Xen project Mailing List

Re: [Xen-devel] [PATCH 2/2] x86/xpti: Don't leak TSS-adjacent percpu data via Meltdown

To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

From: Roger Pau Monné <roger.pau@xxxxxxxxxx>

Date: Fri, 26 Jul 2019 16:38:29 +0200

Authentication-results: esa4.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none; spf=None smtp.pra=roger.pau@xxxxxxxxxx; spf=Pass smtp.mailfrom=roger.pau@xxxxxxxxxx; spf=None smtp.helo=postmaster@xxxxxxxxxxxxxxx

Cc: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>

Delivery-date: Fri, 26 Jul 2019 14:38:50 +0000

Ironport-sdr: UrAH2+RvkuKjOcEUzVLN8TNcDqNHxXjdnvckEjosbifmeKWh/Zy/EF1HYJmcPbQlI4k0SbKbyN uHyoFvFJqe9+6PPz23KuRR3a8KF3Ox8LIIGlGKxLrHLnt78RLxFBLYfTLIxAxD7dMmyi5tGZQs Y8XDLgl/Ef2TssrLEoMGzPmHihJRRjH8lzEGFHvu6LSk0aTM2JhQZI2JMu5AIOZ3KWaeSk3tVN Xiu/BmKDe/711PHVHpi1BwO6Mb3Q1avLFw+VLst8C97wuemhsozjkZ4FDBQH6NrKO11QzwqUek b6I=

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Fri, Jul 26, 2019 at 02:52:40PM +0100, Andrew Cooper wrote: > The XPTI work restricted the visibility of most of memory, but missed a few > aspects when it came to the TSS. > > Given that the TSS is just an object in percpu data, the 4k mapping for it > created in setup_cpu_root_pgt() maps adjacent percpu data, making it all > leakable via Meltdown, even when XPTI is in use. > > Furthermore, no care is taken to check that the TSS doesn't cross a page > boundary. As it turns out, struct tss_struct is aligned on its size which > does prevent it straddling a page boundary, but this will cease to be true > once CET and Shadow Stack support is added to Xen. > > Move the TSS into the page aligned percpu area, so no adjacent data can be > leaked. Move the definition from setup.c to traps.c, which is a more > appropriate place for it to live. > > Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> > --- > CC: Jan Beulich <JBeulich@xxxxxxxx> > CC: Wei Liu <wl@xxxxxxx> > CC: Roger Pau Monné <roger.pau@xxxxxxxxxx> > --- > xen/arch/x86/setup.c | 2 -- > xen/arch/x86/traps.c | 6 ++++++ > xen/arch/x86/xen.lds.S | 2 ++ > xen/include/asm-x86/processor.h | 4 ++-- > 4 files changed, 10 insertions(+), 4 deletions(-) > > diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c > index d2011910fa..1a2ffc4dc1 100644 > --- a/xen/arch/x86/setup.c > +++ b/xen/arch/x86/setup.c > @@ -100,8 +100,6 @@ unsigned long __read_mostly xen_phys_start; > > unsigned long __read_mostly xen_virt_end; > > -DEFINE_PER_CPU(struct tss_struct, init_tss); > - > char __section(".bss.stack_aligned") __aligned(STACK_SIZE) > cpu0_stack[STACK_SIZE]; > > diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c > index 38d12013db..e4b4587956 100644 > --- a/xen/arch/x86/traps.c > +++ b/xen/arch/x86/traps.c > @@ -108,6 +108,12 @@ idt_entry_t __section(".bss.page_aligned") > __aligned(PAGE_SIZE) > /* Pointer to the IDT of every CPU. */ > idt_entry_t *idt_tables[NR_CPUS] __read_mostly; > > +/* > + * The TSS is smaller than a page, but we give it a full page to avoid > + * adjacent per-cpu data leaking via Meltdown when XPTI is in use. > + */ > +DEFINE_PER_CPU_PAGE_ALIGNED(struct __aligned(PAGE_SIZE) tss_struct, > init_tss); Can't you bundle the __aligned attribute in DEFINE_PER_CPU_PAGE_ALIGNED itself? #define DEFINE_PER_CPU_PAGE_ALIGNED(type, name) \ __DEFINE_PER_CPU(type __aligned(PAGE_SIZE), _##name, .page_aligned) I haven't tested this TBH. I'm also not able to find how __typeof__ (used by __DEFINE_PER_CPU) behaves regarding attributes, but I'm quite sure it keeps them or else lots of things will break. Thanks, Roger. _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.