[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v2] SUPPORT.md: Un-shimmed 32-bit PV guests are no longer supported

  • To: George Dunlap <george.dunlap@xxxxxxxxxx>
  • From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Date: Fri, 7 May 2021 12:26:15 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=uA7J73w4tUhnzRmbH076hDYbU3zz8EBFrETmbD7W0Ak=; b=WmjUnh1RkmWYRkSaaVIMH1S9eLvuuy0oGY66fzy65L6M8OEcEu3RlwCpDeluBIc8AcnjlEI3gQ9hZhx/UcnQibciHmZxu9mX3E0TmmHzbisQXKTZOIT1YsWgBFIwy9PLODQ0HtqhzbrugJoQLmRxLwm5d2tDaOUvTSQSKL2CQcgaTg4++HHe/TXc8TybSsjDS7aRedGfYJeDaUiSgDSmPhec2rNGyBZ7EP6ThEVWCYWvvzbvnDNj/VK92BZJlHcgUu0Yf+gXzML7DsaRsI0+KewO1/oojk9hidACH8L8SdFrBQmspKjMawoTfrPCey+swCNAlCfGc2lkgNcB8Y1HyQ==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=gEPLhjjiWy7a8STo1hX4OU9KeTGkEZWa0A1+LVAhYxOHUwswQ1Y4pVJroDfTkLS7yMyCvXz7uDop3+Nh/BcPrXcrbRmWB/wG7NESJUawmV/srizw5GUIdyZle4nKrpwkClZlahnGwMHFhe3OS9fTOt+09xoC0uYgo+fUsNsAU7wOnE+yNge2a4XEn/vr5U0xy9rshAPS901WsuMJrWGzMWXPeik+SLVWIq/xf/bIg/cyJ5DatdX9D+qfP9og0DfrEqih5y9aAgU3l3ok1P+dl7GdFCOaqy23l8CiczPN5x18Miy2OmsIKGqS+vKVQbzztolimZEAzEoBF8czyKLIGQ==
  • Authentication-results: esa4.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com
  • Cc: <security@xxxxxxxxxxxxxx>, <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Jann Horn <jannh@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>
  • Delivery-date: Fri, 07 May 2021 10:26:32 +0000
  • Ironport-hdrordr: A9a23:g9h+Ta9oGqTf6ExTf65uk+Hadb1zdoMgy1knxilNoENuHPBwxv rAoB1E73PJYVYqOE3Jmbi7Sc+9qFfnhONICOgqTM2ftWzd2VdAQ7sSiLcKrweQfxEWs9QtqZ uIEJIOeOEYb2IK9foSiTPQe71LrajlgcLY99s2jU0dNj2CA5sQnjuRYTzra3GeKjM2YqbQQ/ Gnl7R6TnebCDgqhqvRPAhLY8Hz4/nw0L72ax8PABAqrCOUiymz1bL8Gx+Emj8DTjJm294ZgC j4uj28wp/mn+Cwyxfa2WOWxY9RgsHdxtxKA9HJotQJKw/rlh2jaO1aKvy/VQgO0aOSAWsR4Z zxS09KBbU215qRRBD6nfLV4Xii7N50gEWSjmNx6BDY0L/ErDFTMbsLuWsWSGqe16KM1OsMpp 6j5Fjpw6a/Oymw1BgV1+K4Ii2CqXDE1kbKsdRjxUC3ArFuJYO4k+QkjQpo+cA7bV3HAcYcYb BTMP0=
  • Ironport-sdr: vdkvY8i0oItjhJc8At2//s1kNRL4sXbPm178WU31BQKI9ak7DtKl34X5fSijuOw6Fq4EWBfzWd 4qI9nXFgjRgZuwlyOw4X0zMqPf058zkGZfESpUTFH5jLcxXfTVID03FQKHjm6zOhCHifGxkQMc GssJcLxZGXOumgOA6A4EsVMl4ycph6x8wzspmfSSougcGu2zqBD79bftxHIbIB/sTID5xnMxSc /btdFae/MeDwwzDqkE+z8xEhNKHXI4C/IMejuzkHbQDeoCj8br+gdPMV8Er3fsU1o6AWQ17s7M Kfg=
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On Thu, May 06, 2021 at 01:47:52PM +0100, George Dunlap wrote:
> The support status of 32-bit guests doesn't seem particularly useful.
> 
> With it changed to fully unsupported outside of PV-shim, adjust the PV32
> Kconfig default accordingly.
> 
> Reported-by: Jann Horn <jannh@xxxxxxxxxx>
> Signed-off-by: George Dunlap <george.dunlap@xxxxxxxxxx>
> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
> ---
> v2:
>  - add in Kconfig from advisory, ported over c/s d23d792478d
> ---
>  SUPPORT.md           | 9 +--------
>  xen/arch/x86/Kconfig | 7 +++++--
>  2 files changed, 6 insertions(+), 10 deletions(-)
> 
> diff --git a/SUPPORT.md b/SUPPORT.md
> index d0d4fc6f4f..a29680e04c 100644
> --- a/SUPPORT.md
> +++ b/SUPPORT.md
> @@ -86,14 +86,7 @@ No hardware requirements
>  
>      Status, x86_64: Supported
>      Status, x86_32, shim: Supported
> -    Status, x86_32, without shim: Supported, with caveats
> -
> -Due to architectural limitations,
> -32-bit PV guests must be assumed to be able to read arbitrary host memory
> -using speculative execution attacks.
> -Advisories will continue to be issued
> -for new vulnerabilities related to un-shimmed 32-bit PV guests
> -enabling denial-of-service attacks or privilege escalation attacks.
> +    Status, x86_32, without shim: Supported, not security supported
>  
>  ### x86/HVM
>  
> diff --git a/xen/arch/x86/Kconfig b/xen/arch/x86/Kconfig
> index e55e029b79..9b164db641 100644
> --- a/xen/arch/x86/Kconfig
> +++ b/xen/arch/x86/Kconfig
> @@ -55,7 +55,7 @@ config PV
>  config PV32
>       bool "Support for 32bit PV guests"
>       depends on PV
> -     default y
> +     default PV_SHIM
>       select COMPAT
>       ---help---
>         The 32bit PV ABI uses Ring1, an area of the x86 architecture which
> @@ -67,7 +67,10 @@ config PV32
>         reduction, or performance reasons.  Backwards compatibility can be
>         provided via the PV Shim mechanism.
>  
> -       If unsure, say Y.
> +       Note that outside of PV Shim, 32-bit PV guests are not security
> +       supported anymore.
> +
> +       If unsure, use the default setting.

While not opposed to this, I wonder whether we should give people some
time to adapt. We have in the past not blocked vulnerable
configurations by default (ie: the smt stuff for example).

It might be less disruptive for users to start by printing a warning
message at boot (either on the serial for dom0 or in the toolstack for
domU) and switch the default Kconfig slightly later?

Note I don't have any specific interest in 32bit PV, so I'm not going
to argue strongly against this if everyone else is fine with it.

I also wonder whether xl shouldn't try to boot PV 32bit guests by
default using the shim now if the hypervisor has been built without
CONFIG_PV32, or at least print a message so users know how to deal
with the fallout.

Roger.

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.