[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH V6 2/4] x86/altp2m: Add hypercall to set a range of sve bits

  • To: George Dunlap <george.dunlap@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Alexandru Stefan ISAILA <aisaila@xxxxxxxxxxxxxxx>
  • Date: Tue, 24 Dec 2019 09:04:57 +0000
  • Accept-language: en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=bitdefender.com; dmarc=pass action=none header.from=bitdefender.com; dkim=pass header.d=bitdefender.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=DBMN6YdXpZEN8kSnLGcDwH4T8yCWWn/Mkk6aGvWAmuo=; b=iL/Moav+2t/VMjzxmGrOVEKDZZilZgKYkkYdBbKT1F+9HSVou8iZT4pb/8Ub7rUKDt7mQBtn9MuBMbrfOPataHY8+r+FbyG7I1Z8iYIN2r7o/YbiKTmtrvExmF2+tn3F+hBg8UvbrmsoUsB5JIAwGi+VhoLcctqi2U2IVSf78mwQoZflPsV2Cb3/9yFF7G5q/WM8XXEBf384fMcdR0EhJd4TTmwOYb91B/d1PVrawb5vIygm9+5HeqLCfXIv689TZ0xiFMj6eKyWNnA/4KqS3K+VlQrN4Op8gu5IY+7P0RApz1hNrvpieMwJ1OLbxlmJ1qvAMsm4/amVHJFq70M6Vw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=aeM5RHol1JfwrZ71pq7iAqsP6aBhIIE1DqKWduAV95uLoCUnFdJqO04s7tzUlBJAzdnFbeVmdQ7VAeP1lvkAZVaU3wLMOTC54+cemG8Alr6rDZiK5sObkM3uo6UbbWerSy9x0sj6CarissJ5ta6uICXh08TyUwAyAWOJNkGUlQjwt8N03J6uQc81td2x3eiuZvs2H0B1yVnmlq6GAD1ci/4x4Ljm3cgy5ENI5/o+1rXEwwI1Cmu843Yo89TxPAQXZ3BZsP/lXeuQ7SXRP9Gt6lLZVYhPLu5HyiMdXvlzdmT2Haj2i1svTAe7VQXC7lAk7JrsuxBcIDr93cdyGGu5Wg==
  • Authentication-results: spf=none (sender IP is ) smtp.mailfrom=aisaila@xxxxxxxxxxxxxxx;
  • Cc: Petre Ovidiu PIRCALABU <ppircalabu@xxxxxxxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Razvan COJOCARU <rcojocaru@xxxxxxxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxxxxx>, Tamas K Lengyel <tamas@xxxxxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Delivery-date: Tue, 24 Dec 2019 09:05:25 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AQHVuZnoQDql7d7Su0+P124sSAtk36fI9bKAgAAmd4D//+FVgIAAAbmA
  • Thread-topic: [Xen-devel] [PATCH V6 2/4] x86/altp2m: Add hypercall to set a range of sve bits
>>>> +/*
>>>> + * Set/clear the #VE suppress bit for multiple pages.  Only available on 
>>>> VMX.
>>>> + */
>>>> +int p2m_set_suppress_ve_multi(struct domain *d,
>>>> +                              struct xen_hvm_altp2m_suppress_ve_multi 
>>>> *sve)
>>>> +{
>>>> +    struct p2m_domain *host_p2m = p2m_get_hostp2m(d);
>>>> +    struct p2m_domain *ap2m = NULL;
>>>> +    struct p2m_domain *p2m = host_p2m;
>>>> +    uint64_t start = sve->first_gfn;
>>>> +    int rc = 0;
>>>> +
>>>> +    if ( sve->view > 0 )
>>>> +    {
>>>> +        if ( sve->view >= MAX_ALTP2M ||
>>>> +             d->arch.altp2m_eptp[array_index_nospec(sve->view, 
>>>> MAX_ALTP2M)] ==
>>>> +             mfn_x(INVALID_MFN) )
>>>> +            return -EINVAL;
>>>> +
>>>> +        p2m = ap2m = d->arch.altp2m_p2m[array_index_nospec(sve->view,
>>>> +                                                           MAX_ALTP2M)];
>>>> +    }
>>>> +
>>>> +    p2m_lock(host_p2m);
>>>> +
>>>> +    if ( ap2m )
>>>> +        p2m_lock(ap2m);
>>>> +
>>>> +    while ( sve->last_gfn >= start )
>>>> +    {
>>>> +        p2m_access_t a;
>>>> +        p2m_type_t t;
>>>> +        mfn_t mfn;
>>>> +        int err = 0;
>>>> +
>>>> +        if ( altp2m_get_effective_entry(p2m, _gfn(start), &mfn, &t, &a, 
>>>> AP2MGET_query) )
>>>> +            a = p2m->default_access;
>>>
>>> So in the single-entry version, if altp2m_get_effective_entry() returns
>>> an error, you pass that error up the stack; but in the multiple-entry
>>> version, you ignore the error and simply set the access to
>>> default_access?  I don't think that can be right.  If it is right, then
>>> it definitely needs a comment.
>>>
>>
>> The idea behind this was to have a best effort try and signal the first
>> error. If the get_entry fails then the best way to go is with
>> default_access but this is open for debate.
> 
> I don't see how it's a good idea at all. If get_effective_entry fails,
> then mfn and t may both be uninitialized.  If an attacker can arrange
> for those to have the values she wants, she could use this to take over
> the system.
> 
>> Another way to solve this is to update the first_error_gfn/first_error
>> and then continue. I think this ca be used to make p2m_set_suppress_ve()
>> call p2m_set_suppress_ve_multi.
> 
> Isn't that exactly the semantics you want -- try gfn N, if that fails,
> record it and move on to the next one?  Why would "write an entry with
> random values for mfn and type, but with the default access" be a better
> response?
> 

That is right, I'll go with this for the next version. Should I have the 
single version call the _multi version after this change?

Alex
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.