVfa8FkCrzFpRB7/k87VtphC9ZDXVLu4++WD2EeAPS6wzq1U7SFAVH/gApW+u49054660WhTaZJAVEUHvoyvYrx7RCdjOePNWv1tiyLGuR3FlBTiXBGFYG2us8nuMC/EEFKswx3f+Yu5qipNbdQAl1tv4zeANVkMta9eI3R/o4lEmYr5WvjD83JA5zFE9zKGUUrj6Bog4/bWv5Mm/eTuUuKn25LuWnn4pbxjEg==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=QjECggCurFOIlH+J6H+1HsTnWId9azGT6aVkznLFCIIN9zoXarv51pelLIJP7uuT25rj5uKTRioTzyM6kvZwTOnJfN08tfXiiF+52mYHUveMldJLnXZUJWNCaFFQLd6pW1Pkm5lHbZwE6yd0IwQ36XCkBxH9QqBwvprj4kwuhEfhzL/giEzoY+N0unpuOk+IYsWqL0NwlbS1OjH+7hRTJLC6VWbJz0Kaw5G0UTKODAZka7MXzq4sOyRq58O7vGfdTLYXPYUNRcp/nWflSjN/0Ueb07yevrI2aTz8n1ESw9RaKCHSjyhurHUgY+hYqeZjpaJ6hTEn7YUXd4SU0dfBQw==
  • Authentication-results: spf=none (sender IP is ) smtp.mailfrom=JBeulich@xxxxxxxx;
  • Cc: Juergen Gross <JGross@xxxxxxxx>, Tim Deegan <tim@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, IanJackson <ian.jackson@xxxxxxxxxxxxx>, Dario Faggioli <dfaggioli@xxxxxxxx>, Martin Pohlack <mpohlack@xxxxxxxxx>, PawelWieczorkiewicz <wipawel@xxxxxxxxx>, Julien Grall <julien.grall@xxxxxxx>, DavidWoodhouse <dwmw@xxxxxxxxxxxx>, Martin Mazein <amazein@xxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, BjoernDoebel <doebel@xxxxxxxxx>
  • Delivery-date: Mon, 15 Jul 2019 06:42:44 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AQHVN+UKfsMu2qLxDkqLQxY1kOPIcKbGq28agASSyAA=
  • Thread-topic: [PATCH L1TF MDS GT v2 1/2] common/grant_table: harden bound accesses
On 12.07.2019 10:40, Norbert Manthey wrote:
> On 7/11/19 14:34, Jan Beulich wrote:
>> On 10.07.2019 14:54, Norbert Manthey wrote:
>>> Guests can issue grant table operations and provide guest controlled
>>> data to them. This data is used as index for memory loads after bound
>>> checks have been done. To avoid speculative out-of-bound accesses, we
>>> use the array_index_nospec macro where applicable, or the macro
>>> block_speculation. Note, the block_speculation macro is used on all
>>> path in shared_entry_header and nr_grant_entries. This way, after a
>>> call to such a function, all bound checks that happened before become
>>> architectural visible, so that no additional protection is required
>>> for corresponding array accesses. As the way we introduce an lfence
>>> instruction might allow the compiler to reload certain values from
>>> memory multiple times, we try to avoid speculatively continuing
>>> execution with stale register data by moving relevant data into
>>> function local variables.
>>>
>>> Speculative execution is not blocked in case one of the following
>>> properties is true:
>>>    - path cannot be triggered by the guest
>>>    - path does not return to the guest
>>>    - path does not result in an out-of-bound access
>>>    - path cannot be executed repeatedly
>> Upon re-reading I think this last item isn't fully applicable: I think
>> you attach such an attribute to domain creation/destruction functions.
>> Those aren't executed repeatedly for a single guest, but e.g. rapid
>> rebooting of a guest (or several ones) may actually be able to train
>> such paths.
> True, but a rebooted domain might come up on a different core, which
> results in using different hardware structures. The "repeatedly" is open
> to be interpreted, I agree. From my understanding, it belongs to the
> properties to have to reliably target a speculative out-of-bound access.

Looks like we're taking a somewhat different perspective here: I don't
think "reliably" is the criteria to go by, but instead it would be
"there's a reasonable chance". Plus the smaller the host, the less
possibilities there are for coming back up on a different core, yet imo
we shouldn't favor large hosts in our considerations.

Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.