[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH L1TF MDS GT v4 1/2] common/grant_table: harden bound accesses

  • To: Norbert Manthey <nmanthey@xxxxxxxxx>
  • From: Jan Beulich <JBeulich@xxxxxxxx>
  • Date: Tue, 30 Jul 2019 13:38:30 +0000
  • Accept-language: en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1;spf=pass smtp.mailfrom=suse.com;dmarc=pass action=none header.from=suse.com;dkim=pass header.d=suse.com;arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=nwlAt2OehTeo9mW3PbTVg+Dm93CezandTO5jJZvsKkI=; b=M6DwOUZQ8WzdYSKTo2CHZ6Bwbs2CPNvLgEomqbvSjS45c2+SUEEdhyM5oYoRusyg/JQVlppLXtYbrtkGxLbj6PB7Tz5JoRoa4gBllnfYolNJxL6ZRELOsbL3vypYfZAJ6kZm9ZnSSLh4DcCwTfpe3aSn4lTe6Z2QcHVPNLR3CJzv9vmGtzUTOmR6lTSIWHBbih+bXfog2Ae4SUrrrV2trw5Ek4JOr+JNL1Ldgr6tuK4WQY08yMnAKWx+TOk1Sz/n1fDRP2FYhtND1URRuSvV4mg81nMCHJ0hV9ZAgu9KzKO+WmaAOV8vZUu6dJVw1bhwTWnLj2XT7SihInV6774JSA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=QrK9htCvQMwSgFfbL5KzqAiP6xrG04+lVjqSW5+cuMUkN3W8IJ1gmosRIjxB3LU8lVbu8LvKvZSr+DZNJE81nDUPetLPsE6QPBJTl/XwSh+1eNkCxhpUn/0XjvQjqISVQ5qhtOuksOUDBllXGKatgAJQ2ptpK3TcP7ZKCKy1bwVmuege4NEU9zNOTTVe4h/is1m50bv4zSjrjmCANlAETYUDsTBpW6jqgNnxTksLHStHH8J56adP8rDqd9lKV7CPravj1gc9KHy6fcL7ZhIuJKBsZhG3j5fQKUnHsFE/+KyWM2o1lLdvDi0YKA1qHVj8ZfryhYFuz+wxkIwAs0msxA==
  • Authentication-results: spf=none (sender IP is ) smtp.mailfrom=JBeulich@xxxxxxxx;
  • Cc: Juergen Gross <JGross@xxxxxxxx>, Tim Deegan <tim@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, KonradRzeszutek Wilk <konrad.wilk@xxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, IanJackson <ian.jackson@xxxxxxxxxxxxx>, Dario Faggioli <dfaggioli@xxxxxxxx>, Martin Pohlack <mpohlack@xxxxxxxxx>, Pawel Wieczorkiewicz <wipawel@xxxxxxxxx>, Julien Grall <julien.grall@xxxxxxx>, David Woodhouse <dwmw@xxxxxxxxxxxx>, Martin Mazein <amazein@xxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Bjoern Doebel <doebel@xxxxxxxxx>
  • Delivery-date: Tue, 30 Jul 2019 13:44:35 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AQHVRtj90XYoVpwrQku2OrPMiAgfMabjKmoA
  • Thread-topic: [PATCH L1TF MDS GT v4 1/2] common/grant_table: harden bound accesses
On 30.07.2019 15:15, Norbert Manthey wrote:
> Guests can issue grant table operations and provide guest controlled
> data to them. This data is used as index for memory loads after bound
> checks have been done. To avoid speculative out-of-bound accesses, we
> use the array_index_nospec macro where applicable, or the macro
> block_speculation. Note, the block_speculation macro is used on all
> path in shared_entry_header and nr_grant_entries. This way, after a
> call to such a function, all bound checks that happened before become
> architectural visible, so that no additional protection is required
> for corresponding array accesses. As the way we introduce an lfence
> instruction might allow the compiler to reload certain values from
> memory multiple times, we try to avoid speculatively continuing
> execution with stale register data by moving relevant data into
> function local variables.
> 
> Speculative execution is not blocked in case one of the following
> properties is true:
>   - path cannot be triggered by the guest
>   - path does not return to the guest
>   - path does not result in an out-of-bound access
> 
> Only the combination of the above properties allows to actually leak
> continuous chunks of memory. Therefore, we only add the penalty of
> protective mechanisms in case a potential speculative out-of-bound
> access matches all the above properties.
> 
> This commit addresses only out-of-bound accesses whose index is
> directly controlled by the guest, and the index is checked before.
> Potential out-of-bound accesses that are caused by speculatively
> evaluating the version of the current table are not addressed in this
> commit. Hence, speculative out-of-bound accesses might still be
> possible, for example in gnttab_get_status_frame_mfn, when calling
> gnttab_grow_table, the assertion that the grant table version equals
> two might not hold under speculation.
> 
> This is part of the speculative hardening effort.
> 
> Signed-off-by: Norbert Manthey <nmanthey@xxxxxxxxx>
> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
> ---
> 
> Notes:
>    v3:  Drop condition to not fix defects in commit message.
>         Copy in reviewed-by.

According to this (which aiui means v4) there are no code changes
compared to v3. At the risk of annoying you, this doesn't fit well
with me having said "and then perhaps make changes to a few more
paths" alongside the option of doing this removal in reply to v3.
After all you've now dropped a condition from what is covered by
"Only the combination of ...", and hence there's a wider set of
paths that would need to be fixed. It was for this reason that as
the other alternative I did suggest to simply weaken the wording
of the item you've now dropped. IOW I'm afraid my R-b is not
applicable to v4.

Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.