Xen project Mailing List

[PATCH 11/16] x86: add a boot option to enable and disable the direct map

From: Hongyan Xia <hx242@xxxxxxx>

Date: Thu, 30 Apr 2020 21:44:20 +0100

Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, julien@xxxxxxx, Wei Liu <wl@xxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>

Delivery-date: Thu, 30 Apr 2020 20:50:15 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

From: Hongyan Xia <hongyxia@xxxxxxxxxx> Also add a helper function to retrieve it. Change arch_mfn_in_direct_map to check this option before returning. This is added as a boot command line option, not a Kconfig. We do not produce different builds for EC2 so this is not introduced as a compile-time configuration. Signed-off-by: Hongyan Xia <hongyxia@xxxxxxxxxx> --- docs/misc/xen-command-line.pandoc | 12 ++++++++++++ xen/arch/x86/mm.c | 3 +++ xen/arch/x86/setup.c | 2 ++ xen/include/asm-arm/mm.h | 5 +++++ xen/include/asm-x86/mm.h | 17 ++++++++++++++++- 5 files changed, 38 insertions(+), 1 deletion(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index ee12b0f53f..7027e3a15c 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -652,6 +652,18 @@ Specify the size of the console debug trace buffer. By specifying `cpu:` additionally a trace buffer of the specified size is allocated per cpu. The debug trace feature is only enabled in debugging builds of Xen. +### directmap (x86) +> `= <boolean>` + +> Default: `true` + +Enable or disable the direct map region in Xen. + +By default, Xen creates the direct map region which maps physical memory +in that region. Setting this to no will remove the direct map, blocking +exploits that leak secrets via speculative memory access in the direct +map. + ### dma_bits > `= <integer>` diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index b3530d2763..64da997764 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -162,6 +162,9 @@ l1_pgentry_t __section(".bss.page_aligned") __aligned(PAGE_SIZE) l1_pgentry_t __section(".bss.page_aligned") __aligned(PAGE_SIZE) l1_fixmap_x[L1_PAGETABLE_ENTRIES]; +bool __read_mostly opt_directmap = true; +boolean_param("directmap", opt_directmap); + paddr_t __read_mostly mem_hotplug; /* Frame table size in pages. */ diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c index faca8c9758..60fc4038be 100644 --- a/xen/arch/x86/setup.c +++ b/xen/arch/x86/setup.c @@ -1282,6 +1282,8 @@ void __init noreturn __start_xen(unsigned long mbi_p) if ( highmem_start ) xenheap_max_mfn(PFN_DOWN(highmem_start - 1)); + printk("Booting with directmap %s\n", arch_has_directmap() ? "on" : "off"); + /* * Walk every RAM region and map it in its entirety (on x86/64, at least) * and notify it to the boot allocator. diff --git a/xen/include/asm-arm/mm.h b/xen/include/asm-arm/mm.h index 7df91280bc..e6fd934113 100644 --- a/xen/include/asm-arm/mm.h +++ b/xen/include/asm-arm/mm.h @@ -366,6 +366,11 @@ int arch_acquire_resource(struct domain *d, unsigned int type, unsigned int id, return -EOPNOTSUPP; } +static inline bool arch_has_directmap(void) +{ + return true; +} + #endif /* __ARCH_ARM_MM__ */ /* * Local variables: diff --git a/xen/include/asm-x86/mm.h b/xen/include/asm-x86/mm.h index ef7a20ac7d..7ff99ee8e3 100644 --- a/xen/include/asm-x86/mm.h +++ b/xen/include/asm-x86/mm.h @@ -454,6 +454,8 @@ int check_descriptor(const struct domain *d, seg_desc_t *desc); extern paddr_t mem_hotplug; +extern bool opt_directmap; + /****************************************************************************** * With shadow pagetables, the different kinds of address start * to get get confusing. @@ -637,13 +639,26 @@ extern const char zero_page[]; /* Build a 32bit PSE page table using 4MB pages. */ void write_32bit_pse_identmap(uint32_t *l2); +static inline bool arch_has_directmap(void) +{ + return opt_directmap; +} + /* * x86 maps part of physical memory via the directmap region. * Return whether the input MFN falls in that range. + * + * When boot command line sets directmap=no, we will not have a direct map at + * all so this will always return false. */ static inline bool arch_mfn_in_directmap(unsigned long mfn) { - unsigned long eva = min(DIRECTMAP_VIRT_END, HYPERVISOR_VIRT_END); + unsigned long eva; + + if ( !arch_has_directmap() ) + return false; + + eva = min(DIRECTMAP_VIRT_END, HYPERVISOR_VIRT_END); return mfn <= (virt_to_mfn(eva - 1) + 1); } -- 2.24.1.AMZN

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.