Xen project Mailing List

Re: [PATCH HVM v2 1/1] hvm: refactor set param

From: Norbert Manthey <nmanthey@xxxxxxxxx>

Date: Thu, 11 Feb 2021 21:46:47 +0100

Autocrypt: addr=nmanthey@xxxxxxxxx; prefer-encrypt=mutual; keydata= xsFNBFoJQc0BEADM8Z7hB7AnW6ErbSMsYkKh4HLAPfoM+wt7Fd7axHurcOgFJEBOY2gz0isR /EDiGxYyTgxt5PZHJIfra0OqXRbWuLltbjhJACbu35eaAo8UM4/awgtYx3O1UCbIlvHGsYDg kXjF8bBrVjPu0+g55XizX6ot/YPAgmWTdH8qXoLYVZVWJilKlTqpYEVvarSn/BVgCbIsQIps K93sOTN9eJKDSqHvbkgKl9XG3WsZ703431egIpIZpfN0zZtzumdZONb7LiodcFHJ717vvd89 3Hv2bYv8QLSfYsZcSnyU0NVzbPhb1WtaduwXwNmnX1qHJuExzr8EnRT1pyhVSqouxt+xkKbV QD9r+cWLChumg3g9bDLzyrOTlEfAUNxIqbzSt03CRR43dWgfgGiLDcrqC2b1QR886WDpz4ok xX3fdLaqN492s/3c59qCGNG30ebAj8AbV+v551rsfEba+IWTvvoQnbstc6vKJCc2uG8rom5o eHG/bP1Ug2ht6m/0uWRyFq9C27fpU9+FDhb0ZsT4UwOCbthe35/wBZUg72zDpT/h5lm64G6C 0TRqYRgYcltlP705BJafsymmAXOZ1nTCuXnYAB9G9LzZcKKq5q0rP0kp7KRDbniirCUfp7jK VpPCOUEc3tS1RdCCSeWNuVgzLnJdR8W2h9StuEbb7hW4aFhwRQARAQABzSROb3JiZXJ0IE1h bnRoZXkgPG5tYW50aGV5QGFtYXpvbi5kZT7CwX0EEwEIACcFAloJQc0CGyMFCQlmAYAFCwkI BwIGFQgJCgsCBBYCAwECHgECF4AACgkQZ+8yS8zN62ajmQ/6AlChoY5UlnUaH/jgcabyAfUC XayHgCcpL1SoMKvc2rCA8PF0fza3Ep2Sw0idLqC/LyAYbI6gMYavSZsLcsvY6KYAZKeaEriG 7R6cSdrbmRcKpPjwvv4iY6G0DBTeaqfNjGe1ECY8u522LprDQVquysJIf3YaEyxoK/cLSb0c kjzpqI1P9Vh+8BQb5H9gWpakbhFIwbRGHdAF1roT7tezmEshFS0IURJ2ZFEI+ZgWgtl1MBwN sBt65im7x5gDo25h8A5xC9gLXTc4j3tk+3huaZjUJ9mCbtI12djVtspjNvDyUPQ5Mxw2Jwar C3/ZC+Nkb+VlymmErpnEUZNltcq8gsdYND4TlNbZ2JhD0ibiYFQPkyuCVUiVtimXfh6po9Yt OkE0DIgEngxMYfTTx01Zf6iwrbi49eHd/eQQw3zG5nn+yZsEG8UcP1SCrUma8p93KiKOedoL n43kTg4RscdZMjj4v6JkISBcGTR4uotMYP4M0zwjklnFXPmrZ6/E5huzUpH9B7ZIe/SUu8Ur xww/4dN6rfqbNzMxmya8VGlEQZgUMWcck+cPrRLB09ZOk4zq9i/yaHDEZA1HNOfQ9UCevXV5 7seXSX7PCY6WDAdsT3+FuaoQ7UoWN3rdpb+064QKZ0FsHeGzUd7MZtlgU4EKrh25mTSNZYRs nTz2zT/J33fOwU0EWglBzQEQAKioD1gSELj3Y47NE11oPkzWWdxKZdVr8B8VMu6nVAAGFRSf Dms4ZmwGY27skMmOH2srnZyTfm9FaTKr8RI+71Fh9nfB9PMmwzA7OIY9nD73/HqPywzTTleG MlALmnuY6xFRSDmqmvxDHgWyzB4TgPWt8+hW3+TJKCx2RgLAdSuULZla4lia+NlS8WNRUDGK sFJCCB3BW5I/cocfpBEUqLbbmnPuD9UKpEnFcYWD9YaDNcBTjSc7iDsvtpdrBXg5VETOz/TQ /CmVs9h/5zug8O4bXxHEEJpCAxs4cGKxowBqx/XJfkwdWeo/LdaeR+LRbXvq4A32HSkyj9sV vygwt2OFEk493JGik8qtAA/oPvuqVPJGacxmZ7zKR12c0mnKCHiexFJzFbC7MSiUhhe8nNiM p6Sl6EZmsTUXhV2bd2M12Bqcss3TTJ1AcW04T4HYHVCSxwl0dVfcf3TIaH0BSPiwFxz0FjMk 10umoRvUhYYoYpPFCz8dujXBlfB8q2tnHltEfoi/EIptt1BMNzTYkHKArj8Fwjf6K+nQ3a8p 1cWfkYpA5bRqbhbplzpa0u1Ex0hZk6pka0qcVgqmH31O2OcSsqeKfUfHkzj3Q6dmuwm1je/f HWH9N1gDPEp1RB5bIxPnOG1Z4SNl9oVQJhc4qoJiqbvkciivYcH7u2CBkboFABEBAAHCwWUE GAEIAA8FAloJQc0CGwwFCQlmAYAACgkQZ+8yS8zN62YU9Q//WTnN28aBX1EhDidVho80Ql2b tV1cDRh/vWTcM4qoM8vzW4+F/Ive6wDVAJ7zwAv8F8WPzy+acxtHLkyYk14M6VZ1eSy0kV0+ RZQdQ+nPtlb1MoDKw2N5zhvs8A+WD8xjDIA9i21hQ/BNILUBINuYKyR19448/41szmYIEhuJ R2fHoLzNdXNKWQnN3/NPTuvpjcrkXKJm2k32qfiys9KBcZX8/GpuMCc9hMuymzOr+YlXo4z4 1xarEJoPOQOXnrmxN4Y30/qmf70KHLZ0GQccIm/o/XSOvNGluaYv0ZVJXHoCnYvTbi0eYvz5 OfOcndqLOfboq9kVHC6Yye1DLNGjIVoShJGSsphxOx2ryGjHwhzqDrLiRkV82gh6dUHKxBWd DXfirT8a4Gz/tY9PMxan67aSxQ5ONpXe7g7FrfrAMe91XRTf50G3rHb8+AqZfxZJFrBn+06i p1cthq7rJSlYCqna2FedTUT+tK1hU9O0aK4ZYYcRzuTRxjd4gKAWDzJ1F/MQ12ftrfCAvs7U sVbXv2TndGIleMnheYv1pIrXEm0+sdz5v91l2/TmvkyyWT8s2ksuZis9luh+OubeLxHq090C hfavI9WxhitfYVsfo2kr3EotGG1MnW+cOkCIX68w+3ZS4nixZyJ/TBa7RcTDNr+gjbiGMtd9 pEddsOqYwOs=

Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Ian Jackson <iwj@xxxxxxxxxxxxxx>, <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Thu, 11 Feb 2021 20:47:29 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 2/9/21 3:21 PM, Jan Beulich wrote: > On 09.02.2021 14:56, Norbert Manthey wrote: >> On 2/9/21 2:45 PM, Jan Beulich wrote: >>> On 09.02.2021 14:41, Norbert Manthey wrote: >>>> On 2/9/21 10:40 AM, Jan Beulich wrote: >>>>> On 08.02.2021 20:47, Norbert Manthey wrote: >>>>>> On 2/8/21 3:21 PM, Jan Beulich wrote: >>>>>>> On 05.02.2021 21:39, Norbert Manthey wrote: >>>>>>>> @@ -4108,6 +4108,13 @@ static int hvm_allow_set_param(struct domain *d, >>>>>>>> if ( rc ) >>>>>>>> return rc; >>>>>>>> >>>>>>>> + if ( index >= HVM_NR_PARAMS ) >>>>>>>> + return -EINVAL; >>>>>>>> + >>>>>>>> + /* Make sure we evaluate permissions before loading data of >>>>>>>> domains. */ >>>>>>>> + block_speculation(); >>>>>>>> + >>>>>>>> + value = d->arch.hvm.params[index]; >>>>>>>> switch ( index ) >>>>>>>> { >>>>>>>> /* The following parameters should only be changed once. */ >>>>>>> I don't see the need for the heavier block_speculation() here; >>>>>>> afaict array_access_nospec() should do fine. The switch() in >>>>>>> context above as well as the switch() further down in the >>>>>>> function don't have any speculation susceptible code. >>>>>> The reason to block speculation instead of just using the hardened index >>>>>> access is to not allow to speculatively load data from another domain. >>>>> Okay, looks like I got mislead by the added bounds check. Why >>>>> do you add that, when the sole caller already has one? It'll >>>>> suffice since you move the array access past the barrier, >>>>> won't it? >>>> I can drop that bound check again. This was added to make sure other >>>> callers would be save as well. Thinking about this a little more, the >>>> check could actually be moved into the hvm_allow_set_param function, >>>> above the first index access in that function. Are there good reasons to >>>> not move the index check into the allow function? >>> I guess I'm confused: We're talking about dropping the check >>> you add to hvm_allow_set_param() and you suggest to "move" it >>> right there? >> Yes. I can either just no introduce that check in that function (which >> is what you suggested). As an alternative, to have all checks in one >> function, I proposed to instead move it into hvm_allow_set_param. > Oh, I see. What I'd like to be the result of your re-arrangement is > symmetry between "get" and "set" where possible in this regard, and > asymmetry having a clear reason. Seeing that hvm_{get,set}_param() > are the non-static functions here, I think it would be quite > desirable for the bounds checking to live there. Since > hvm_allow_{get,set}_param() are specifically helpers of the two > earlier named functions, checks consistently living there would as > well be fine with me. I agree with the symmetry for get and set. This is what I'd aim for: 1. hvmop_set_param and hvmop_get_param (static) both check for the index, and afterwards use the is_hvm_domain(d) function with its barrier 2. hvm_set_param (static) and hvm_get_param both call their allow helper function, evaluate the return code, and afterwards block speculation. 2.1. hvm_get_param is declared in a public header, and cannot be turned into a static function, hence needs the index check 2.2. hvm_set_param is only called from hvmop_set_param, and index is already checked there, hence, do not add check 3. hvm_allow_set_param (static) and hvm_allow_get_param (static) do not validate the index parameter 3.1. hvm_allow_set_param blocks speculative execution with a barrier after domain permissions have been evaluated, before accessing the parameters of the domain. hvm_allow_get_param does not access the params member of the domain, and hence does not require additional protection. To simplify the code, I propose to furthermore make the hvmop_set_param function static as well. Please let me know whether the above would is acceptable. Best, Norbert > > Jan Amazon Development Center Germany GmbH Krausenstr. 38 10117 Berlin Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss Eingetragen am Amtsgericht Charlottenburg unter HRB 149173 B Sitz: Berlin Ust-ID: DE 289 237 879

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.