[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 07/17] IOMMU/x86: restrict IO-APIC mappings for PV Dom0

  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Date: Tue, 7 Sep 2021 18:13:36 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=GJ3bNmTS1SCgQmc3iJNrcycJ8ksUb33jC2GsqzoyOMY=; b=EA6KHDfd9OxBSSOH3w4COol4f9i/QwkChFKl87s4Cq0nTYlUkC8nA8t7CzUKUWVaYqdtBE0CloExRRxriXkw65PITgo/ULbWSJRZmN4tEyzo3lKKsU4hiYxbR4N3gDfAX0GbVQT6YYjYYJt0LPKbs0jRbFCiOqOj39XGyQm9E6gvprMnpqc+HYBRyZeq9O6BnhBmfn/fp+CYPJ9HSUeWM4XNsDPrhZ+AYDiCx97PRTeFktub+LAYlo9PeVACV+irB+0BMatFr7om8UHck60Xs7ZMpdDsTigV6qE0cLuqrdxUSSAYLhyJDdb881bqAw1KDX/jwv57FnpZzCm5faGCYA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=cAZ7dx2t6MPKD/Cwl7e2n6jSgZObv3CFTvGCVph/DjqGibmqqEAjl7VakRqZSyslN0Xk/ZuBKjCpnI4j8RGoCUogvHK7X51uYn6dbKHdgWspvhYJBMed/rT4YuYtVrvecWgg0i5+iZb5EPIi7NpSl2R6P/wYce+s38hF0x14gKn8UiTUYbRacAHPQhj6ZSfT3m3HVEwohInn2bP8UjjIV6wKCybqyLlmNKvRQ/A5bBaSbktSdOjxfiekVMY/o4IoYdqo0f8gSj4z8Ld7K2eNuKUxgh3S88VD/OEoAVyv5GpNfAy+3whGI77zTea42niBygFiNKB6HGfZH9JwGq+T9w==
  • Authentication-results: esa5.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com
  • Cc: Paul Durrant <paul@xxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Tue, 07 Sep 2021 17:13:48 +0000
  • Ironport-hdrordr: A9a23:QrjXcqAsKD89qOTlHemQ55DYdb4zR+YMi2TDsHoBLSC9E/bo8v xG885rtiMc5AxxZJhCo7690cu7MBThHPdOiOF6UItKNDOW3ldAR7sSj7cKrQeBJ8TWzJ8l6U 8+GJIUNDSLNzdHZGzBkXGF+q0brOW6zA==
  • Ironport-sdr: xthbV/wYKObH9XYXDBoscF+DLVj3fg2Le+AN78iur3lWnjc+uWj2fX8qjGAKO/1qWBW7TGjJc0 fetO4bcq12gxg+rBPwLHlIxiyowWVrPBO3IodEBFFjSVgxMrZfAuY1r0uA0+OvOu0MWORoRrCZ WjKMsuceHcFgC9tSTgsg8t7jVf5S7uM9a1WgINK7kRDfO3OxwmAd4euiC3JAByTLH4YzLRSaV3 b/pdb17PzBAgATKHZwXbwr+If3sO9Q2dRLgS0Gzx8bX4tMIF+XGl6ubL71xLkW33JdJoI+HKrf 3iCfjTT4JCWedPBo7mKaz15Z
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 26/08/2021 13:55, Jan Beulich wrote:
> On 26.08.2021 13:57, Andrew Cooper wrote:
>> On 24/08/2021 15:21, Jan Beulich wrote:
>>> While already the case for PVH, there's no reason to treat PV
>>> differently here, though of course the addresses get taken from another
>>> source in this case. Except that, to match CPU side mappings, by default
>>> we permit r/o ones. This then also means we now deal consistently with
>>> IO-APICs whose MMIO is or is not covered by E820 reserved regions.
>>> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
>> Why do we give PV dom0 a mapping of the IO-APIC?  Having thought about
>> it, it cannot possibly be usable.
>> IO-APICs use a indirect window, and Xen doesn't perform any
>> write-emulation (that I can see), so the guest can't even read the data
>> register and work out which register it represents.  It also can't do an
>> atomic 64bit read across the index and data registers, as that is
>> explicitly undefined behaviour in the IO-APIC spec.
>> On the other hand, we do have PHYSDEVOP_apic_{read,write} which, despite
>> the name, is for the IO-APIC not the LAPIC, and I bet these hypercalls
>> where introduced upon discovering that a read-only mapping of the
>> IO-APIC it totally useless.
>> I think we can safely not expose the IO-APICs to PV dom0 at all, which
>> simplifies the memory handling further.
> The reason we do expose it r/o is that some ACPI implementations access
> (read and write) some RTEs from AML. If we don't allow Dom0 to map the
> IO-APIC, Dom0 will typically fail to boot on such systems.

I think more details are needed.

If AML is reading the RTEs, it's is also writing to the index register.

Irrespective of Xen, doing this behind the back of the OS cannot work
safely, because at a minimum the ACPI interpreter would need to take the
ioapic lock, and I see no evidence of workarounds like this in Linux.

In Xen, we appear to swallow writes to mmio_ro ranges which is rude, and
causes the associated reads to read garbage.  This is Xen-induced memory
corruption inside dom0.

I don't think any of this is legitimate behaviour.  ACPI needs disabling
on such systems, or interlocking suitably, and its not just IO-APICs
which are problematic - any windowed I/O (e.g. RTC) as well as any other
device with read side effects.

I think we should seriously consider not mapping the IO-APIC at all. 
That said, I would be surprised if Linux is cleanly avoiding the
IO-APIC, so a slightly less bad alternative is to redirect to an "MMIO"
frame of ~0's which we still write-discard on top of.

That at least makes the Xen-induced memory corruption behave




Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.