Xen project Mailing List

Re: Ping²: [PATCH] x86/PV: conditionally avoid raising #GP for early guest MSR accesses

To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

From: Roger Pau Monné <roger.pau@xxxxxxxxxx>

Date: Fri, 5 Feb 2021 13:05:38 +0100

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=fbkXz2G1gY1mWnqqlGfO24JSvUwQzoGuQbX7AZGJnFs=; b=P3pS0wzQVt5UMr8z/QGxHSb3TUj/qZjbwdSwsWrYyO5Zf6R/rcihc9ExwrMVgJfIvXeF+5rK7qugZe7l0b+AKZCDvctxKcUWxKHGQYQATNWTWH2NrKYlKW5cAQ3JdZ5PhDjRb0XUDpKIWlPIZhJsrImd+fjPCaImKjulIRNusuZKulUvA2qxN24b/M9tr+P+L/MpGqO7YcIhK0Sr8rX1WB+DHDcD6ZnYj4e6d2Kt5V+Mw5gMa4NNII0zVRnf6aCYA1eyA6WDHQQn3deUwJoWW/YuQ0F+0uDDvW4o/ehd5TRazoGohLCT9bgSvYXNbIquzONz4yAt3bMtidVcs57HWA==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=bf1c2yQ95iN019C3bGsNxiX5b5WD5gmJcp4s1QWoF2o5Bg08CET+iyLtUPfF7WgMYjErDnjblSuc8lbol/9bX4QWEet/7r9hbx9+Nb+WQKEnC96eOWcdE3WBpJCiviLDIKdjecfO7Ck19s/82HMZdiQ8NRmcgu4RbZpDFlZ7Opg9wjMd4APoNSuCHYjBaxd2SNO+VR8eaKpFp9tqoPGlFSEpXFtGQ9Fls9jl3b6zEQPZYOr9UYjSO6DfaDQxyUlkdvbgheYjV5JOWJ8glRLL7+jKw7G+2/Ddk1BCCe2Pq7kDZPxSJkOJC6zvc9mAD6HV2kmQ7Y2cu+UMU35HsyyTsw==

Authentication-results: esa3.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com

Cc: Jürgen Groß <jgross@xxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Wei Liu <wl@xxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Fri, 05 Feb 2021 12:05:55 +0000

Ironport-sdr: sNJvlcGzAXg5KGLksvcZglX5+0xm6aBgw/T8sCDjM3GfGv4mbXu9D74cbya9vRWyMZPoCXCyD7 OiPiTuFmGg+tjF8PgzPk0DbuLzLmQfeDS/cRN/mSSUv83oSM5njlD8jlH085V+KeMQJ1l2qBR0 SzTLf86WQMC8SggmdAfTm3WN2oYYrUGasg6owuZqPJMwMwTQJrfYImfNdBaqPfH7DOSXif8Sno LgclvvABxetoR7WDy+r83RVCAiyUIFBJLGvu0YSvV/8jefheUsnyGltrUQna2NAIBp7nyz7PI9 fWQ=

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Fri, Feb 05, 2021 at 11:32:07AM +0000, Andrew Cooper wrote: > On 05/02/2021 10:56, Jürgen Groß wrote: > > On 05.02.21 11:14, Jan Beulich wrote: > >> (simply re-sending what was sent over 2 months ago) > >> > >> On 04.11.2020 11:50, Jan Beulich wrote: > >>> On 03.11.2020 18:31, Andrew Cooper wrote: > >>>> On 03/11/2020 17:06, Jan Beulich wrote: > >>>>> Prior to 4.15 Linux, when running in PV mode, did not install a #GP > >>>>> handler early enough to cover for example the rdmsrl_safe() of > >>>>> MSR_K8_TSEG_ADDR in bsp_init_amd() (not to speak of the unguarded > >>>>> read > >>>>> of MSR_K7_HWCR later in the same function). The respective change > >>>>> (42b3a4cb5609 "x86/xen: Support early interrupts in xen pv > >>>>> guests") was > >>>>> backported to 4.14, but no further - presumably since it wasn't > >>>>> really > >>>>> easy because of other dependencies. > >>>>> > >>>>> Therefore, to prevent our change in the handling of guest MSR > >>>>> accesses > >>>>> to render PV Linux 4.13 and older unusable on at least AMD > >>>>> systems, make > >>>>> the raising of #GP on these paths conditional upon the guest having > >>>>> installed a handler. Producing zero for reads and discarding writes > >>>>> isn't necessarily correct and may trip code trying to detect > >>>>> presence of > >>>>> MSRs early, but since such detection logic won't work without a #GP > >>>>> handler anyway, this ought to be a fair workaround. > >>>>> > >>>>> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> > >>>> > >>>> I appreciate that we probably have to do something, but I don't think > >>>> this is a wise move. > >>> > >>> I wouldn't call it wise either, but I'm afraid something along > >>> these lines is necessary. > >>> > >>>> Linux is fundamentally buggy. It is deliberately looking for a > >>>> potential #GP fault given its use of rdmsrl_safe(). The reason > >>>> this bug > >>>> stayed hidden for so long was as a consequence of Xen's inappropriate > >>>> MSR handling for guests, and the reasons for changing Xen's behaviour > >>>> still stand. > >>> > >>> I agree. > >>> > >>>> This change, in particular, does not apply to any explicitly handled > >>>> MSRs, and therefore is not a comprehensive fix. > >>> > >>> But it's intentional that this deals with the situation in a > >>> generic way, not on a per-MSR basis. If we did as you suggest > >>> further down, we'd have to audit all Linux versions up to 4.14 > >>> for similar issues with other MSRs. I don't think this would > >>> be a practical thing to do, and I also don't think that leaving > >>> things as they are until we have concrete reports of problems > >>> is a viable option either. > >>> > >>> Adding explicit handling for the two offending MSRs (and any > >>> possible further ones we discover) would imo only be to avoid > >>> issuing the respective log messages. > >>> > >>>> Nor is it robust to > >>>> someone adding code to explicitly handling the impacted MSRs at a > >>>> later > >>>> date (which are are likely to need to do for HWCR), and which would > >>>> reintroduce this failure to boot. > >>> > >>> I'm afraid I don't understand. Looking at the two functions > >>> the patch alters, only X86EMUL_OKAY is used in return statements > >>> other than the final one. If this model is to be followed by > >>> future additions (which I think it ought to be; perhaps we > >>> should add comments to this effect), the code introduced here > >>> will take care of the situation nevertheless. > >>> > >>>> We should have the impacted MSRs handled explicitly, with a note > >>>> stating > >>>> this was a bug in Linux 4.14 and older. We already have workaround > >>>> for > >>>> similar bugs in Windows, and it also gives us a timeline to eventually > >>>> removing support for obsolete workarounds, rather than having a > >>>> "now and > >>>> in the future, we'll explicitly tolerate broken PV behaviour for > >>>> one bug > >>>> back in ancient linux". > >>> > >>> Comparing with Windows isn't very helpful; the patch here is > >>> specifically about PV, and would help other OSes as well in > >>> case they would have missed setting up exceptions early in > >>> just the PV-on-Xen case. For the HVM case I'd indeed rather > >>> see us go the route we've gone for Windows, if need be. > >> > >> As can be seen from this reply, we're not in agreement what to > >> do here. But we need to do something. I'm not sure how to get > >> unstuck discussions like this one ... > >> > >> Besides this suggestion of yours I also continue to have > >> trouble seeing what good it will do to record an exception to > >> inject into a guest when we know it didn't install a handler > >> yet. > > > > As we need to consider backports of processor bug mitigations > > in old guests, too, I think we need to have a "catch-all" > > fallback. > > > > Not being able to run an old updated guest until we add handling > > for a new MSR isn't a viable option IMO. > > You're trading off against issuing XSAs for all the unknown quantities > of sensitive in MSRs on all past and future platforms. This has > unbounded scope. > > Xen's previous behaviour was astoundingly stupid, and yes - we're > playing more than a decades worth of catchup in one release cycle. > > I'll absolutely take "care/tweaks need to happen crossing the Xen > 4.14=>4.15 boundary" over whack-a-mole for MSRs in the form of security > advisories. I think I'm likely missing part of the point here - Jan's patch would just return 0 for reads, so there's no leak of unhandled MSRs? Hence I'm not seeing the XSA aspect of this. Roger.

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.