Xen project Mailing List

Re: [Xen-devel] [PATCH for-4.13] x86/vvmx: Fix livelock with XSA-304 fix

From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Fri, 22 Nov 2019 18:35:35 +0000

Authentication-results: esa5.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none; spf=None smtp.pra=andrew.cooper3@xxxxxxxxxx; spf=Pass smtp.mailfrom=Andrew.Cooper3@xxxxxxxxxx; spf=None smtp.helo=postmaster@xxxxxxxxxxxxxxx

Autocrypt: addr=andrew.cooper3@xxxxxxxxxx; prefer-encrypt=mutual; keydata= mQINBFLhNn8BEADVhE+Hb8i0GV6mihnnr/uiQQdPF8kUoFzCOPXkf7jQ5sLYeJa0cQi6Penp VtiFYznTairnVsN5J+ujSTIb+OlMSJUWV4opS7WVNnxHbFTPYZVQ3erv7NKc2iVizCRZ2Kxn srM1oPXWRic8BIAdYOKOloF2300SL/bIpeD+x7h3w9B/qez7nOin5NzkxgFoaUeIal12pXSR Q354FKFoy6Vh96gc4VRqte3jw8mPuJQpfws+Pb+swvSf/i1q1+1I4jsRQQh2m6OTADHIqg2E ofTYAEh7R5HfPx0EXoEDMdRjOeKn8+vvkAwhviWXTHlG3R1QkbE5M/oywnZ83udJmi+lxjJ5 YhQ5IzomvJ16H0Bq+TLyVLO/VRksp1VR9HxCzItLNCS8PdpYYz5TC204ViycobYU65WMpzWe LFAGn8jSS25XIpqv0Y9k87dLbctKKA14Ifw2kq5OIVu2FuX+3i446JOa2vpCI9GcjCzi3oHV e00bzYiHMIl0FICrNJU0Kjho8pdo0m2uxkn6SYEpogAy9pnatUlO+erL4LqFUO7GXSdBRbw5 gNt25XTLdSFuZtMxkY3tq8MFss5QnjhehCVPEpE6y9ZjI4XB8ad1G4oBHVGK5LMsvg22PfMJ ISWFSHoF/B5+lHkCKWkFxZ0gZn33ju5n6/FOdEx4B8cMJt+cWwARAQABtClBbmRyZXcgQ29v cGVyIDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPokCOgQTAQgAJAIbAwULCQgHAwUVCgkI CwUWAgMBAAIeAQIXgAUCWKD95wIZAQAKCRBlw/kGpdefoHbdD/9AIoR3k6fKl+RFiFpyAhvO 59ttDFI7nIAnlYngev2XUR3acFElJATHSDO0ju+hqWqAb8kVijXLops0gOfqt3VPZq9cuHlh IMDquatGLzAadfFx2eQYIYT+FYuMoPZy/aTUazmJIDVxP7L383grjIkn+7tAv+qeDfE+txL4 SAm1UHNvmdfgL2/lcmL3xRh7sub3nJilM93RWX1Pe5LBSDXO45uzCGEdst6uSlzYR/MEr+5Z JQQ32JV64zwvf/aKaagSQSQMYNX9JFgfZ3TKWC1KJQbX5ssoX/5hNLqxMcZV3TN7kU8I3kjK mPec9+1nECOjjJSO/h4P0sBZyIUGfguwzhEeGf4sMCuSEM4xjCnwiBwftR17sr0spYcOpqET ZGcAmyYcNjy6CYadNCnfR40vhhWuCfNCBzWnUW0lFoo12wb0YnzoOLjvfD6OL3JjIUJNOmJy RCsJ5IA/Iz33RhSVRmROu+TztwuThClw63g7+hoyewv7BemKyuU6FTVhjjW+XUWmS/FzknSi dAG+insr0746cTPpSkGl3KAXeWDGJzve7/SBBfyznWCMGaf8E2P1oOdIZRxHgWj0zNr1+ooF /PzgLPiCI4OMUttTlEKChgbUTQ+5o0P080JojqfXwbPAyumbaYcQNiH1/xYbJdOFSiBv9rpt TQTBLzDKXok86LkCDQRS4TZ/ARAAkgqudHsp+hd82UVkvgnlqZjzz2vyrYfz7bkPtXaGb9H4 Rfo7mQsEQavEBdWWjbga6eMnDqtu+FC+qeTGYebToxEyp2lKDSoAsvt8w82tIlP/EbmRbDVn 7bhjBlfRcFjVYw8uVDPptT0TV47vpoCVkTwcyb6OltJrvg/QzV9f07DJswuda1JH3/qvYu0p vjPnYvCq4NsqY2XSdAJ02HrdYPFtNyPEntu1n1KK+gJrstjtw7KsZ4ygXYrsm/oCBiVW/OgU g/XIlGErkrxe4vQvJyVwg6YH653YTX5hLLUEL1NS4TCo47RP+wi6y+TnuAL36UtK/uFyEuPy wwrDVcC4cIFhYSfsO0BumEI65yu7a8aHbGfq2lW251UcoU48Z27ZUUZd2Dr6O/n8poQHbaTd 6bJJSjzGGHZVbRP9UQ3lkmkmc0+XCHmj5WhwNNYjgbbmML7y0fsJT5RgvefAIFfHBg7fTY/i kBEimoUsTEQz+N4hbKwo1hULfVxDJStE4sbPhjbsPCrlXf6W9CxSyQ0qmZ2bXsLQYRj2xqd1 bpA+1o1j2N4/au1R/uSiUFjewJdT/LX1EklKDcQwpk06Af/N7VZtSfEJeRV04unbsKVXWZAk uAJyDDKN99ziC0Wz5kcPyVD1HNf8bgaqGDzrv3TfYjwqayRFcMf7xJaL9xXedMcAEQEAAYkC HwQYAQgACQUCUuE2fwIbDAAKCRBlw/kGpdefoG4XEACD1Qf/er8EA7g23HMxYWd3FXHThrVQ HgiGdk5Yh632vjOm9L4sd/GCEACVQKjsu98e8o3ysitFlznEns5EAAXEbITrgKWXDDUWGYxd pnjj2u+GkVdsOAGk0kxczX6s+VRBhpbBI2PWnOsRJgU2n10PZ3mZD4Xu9kU2IXYmuW+e5KCA vTArRUdCrAtIa1k01sPipPPw6dfxx2e5asy21YOytzxuWFfJTGnVxZZSCyLUO83sh6OZhJkk b9rxL9wPmpN/t2IPaEKoAc0FTQZS36wAMOXkBh24PQ9gaLJvfPKpNzGD8XWR5HHF0NLIJhgg 4ZlEXQ2fVp3XrtocHqhu4UZR4koCijgB8sB7Tb0GCpwK+C4UePdFLfhKyRdSXuvY3AHJd4CP 4JzW0Bzq/WXY3XMOzUTYApGQpnUpdOmuQSfpV9MQO+/jo7r6yPbxT7CwRS5dcQPzUiuHLK9i nvjREdh84qycnx0/6dDroYhp0DFv4udxuAvt1h4wGwTPRQZerSm4xaYegEFusyhbZrI0U9tJ B8WrhBLXDiYlyJT6zOV2yZFuW47VrLsjYnHwn27hmxTC/7tvG3euCklmkn9Sl9IAKFu29RSo d5bD8kMSCYsTqtTfT6W4A3qHGvIDta3ptLYpIAOD2sY3GYq2nf3Bbzx81wZK14JdDDHUX2Rs 6+ahAA==

Cc: Juergen Gross <jgross@xxxxxxxx>, Wei Liu <wl@xxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>

Delivery-date: Fri, 22 Nov 2019 18:35:48 +0000

Ironport-sdr: NT3vszKf9dKrxKyjlfOSURX/z6zAOcUhXlFZWY3oDh/Liv+9KUpunAw9rPe6QUvSNj4CXs0MY8 0ggOIh56did4HGh7yS1bulZH/4YmkZQIcx9XN1NgOBfzQutwi/8/2uT0KVOkuPCmq2IFExO2yS 5igQCaD/oScUxayZ/f7QXfI7SDdVroytSbwDIYfGCpSGR9FK+tHhe+geMwUNFtK4Mvekmtft1s bhBg/AmaaFlXEvd4EX5ovL7vdB1ilzY84vmqDvcyTi1XnjcFnd/hGejOEb/KPiOwdVfw92zu12 syI=

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Openpgp: preference=signencrypt

On 22/11/2019 18:08, George Dunlap wrote: > On Fri, Nov 22, 2019 at 5:55 PM Andrew Cooper <andrew.cooper3@xxxxxxxxxx> > wrote: >> It turns out that the XSA-304 / CVE-2018-12207 fix of disabling executable >> superpages doesn't work well with the nested p2m code. >> >> Nested virt is experimental and not security supported, but is useful for >> development purposes. In order to not regress the status quo, disable the >> XSA-304 workaround until the nested p2m code can be improved. >> >> Introduce a per-domain exec_sp control and set it based on the current >> opt_ept_exec_sp setting. Take the oppotunity to omit a PVH hardware domain >> from the performance hit, because it is already permitted to DoS the system >> in >> such ways as issuing a reboot. >> >> When nested virt is enabled on a domain, force it to using executable >> superpages and rebuild the p2m. >> >> Having the setting per-domain involves rearranging the internals of >> parse_ept_param_runtime() but it still retains the same overall semantics - >> for each applicable domain whose setting needs to change, rebuild the p2m. >> >> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> >> --- >> CC: Jan Beulich <JBeulich@xxxxxxxx> >> CC: Wei Liu <wl@xxxxxxx> >> CC: Roger Pau Monné <roger.pau@xxxxxxxxxx> >> CC: Juergen Gross <jgross@xxxxxxxx> >> --- >> xen/arch/x86/hvm/vmx/vmcs.c | 31 +++++++++++++++++++++++-------- >> xen/arch/x86/hvm/vmx/vmx.c | 6 ++++++ >> xen/arch/x86/hvm/vmx/vvmx.c | 13 +++++++++++++ >> xen/arch/x86/mm/p2m-ept.c | 2 +- >> xen/include/asm-x86/hvm/vmx/vmcs.h | 6 ++++++ >> 5 files changed, 49 insertions(+), 9 deletions(-) >> >> diff --git a/xen/arch/x86/hvm/vmx/vmcs.c b/xen/arch/x86/hvm/vmx/vmcs.c >> index 477c968409..f10f6b78ec 100644 >> --- a/xen/arch/x86/hvm/vmx/vmcs.c >> +++ b/xen/arch/x86/hvm/vmx/vmcs.c >> @@ -31,6 +31,7 @@ >> #include <asm/xstate.h> >> #include <asm/hvm/hvm.h> >> #include <asm/hvm/io.h> >> +#include <asm/hvm/nestedhvm.h> >> #include <asm/hvm/support.h> >> #include <asm/hvm/vmx/vmx.h> >> #include <asm/hvm/vmx/vvmx.h> >> @@ -97,6 +98,7 @@ custom_param("ept", parse_ept_param); >> >> static int parse_ept_param_runtime(const char *s) >> { >> + struct domain *d; >> int val; >> >> if ( !cpu_has_vmx_ept || !hvm_funcs.hap_supported || >> @@ -110,18 +112,31 @@ static int parse_ept_param_runtime(const char *s) >> if ( (val = parse_boolean("exec-sp", s, NULL)) < 0 ) >> return -EINVAL; >> >> - if ( val != opt_ept_exec_sp ) >> + opt_ept_exec_sp = val; >> + >> + rcu_read_lock(&domlist_read_lock); >> + for_each_domain ( d ) >> { >> - struct domain *d; >> + /* PV, or HVM Shadow domain? Not applicable. */ >> + if ( !paging_mode_hap(d) ) >> + continue; >> >> - opt_ept_exec_sp = val; >> + /* Hardware domain? Not applicable. */ >> + if ( is_hardware_domain(d) ) >> + continue; >> >> - rcu_read_lock(&domlist_read_lock); >> - for_each_domain ( d ) >> - if ( paging_mode_hap(d) ) >> - p2m_change_entry_type_global(d, p2m_ram_rw, p2m_ram_rw); >> - rcu_read_unlock(&domlist_read_lock); >> + /* Nested Virt? Broken and exec_sp forced on to avoid livelocks. */ >> + if ( nestedhvm_enabled(d) ) >> + continue; >> + >> + /* Setting already matches? No need to rebuild the p2m. */ >> + if ( d->arch.hvm.vmx.exec_sp == val ) >> + continue; >> + >> + d->arch.hvm.vmx.exec_sp = val; >> + p2m_change_entry_type_global(d, p2m_ram_rw, p2m_ram_rw); >> } >> + rcu_read_unlock(&domlist_read_lock); >> >> printk("VMX: EPT executable superpages %sabled\n", >> val ? "en" : "dis"); >> diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c >> index 6a5eeb5c13..a71df71bc1 100644 >> --- a/xen/arch/x86/hvm/vmx/vmx.c >> +++ b/xen/arch/x86/hvm/vmx/vmx.c >> @@ -404,6 +404,12 @@ static int vmx_domain_initialise(struct domain *d) >> >> d->arch.ctxt_switch = &csw; >> >> + /* >> + * Work around CVE-2018-12207? The hardware domain is already permitted >> + * to reboot the system, so doesn't need mitigating against DoS's. >> + */ >> + d->arch.hvm.vmx.exec_sp = is_hardware_domain(d) || opt_ept_exec_sp; >> + >> if ( !has_vlapic(d) ) >> return 0; >> >> diff --git a/xen/arch/x86/hvm/vmx/vvmx.c b/xen/arch/x86/hvm/vmx/vvmx.c >> index 6696bd6240..5dd00e11b5 100644 >> --- a/xen/arch/x86/hvm/vmx/vvmx.c >> +++ b/xen/arch/x86/hvm/vmx/vvmx.c >> @@ -63,10 +63,23 @@ void nvmx_cpu_dead(unsigned int cpu) >> >> int nvmx_vcpu_initialise(struct vcpu *v) >> { >> + struct domain *d = v->domain; >> struct nestedvmx *nvmx = &vcpu_2_nvmx(v); >> struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v); >> struct page_info *pg = alloc_domheap_page(NULL, 0); >> >> + /* >> + * Gross bodge. The nested p2m logic can't cope with the CVE-2018-12207 >> + * workaround of using NX EPT superpages, and livelocks. Nested HVM >> isn't >> + * security supported, so disable the workaround until the nested p2m >> + * logic can be improved. >> + */ >> + if ( !d->arch.hvm.vmx.exec_sp ) >> + { >> + d->arch.hvm.vmx.exec_sp = true; >> + p2m_change_entry_type_global(d, p2m_ram_rw, p2m_ram_rw); > There wasn't an issue with nested guests having to deal with the > changed entry type? > > Assuming the answer to that is "no": > > Acked-by: George Dunlap <george.dunlap@xxxxxxxxxx> That is the issue we're working around by not letting the L01 walk encounter an NX superpage to begin with. ~Andrew _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.