
Re: [PATCH 0/3] x86: Initial pieces for guest CET support


  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Date: Wed, 28 Apr 2021 13:25:45 +0100
  • Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Jun Nakajima <jun.nakajima@xxxxxxxxx>, Kevin Tian <kevin.tian@xxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Wed, 28 Apr 2021 12:26:04 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 27/04/2021 11:13, Andrew Cooper wrote:
> There are 3 emulator complexities for shadow stack instructions.  SSP
> itself as a register, WRUSS no longer being CPL-based for
> user/supervisor, and the fact that RSTORSSP in particular uses an atomic
> block which microcode can express, but can't be encoded at an ISA
> level.  I've got no idea what to do about this last problem, because we
> can't map the two guest frames and re-issue the instruction - the
> aliasing check on the tokens forces us to map the two frames in their
> correct linear addresses.

Actually, RSTORSSP isn't too difficult.  I'd mis-read the pseudocode.

The atomic block is a check&edit of the token on the remote stack (not
both stacks, as I'd mistakenly thought).  The purpose is to prevent two
concurrent RSTORSSP's moving two threads onto the same shadow stack.

Without microcode superpowers, the best we can do is a read, check,
cmpxchg() loop.

The common case will be no conflict, as stack switching will be well
formed (outside of debugging).  Any conflict here from real code is
going to yield #GP/#CP on one of the threads participating, so in the
case of a conflict in the emulator, a likely consequence of the 2nd
iteration is going to be a hard failure.

That said, malicious cases within the guest, or from foreign mappings,
can cause the cmpxchg() loop to take an unbounded time, so after 3
retries or so, we need to escalate to vcpu_pause_all_except_self(),
and/or the ARM stop_machine() big hammer.

I'm tempted to just throw #GP back after 3 retries.  It's potentially
non-architectural behaviour, but won't occur in non-malicious
circumstances, and all fallback mechanisms have system-wide implications
that we oughtn't to be bowing to in a malicious circumstance.

~Andrew
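The read/check/cmpxchg loop with a bounded retry budget that the mail sketches, as an added illustrative model in C (not Xen code, and not the emulator change under discussion). The token layout (mode bit, reserved bit, a "consumed" mark, pointer in the upper bits), the names emulate_token_switch / token_valid / hostile_writer, and the race_fn test seam are assumptions made for this example so that a racing writer can be played deterministically; the real RSTORSSP token checks are those in the SDM pseudocode, not these. What it shows is the distinction the mail draws: a malformed token is an architectural #CP on the first pass, a lost cmpxchg is a re-read, and a writer that keeps flipping the word between valid and invalid in step with the loop exhausts the retry budget and is turned into the non-architectural #GP rather than being allowed to spin.

```c
/*
 * Illustrative model of emulating an instruction whose hardware definition
 * contains an atomic "read token, validate, edit token" block, using a
 * bounded read/check/cmpxchg loop over a guest-visible 64-bit word.
 * Example code only; the token layout is a hypothetical simplification:
 *   bits 63:3  shadow stack pointer recorded in the token
 *   bit  2     hypothetical "consumed" mark set by the emulated edit
 *   bit  1     reserved, must be zero
 *   bit  0     mode flag, must match the emulated CPU's long-mode state
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TOKEN_MODE      0x1ull
#define TOKEN_RSVD      0x2ull
#define TOKEN_CONSUMED  0x4ull
#define TOKEN_PTR_MASK  (~0x7ull)

#define MAX_RETRIES 3   /* retry budget before escalating, per the mail's "3 retries or so" */

enum emul_status { EMUL_OK = 0, EMUL_FAULT_CP, EMUL_FAULT_GP };

/* Points at which a racing writer (another vCPU, a foreign mapping) may run. */
enum race_point { RACE_BEFORE_READ, RACE_BEFORE_CMPXCHG };

/* Test seam (assumption for this example): a harness plays the racing writer. */
typedef void (*race_fn)(uint64_t *token, enum race_point where, void *ctx);

struct emul_result {
    enum emul_status status;
    uint64_t new_ssp;       /* meaningful only when status == EMUL_OK */
    unsigned int attempts;  /* number of cmpxchg attempts made */
};

/* Check phase: validate the token value exactly as it was read. */
static bool token_valid(uint64_t tok, bool long_mode)
{
    if (tok & (TOKEN_RSVD | TOKEN_CONSUMED))
        return false;
    return (tok & TOKEN_MODE) == (long_mode ? TOKEN_MODE : 0);
}

struct emul_result emulate_token_switch(uint64_t *token, bool long_mode,
                                        race_fn race, void *ctx)
{
    struct emul_result r = { EMUL_FAULT_GP, 0, 0 };

    while (r.attempts < MAX_RETRIES) {
        if (race)
            race(token, RACE_BEFORE_READ, ctx);

        uint64_t old = __atomic_load_n(token, __ATOMIC_ACQUIRE);

        /* A malformed token is an architectural fault, not a reason to retry. */
        if (!token_valid(old, long_mode)) {
            r.status = EMUL_FAULT_CP;
            return r;
        }

        if (race)
            race(token, RACE_BEFORE_CMPXCHG, ctx);

        /* Edit phase: succeeds only if the word is unchanged since the read. */
        r.attempts++;
        uint64_t desired = old | TOKEN_CONSUMED;
        if (__atomic_compare_exchange_n(token, &old, desired, false,
                                        __ATOMIC_ACQ_REL, __ATOMIC_ACQUIRE)) {
            r.status = EMUL_OK;
            r.new_ssp = old & TOKEN_PTR_MASK;
            return r;
        }
        /* Lost the race: go round and re-validate rather than trust stale data. */
    }

    /* Retry budget exhausted: the bounded, non-architectural fallback. */
    r.status = EMUL_FAULT_GP;
    return r;
}

/* Simulated hostile writer: makes the token invalid just before each cmpxchg
 * and valid again before each re-read, so the loop can never converge. */
static void hostile_writer(uint64_t *token, enum race_point where, void *ctx)
{
    (void)ctx;
    if (where == RACE_BEFORE_CMPXCHG)
        __atomic_fetch_or(token, TOKEN_RSVD, __ATOMIC_RELAXED);
    else
        __atomic_fetch_and(token, ~TOKEN_RSVD, __ATOMIC_RELAXED);
}

int main(void)
{
    uint64_t tok = 0x7f00ull | TOKEN_MODE;   /* constructed sample token */
    struct emul_result r = emulate_token_switch(&tok, true, hostile_writer, NULL);
    printf("status=%d attempts=%u\n", r.status, r.attempts);
    return 0;
}
```

The race seam is what makes the livelock reproducible: a writer that merely restored the original value would be invisible to a value-comparing cmpxchg (it would succeed), so the pattern that actually starves the loop is valid-at-read, invalid-at-cmpxchg, repeated in lockstep, which is exactly what the bounded budget cuts off.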
