[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 0/3] x86: Initial pieces for guest CET support
- To: Jan Beulich <jbeulich@xxxxxxxx>
- From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
- Date: Tue, 27 Apr 2021 11:13:46 +0100
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CdDLMUlgbjmhB7z9vklvy5BuyDYDvl/ql/xjhKF4GR0=; b=TW8Kk6rI8y70SiWs/0HaTJV79X7kDwvtas+z/gDUNCq2VsHHtobAz1eZ0DZFhpkjP2TnDgqzFVqDm/vWQM83aPNZ8n9PpeHpxtQrCxX4US1R9iqHe4MOp/102Gbl9xpv/3GodMFj9XvWVScKvMH1aumKniq8YUhSV3U0wjFG1K+Y0GEiJu5OPJLtWrOw/0vQ6LFYMepdjEsf0AN1JJKqN9IT8GBnlX1Lp8N3NaVEsYxAyY319pb/smvq3bPLGHOlTk67UB/4UWC0ciiCshh9tfsr12qQO1yHZ8+g3rm6VS0J1v4qHmtDdGAO+Pon4iK2bp8mJKD7zvPF1VP8OtIupQ==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=GrqTFBs1m9n/0dz/kFqflQiBmQ/Ulyaybk4/pinJnE6SknLBW4aKcioFYmsVqBb9lTp+XpZv8P3jFbSuyCQVSDAX/2HtdQJZ1Ip4F0UI4lxPE//tgJxYnWUL8BWwMtgoKqbSqHspfzlh0Rr7W9FnIhY3EAJK5T8b4J5ii0C/rJW4e/KG+gD+LQMp1MZMCmfFYkLlYSsOwVYcMmNQXsC/FZRMUuZz8krrsuzEXAKECSUz6VO08GSHr9NbM7YbvjsY4Juu0FhqgcLF4qCn92rmuUmZ0Lu5LZ1Iw/TGaoK3t+kx9YqtGYBOnaNNva2ysdFxkjWHtjWOVRUGlrUoUKYNjQ==
- Authentication-results: esa4.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com
- Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Jun Nakajima <jun.nakajima@xxxxxxxxx>, Kevin Tian <kevin.tian@xxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
- Delivery-date: Tue, 27 Apr 2021 10:14:03 +0000
- Ironport-hdrordr: A9a23:9uR0lqDPv6BfyG3lHej/tceALOonbusQ8zAX/mhLY1h8btGYm8 eynP4SyB/zj3IrVGs9nM2bUZPvfVr1zrQwxYUKJ7+tUE3duGWuJJx/9oeK+VLdMgXE3Kpm2a 9kGpITNPTZEUV6gcHm4AOxDtYnx529/Lq1gPrFpk0McShBQchbnmNEIyycFVB7QxQDIJI/Go aV6MYvnUvfRV08aMOnCn4ZG9XZr9rQm578JTIADRgr6A6B5AnYl4LSOR6ewxsYTndz0a4vmF K17zDRy4eCl7WAyhHa33LO9Jg+orrc4/ZKGcDksLlvFhzCkQCtDb4RPYGqnDdwm+237UZvrd +kmWZcA+1Wy1f8Ol64ugHs3Q6I6kdd11bHxUWDiXXu5ezVLQhKc/Zpvo5SfhvH50dIhrgVu8 gnrgHp1esiMTr6kCvw/NTOXR1x/3DExkYKquIPk2dZFbIXdb45l/1twGpuDJwCECjmgbpXad VGMce03ocyTXqndXzD+kFgzNuwN05DZCuucwwpv8yY1CVuh3Zpz0cU79x3pAZxyLsND7ZD/O jKKaJuifVnSdIXd7t0AKM7TdKwEXGle2OMDEuiZXHLUJgdPXjAsYT67dwOlamXUa1N6KF3tI XKUVteu2J3U0XyCfeW1JkO1hzWWm2yURnk18k23ek4hpTMAJ7QdQGTQlEnlMWt598FBNfAZv q1MJVKR9f+MGrHA+9yrkjDcqgXDUNbfNweu949VV7LiNnMMJfWuuvSd+uWDKbxEAwjRnj0Dh I4LXrODfQFynrudm7zgRDXVX+oUFf454hMHK/T+PVW55MKMqFKrwgJmXW07syGMlR5w+sLVX o7BImivrKwpGGw82qNxX5uIABhAkFc56ilc34in35ND2rENZI4//mPc2Fb23WKYjVlSdnNLQ JZr1NrvYa+L5mawzEeG8uqW1jq1kc7lTavddMxi6eD7cDqdtcTFZA9QpF8Eg3NClhTlRt1rn xALCsJXFXWGD+rqajNtu1WOMjvM/1HxCu7K89drnzS8W+Go9s0e3cdVzmyFeiNgQgvQDJQrk Zr87AWhYeBnTrHExp6vM0IdHl3LEiHCrNPCwqIIK9OnKrwRQ12RWCWwQCBhwoLYWrs/UUKjm nHJSmZEMu7WmZ1izR96OLH4Vl0fmKScwZVZmphuYNwL2jAp01+yPSGfKa1zmuXZGYT2+11Ck CxXRIiZidVg/yn3h+cnziPUU8rwZgjJcTxJrUuebO74ALgFKS40YU9W9NE9pdsM97j9tIRWe WEYgmPMXfTEOUywTGYoX4jJQh5oHQpiunTxRXg9WS0tURPWsb6ERBDffU2Mtuc52/rS7K0y5 1/l8sypvb1HWPraNKKoJunJAJrG1f2myqRQO4po5wP4v53m7t3ApXBUTzHkFtAxw4zKc/olE UYBIR3iYqxTLNHTog3QWZ++FFsqfGkaG0MmSbyCvUlfV4sg2TAVun5robgmP4KOAm5uAD0OV Oj6CVT8PfOYjub2dchetUNCFUTTHJ51W9r8+yDfbDBEQmGd+lM+1yhL3+2GYUtAZStKPE1rh xg5cuPkPLSXy3k2BrItT8TGNMAz0+XBeezChmLA+hG7piTPkmNmLKj5IqWgC3sQTW2L2Qeio stTz1fUu1zzh0jhpYwyC68V+jepV8kiUJX5XVfrWHWs7LWqlvzLAVhKg3WgpJfQDlVPDyptK 3+gJml/UW4xiNE15nFHFpXZfdUFbErP9LKExs=
- Ironport-sdr: W7EoRAjsmgLknpOKyR85bYP4doE++5uewmPnaULHx4MoCQs91YxbhTr+syaksVCdelZ/BBgxsY Zy1lYywvLPyJqINzUwymRXkmbtIPZtCmfnvZGz0fvfB+P6kZQNoj5/OwiTc3yRXLEMysDSMQEJ g6LZwZUT4tXIt3Pfn6BS7Ebt8Gyv81KMPzVwLnE9F7ThhXL7I+mda6H45EuKZ4VuhVrdHw76WO zTtMMZ00qBGuePNAIOmorC45i+QmvX7yEfV13utThqqemCNDj+wz/kKuEzQx2+v2zWTl1oRYPy rF8=
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 27/04/2021 07:46, Jan Beulich wrote:
> On 26.04.2021 19:54, Andrew Cooper wrote:
>> Some initial pieces for guest support. Everything will currently malfunction
>> for VMs which explicitly opt in to CET_SS/IBT.
>>
>> Still TODO as a minimum:
>> * Teach the pagewalk logic about shadow stack accesses and errors.
>> * Emulator support for the new instructions. WRUSS is an irritating corner
>> case, requiring a change to how we express pagewalk inputs, as
>> user/supervisor is no longer dependent on CPL.
> I can put this on my todo list, considering that I'm the one to play
> with the emulator the most. Just let me know if you would prefer to
> do it yourself. (Otherwise my next item there after AMX is now
> complete would have been KeyLocker insns.)
My plan was actually to start with WRSS and do the pagewalk side of
things, including refreshing my comprehensive pagewalk XTF test. This
will block work on all the other shadow stack instructions.
There are 3 emulator complexities for shadow stack instructions. SSP
itself as a register, WRUSS no longer being CPL-based for
user/supervisor, and the fact that RSTORSSP in particular uses an atomic
block which microcode can express, but can't be encoded at an ISA
level. I've got no idea what to do about this last problem, because we
can't map the two guest frames and re-issue the instruction - the
aliasing check on the tokens forces us to map the two frames in their
correct linear addresses.
IBT is quite different. There are only two new instructions,
ENDBR{32,64} but tweaks to lots of other instructions (all indirect
control transfers), as well as 0x3e for the notrack prefix, and the
legacy code page bitmap. The tracker bits themselves are somewhat
irritating to access in the {U,S}_CET MSRs.
Furthermore, I don't have access to hardware with CET-IBT (the SDP seems
to have let out some blue smoke), so any support here would be speculative.
Other bits I'd forgotten from the first set of bullet points.
* {RD,WR}MSR support for all the MSRs, including finally breaking into
the non-trivial work of context-dependent state.
* Changes to Task Switch.
>> * Context switching of U/S_CET state. Recommended way is with XSAVES,
>> except
>> the S_CET has broken sematics - it ends up as a mix of host and guest
>> state, and isn't safe to XRSTOR without editing what the CPU wrote out.
> Hmm, I wasn't aware of quirks here - would you mind going into more
> detail?
I'll double check my notes.
>
>> The above ought to suffice for getting some XTF testing in place. For
>> general
>> guest support:
>> * In-guest XSAVES support. Windows is the only OS to support CET at the
>> time
>> of writing, and it cross-checks for XSAVES. Linux expected to perform the
>> same cross-check in due course.
> What specifically do you mean here? The XSAVES CPU feature is marked
> 'S', so ought to be visible to Windows. Hence I guess you mean support
> for the respective XSS bits?
We really shouldn't have exposed XSAVES without XSS bits, but yes - what
matters is that the {U,S}_CET XSTATE components are usable in the guest.
~Andrew
|
