Xen project Mailing List

Re: [Xen-devel] [PATCH v7] x86/emulate: Send vm_event from emulate

From: Alexandru Stefan ISAILA <aisaila@xxxxxxxxxxxxxxx>

Date: Tue, 23 Jul 2019 08:17:53 +0000

Accept-language: en-US

Arc-authentication-results: i=1; mx.microsoft.com 1;spf=pass smtp.mailfrom=bitdefender.com;dmarc=pass action=none header.from=bitdefender.com;dkim=pass header.d=bitdefender.com;arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=+Q1wotiUOV5Sk4cSeZvV+GaduQJL9uT9YaFyQF8zXVs=; b=HIONrVs2RhcQMRaVh9U+yD8rmaEbZv4DXwgi/NPgd7RKQkBOBDtz1ykMBVjGeD970KqTVLXUfLiOCla+zfezMOybvsiqN1QIiJX3bvTW0u+oqSx84HKZlq/TRDjrYmZOqhn6IvMc7zlSw649NPT52dPhslClMnjuOXmyJyqqbVy1q4otkALqlazGV/ejhTv2JNIC+8UDxYXLBdxDe84zfhF3n88H39aPjAMeEa/oxkriQpVJVFIB8Pu5rTf+SUSE/bM9610XC4n+SyeZM4yn8ksMvbQih07E3xEwGn5jvsaZsvSoQ6i+N/qNWHkRqbPWPD3W/isJ3Z7L/SuT6lOrbA==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=GqLskZPAcez9hUGfTJA1xf9CMnRP4BeH32EXdeH7wLLQx++iBv0wdNoxs/Rm4TkGTi5Q2SjDjwEtmj2UasSQ/TpWDqABfFUWODyrccvlZZiWVCO4/H9+CRL/s1B+R4yK7loBxZzEssV3/O7VRWbMzdzSGgAD2o+erRY7Nh0ELttoSjAz29QQvfaJx76kCEy7JNVHARKXOrj0+CQ55vTGSHVrooeTgWeCaj7cbfz+jpVS2lycv9l1L8h0V1RAaDGPLhPy9cNhvpof8yEk9qkSMRyZJ3mkqv59jbsHUCIZkTpfE2L1/Pz/Def2iVgxlOfV5QYfJA5rQIMm+xvRkXshZA==

Authentication-results: spf=none (sender IP is ) smtp.mailfrom=aisaila@xxxxxxxxxxxxxxx;

Cc: Petre Ovidiu PIRCALABU <ppircalabu@xxxxxxxxxxxxxxx>, "tamas@xxxxxxxxxxxxx" <tamas@xxxxxxxxxxxxx>, "wl@xxxxxxx" <wl@xxxxxxx>, "rcojocaru@xxxxxxxxxxxxxxx" <rcojocaru@xxxxxxxxxxxxxxx>, "george.dunlap@xxxxxxxxxxxxx" <george.dunlap@xxxxxxxxxxxxx>, "andrew.cooper3@xxxxxxxxxx" <andrew.cooper3@xxxxxxxxxx>, "paul.durrant@xxxxxxxxxx" <paul.durrant@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, "roger.pau@xxxxxxxxxx" <roger.pau@xxxxxxxxxx>

Delivery-date: Tue, 23 Jul 2019 08:18:00 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Thread-index: AQHVMY4Gmux1Y/IiSU2ZKtKyOfOCuKbQbceAgAG+GQD//9nvgIAF9VAA

Thread-topic: [PATCH v7] x86/emulate: Send vm_event from emulate

On 19.07.2019 16:18, Jan Beulich wrote: > On 19.07.2019 14:34, Alexandru Stefan ISAILA wrote: >> On 18.07.2019 15:58, Jan Beulich wrote: >>> On 03.07.2019 12:56, Alexandru Stefan ISAILA wrote: >>>> Currently, we are fully emulating the instruction at RIP when the hardware >>>> sees >>>> an EPT fault with npfec.kind != npfec_kind_with_gla. This is, however, >>>> incorrect, because the instruction at RIP might legitimately cause an >>>> EPT fault of its own while accessing a _different_ page from the original >>>> one, >>>> where A/D were set. >>>> The solution is to perform the whole emulation, >>> >>> Above you said fully emulating such an insn is incorrect. To me the >>> two statements contradict one another. >>> >>>> while ignoring EPT restrictions >>>> for the walk part, and taking them into account for the "actual" emulating >>>> of >>>> the instruction at RIP. >>> >>> So the "ignore" part here is because the walk doesn't currently send >>> any events? That's an omission after all, which ultimately wants to >>> get fixed. This in turn makes me wonder whether there couldn't be >>> cases where a monitor actually wants to see these violations, too. >>> After all one may be able to abuse to page walker to set bits in >>> places you actually care to protect from undue modification. >> >> There is no need for events from page walk. Further work will have to be >> done, when page-walk will send events, so that we can toggle that new >> feature on/off. > > Please can you move over to thinking in more general terms, > not just what you need for your application. In this case > "There is no need" != "We don't have a need for". And I think > the VM event _interface_ should be arranged in a way that it > already accounts for eventually correct behavior of the page > walk paths. > I'm not sure how future code for sending events form page-walk will be but I will try to make this patch have some checks in place so that it will work the same. >>>> After the emulation stops we'll call hvm_vm_event_do_resume() again after >>>> the >>>> introspection agent treats the event and resumes the guest. There, the >>>> instruction at RIP will be fully emulated (with the EPT ignored) if the >>>> introspection application allows it, and the guest will continue to run >>>> past >>>> the instruction. >>>> >>>> We use hvmemul_map_linear_addr() to intercept r/w access and >>>> __hvm_copy() to intercept exec access. >>> >>> Btw I continue to be unhappy about this asymmetry. Furthermore in >>> the former case you only handle write and rmw accesses, but not >>> reads afaics. I assume you don't care about reads, but this should >>> then be made explicit. Furthermore EPT allows read protection, and >>> there are p2m_access_w, p2m_access_wx, and p2m_access_x, so I guess >>> ignoring reads can at best be an option picked by the monitor, not >>> something to be left out of the interface altogether. >> >> That is correct, we are not interested in read events but there is >> another problem, we are checking access and pfec to fill the event flag >> and pfec only has a write flag(PFEC_write_access), in __hvmemul_read() >> pfec only gets PFEC_page_present and there is no way to differentiate >> write from read. > > By the PFEC model, anything that's not a write or insn fetch is a > read. The main anomaly is elsewhere: The write flag is also going > to be set for RMW operations. > >>>> hvm_emulate_send_vm_event() can return false if there was no violation, >>>> if there was an error from monitor_traps() or p2m_get_mem_access(). >>> >>> As said before - I don't think errors and lack of a violation can >>> sensibly be treated the same way. Is the implication perhaps that >>> emulation then will fail later anyway? If so, is such an >>> assumption taking into consideration possible races? >> >> The only place that I can see a problem is the error from >> monitor_traps(). That can be checked and accompanied by a warning msg. > > How would a warning message help? > >> Or if you can give me a different idea to go forward with this issue I >> will be glad to review it. > > I'm afraid you'll have to first of all give me an idea what the > correct action is in case of such an error. And once you've done > so, I'm pretty sure you'll recognize yourself whether the current > code you have is appropriate (and I'll then know whether I want > to insist on you changing the code). > So I think that the return of hvm_emulate_send_vm_event() should not use the return of monitor_traps(). By the time monitor_traps() is called we are sure that there is a violation and emulation should stop regardless if the event was sent or not. In this idea the last return should be true. >>>> --- a/xen/arch/x86/hvm/hvm.c >>>> +++ b/xen/arch/x86/hvm/hvm.c >>>> @@ -3224,6 +3224,14 @@ static enum hvm_translation_result __hvm_copy( >>>> return HVMTRANS_bad_gfn_to_mfn; >>>> } >>>> >>>> + if ( unlikely(v->arch.vm_event) && >>>> + v->arch.vm_event->send_event && >>>> + hvm_emulate_send_vm_event(addr, gfn, pfec) ) >>> >>> Indentation looks wrong again. >>> >>>> + { >>>> + put_page(page); >>>> + return HVMTRANS_gfn_paged_out; >>> >>> Why "paged out"? If this is an intentional abuse, then you want >>> to say so in a comment and justify the abuse here or in the >>> description. Yes this is intentional so linear_read() will return X86EMUL_RETRY. Thanks for the review, Alex _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.