[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [PATCH HVM v2 1/1] hvm: refactor set param
On 2/9/21 3:21 PM, Jan Beulich wrote: > On 09.02.2021 14:56, Norbert Manthey wrote: >> On 2/9/21 2:45 PM, Jan Beulich wrote: >>> On 09.02.2021 14:41, Norbert Manthey wrote: >>>> On 2/9/21 10:40 AM, Jan Beulich wrote: >>>>> On 08.02.2021 20:47, Norbert Manthey wrote: >>>>>> On 2/8/21 3:21 PM, Jan Beulich wrote: >>>>>>> On 05.02.2021 21:39, Norbert Manthey wrote: >>>>>>>> @@ -4108,6 +4108,13 @@ static int hvm_allow_set_param(struct domain *d, >>>>>>>> if ( rc ) >>>>>>>> return rc; >>>>>>>> >>>>>>>> + if ( index >= HVM_NR_PARAMS ) >>>>>>>> + return -EINVAL; >>>>>>>> + >>>>>>>> + /* Make sure we evaluate permissions before loading data of >>>>>>>> domains. */ >>>>>>>> + block_speculation(); >>>>>>>> + >>>>>>>> + value = d->arch.hvm.params[index]; >>>>>>>> switch ( index ) >>>>>>>> { >>>>>>>> /* The following parameters should only be changed once. */ >>>>>>> I don't see the need for the heavier block_speculation() here; >>>>>>> afaict array_access_nospec() should do fine. The switch() in >>>>>>> context above as well as the switch() further down in the >>>>>>> function don't have any speculation susceptible code. >>>>>> The reason to block speculation instead of just using the hardened index >>>>>> access is to not allow to speculatively load data from another domain. >>>>> Okay, looks like I got mislead by the added bounds check. Why >>>>> do you add that, when the sole caller already has one? It'll >>>>> suffice since you move the array access past the barrier, >>>>> won't it? >>>> I can drop that bound check again. This was added to make sure other >>>> callers would be save as well. Thinking about this a little more, the >>>> check could actually be moved into the hvm_allow_set_param function, >>>> above the first index access in that function. Are there good reasons to >>>> not move the index check into the allow function? >>> I guess I'm confused: We're talking about dropping the check >>> you add to hvm_allow_set_param() and you suggest to "move" it >>> right there? >> Yes. I can either just no introduce that check in that function (which >> is what you suggested). As an alternative, to have all checks in one >> function, I proposed to instead move it into hvm_allow_set_param. > Oh, I see. What I'd like to be the result of your re-arrangement is > symmetry between "get" and "set" where possible in this regard, and > asymmetry having a clear reason. Seeing that hvm_{get,set}_param() > are the non-static functions here, I think it would be quite > desirable for the bounds checking to live there. Since > hvm_allow_{get,set}_param() are specifically helpers of the two > earlier named functions, checks consistently living there would as > well be fine with me. I agree with the symmetry for get and set. This is what I'd aim for: 1. hvmop_set_param and hvmop_get_param (static) both check for the index, and afterwards use the is_hvm_domain(d) function with its barrier 2. hvm_set_param (static) and hvm_get_param both call their allow helper function, evaluate the return code, and afterwards block speculation. 2.1. hvm_get_param is declared in a public header, and cannot be turned into a static function, hence needs the index check 2.2. hvm_set_param is only called from hvmop_set_param, and index is already checked there, hence, do not add check 3. hvm_allow_set_param (static) and hvm_allow_get_param (static) do not validate the index parameter 3.1. hvm_allow_set_param blocks speculative execution with a barrier after domain permissions have been evaluated, before accessing the parameters of the domain. hvm_allow_get_param does not access the params member of the domain, and hence does not require additional protection. To simplify the code, I propose to furthermore make the hvmop_set_param function static as well. Please let me know whether the above would is acceptable. Best, Norbert > > Jan Amazon Development Center Germany GmbH Krausenstr. 38 10117 Berlin Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss Eingetragen am Amtsgericht Charlottenburg unter HRB 149173 B Sitz: Berlin Ust-ID: DE 289 237 879
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |